Page MenuHomePhabricator

multi-component wmflabs.org subdomains doesn't work under simple wildcard TLS cert
Open, NormalPublic

Description

An error occured: c.tiles.wmflabs.org uses an invalid security certificate.
The certificate is only valid for the following names: *.wmflabs.org, wmflabs.org
Error code: SSL_ERROR_BAD_CERT_DOMAIN

https://bugzilla.mozilla.org/show_bug.cgi?id=495339

RFC 2818, on page 4 :

Matching is performed using the matching rules specified by
[RFC2459].  If more than one identity of a given type is present in
the certificate (e.g., more than one dNSName name, a match in any one
of the set is considered acceptable.) Names may contain the wildcard
character * which is considered to match any single domain name
component or component fragment. E.g., *.a.com matches foo.a.com but
not bar.foo.a.com. f*.com matches foo.com but not bar.com.

Event Timeline

grin created this task.Mar 23 2017, 9:28 PM
Restricted Application added projects: Cloud-Services, Discovery, Traffic. · View Herald TranscriptMar 23 2017, 9:28 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
MaxSem added a subscriber: MaxSem.Mar 24 2017, 5:29 PM

These subdomains should just be removed. They made sense in the times of HTTP when browsers had a hard limit on the number of simultaneous requests per domain. Now, in the time of HTTP/2.0 over TLS, there are modern pipelining techniques that render multiple domains not needed. We should make a list of tools still using subdomains and work with their authors to migrate.

Restricted Application added a project: Operations. · View Herald TranscriptMar 24 2017, 5:29 PM
bd808 triaged this task as Normal priority.Mar 26 2017, 6:54 PM
bd808 moved this task from Triage to Backlog on the Cloud-Services board.
grin added a comment.Mar 27 2017, 9:29 AM

Now, in the time of HTTP/2.0 over TLS, there are modern pipelining techniques that render multiple domains not needed.

Just don't forget that we're talking about the Real World™, where Internet Exploder v5.0 is still reality. Not that I say I want to support that but SPDY/HTTP2 isn't that ubiquitous and older clients may well hit rate limits hard.
People with godmode flags may check how many requests are and are not using HTTP2, and help to make informed decisions.

ema moved this task from Triage to BadHerald on the Traffic board.Mar 28 2017, 9:37 AM

The only valid use for labs is WMF projects, and those don't support JS in IE under 9 (9 iS soon going to be deprecated too). No JS=no dynamic maps. And no, IE 5 is not supported in any way.

grin added a comment.Mar 28 2017, 7:54 PM

The only valid use for labs is WMF projects,

This is not true in its strictest sense, and it is definitely not true in the particular case, unless you intepret "WMF projects" as "projects supported by the WMF for the general public".

and those don't support JS in IE under 9 (9 iS soon going to be deprecated too). No JS=no dynamic maps. And no, IE 5 is not supported in any way.

I would expect some background check from you before answering. Let me do it then. HTTP/2 support by browser versions:

  • IE 11+ (limited suport)
  • Edge 14+
  • Firefox 51+
  • Chrome 49+
  • Safari 10+ (limited support)
  • Opera 9.3+
  • Opera Mini: NOT supported
  • Android browser 53+(!!)
  • Chrome/android 56+

Some of these are pretty recent versions. I don't really agree your optimism about coverage.

Peachey88 added a subscriber: Peachey88.EditedMar 28 2017, 8:17 PM

I would expect some background check from you before answering. Let me do it then. HTTP/2 support by browser versions:

Some of these are pretty recent versions. I don't really agree your optimism about coverage.

I believe @MaxSem was referring to MediaWiki official level of support for various internet browsers (see https://www.mediawiki.org/wiki/Compatibility) rather than browsers support levels for HTTP/2 processing.

And how the only use case for Labs, is to support to the Wikimedia projects so we don't need to have extended support for browsers where the official site doesn't no longer supports.

grin added a comment.Mar 29 2017, 10:13 AM

I would expect some background check from you before answering. Let me do it then. HTTP/2 support by browser versions:

Some of these are pretty recent versions. I don't really agree your optimism about coverage.

I believe @MaxSem was referring to MediaWiki official level of support for various internet browsers (see https://www.mediawiki.org/wiki/Compatibility) rather than browsers support levels for HTTP/2 processing.

I see. The root cause of my reply was the suggestion of "These subdomains should just be removed. ", since the removal would require HTTP/2 support from all browsers (including plenty of ancient mobile ones).
I do not want to get into the state where the domains get removed but the clients hit the rate limit wall and someone woudl react to the problem saying "well, that's the way it is" and the service would be useless for a huge amount of people.

But as I said the logfiles are there and it's rather simple to make a stat about usage, browser versions and expected rates. I do not have access to them, so I cannot help, but if nobody wants to do it offer access and I'll make some stats… Without it it's a blind guessing game, isn't it?

But the problem is there: over HTTPS it's not working right now, and browsers complain about mixed content, some to the extent of denying the connection.

TheDJ added a subscriber: TheDJ.Mar 29 2019, 8:42 PM

FYI, I have configured [abc].tiles.wmflabs.org webhosts to redirect to http://tiles.wmflabs.org during T204506: cloudvps: maps project trusty deprecation

These hosts are still in use however.