Ssl status per thread #63

Closed
wants to merge 1 commit into
base: development
from

dveeden commented Jun 7, 2015

Inspired by http://www.depesz.com/2015/05/11/waiting-for-9-5-add-system-view-pg_stat_ssl/

It is missing information:

  • if and which client certificate was used.
  • validity for the client certificate

Related: http://bugs.mysql.com/bug.php?id=77271

Member

MarkLeith commented Jun 30, 2015

This needs an update to the README to include the details in there as well.

I also wonder why you chose just these variables? You mentioned in your bug about "What are the start and end date for the client certificate?", these could be added to the table with the Ssl_server_not_after and Ssl_server_not_before variables.

I think it's not beyond reason that we would perhaps want statistics vs config tables here, like ssl_config_per_thread and ssl_stats_per_thread, and wonder if you would be interested in doing that instead?

Finally, note that in 5.7.8 there has been a new CONNECTION_TYPE column added to performance_schema.threads:

http://dev.mysql.com/doc/refman/5.7/en/threads-table.html

"CONNECTION_TYPE

The protocol used to establish the connection, or NULL for background threads. Permitted values are TCP/IP (TCP/IP connection established without SSL), SSL/TLS (TCP/IP connection established with SSL), Socket (Unix socket file connection), Named Pipe (Windows named pipe connection), and Shared Memory (Windows shared memory connection).

This column was added in MySQL 5.7.8."

You may want to join against THREADS, where the connection_type is SSL/TLS too? Of course, that's hard to test for you at the moment without that build available yet so understand if you skip that (and maybe I can do it instead after merge).

Contributor

dveeden commented Jun 30, 2015

Don't the Ssl_server_not_after and Ssl_server_not_before variables indicate the validity of the server certificate and not of the client certificate?

Thanks for pointing the CONNECTION_TYPE feature out to me. It looks nice, however it still doesn't give information about if and which client certificate was used.

Member

MarkLeith commented Jun 30, 2015

Ah, yea, you're right it is just server not client (clue is in the name huh). I wonder why that is also a session variable.. Anyway, forget that bit. :)

I wasn't meaning to replace this with the CONNECTION_TYPE, I just wonder if we should JOIN and use that info in the WHERE to filter for only threads that are connected via SSL.
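
The JOIN and WHERE filter discussed in the comments above, written out as a query. This is an added example, not the code from this pull request or from the sys schema. It assumes MySQL 5.7.8 or later with `performance_schema.status_by_thread` available, and the three `Ssl_*` session status variables are illustrative picks, since the page does not list the ones the contributed view used.

```sql
-- Added example: per-thread TLS status, restricted to threads whose
-- connection was established with TLS.
-- Assumptions: MySQL 5.7.8+ (threads.CONNECTION_TYPE exists) and the
-- status_by_thread table is populated; the Ssl_* variables below are
-- illustrative, not necessarily the ones chosen in this PR.
SELECT t.THREAD_ID,
       t.PROCESSLIST_ID,
       t.PROCESSLIST_USER,
       t.PROCESSLIST_HOST,
       MAX(CASE WHEN s.VARIABLE_NAME = 'Ssl_version'
                THEN s.VARIABLE_VALUE END) AS ssl_version,
       MAX(CASE WHEN s.VARIABLE_NAME = 'Ssl_cipher'
                THEN s.VARIABLE_VALUE END) AS ssl_cipher,
       MAX(CASE WHEN s.VARIABLE_NAME = 'Ssl_sessions_reused'
                THEN s.VARIABLE_VALUE END) AS ssl_sessions_reused
  FROM performance_schema.threads AS t
  LEFT JOIN performance_schema.status_by_thread AS s
    ON s.THREAD_ID = t.THREAD_ID
   AND s.VARIABLE_NAME IN ('Ssl_version', 'Ssl_cipher', 'Ssl_sessions_reused')
 WHERE t.CONNECTION_TYPE = 'SSL/TLS'
 GROUP BY t.THREAD_ID, t.PROCESSLIST_ID,
          t.PROCESSLIST_USER, t.PROCESSLIST_HOST;

-- Complementary audit: client sessions that connected over plain TCP/IP,
-- i.e. network connections established without TLS.
SELECT t.THREAD_ID,
       t.PROCESSLIST_ID,
       t.PROCESSLIST_USER,
       t.PROCESSLIST_HOST
  FROM performance_schema.threads AS t
 WHERE t.CONNECTION_TYPE = 'TCP/IP'
 ORDER BY t.PROCESSLIST_USER, t.PROCESSLIST_HOST;
```

Neither query reports whether a client certificate was presented or which one, which is the gap noted at the top of this pull request.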

MarkLeith added a commit that referenced this pull request Aug 13, 2015

Manually merge PR #63, contribution by Daniël van Eeden for a new view for session SSL status.

Made a few changes from the original, such as a rename of the sessions view to session, and the contributed view to session_ssl_status.

Member

MarkLeith commented Aug 13, 2015

Thanks for the contribution, I manually merged this with a few changes (to rename to session_ssl_status, and rename the sessions view to session), see the related commit.

@MarkLeith MarkLeith closed this Aug 13, 2015
