authorBjørn Christian Seime <bjorncs@verizonmedia.com>2020-04-08 15:32:04 +0200
committerBjørn Christian Seime <bjorncs@verizonmedia.com>2020-04-08 15:40:15 +0200
commit440de4cd80bf0640445ba854efc12942b2344b3a (patch)
treec435d38b3e4f75ed4b7c2b79940ca4cfafaae81c /jdisc_http_service/src/main/java/com
parent7ed8e0eda85d186d6a8250112a4a52a6a7cbc9ad (diff)
Report expired client certificate as a separate metric
Diffstat (limited to 'jdisc_http_service/src/main/java/com')
-rw-r--r--jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyHttpServer.java1
-rw-r--r--jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/SslHandshakeFailedListener.java4
2 files changed, 5 insertions, 0 deletions
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyHttpServer.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyHttpServer.java
index c5f42ff9cc5..04db58f6d07 100644
--- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyHttpServer.java
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyHttpServer.java
@@ -110,6 +110,7 @@ public class JettyHttpServer extends AbstractServerProvider {
String CONTENT_SIZE = "jdisc.http.request.content_size";
String SSL_HANDSHAKE_FAILURE_MISSING_CLIENT_CERT = "jdisc.http.ssl.handshake.failure.missing_client_cert";
+ String SSL_HANDSHAKE_FAILURE_EXPIRED_CLIENT_CERT = "jdisc.http.ssl.handshake.failure.expired_client_cert";
String SSL_HANDSHAKE_FAILURE_INVALID_CLIENT_CERT = "jdisc.http.ssl.handshake.failure.invalid_client_cert";
String SSL_HANDSHAKE_FAILURE_INCOMPATIBLE_PROTOCOLS = "jdisc.http.ssl.handshake.failure.incompatible_protocols";
String SSL_HANDSHAKE_FAILURE_INCOMPATIBLE_CIPHERS = "jdisc.http.ssl.handshake.failure.incompatible_ciphers";
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/SslHandshakeFailedListener.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/SslHandshakeFailedListener.java
index 886071243ba..75df82036a2 100644
--- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/SslHandshakeFailedListener.java
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/SslHandshakeFailedListener.java
@@ -56,6 +56,10 @@ class SslHandshakeFailedListener implements SslHandshakeListener {
MISSING_CLIENT_CERT(
Metrics.SSL_HANDSHAKE_FAILURE_MISSING_CLIENT_CERT,
"Empty server certificate chain"),
+ EXPIRED_CLIENT_CERTIFICATE(
+ Metrics.SSL_HANDSHAKE_FAILURE_EXPIRED_CLIENT_CERT,
+ // Note: this pattern will match certificates with too late notBefore as well
+ "PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed"),
INVALID_CLIENT_CERT(
Metrics.SSL_HANDSHAKE_FAILURE_INVALID_CLIENT_CERT,
"PKIX path (building|validation) failed: .+");
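Review bot: The new EXPIRED_CLIENT_CERTIFICATE pattern matches a subset of what INVALID_CLIENT_CERT's `PKIX path (building|validation) failed: .+` matches, so the split only works if the lookup (outside this hunk) picks the first matching constant in declaration order; that dependency deserves a comment such as `// Must stay above INVALID_CLIENT_CERT, whose broader pattern also matches this message`. The match also relies on the exact wording of a JDK exception message, so if that text differs in another Java version these failures would presumably be counted as invalid_client_cert without anyone noticing; a test that pins the message would catch that. Because the pattern also covers not-yet-valid certificates, as the existing comment says, anyone alerting on `expired_client_cert` will see clock-skew failures in the same counter, which is worth stating where the metric is documented. The constant would also read more consistently as `EXPIRED_CLIENT_CERT`, matching its siblings.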