| author | luwenpeng <[email protected]> | 2021-12-31 14:06:19 +0800 |
|---|---|---|
| committer | luwenpeng <[email protected]> | 2022-01-28 13:10:26 +0800 |
| commit | e2be64b67bd5b737f163d9f24fe6e36126770996 (patch) | |
| tree | adf1914db35c5068df6bb184de512d28970cbf1a /platform/src | |
| parent | b54d87f82e7d883421d589b63acf1d29e1c0db0f (diff) | |
TSG-4030 Security Event Logs 中的 SSL.Intercept State 为 Passthrough 时,并未说明引起 Passthrough 的原因v4.5.34-20220128
(当命中 tcp passthrough 时,将 ssl_intercept_status 设置为 passthrough)
Diffstat (limited to 'platform/src')
| -rw-r--r-- | platform/src/proxy.cpp | 3 | ||||
| -rw-r--r-- | platform/src/ssl_stream.cpp | 1 |
2 files changed, 4 insertions, 0 deletions
diff --git a/platform/src/proxy.cpp b/platform/src/proxy.cpp
index b485209..b43129f 100644
--- a/platform/src/proxy.cpp
+++ b/platform/src/proxy.cpp
@@ -192,10 +192,13 @@ int tfe_proxy_fds_accept(struct tfe_proxy * ctx, int fd_downstream, int fd_upstr
 if (unlikely(ctx->tcp_all_passthrough) || tcp_passthrough > 0)
 {
 bool __true = true;
+ uint64_t ssl_intercept_status = SSL_ACTION_PASSTHROUGH;
 enum tfe_stream_proto __session_type = STREAM_PROTO_PLAIN;
 tfe_stream_option_set(stream, TFE_STREAM_OPT_PASSTHROUGH, &__true, sizeof(__true));
 tfe_stream_option_set(stream, TFE_STREAM_OPT_SESSION_TYPE, &__session_type, sizeof(__session_type));
+ tfe_cmsg_set(cmsg, TFE_CMSG_SSL_PASSTHROUGH_REASON, (const unsigned char *)"TCP Passthrough", (uint16_t)strlen("TCP Passthrough"));
+ tfe_cmsg_set(cmsg, TFE_CMSG_SSL_INTERCEPT_STATE, (const unsigned char *)&ssl_intercept_status, (uint16_t)sizeof(ssl_intercept_status));
 }
 TFE_LOG_DEBUG(ctx->logger, "%p: fetch tcp options: cmsg's tcp_passthrough: %d, conf's tcp_passthrough: %d, enalbe passthrough: %d", stream, tcp_passthrough, ctx->tcp_all_passthrough, (ctx->tcp_all_passthrough > 0 || tcp_passthrough > 0) ? 1 : 0);
diff --git a/platform/src/ssl_stream.cpp b/platform/src/ssl_stream.cpp
index a6baa70..f826129 100644
--- a/platform/src/ssl_stream.cpp
+++ b/platform/src/ssl_stream.cpp
@@ -1476,6 +1476,7 @@ static void peek_chello_on_succ(future_result_t * result, void * user)
 if (ATOMIC_READ(&certstore_is_unavailable) > 3)
 {
 s_stream->up_parts.action=SSL_ACTION_PASSTHROUGH;
+ ssl_stream_set_cmsg_string(s_stream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "Certstore Unavailable");
 TFE_LOG_ERROR(ctx->mgr->logger, "CertStore is unavailable, PASSTHROUGH");
 } |
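Review bot: Both added `tfe_cmsg_set` calls in the passthrough branch discard their result, so a failed write would leave the security event log showing a passthrough with no reason, which is the gap this commit is meant to close. The return convention of `tfe_cmsg_set` is not visible in the hunk, but if it reports failure the branch should surface it, e.g. `if (tfe_cmsg_set(cmsg, TFE_CMSG_SSL_PASSTHROUGH_REASON, ...) != 0) TFE_LOG_ERROR(ctx->logger, "%p: cannot record passthrough reason", stream);`. The same string is recorded whether the bypass came from the global `ctx->tcp_all_passthrough` switch or from the per-session `tcp_passthrough` value, so an analyst reading the log cannot tell a configuration-wide bypass of inspection from a per-connection one; distinct reason strings for the two cases would keep that visible. The state is written as the raw bytes of a `uint64_t`, which presumably has to match the width the reader of `TFE_CMSG_SSL_INTERCEPT_STATE` expects, and the literal is spelled twice for `strlen`; `static const char reason[] = "TCP Passthrough";` with `sizeof(reason) - 1` removes the duplicate. The body of `tfe_proxy_fds_accept` starts and ends outside the hunk.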
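Review bot: The added `ssl_stream_set_cmsg_string` call sits on a fail-open path, where the session is switched to passthrough once the `certstore_is_unavailable` counter exceeds 3, and nothing on these lines says that trade-off is deliberate; a comment such as `/* fail open: certstore is down, stop intercepting and record the reason for the audit log */` above the assignment would document it. The reason is a free-form literal here and in platform/src/proxy.cpp, so detection rules and dashboards that match on `"Certstore Unavailable"` would break silently if the wording changes; shared named constants for the reason strings would pin the vocabulary. Unlike the proxy.cpp hunk, this branch does not write `TFE_CMSG_SSL_INTERCEPT_STATE` itself, presumably because the state is derived later from `up_parts.action`, which is worth confirming. `peek_chello_on_succ` starts and ends outside the hunk.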
