envoyproxy
diff --git a/‎api/envoy/data/accesslog/v2/accesslog.proto‎
Lines changed: 6 additions & 0 deletions b/‎api/envoy/data/accesslog/v2/accesslog.proto‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎docs/root/configuration/access_log.rst‎
Lines changed: 13 additions & 2 deletions b/‎docs/root/configuration/access_log.rst‎
Lines changed: 13 additions & 2 deletions
diff --git a/‎docs/root/intro/arch_overview/ssl.rst‎
Lines changed: 20 additions & 0 deletions b/‎docs/root/intro/arch_overview/ssl.rst‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎docs/root/intro/version_history.rst‎
Lines changed: 3 additions & 1 deletion b/‎docs/root/intro/version_history.rst‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎include/envoy/http/codec.h‎
Lines changed: 3 additions & 1 deletion b/‎include/envoy/http/codec.h‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎include/envoy/http/conn_pool.h‎
Lines changed: 2 additions & 1 deletion b/‎include/envoy/http/conn_pool.h‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎include/envoy/network/connection.h‎
Lines changed: 6 additions & 0 deletions b/‎include/envoy/network/connection.h‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎include/envoy/network/transport_socket.h‎
Lines changed: 6 additions & 0 deletions b/‎include/envoy/network/transport_socket.h‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎include/envoy/stream_info/stream_info.h‎
Lines changed: 11 additions & 0 deletions b/‎include/envoy/stream_info/stream_info.h‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎source/common/access_log/access_log_formatter.cc‎
Lines changed: 8 additions & 0 deletions b/‎source/common/access_log/access_log_formatter.cc‎
Lines changed: 8 additions & 0 deletions
@@ -135,6 +135,12 @@ message AccessLogCommon {
   // that ID in this field and cross reference later. It can also be used to
   // determine if a canary endpoint was used or not.
   envoy.api.v2.core.Metadata metadata = 17;
+
+  // If upstream connection failed due to transport socket (e.g. TLS handshake), provides the
+  // failure reason from the transport socket. The format of this field depends on the configured
+  // upstream transport socket. Common TLS failures are in
+  // :ref:`TLS trouble shooting <arch_overview_ssl_trouble_shooting>`.
+  string upstream_transport_failure_reason = 18;
 }
 
 // Flags indicating occurrences during request/response processing.
 
@@ -28,7 +28,7 @@ Format Strings
 --------------
 
 Format strings are plain strings, specified using the ``format`` key. They may contain
-either command operators or other characters interpreted as a plain string. 
+either command operators or other characters interpreted as a plain string.
 The access log formatter does not make any assumptions about a new line separator, so one
 has to specified as part of the format string.
 See the :ref:`default format <config_access_log_default_format>` for an example.
@@ -78,7 +78,7 @@ For example, with the following format provided in the configuration:
       }
     }
   }
-  
+
 The following JSON object would be written to the log file:
 
 .. code-block:: json
@@ -228,6 +228,17 @@ The following command operators are supported:
   Local address of the upstream connection. If the address is an IP address it includes both
   address and port.
 
+.. _config_access_log_format_upstream_transport_failure_reason:
+
+%UPSTREAM_TRANSPORT_FAILURE_REASON%
+  HTTP
+    If upstream connection failed due to transport socket (e.g. TLS handshake), provides the failure
+    reason from the transport socket. The format of this field depends on the configured upstream
+    transport socket. Common TLS failures are in :ref:`TLS trouble shooting <arch_overview_ssl_trouble_shooting>`.
+
+  TCP
+    Not implemented ("-")
+
 %DOWNSTREAM_REMOTE_ADDRESS%
   Remote address of the downstream connection. If the address is an IP address it includes both
   address and port.
 
@@ -158,3 +158,23 @@ infrastructure.
 
 Client TLS authentication filter :ref:`configuration reference
 <config_network_filters_client_ssl_auth>`.
+
+.. _arch_overview_ssl_trouble_shooting:
+
+Trouble shooting
+----------------
+
+When Envoy originates TLS when making connections to upstream clusters, any errors will be logged into
+:ref:`UPSTREAM_TRANSPORT_FAILURE_REASON<config_access_log_format_upstream_transport_failure_reason>` field or
+:ref:`AccessLogCommon.upstream_transport_failure_reason<envoy_api_field_data.accesslog.v2.AccessLogCommon.upstream_transport_failure_reason>` field.
+Common errors are:
+
+* ``Secret is not supplied by SDS``: Envoy is still waiting SDS to deliver key/cert or root CA.
+* ``SSLV3_ALERT_CERTIFICATE_EXPIRED``: Peer certificate is expired and not allowed in config.
+* ``SSLV3_ALERT_CERTIFICATE_UNKNOWN``: Peer certificate is not in config specified SPKI.
+* ``SSLV3_ALERT_HANDSHAKE_FAILURE``: Handshake failed, usually due to upstream requires client certificate but not presented.
+* ``TLSV1_ALERT_PROTOCOL_VERSION``: TLS protocol version mismatch.
+* ``TLSV1_ALERT_UNKNOWN_CA``: Peer certificate CA is not in trusted CA.
+
+More detailed list of error that can be raised by BoringSSL can be found
+`here <https://github.com/google/boringssl/blob/master/crypto/err/ssl.errordata>`_
@@ -6,6 +6,8 @@ Version history
 * access log: added a new flag for upstream retry count exceeded.
 * access log: added a :ref:`gRPC filter <envoy_api_msg_config.filter.accesslog.v2.GrpcStatusFilter>` to allow filtering on gRPC status.
 * access log: added a new flag for stream idle timeout.
+* access log: added a new field for upstream transport failure reason in :ref:`file access logger<config_access_log_format_upstream_transport_failure_reason>` and
+  :ref:`gRPC access logger<envoy_api_field_data.accesslog.v2.AccessLogCommon.upstream_transport_failure_reason>` for HTTP access logs.
 * admin: the admin server can now be accessed via HTTP/2 (prior knowledge).
 * buffer: fix vulnerabilities when allocation fails.
 * build: releases are built with GCC-7 and linked with LLD.
@@ -17,7 +19,7 @@ Version history
 * config: finish cluster warming only when a named response i.e. ClusterLoadAssignment associated to the cluster being warmed comes in the EDS response. This is a behavioural change from the current implementation where warming of cluster completes on missing load assignments also.
 * config: use Envoy cpuset size to set the default number or worker threads if :option:`--cpuset-threads` is enabled.
 * cors: added :ref:`filter_enabled & shadow_enabled RuntimeFractionalPercent flags <cors-runtime>` to filter.
-* ext_authz: added an configurable option to make the gRPC service cross-compatible with V2Alpha. Note that this feature is already deprecated. It should be used for a short time, and only when transitioning from alpha to V2 release version. 
+* ext_authz: added an configurable option to make the gRPC service cross-compatible with V2Alpha. Note that this feature is already deprecated. It should be used for a short time, and only when transitioning from alpha to V2 release version.
 * ext_authz: migrated from V2alpha to V2 and improved the documentation.
 * ext_authz: authorization request and response configuration has been separated into two distinct objects: :ref:`authorization request
   <envoy_api_field_config.filter.http.ext_authz.v2.HttpService.authorization_request>` and :ref:`authorization response
 
@@ -134,8 +134,10 @@ class StreamCallbacks {
   /**
    * Fires when a stream has been remote reset.
    * @param reason supplies the reset reason.
+   * @param transport_failure_reason supplies underlying transport failure reason.
    */
-  virtual void onResetStream(StreamResetReason reason) PURE;
+  virtual void onResetStream(StreamResetReason reason,
+                             absl::string_view transport_failure_reason) PURE;
 
   /**
    * Fires when a stream, or the connection the stream is sending to, goes over its high watermark.
 
@@ -46,10 +46,11 @@ class Callbacks {
   /**
    * Called when a pool error occurred and no connection could be acquired for making the request.
    * @param reason supplies the failure reason.
+   * @param transport_failure_reason supplies the details of the transport failure reason.
    * @param host supplies the description of the host that caused the failure. This may be nullptr
    *             if no host was involved in the failure (for example overflow).
    */
-  virtual void onPoolFailure(PoolFailureReason reason,
+  virtual void onPoolFailure(PoolFailureReason reason, absl::string_view transport_failure_reason,
                              Upstream::HostDescriptionConstSharedPtr host) PURE;
 
   /**
 
@@ -261,6 +261,12 @@ class Connection : public Event::DeferredDeletable, public FilterManager {
    * @return std::chrono::milliseconds The delayed close timeout value.
    */
   virtual std::chrono::milliseconds delayedCloseTimeout() const PURE;
+
+  /**
+   * @return std::string the failure reason of the underlying transport socket, if no failure
+   *         occurred an empty string is returned.
+   */
+  virtual absl::string_view transportFailureReason() const PURE;
 };
 
 typedef std::unique_ptr<Connection> ConnectionPtr;
 
@@ -105,6 +105,12 @@ class TransportSocket {
    */
   virtual std::string protocol() const PURE;
 
+  /**
+   * @return std::string the last failure reason occurred on the transport socket. If no failure
+   *         has been occurred the empty string is returned.
+   */
+  virtual absl::string_view failureReason() const PURE;
+
   /**
    * @return bool whether the socket can be flushed and closed.
    */
 
@@ -364,6 +364,17 @@ class StreamInfo {
    * @return SNI value for downstream host.
    */
   virtual const std::string& requestedServerName() const PURE;
+
+  /**
+   * @param failure_reason the upstream transport failure reason.
+   */
+  virtual void setUpstreamTransportFailureReason(absl::string_view failure_reason) PURE;
+
+  /**
+   * @return const std::string& the upstream transport failure reason, e.g. certificate validation
+   *         failed.
+   */
+  virtual const std::string& upstreamTransportFailureReason() const PURE;
 };
 
 } // namespace StreamInfo
 
@@ -350,6 +350,14 @@ StreamInfoFormatter::StreamInfoFormatter(const std::string& field_name) {
         return UnspecifiedValueString;
       }
     };
+  } else if (field_name == "UPSTREAM_TRANSPORT_FAILURE_REASON") {
+    field_extractor_ = [](const StreamInfo::StreamInfo& stream_info) {
+      if (!stream_info.upstreamTransportFailureReason().empty()) {
+        return stream_info.upstreamTransportFailureReason();
+      } else {
+        return UnspecifiedValueString;
+      }
+    };
   } else {
     throw EnvoyException(fmt::format("Not supported field in StreamInfo: {}", field_name));
   }