Ema has uploaded a new change for review.
https://gerrit.wikimedia.org/r/295925
Change subject: tlsproxy: document safe/unsafe TFO usage
......................................................................
tlsproxy: document safe/unsafe TFO usage
Mention that using TFO is not necessarily always safe, with references
to the relevant RFC section.
Bug: T108827
Change-Id: I7309033da3c2673985940b716e5f8133be7f3617
---
M modules/tlsproxy/templates/localssl.erb
1 file changed, 7 insertions(+), 0 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/25/295925/1
diff --git a/modules/tlsproxy/templates/localssl.erb
b/modules/tlsproxy/templates/localssl.erb
index 553c7eb..9c6dd3f 100644
--- a/modules/tlsproxy/templates/localssl.erb
+++ b/modules/tlsproxy/templates/localssl.erb
@@ -9,6 +9,9 @@
# SSL proxying
server {
+ # Enabling TCP Fast Open is safe for HTTP over TLS. There is no
idempotency
+ # concern replaying TLS Client Hello.
+ # https://tools.ietf.org/html/rfc7413#section-6.3.2
listen [::]:443 <%= @default_server ? "default_server deferred
backlog=16384 reuseport ipv6only=on fastopen=#{fastopen_pending_max} " : ""
%>ssl http2;
listen 443 <%= @default_server ? "default_server deferred backlog=16384
reuseport fastopen=#{fastopen_pending_max} " : "" %>ssl http2;
ssl on;
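Review bot: The new comment on the 443 listeners understates what a replayed SYN-data ClientHello still costs: it cannot alter application state, but it does make the server start a TLS handshake, so the resource-exhaustion side of TFO is handled only by the `fastopen=#{fastopen_pending_max}` queue limit on the same `listen` lines. Suggest saying so in the comment (e.g. "replaying a ClientHello cannot complete a handshake or reach the application; fastopen_pending_max bounds the pending-SYN cost"), and quoting the RFC section title next to the `#section-6.3.2` anchor so the reference stays meaningful if the document's numbering differs from the draft this was written against.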
@@ -62,6 +65,10 @@
}
<% if @redir_port -%>
server {
+ # Enable TCP Fast Open for http -> https redirects since there are no
+ # idempotency concerns with HTTPS.
+ # Note that TFO is *not* safe in general for non-TLS HTTP. See
+ # https://tools.ietf.org/html/rfc7413#section-6.3.1
listen [::]:<%= @redir_port %> <%= @default_server ? "default_server
deferred backlog=4096 reuseport ipv6only=on fastopen=#{fastopen_pending_max} "
: "" %>;
listen <%= @redir_port %> <%= @default_server ? "default_server
deferred backlog=4096 reuseport fastopen=#{fastopen_pending_max} " : "" %>;
server_name <%= ([@server_name] + @server_aliases).join(" ") %>;
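Review bot: The first sentence of the new comment gives the wrong reason: this `server` block listens on plain HTTP (`@redir_port`), so "no idempotency concerns with HTTPS" does not describe why TFO is acceptable here. The actual justification is that the only thing this block does is emit a redirect, which is a pure function of the request and has no side effects, so a replayed request simply yields the same redirect. Suggest rewording to "Enable TCP Fast Open here because this server only issues http -> https redirects, which are idempotent and side-effect free", and keeping the existing note that TFO is not safe for non-TLS HTTP in general, since adding any non-redirect `location` to this block would invalidate the assumption.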
--
To view, visit https://gerrit.wikimedia.org/r/295925
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I7309033da3c2673985940b716e5f8133be7f3617
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Ema <[email protected]>
_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits