BBlack has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/378246 )

Change subject: varnishxcps: generate new hierarchical TLS stats
......................................................................


varnishxcps: generate new hierarchical TLS stats

One of the main problems with our current TLS stats is that the
TLS attributes of a given request are counted up independently.

For example, with the current stats we know these two independent
facts:
1) That 0.7% of clients use DHE-RSA-AES128-SHA
2) That 95.6% use TLSv1.2, 0.3% use TLSv1.1, and 4.1% use TLSv1.0

But we can't answer questions like: "What percentage of
DHE-RSA-AES128-SHA negotiators used TLSv1.0?"

This hierarchical dataset can answer that question, and many
others like it (e.g. what percentage of chapoly negotiators also
use x25519?).  It will require a few new grafana boards to make
sense of it in different ways.

Change-Id: I7a1d33ff3c195a9b9c218910ede6b1b2160e7da3
---
M modules/varnish/files/varnishxcps
1 file changed, 41 insertions(+), 5 deletions(-)

Approvals:
  BBlack: Looks good to me, approved
  jenkins-bot: Verified
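The commit message explains why independent per-attribute counters cannot answer a conditional question such as "what percentage of DHE-RSA-AES128-SHA negotiators used TLSv1.0", while the hierarchical tls.<tls-version>.<key-exchange>.<auth>.<cipher> keys can. The following is an added illustration, not code from this change or from the varnishxcps script: it takes a constructed set of hierarchical counters in that layout (the numbers are made up), collapses them to the old-style marginals, and then computes the conditional shares the message talks about. The field names `version`, `kx`, `auth` and `cipher` are assumptions chosen here for readability.

```python
from collections import Counter

# Constructed sample: hierarchical counters in the tls.<version>.<kx>.<auth>.<cipher>
# layout described in the commit message. Counts are invented for illustration.
SAMPLE_STATS = {
    "tls.tlsv1_2.x25519.ecdsa.aes128-gcm-sha256": 900,
    "tls.tlsv1_2.prime256v1.rsa.aes128-gcm-sha256": 40,
    "tls.tlsv1_2.dhe.rsa.aes128-sha": 4,
    "tls.tlsv1_1.dhe.rsa.aes128-sha": 1,
    "tls.tlsv1.dhe.rsa.aes128-sha": 2,
    "tls.tlsv1.rsa.rsa.aes128-sha": 20,
    "tls.tlsv1_2.x25519.ecdsa.chacha20-poly1305-sha256": 30,
    "tls.tlsv1_2.prime256v1.ecdsa.chacha20-poly1305-sha256": 3,
}

# Assumed attribute names for the four levels below the "tls" prefix.
FIELDS = ("version", "kx", "auth", "cipher")


def parse_key(key):
    """Split one hierarchical stat key into its four attributes."""
    parts = key.split(".")
    if len(parts) != 5 or parts[0] != "tls":
        raise ValueError("not a hierarchical tls stat key: %r" % key)
    return dict(zip(FIELDS, parts[1:]))


def marginal(stats, field):
    """Collapse the hierarchy to one attribute.

    This is all the legacy split stats could tell us: e.g. the overall
    TLS-version distribution, with no link to the cipher in use.
    """
    counts = Counter()
    for key, n in stats.items():
        counts[parse_key(key)[field]] += n
    return counts


def conditional(stats, given, field):
    """Distribution of `field` restricted to records matching every item in `given`.

    `given` maps attribute names to required values, e.g.
    {"kx": "dhe", "auth": "rsa", "cipher": "aes128-sha"}.
    """
    counts = Counter()
    for key, n in stats.items():
        attrs = parse_key(key)
        if all(attrs[k] == v for k, v in given.items()):
            counts[attrs[field]] += n
    return counts


def share(counts, value):
    """Percentage of the counter's total held by `value` (0.0 on an empty counter)."""
    total = sum(counts.values())
    return 100.0 * counts.get(value, 0) / total if total else 0.0


if __name__ == "__main__":
    # What the old stats answer: overall share of TLSv1.0.
    versions = marginal(SAMPLE_STATS, "version")
    print("TLSv1.0 overall: %.1f%%" % share(versions, "tlsv1"))

    # What only the hierarchical stats answer: among DHE-RSA-AES128-SHA
    # negotiators, how many were on TLSv1.0?
    dhe = conditional(SAMPLE_STATS,
                      {"kx": "dhe", "auth": "rsa", "cipher": "aes128-sha"},
                      "version")
    print("TLSv1.0 among DHE-RSA-AES128-SHA: %.1f%%" % share(dhe, "tlsv1"))

    # The other example from the message: chapoly negotiators also using x25519.
    chapoly = conditional(SAMPLE_STATS,
                          {"cipher": "chacha20-poly1305-sha256"}, "kx")
    print("x25519 among chapoly: %.1f%%" % share(chapoly, "x25519"))
```

The two conditional queries are the ones the commit message cites; the marginal helper shows that the same counters still reproduce the old per-attribute view, so the hierarchical keys are a strict superset of the legacy information.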



diff --git a/modules/varnish/files/varnishxcps 
b/modules/varnish/files/varnishxcps
index 9fbaf85..5b40f79 100755
--- a/modules/varnish/files/varnishxcps
+++ b/modules/varnish/files/varnishxcps
@@ -34,6 +34,19 @@
 from cachestats import CacheStatsSender
 
 
+# Our newer hierarchical stats are structured like:
+# tls.<tls-version>.<key-exchange>.<auth>.<cipher>
+# Where the legal values look like:
+# tls-version: tlsv1, tlsv1_1, tlsv1_2, tlsv1_3
+# key-exchange: x25519, prime256v1, ffdheNNNN (?), dhe, rsa
+# auth: ecdsa, rsa
+# cipher: aes128-gcm-sha256 (stripped of kx-auth|tls13- prefix)
+# Note also that our current parsing and interpretation assumes:
+# 1) TLSv1.3 clients use ECDSA exclusively (we'll need to modify some nginx
+#    stuff to do any differently...), or at least are capable...
+# 2) That if TLSv1.3+FFDHE gets used, the ffdhe will show up as the named curve
+#    via openssl? (unlikely to be a problem?)
+
 class XcpsCacheStatsSender(CacheStatsSender):
 
     cmd = ['/usr/bin/varnishncsa', '-n', 'frontend',
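Review bot: the comment block leaves two open questions standing ("ffdheNNNN (?)" on the key-exchange line, and assumption 2 about TLSv1.3+FFDHE showing up as the named curve) without saying which bucket such records would land in if the guess is wrong, so anyone reading a grafana board later cannot tell whether an unexpected key-exchange value is a parsing gap or real traffic. Suggest either stating the fallback behaviour next to each "(?)" or turning them into a TODO with a task reference, and spelling out the stripped prefixes on the cipher line (ecdhe-ecdsa-, ecdhe-rsa-, dhe-rsa-, tls13-) so the comment matches the regex added in the next hunk.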
@@ -47,19 +60,42 @@
     def __init__(self, argument_list):
         super(XcpsCacheStatsSender, self).__init__(argument_list)
         self.key_value_pairs = re.compile('([A-Z][A-Z0-9]*)=([^;]+)')
+        self.kxa = re.compile('^(ecdhe-(ecdsa|rsa)|dhe-rsa|tls13)-')
 
     def gen_stats(self, record):
-        for k, v in self.key_value_pairs.findall(record):
-            if k == 'SSR':
+        d = {k.lower(): v.lower() for
+             (k, v) in self.key_value_pairs.findall(record)}
+        if 'ssl' not in d:
+            return
+        # This creates the legacy split stats:
+        for (k, v) in d.items():
+            if k == 'ssr':
                 k = 'ssl_sessions'
                 v = 'reused' if v == '1' else 'negotiated'
-            elif k == 'C':
+            elif k == 'c':
                 k = 'ssl_cipher'
-            elif k == 'EC':
+            elif k == 'ec':
                 k = 'ssl_ecdhe_curve'
             v = v.replace('.', '_')
-            s = '.'.join((k, v)).lower()
+            s = '.'.join((k, v))
             self.stats[s] = self.stats.get(s, 0) + 1
+        # This creates the new hierarchical stats (one stat bump per record)
+        parts = ('tls', d['ssl'].replace('.', '_'))
+        kxam = self.kxa.match(d['c'])
+        if kxam:
+            ciph = self.kxa.sub('', d['c'])
+            if kxam.group(1) == 'ecdhe-ecdsa':
+                parts += (d['ec'], 'ecdsa', ciph)
+            elif kxam.group(1) == 'ecdhe-rsa':
+                parts += (d['ec'], 'rsa', ciph)
+            elif kxam.group(1) == 'dhe-rsa':
+                parts += ('dhe', 'rsa', ciph)
+            else:  # TLS13
+                parts += (d['ec'], 'ecdsa', ciph)
+        else:
+            parts += ('rsa', 'rsa', d['c'])
+        s = '.'.join(parts)
+        self.stats[s] = self.stats.get(s, 0) + 1
 
 
 if __name__ == "__main__":
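Review bot: the hierarchical block indexes `d['c']` and `d['ec']` directly (`kxam = self.kxa.match(d['c'])` and the three `parts += (d['ec'], ...)` lines), so a record that carries SSL= but no C= or EC= raises KeyError after the legacy counters in the loop above have already been bumped, leaving the two stat families out of step and aborting gen_stats for that record. Suggest `d.get('c', '')` with an early return when the cipher is empty, and `d.get('ec', 'unknown')` (or similar sentinel) for the curve so that such records are counted in a visible bucket rather than crashing. Also worth confirming as intended: the new `if 'ssl' not in d: return` means records without SSL= no longer contribute to the legacy split stats at all, whereas the removed `for k, v in self.key_value_pairs.findall(record)` loop counted every key present.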

-- 
To view, visit https://gerrit.wikimedia.org/r/378246
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I7a1d33ff3c195a9b9c218910ede6b1b2160e7da3
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BBlack <bbl...@wikimedia.org>
Gerrit-Reviewer: BBlack <bbl...@wikimedia.org>
Gerrit-Reviewer: Ema <e...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits