authorJoe Orton <jorton@apache.org>2024-08-30 17:36:29 +0200
committerJoe Orton <jorton@apache.org>2024-08-30 17:36:29 +0200
commit79990b070f2e5374e1add982342b1fa71f5d189e (patch)
tree1cac0ff34346d73997084adb8e8b7268b80725f1
parentUpdate tr.xml (#1) (diff)
downloadapache2-79990b070f2e5374e1add982342b1fa71f5d189e.tar.xz
apache2-79990b070f2e5374e1add982342b1fa71f5d189e.zip
mod_ssl: Add SSL_HANDSHAKE_RTT environment variable.
* modules/ssl/ssl_engine_vars.c (ssl_var_lookup_ssl): Support SSL_HANDSHAKE_RTT. (ssl_var_lookup_ssl_handshake_rtt): New function. * modules/ssl/ssl_engine_kernel.c (ssl_hook_Fixup_vars): Add SSL_HANDSHAKE_RTT. Submitted by: csmutz Github: closes #477 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1920297 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r--changes-entries/ssl-handshake-rtt.txt1
-rw-r--r--docs/manual/mod/mod_ssl.xml1
-rw-r--r--modules/ssl/ssl_engine_kernel.c1
-rw-r--r--modules/ssl/ssl_engine_vars.c14
4 files changed, 17 insertions, 0 deletions
diff --git a/changes-entries/ssl-handshake-rtt.txt b/changes-entries/ssl-handshake-rtt.txt
new file mode 100644
index 0000000000..f48dfbce1e
--- /dev/null
+++ b/changes-entries/ssl-handshake-rtt.txt
@@ -0,0 +1 @@
+ *) mod_ssl: Add SSL_HANDSHAKE_RTT environment variable. [csmutz]
diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml
index 092bbb2e51..c4be28c7cf 100644
--- a/docs/manual/mod/mod_ssl.xml
+++ b/docs/manual/mod/mod_ssl.xml
@@ -109,6 +109,7 @@ compatibility variables.</p>
<tr><td><code>SSL_SRP_USER</code></td> <td>string</td> <td>SRP username</td></tr>
<tr><td><code>SSL_SRP_USERINFO</code></td> <td>string</td> <td>SRP user info</td></tr>
<tr><td><code>SSL_TLS_SNI</code></td> <td>string</td> <td>Contents of the SNI TLS extension (if supplied with ClientHello)</td></tr>
+<tr><td><code>SSL_HANDSHAKE_RTT</code></td> <td>number</td> <td>Round-trip time of TLS handshake in microseconds including endpoint processing (set to empty string if OpenSSL version prior to 3.2 or if round-trip time can not be determined)</td></tr>
</table>
<p><em>x509</em> specifies a component of an X.509 DN; one of
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index e89bc0cecc..4ce98aa80b 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -1546,6 +1546,7 @@ static const char *const ssl_hook_Fixup_vars[] = {
"SSL_SRP_USER",
"SSL_SRP_USERINFO",
#endif
+ "SSL_HANDSHAKE_RTT",
NULL
};
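Review bot: The new `"SSL_HANDSHAKE_RTT"` entry sits after the `#endif` and is therefore unconditional, while the lookup added in ssl_engine_vars.c can only return a value when built against OpenSSL 3.2 or later. On older builds every request that exports the standard variables performs a lookup that always yields NULL. The loop that consumes this array is outside the hunk, so it is not visible whether a NULL result becomes an empty variable or no variable at all. The mod_ssl.xml text promises "set to empty string", so that should be confirmed; scripts that parse the value as a number need to know which case to expect. If the variable is meant to be absent on old builds, wrapping the entry in `#if OPENSSL_VERSION_NUMBER >= 0x30200000L` … `#endif` would match the guard used in the lookup function.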
diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c
index d8881734b9..7d09846c27 100644
--- a/modules/ssl/ssl_engine_vars.c
+++ b/modules/ssl/ssl_engine_vars.c
@@ -51,6 +51,7 @@ static const char *ssl_var_lookup_ssl_cert_rfc4523_cea(apr_pool_t *p, SSL *ssl);
static const char *ssl_var_lookup_ssl_cert_verify(apr_pool_t *p, const SSLConnRec *sslconn);
static const char *ssl_var_lookup_ssl_cipher(apr_pool_t *p, const SSLConnRec *sslconn, const char *var);
static void ssl_var_lookup_ssl_cipher_bits(SSL *ssl, int *usekeysize, int *algkeysize);
+static const char *ssl_var_lookup_ssl_handshake_rtt(apr_pool_t *p, SSL *ssl);
static const char *ssl_var_lookup_ssl_version(const char *var);
static const char *ssl_var_lookup_ssl_compress_meth(SSL *ssl);
@@ -472,6 +473,9 @@ static const char *ssl_var_lookup_ssl(apr_pool_t *p, const SSLConnRec *sslconn,
else if (ssl != NULL && strlen(var) >= 6 && strcEQn(var, "CIPHER", 6)) {
result = ssl_var_lookup_ssl_cipher(p, sslconn, var+6);
}
+ else if (ssl != NULL && strcEQ(var, "HANDSHAKE_RTT")) {
+ result = ssl_var_lookup_ssl_handshake_rtt(p, ssl);
+ }
else if (ssl != NULL && strlen(var) > 18 && strcEQn(var, "CLIENT_CERT_CHAIN_", 18)) {
sk = SSL_get_peer_cert_chain(ssl);
result = ssl_var_lookup_ssl_cert_chain(p, sk, var+18, 1);
@@ -961,6 +965,16 @@ static void ssl_var_lookup_ssl_cipher_bits(SSL *ssl, int *usekeysize, int *algke
return;
}
+static const char *ssl_var_lookup_ssl_handshake_rtt(apr_pool_t *p, SSL *ssl)
+{
+#if OPENSSL_VERSION_NUMBER >= 0x30200000L
+ apr_uint64_t rtt;
+ if (SSL_get_handshake_rtt(ssl, &rtt) > 0)
+ return apr_psprintf(p, "%" APR_UINT64_T_FMT, rtt);
+#endif
+ return NULL;
+}
+
static const char *ssl_var_lookup_ssl_version(const char *var)
{
if (strEQ(var, "INTERFACE")) {
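Review bot: In `ssl_var_lookup_ssl_handshake_rtt`, `rtt` is declared `apr_uint64_t` but its address is passed to `SSL_get_handshake_rtt()`, whose out-parameter is a `uint64_t *`. On a platform where APR's 64-bit typedef is not the same underlying type as the C library's `uint64_t`, this would be an incompatible-pointer-type diagnostic. Declaring `uint64_t rtt;` and formatting with `apr_psprintf(p, "%" APR_UINT64_T_FMT, (apr_uint64_t)rtt)` keeps both the call and the format string well-typed. The function would also benefit from a header comment such as `/* Handshake RTT in microseconds as a decimal string, or NULL if unavailable (OpenSSL < 3.2 or no measurement). */`. That would make it clear that the `> 0` test deliberately treats both the "not available" and the error return as "no value".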