This is an automated email from the ASF dual-hosted git repository.
mochen pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new 4e1facec57 TLS: Add per-curve handshake time metrics (#12539)
4e1facec57 is described below
commit 4e1facec579229db971a50587b85ca7fe0dd79e3
Author: Mo Chen <[email protected]>
AuthorDate: Mon Oct 13 13:12:22 2025 -0500
TLS: Add per-curve handshake time metrics (#12539)
Track handshake duration for each TLS curve/group to enable performance
analysis across different elliptic curves. Extends existing per-group
connection counters with corresponding handshake_time metrics.
---
src/iocore/net/SSLStats.cc | 11 +++++++++++
src/iocore/net/SSLStats.h | 2 ++
src/iocore/net/TLSBasicSupport.cc | 25 +++++++++++++++++++++++++
3 files changed, 38 insertions(+)
diff --git a/src/iocore/net/SSLStats.cc b/src/iocore/net/SSLStats.cc
index 440846731f..ee8c6cb629 100644
--- a/src/iocore/net/SSLStats.cc
+++ b/src/iocore/net/SSLStats.cc
@@ -36,8 +36,10 @@ std::unordered_map<std::string, Metrics::Counter::AtomicType
*> cipher_map;
#ifdef OPENSSL_IS_BORINGSSL
std::unordered_map<std::string, Metrics::Counter::AtomicType *> tls_group_map;
+std::unordered_map<std::string, Metrics::Counter::AtomicType *>
tls_group_handshake_time_map;
#elif defined(SSL_get_negotiated_group)
std::unordered_map<int, Metrics::Counter::AtomicType *> tls_group_map;
+std::unordered_map<int, Metrics::Counter::AtomicType *>
tls_group_handshake_time_map;
#endif
namespace
@@ -61,6 +63,15 @@ add_group_stat(T key, const std::string &name)
tls_group_map.emplace(key, metric);
Dbg(dbg_ctl_ssl, "registering SSL group metric '%s'", name.c_str());
}
+
+ // Register corresponding handshake time metric
+ if (tls_group_handshake_time_map.find(key) ==
tls_group_handshake_time_map.end()) {
+ Metrics::Counter::AtomicType *time_metric =
+ Metrics::Counter::createPtr("proxy.process.ssl.group.user_agent." + name
+ ".handshake_time");
+
+ tls_group_handshake_time_map.emplace(key, time_metric);
+ Dbg(dbg_ctl_ssl, "registering SSL group handshake time metric
'%s.handshake_time'", name.c_str());
+ }
}
#endif // OPENSSL_IS_BORINGSSL or SSL_get_negotiated_group
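Review bot: `tls_group_handshake_time_map` is a plain global `std::unordered_map` that this block mutates with `emplace`, while the handshake path in TLSBasicSupport.cc reads it with `find`, and nothing in the hunk states why that is safe. If `add_group_stat` only runs during startup before any handshake is accepted (not visible here), say so next to the registration, e.g. `// Populated once at startup; read-only afterwards, so handshake threads may call find() without locking.` Separately, the `Dbg` line prints `'%s.handshake_time'` with the bare group name rather than the metric that was registered. Building the full name once and passing it to both `createPtr` and `Dbg` would keep the log greppable against the stats output, and a short comment giving the unit of the accumulated value would help readers of the metric. The body of `add_group_stat` begins outside the hunk.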
diff --git a/src/iocore/net/SSLStats.h b/src/iocore/net/SSLStats.h
index 9e2cdc428f..7e326029f3 100644
--- a/src/iocore/net/SSLStats.h
+++ b/src/iocore/net/SSLStats.h
@@ -116,8 +116,10 @@ extern std::unordered_map<std::string,
Metrics::Counter::AtomicType *> cipher_ma
#if defined(OPENSSL_IS_BORINGSSL)
extern std::unordered_map<std::string, Metrics::Counter::AtomicType *>
tls_group_map;
+extern std::unordered_map<std::string, Metrics::Counter::AtomicType *>
tls_group_handshake_time_map;
#elif defined(SSL_get_negotiated_group)
extern std::unordered_map<int, Metrics::Counter::AtomicType *> tls_group_map;
+extern std::unordered_map<int, Metrics::Counter::AtomicType *>
tls_group_handshake_time_map;
constexpr int
SSL_GROUP_STAT_OTHER_KEY = 0;
#endif
diff --git a/src/iocore/net/TLSBasicSupport.cc
b/src/iocore/net/TLSBasicSupport.cc
index bb77dab836..c837126075 100644
--- a/src/iocore/net/TLSBasicSupport.cc
+++ b/src/iocore/net/TLSBasicSupport.cc
@@ -238,6 +238,31 @@ TLSBasicSupport::_record_tls_handshake_end_time()
Dbg(dbg_ctl_ssl, "ssl handshake time:%" PRId64, ssl_handshake_time);
Metrics::Counter::increment(ssl_rsb.total_handshake_time,
ssl_handshake_time);
+
+ // Record per-group handshake time
+#if defined(OPENSSL_IS_BORINGSSL)
+ SSL *ssl = this->_get_ssl_object();
+ uint16_t group_id = SSL_get_group_id(ssl);
+ if (group_id != 0) {
+ const char *group_name = SSL_get_group_name(group_id);
+ if (auto it = tls_group_handshake_time_map.find(group_name); it !=
tls_group_handshake_time_map.end()) {
+ Metrics::Counter::increment(it->second, ssl_handshake_time);
+ }
+ }
+#elif defined(SSL_get_negotiated_group)
+ SSL *ssl = this->_get_ssl_object();
+ int nid = SSL_get_negotiated_group(const_cast<SSL *>(ssl));
+ if (nid != NID_undef) {
+ if (auto it = tls_group_handshake_time_map.find(nid); it !=
tls_group_handshake_time_map.end()) {
+ Metrics::Counter::increment(it->second, ssl_handshake_time);
+ } else {
+ auto other = tls_group_handshake_time_map.find(SSL_GROUP_STAT_OTHER_KEY);
+ if (other != tls_group_handshake_time_map.end()) {
+ Metrics::Counter::increment(other->second, ssl_handshake_time);
+ }
+ }
+ }
+#endif
}
void
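Review bot: In the BoringSSL branch the result of `SSL_get_group_name(group_id)` is passed straight to `tls_group_handshake_time_map.find(group_name)`. That call is documented to return NULL for a group id it does not recognise, and constructing the `std::string` key from a null `const char *` is undefined behaviour on a path driven by the peer's negotiated group. Guard it with the if-init form the hunk already uses: `if (const char *group_name = SSL_get_group_name(group_id); group_name != nullptr) {`. The two branches also differ in that the OpenSSL one falls back to `SSL_GROUP_STAT_OTHER_KEY` while the BoringSSL one silently drops the time for an unregistered group, so if that is intentional a one-line comment should say so. In the OpenSSL branch `const_cast<SSL *>(ssl)` is redundant, since `ssl` is already declared `SSL *`. Neither branch checks `ssl` for null before use, which is fine only if `_get_ssl_object()` cannot return null at this point; the function starts outside the hunk, so that cannot be confirmed from here.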