Page MenuHomePhabricator
Create Task
Maniphest T170567

Support TLSv1.3
Closed, ResolvedPublic
Actions

Assigned To
Vgutierrez
Authored By
BBlack
Jul 13 2017, 1:59 PM
Tags
Referenced Files
F31836387: Screenshot 2020-05-22 at 01.38.51.png
May 22 2020, 12:47 AM
F31836392: Screenshot 2020-05-22 at 01.38.19.png
May 22 2020, 12:47 AM
F31836377: Screenshot 2020-05-22 at 01.37.37.png
May 22 2020, 12:47 AM
F31836384: Screenshot 2020-05-22 at 01.30.01.png
May 22 2020, 12:47 AM
F31761610: Screenshot 2020-04-17 at 15.17.45.png
Apr 17 2020, 1:18 PM
F31761606: Screenshot 2020-04-17 at 15.15.06.png
Apr 17 2020, 1:18 PM
F31761229: Screenshot 2020-04-17 at 10.15.46.png
Apr 17 2020, 8:17 AM
Subscribers
94rain
Aklapper
ayounsi
BBlack
CDanis
ema
faidon
View All 23 Subscribers
Tokens
"Mountain of Wealth" token, awarded by kolbert."Like" token, awarded by Ladsgroup.

Description

Task to track our eventual TLSv1.3 support. Currently we're blocked on deploying a stable OpenSSL-1.1.1 release, but there's some prep work to be done on the ciphersuite and nginx sides as well. see also T205378: Support ECH on Wikimedia servers

Details

SubjectRepoBranchLines +/-
ATS: Re-enable the TLS session ID based cacheoperations/puppetproduction+2 -2
ATS: Enable inbound TLSv1.3 globallyoperations/puppetproduction+22 -88
ATS: Enable inbound TLSv1.3 in text@eqsinoperations/puppetproduction+22 -0
ATS: Enable inbound TLSv1.3 in text@ulsfooperations/puppetproduction+22 -0
ATS: Enable inbound TLSv1.3 on the upload clusteroperations/puppetproduction+44 -187
ATS: Enable inbound TLSv1.3 in upload@codfwoperations/puppetproduction+42 -0
ATS: Enable inbound TLSv1.3 in upload@esamsoperations/puppetproduction+42 -0
Release 8.0.6-1wm4operations/debs/trafficservermaster+23 -0
ATS: Enable inbound TLSv1.3 on upload@eqsinoperations/puppetproduction+21 -0
ATS: Disable TLS Session tickets in ulsfooperations/puppetproduction+2 -4
prometheus: Add TLSv1.3 ciphersuites on ATS exporteroperations/puppetproduction+6 -0
ATS: Enable inbound TLSv1.3 for upload@ulsfooperations/puppetproduction+22 -0
varnish: Consider TLSv1.3 on log_xcps_infooperations/puppetproduction+21 -0
ATS: Consider TLSv1.3 on tls.luaoperations/puppetproduction+17 -0
ATS: Add session_ticket_number to Inbound_TLS_settingsoperations/puppetproduction+10 -0
ATS: Enable TLSv1.3 for ats-be <--> applayer communicationoperations/puppetproduction+2 -12
ssl_ciphersuite: Enable TLSv1.3 where availableoperations/puppetproduction+16 -2
ssl_ciphersuite: Fix TLSv1.3 ciphersuites namesoperations/puppetproduction+3 -3
ATS: Use TLSv1.3 on ats-be <--> applayer on esamsoperations/puppetproduction+11 -11
ATS: Test TLSv1.3 on ats-be <--> applayer communication on cp3050operations/puppetproduction+11 -0
ciphersuites: add TLSv1.3 variants in "high" listoperations/puppetproduction+5 -2
Show related patches Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 OpenNoneT92298 Investigate our mitigation strategy for HTTPS response length attacks
 ResolvedVgutierrezT170567 Support TLSv1.3
 ResolvedVgutierrezT220383 Evaluate ATS TLS stack
 ResolvedVgutierrezT221217 Allow running several ATS instances on the same server
 ResolvedVgutierrezT221594 Puppetize ATS TLS configuration for incoming traffic
 ResolvedVgutierrezT231286 Track TLS related ATS metrics in prometheus
 ResolvedVgutierrezT228135 ATS lacks the possibility of reporting SSL stats to an origin server via HTTP Headers
 ResolvedVgutierrezT231262 TLS handshake issues with ATS 8.0.5-1wm2
 ResolvedVgutierrezT231433 Move cache upload cluster from nginx to ats-tls
 ResolvedVgutierrezT232209 ats-tls is performing 3k DNS queries per second on cp5001
 ResolvedVgutierrezT232298 Investigate segfaults on ats-tls running on cp5001
ResolvedVgutierrezT232724 ATS SSL session cache doesn't work
 ResolvedVgutierrezT233205 Higher failed fetches error rate on some caching servers
ResolvedVgutierrezT236120 Get rid of nginx puppetization for cache upload
 ResolvedVgutierrezT231627 Move cache text cluster from nginx to ats-tls
 ResolvedVgutierrezT233667 varnish-fe is handling X-Forwarded-For differently when ats is in front of it
 InvalidVgutierrezT234887 ATS-tls nodes on the text cluster have a slightly higher rate of failed fetches on varnish-fe
 ResolvedVgutierrezT236458 ats-tls shows a huge amount of ESTABLISHED sockets even when the server is depooled
 ResolvedVgutierrezT236755 Enforce POST size limit on ats-tls
 DeclinedVgutierrezT245419 Session resumption seems to be broken in ATS for TLSv1.3
 ResolvedVgutierrezT245502 ATS TLS session cache efficiency reduced in TLSv1.3
 ResolvedVgutierrezT245616 Provide a simple and automated SSL Ticket key generation system for ATS

