Ssl status per thread #63

Closed

dveeden commented Jun 7, 2015

Inspired by http://www.depesz.com/2015/05/11/waiting-for-9-5-add-system-view-pg_stat_ssl/

It is missing information:

  • if and which client certificate was used.
  • validity for the client certificate

Related: http://bugs.mysql.com/bug.php?id=77271


MarkLeith commented Jun 30, 2015

This needs an update to the README to include the details in there as well.

I also wonder why you chose just these variables? You mentioned in your bug about "What are the start and end date for the client certificate?"; these could be added to the table with the Ssl_server_not_after and Ssl_server_not_before variables.

I think it's not beyond reason that we would perhaps want statistics vs config tables here, like ssl_config_per_thread and ssl_stats_per_thread, and wonder if you would be interested in doing that instead?

Finally, note that in 5.7.8 there has been a new CONNECTION_TYPE column added to performance_schema.threads:

http://dev.mysql.com/doc/refman/5.7/en/threads-table.html

"CONNECTION_TYPE

The protocol used to establish the connection, or NULL for background threads. Permitted values are TCP/IP (TCP/IP connection established without SSL), SSL/TLS (TCP/IP connection established with SSL), Socket (Unix socket file connection), Named Pipe (Windows named pipe connection), and Shared Memory (Windows shared memory connection).

This column was added in MySQL 5.7.8."

You may want to join against THREADS, where the connection_type is SSL/TLS too? Of course, that's hard to test for you at the moment without that build available yet so understand if you skip that (and maybe I can do it instead after merge).


dveeden commented Jun 30, 2015

Don't the Ssl_server_not_after and Ssl_server_not_before variables indicate the validity of the server certificate and not of the client certificate?

Thanks for pointing the CONNECTION_TYPE feature out to me. It looks nice, however it still doesn't give information about if and which client certificate was used.


MarkLeith commented Jun 30, 2015

Ah, yea, you're right it is just server not client (clue is in the name huh). I wonder why that is also a session variable.. Anyway, forget that bit. :)

I wasn't meaning to replace this with the CONNECTION_TYPE, I just wonder if we should JOIN and use that info in the WHERE to filter for only threads that are connected via SSL.

MarkLeith added a commit that referenced this pull request Aug 13, 2015
…w for session SSL status.

Made a few changes from the original, such as a rename of the sessions view to session, and the contributed view to session_ssl_status.

MarkLeith commented Aug 13, 2015

Thanks for the contribution, I manually merged this with a few changes (to rename to session_ssl_status, and rename the sessions view to session), see the related commit.

@MarkLeith MarkLeith closed this Aug 13, 2015
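
The join against THREADS discussed in this thread, sketched as an added example (not code from the pull request or from the merged session_ssl_status view). It assumes MySQL 5.7.8 or later with performance_schema enabled and reads the per-thread `Ssl_version` and `Ssl_cipher` status variables from `performance_schema.status_by_thread`; the column aliases are illustrative.

```sql
-- Added example: per-thread TLS details, filtered on the CONNECTION_TYPE
-- column quoted above so only sessions that connected via SSL/TLS are listed.
-- Aliases (conn_id, account_user, account_host) are illustrative names.
SELECT t.thread_id,
       t.processlist_id   AS conn_id,
       t.processlist_user AS account_user,
       t.processlist_host AS account_host,
       ver.variable_value AS ssl_version,
       cip.variable_value AS ssl_cipher
  FROM performance_schema.threads AS t
  LEFT JOIN performance_schema.status_by_thread AS ver
    ON ver.thread_id = t.thread_id
   AND ver.variable_name = 'Ssl_version'
  LEFT JOIN performance_schema.status_by_thread AS cip
    ON cip.thread_id = t.thread_id
   AND cip.variable_name = 'Ssl_cipher'
 WHERE t.connection_type = 'SSL/TLS'
 ORDER BY t.processlist_id;

-- Complementary audit query: client sessions that came in over TCP/IP
-- without SSL. Background threads have a NULL connection_type and are
-- excluded by the TYPE filter.
SELECT t.processlist_id   AS conn_id,
       t.processlist_user AS account_user,
       t.processlist_host AS account_host
  FROM performance_schema.threads AS t
 WHERE t.type = 'FOREGROUND'
   AND t.connection_type = 'TCP/IP'
 ORDER BY t.processlist_id;

-- Neither query reports whether a client certificate was presented or its
-- validity period; the thread notes that this information is missing.
```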