Ema has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/398311 )
Change subject: vcl: add hash function name to CHACHA20-POLY1305 cipher ...................................................................... vcl: add hash function name to CHACHA20-POLY1305 cipher The hash function used by all ciphersuites described in rfc7905 is SHA-256. Starting with TLSv1.3, CHACHA20-POLY1305 will be renamed into CHACHA20-POLY1305-SHA256. Do the renaming now in our VCL to avoid stats getting skewed later on. Ref: https://tools.ietf.org/html/rfc7905#section-2 Change-Id: I9dec5f879c1b53be2232da83bbbf76170b49a18c --- M modules/mtail/files/test/logs/varnish.test M modules/mtail/files/test/varnish_test.py M modules/varnish/files/tests/upload/16-x-connection-properties.vtc M modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb 4 files changed, 22 insertions(+), 2 deletions(-) Approvals: Ema: Verified; Looks good to me, approved
diff --git a/modules/mtail/files/test/logs/varnish.test b/modules/mtail/files/test/logs/varnish.test
index e5155da..205e671 100644
--- a/modules/mtail/files/test/logs/varnish.test
+++ b/modules/mtail/files/test/logs/varnish.test
@@ -1,5 +1,5 @@
 url / cache_status int-front http_status 301 http_method GET cache_control - inm - h2 0 tls_version session_reused 0 key_exchange auth cipher full_cipher
-url /w/index.php cache_status hit-front http_status 304 http_method GET cache_control private, s-maxage=0, max-age=0, must-revalidate inm - h2 1 tls_version TLSv1.2 session_reused 1 key_exchange X25519 auth ECDSA cipher CHACHA20-POLY1305 full_cipher ECDHE-ECDSA-CHACHA20-POLY1305
+url /w/index.php cache_status hit-front http_status 304 http_method GET cache_control private, s-maxage=0, max-age=0, must-revalidate inm - h2 1 tls_version TLSv1.2 session_reused 1 key_exchange X25519 auth ECDSA cipher CHACHA20-POLY1305-SHA256 full_cipher ECDHE-ECDSA-CHACHA20-POLY1305-SHA256
 url /api/rest_v1/metrics/pageviews/per-article/fr.wikipedia.org/all-access/user/S%C3%A9lection_sexuelle/daily/20171126/20171201 cache_status hit-front http_status 200 http_method HEAD cache_control s-maxage=86400, max-age=86400 inm -
 url /w/load.php cache_status hit-front http_status 200 http_method GET cache_control public, max-age=2592000, s-maxage=2592000 inm -
 url /w/load.php cache_status hit-front http_status 200 http_method HEAD cache_control public, max-age=2592000, s-maxage=2592000 inm -
diff --git a/modules/mtail/files/test/varnish_test.py b/modules/mtail/files/test/varnish_test.py
index 0abe36e..bc584aa 100644
--- a/modules/mtail/files/test/varnish_test.py
+++ b/modules/mtail/files/test/varnish_test.py
@@ -60,7 +60,7 @@
  'version=TLSv1.2',
  'key_exchange=X25519',
  'auth=ECDSA',
- 'cipher=CHACHA20-POLY1305',
+ 'cipher=CHACHA20-POLY1305-SHA256',
  ]
  for value in expected:
  self.assertIn(value, labels)
diff --git a/modules/varnish/files/tests/upload/16-x-connection-properties.vtc b/modules/varnish/files/tests/upload/16-x-connection-properties.vtc
index eaa4037..e100dec 100644
--- a/modules/varnish/files/tests/upload/16-x-connection-properties.vtc
+++ b/modules/varnish/files/tests/upload/16-x-connection-properties.vtc
@@ -52,6 +52,18 @@
  expect req.http.X-CP-Full-Cipher == "AES128-SHA"
  txresp
+
+ rxreq
+ expect req.url == "/5"
+
+ expect req.http.X-CP-HTTP2 == "1"
+ expect req.http.X-CP-TLS-Version == "TLSv1.2"
+ expect req.http.X-CP-TLS-Session-Reused == 0
+ expect req.http.X-CP-Key-Exchange == "X25519"
+ expect req.http.X-CP-Auth == "ECDSA"
+ expect req.http.X-CP-Cipher == "CHACHA20-POLY1305-SHA256"
+
+ txresp
 } -start
 varnish v1 -arg "-p vcc_err_unref=false -p vcc_allow_inline_c=true" -vcl+backend {
@@ -74,4 +86,7 @@
  txreq -url "/4" -hdr "X-Forwarded-Proto: https" -hdr "Host: upload.wikimedia.org" -hdr "X-Connection-Properties: H2=0; SSR=1; SSL=TLSv1; C=AES128-SHA; EC=UNDEF;"
  rxresp
+
+ txreq -url "/5" -hdr "X-Forwarded-Proto: https" -hdr "Host: upload.wikimedia.org" -hdr "X-Connection-Properties: H2=1; SSR=0; SSL=TLSv1.2; C=ECDHE-ECDSA-CHACHA20-POLY1305; EC=X25519;"
+ rxresp
 } -run
diff --git a/modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb b/modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb
index e8c0153..65950d7 100644
--- a/modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb
+++ b/modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb
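Review bot: The new "/5" case asserts X-CP-Cipher but, unlike the "/4" case two lines above it, does not assert `X-CP-Full-Cipher`, so it leaves open whether the full cipher name is renamed as well. That matters because the mtail fixture in this same change now expects `full_cipher ECDHE-ECDSA-CHACHA20-POLY1305-SHA256`, while the VCL hunk only rewrites X-CP-Cipher with an anchored `^CHACHA20-POLY1305$` regsub, which would leave the full name as `ECDHE-ECDSA-CHACHA20-POLY1305` unless code outside that hunk handles it. Adding `expect req.http.X-CP-Full-Cipher == "ECDHE-ECDSA-CHACHA20-POLY1305"` (or the -SHA256 form, whichever the VCL actually emits) after the X-CP-Cipher expectation would pin this down and catch a mismatch between what VCL logs and what the mtail test data assumes. The server block this hunk extends starts outside the hunk.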
@@ -314,6 +314,11 @@
  set req.http.X-CP-Key-Exchange = "RSA";
  }
+ // Starting with TLSv1.3, CHACHA20-POLY1305 will be renamed into
+ // CHACHA20-POLY1305-SHA256. Do the renaming now in VCL to avoid stats skew
+ // later on.
+ set req.http.X-CP-Cipher = regsub(req.http.X-CP-Cipher, "^CHACHA20-POLY1305$", "CHACHA20-POLY1305-SHA256");
+
  // Log values to shared memory logs. They can be extracted with:
  // varnishncsa -F "%{VCL_Log:CP-TLS-Version}x"
  std.log("CP-HTTP2: " + req.http.X-CP-HTTP2);
-- 
To view, visit https://gerrit.wikimedia.org/r/398311 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I9dec5f879c1b53be2232da83bbbf76170b49a18c Gerrit-PatchSet: 5 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Ema <[email protected]> Gerrit-Reviewer: BBlack <[email protected]> Gerrit-Reviewer: Ema <[email protected]> Gerrit-Reviewer: Volans <[email protected]> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
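Review bot: The new `set req.http.X-CP-Cipher = regsub(...)` line runs unconditionally, including for plain-HTTP requests where X-CP-Cipher is presumably never set; if regsub() treats an unset header as an empty string, as Varnish's VRT_regsub appears to, the header comes back present-but-empty instead of unset, which is a subtle change for anything that tests the header's presence or logs it the way the `std.log("CP-HTTP2: " ...)` line at the end of the hunk does. A plain comparison states the intent more directly and touches the header only when it actually matches: `if (req.http.X-CP-Cipher == "CHACHA20-POLY1305") { set req.http.X-CP-Cipher = "CHACHA20-POLY1305-SHA256"; }`. The added comment should also record that the target name is the RFC 7905 SHA-256 suite name, e.g. `// rfc7905 ciphersuites all use SHA-256; the TLSv1.3 name carries the hash suffix explicitly.`, so a future reader can check the mapping against whatever name the TLS terminator reports once TLSv1.3 is enabled. The enclosing subroutine starts and ends outside the hunk.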
