Add: Server-side TLS handshake milestones and timing fixes

[bryancall]

Description

Add TS_MILESTONE_SERVER_TLS_HANDSHAKE_START and TS_MILESTONE_SERVER_TLS_HANDSHAKE_END milestones to capture origin-side TLS handshake timing. Previously, only client-side TLS timing was available via TS_MILESTONE_TLS_HANDSHAKE_START/END, making it impossible to measure origin TLS handshake overhead in the slow log or via the milestone API.

Changes

New server-side TLS milestones (commit 1)

• Add TS_MILESTONE_SERVER_TLS_HANDSHAKE_START/END enum values in apidefs.h.in (ABI compatible — appended before TS_MILESTONE_LAST_ENTRY)
• Capture server TLS timing in HttpSM::state_http_server_open() for both the direct (VC_EVENT_WRITE_COMPLETE) and multiplexed (CONNECT_EVENT_TXN) connection paths
• Fix: SSLNetVConnection::sslClientHandShakeEvent() was recording TLS handshake start time for outbound connections but never calling _record_tls_handshake_end_time() — outbound TLS end time was always 0
• Rename slow log field tls_handshake → ua_tls_handshake for clarity, add new server_tls_handshake field in logical position after server_connect_end
• Update LogField.cc milestone-to-string mappings for custom log fields
• Add Lua plugin milestone constants (TS_LUA_MILESTONE_SERVER_TLS_HANDSHAKE_START/END)
• Update TSHttpTxnMilestoneGet API documentation
• Update slow_log_report.pl to parse new field names

Fix difference_msec() milestone check (commit 2)

• difference_msec() only checked if ms_end == 0 (unset) before returning the missing sentinel. If ms_start was unset but ms_end was set, the subtraction would produce a garbage value. Now checks both ms_start and ms_end for 0.

Use SM_START as base for server_tls_handshake (commit 3)

• Change server_tls_handshake from a duration to an offset from SM_START, consistent with all other server-side fields in the slow log timeline.

Add comments explaining connection paths (commit 4)

• Clarify that CONNECT_EVENT_TXN is the multiplexed path (HTTP/2) and VC_EVENT_WRITE_COMPLETE is the direct path (HTTP/1).

Make slow_log_report.pl backward compatible (commit 5)

• The tls_handshake → ua_tls_handshake rename broke parsing of old-format logs. The report script now accepts both field names.

Use pre-remap URL in slow log (commit 6)

• The slow log was printing the post-remap (origin-facing) URL. Changed to use t_state.unmapped_url (the pre-remap URL) so the log shows the URL the client actually requested.

Behavior Notes

• When no server TLS handshake occurs (non-TLS origin, connection reuse), the milestones remain 0 and the slow log reports -0.001 (the "missing" sentinel), consistent with other unset milestones.
• The tls_handshake → ua_tls_handshake rename is a slow log text change only — it does not affect ABI.
• Existing TS_MILESTONE_TLS_HANDSHAKE_START/END enum values and behavior are unchanged.

Testing

• Build passes (including ASAN build)
• Manual testing with client-side and server-side TLS verified both milestone pairs populate correctly
• slow_log_report.pl correctly parses and reports both ua_tls_handshake and server_tls_handshake
• Verified milestones remain 0 for non-TLS and connection-reuse scenarios

[Copilot]

Pull request overview

This pull request adds server-side TLS handshake milestones to Apache Traffic Server, enabling measurement of origin TLS handshake overhead. The PR addresses two main issues: (1) missing visibility into server-side TLS handshake timing, and (2) bugs in milestone timing capture and calculation.

Changes:

• Adds TS_MILESTONE_SERVER_TLS_HANDSHAKE_START/END enum values and captures server TLS timing in both direct and multiplexed connection paths
• Fixes missing TLS handshake end time recording for outbound connections in SSLNetVConnection::sslClientHandShakeEvent()
• Fixes difference_msec() to check both start and end milestones for 0 before computing difference
• Renames slow log field tls_handshake to ua_tls_handshake for clarity and adds server_tls_handshake field

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
include/ts/apidefs.h.in	Adds TS_MILESTONE_SERVER_TLS_HANDSHAKE_START/END enum values before TS_MILESTONE_LAST_ENTRY (ABI-compatible)
include/proxy/Milestones.h	Fixes difference_msec() to check both start and end for zero before subtraction
src/iocore/net/SSLNetVConnection.cc	Adds missing _record_tls_handshake_end_time() call for outbound TLS connections
src/proxy/http/HttpSM.cc	Captures server TLS milestones in both connection paths (direct and multiplexed); renames slow log field to ua_tls_handshake and adds server_tls_handshake
src/proxy/logging/LogField.cc	Adds milestone string mappings for new server TLS milestones with TODO comments for ATS 11 rename
plugins/lua/ts_lua_http_milestone.cc	Adds Lua plugin constants for server TLS handshake milestones
doc/developer-guide/api/functions/TSHttpTxnMilestoneGet.en.rst	Updates API documentation to clarify client vs. server TLS handshake milestones
doc/admin-guide/plugins/lua.en.rst	Documents new Lua milestone constants
tools/slow_log_report.pl	Updates regex to parse renamed ua_tls_handshake field and new server_tls_handshake field

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[cmcfarlen]

I see the milestones are set in two places, but it's not clear why or which is correct. Can you clarify this for me?

[cmcfarlen]

Why was this added? This function seems to deal with the client side, but the comment mentions outbound connections. And, if this were the outbound side, are we expecting the metrics this function updates to include both sides TLS?

[bryancall]

The naming in this file is from the TLS role perspective, not the ATS role. sslClientHandShakeEvent() handles the outbound side where ATS acts as the TLS client connecting to the origin. sslServerHandShakeEvent() handles the inbound side where ATS acts as the TLS server accepting client connections.

The inbound side already records the end time (line 1383), but the outbound side was missing it — this is a bug fix. Without this, get_tls_handshake_end_time() returns zero when HttpSM tries to copy the timestamps into milestones.

I've updated the comment to clarify the naming convention and the two-stage pattern.

[cmcfarlen]

This sets both milestones after the end time is known. Should we set the start milestone when it starts vs here? As it is, if this code isn't reached, the start milestone won't be set.

[bryancall]

The HttpSM doesn't have access to the netvc during the handshake in the multiplexed path — ConnectingEntry owns the connection and dispatches CONNECT_EVENT_TXN after the handshake completes. So this is the earliest point the SM can grab the timestamps.

The actual start/end times are captured in real-time at the netvc layer (sslClientHandShakeEvent() records the end time, and the begin time is set when the handshake starts). We're just copying them into milestones here. If this code isn't reached (e.g. connection failure), the milestones stay at zero, which is correct — difference_msec() checks for zero before computing the difference.

Updated the comments to make this clearer.

[cmcfarlen]

Why are these set again?

[bryancall]

These aren't duplicates — they're two mutually exclusive connection paths. CONNECT_EVENT_TXN fires for multiplexed connections (H2/H3) where ConnectingEntry manages the connection. VC_EVENT_WRITE_COMPLETE fires for direct connections (H1) where the SM owns the netvc. A given connection goes through one path or the other, never both.

Updated both comments to cross-reference each other and explicitly state they're mutually exclusive.

[Copilot]

Pull request overview

Copilot reviewed 9 out of 9 changed files in this pull request and generated no new comments.

[bryancall]

[approve ci autest 1]