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
gerritbot added a comment.Feb 13 2020, 2:35 PM

Change 571985 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ssl_ciphersuite: Enable TLSv1.3 where available

https://gerrit.wikimedia.org/r/571985

gerritbot added a comment.Feb 13 2020, 2:43 PM

Change 571988 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Test TLSv1.3 on ats-be <--> applayer communication on cp3050

https://gerrit.wikimedia.org/r/571988

gerritbot added a comment.Feb 13 2020, 2:50 PM

Change 571988 merged by Vgutierrez:
[operations/puppet@production] ATS: Test TLSv1.3 on ats-be <--> applayer communication on cp3050

https://gerrit.wikimedia.org/r/571988

Stashbot added a comment.Feb 13 2020, 2:51 PM

Mentioned in SAL (#wikimedia-operations) [2020-02-13T14:51:09Z] <vgutierrez> test TLSv1.3 between ats-be and applayer in cp3050 - T170567

gerritbot added a comment.Feb 13 2020, 3:21 PM

Change 572004 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Use TLSv1.3 on ats-be <--> applayer on esams

https://gerrit.wikimedia.org/r/572004

gerritbot added a comment.Feb 13 2020, 3:23 PM

Change 572004 merged by Vgutierrez:
[operations/puppet@production] ATS: Use TLSv1.3 on ats-be <--> applayer on esams

https://gerrit.wikimedia.org/r/572004

Stashbot added a comment.Feb 13 2020, 3:27 PM

Mentioned in SAL (#wikimedia-operations) [2020-02-13T15:27:19Z] <vgutierrez> turning on TLSv1.3 between ats-be and applayer in cp30[51-52] - T170567

Stashbot added a comment.Feb 13 2020, 3:42 PM

Mentioned in SAL (#wikimedia-operations) [2020-02-13T15:42:20Z] <vgutierrez> rolling restart of ats-be on esams - T170567

gerritbot added a comment.Feb 14 2020, 6:44 AM

Change 571978 merged by Vgutierrez:
[operations/puppet@production] ssl_ciphersuite: Fix TLSv1.3 ciphersuites names

https://gerrit.wikimedia.org/r/571978

gerritbot added a comment.Feb 14 2020, 7:30 AM

Change 571985 merged by Vgutierrez:
[operations/puppet@production] ssl_ciphersuite: Enable TLSv1.3 where available

https://gerrit.wikimedia.org/r/571985

Vgutierrez added a comment.Feb 14 2020, 7:50 AM

Sites running nginx or apache outside the caching cluster that have been upgraded to buster are now offering TLSv1.3: a few examples:

$ /usr/local/opt/openssl@1.1/bin/openssl s_client -connect gerrit.wikimedia.org:443 2>&1 < /dev/null |grep -i Cipher
New, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256
$ /usr/local/opt/openssl@1.1/bin/openssl s_client -connect netbox.wikimedia.org:443 2>&1 < /dev/null |grep -i Cipher
New, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256
$ /usr/local/opt/openssl@1.1/bin/openssl s_client -connect en.wikipedia.com:443 2>&1 < /dev/null |grep -i Cipher
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
gerritbot added a comment.Feb 14 2020, 10:10 AM

Change 571976 merged by Vgutierrez:
[operations/puppet@production] ATS: Enable TLSv1.3 for ats-be <--> applayer communication

https://gerrit.wikimedia.org/r/571976

Stashbot added a comment.Feb 14 2020, 10:14 AM

Mentioned in SAL (#wikimedia-operations) [2020-02-14T10:14:42Z] <vgutierrez> rolling restart of ats-be to enable TLSv1.3 against origin servers - T170567

Vgutierrez closed subtask T245419: Session resumption seems to be broken in ATS for TLSv1.3 as Declined.Feb 18 2020, 6:49 AM
CDanis subscribed.Mar 2 2020, 9:32 AM
gerritbot added a comment.Mar 17 2020, 7:23 AM

Change 580174 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Add session_ticket_number to Inbound_TLS_settings

https://gerrit.wikimedia.org/r/580174

gerritbot added a comment.Mar 17 2020, 10:07 AM

Change 580288 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Consider TLSv1.3 on tls.lua

https://gerrit.wikimedia.org/r/580288

gerritbot added a comment.Mar 17 2020, 10:08 AM

Change 580174 merged by Vgutierrez:
[operations/puppet@production] ATS: Add session_ticket_number to Inbound_TLS_settings

https://gerrit.wikimedia.org/r/580174

gerritbot added a comment.Mar 17 2020, 1:49 PM

Change 580326 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] varnish: Consider TLSv1.3 on log_xcps_info

https://gerrit.wikimedia.org/r/580326

gerritbot added a comment.Mar 17 2020, 4:25 PM

Change 580288 merged by Vgutierrez:
[operations/puppet@production] ATS: Consider TLSv1.3 on tls.lua

https://gerrit.wikimedia.org/r/580288

gerritbot added a comment.Mar 17 2020, 5:14 PM

Change 580326 merged by Vgutierrez:
[operations/puppet@production] varnish: Consider TLSv1.3 on log_xcps_info

https://gerrit.wikimedia.org/r/580326

gerritbot added a comment.Mar 18 2020, 7:49 AM

Change 580742 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Enable inbound TLSv1.3 for upload@ulsfo

https://gerrit.wikimedia.org/r/580742

Stashbot added a comment.Mar 18 2020, 8:14 AM

Mentioned in SAL (#wikimedia-operations) [2020-03-18T08:14:32Z] <vgutierrez> upgrade ATS to 8.0.6-1wm3 in ulsfo - T170567

gerritbot added a comment.Mar 18 2020, 9:16 AM

Change 580742 merged by Vgutierrez:
[operations/puppet@production] ATS: Enable inbound TLSv1.3 for upload@ulsfo

https://gerrit.wikimedia.org/r/580742

Stashbot added a comment.Mar 18 2020, 9:18 AM

Mentioned in SAL (#wikimedia-operations) [2020-03-18T09:18:15Z] <vgutierrez> enabling inbound TLSv1.3 in cp4026 - T170567

gerritbot added a comment.Mar 18 2020, 9:31 AM

Change 580868 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] prometheus: Add TLSv1.3 ciphersuites on ATS exporter

https://gerrit.wikimedia.org/r/580868

gerritbot added a comment.Mar 18 2020, 9:39 AM

Change 580868 merged by Vgutierrez:
[operations/puppet@production] prometheus: Add TLSv1.3 ciphersuites on ATS exporter

https://gerrit.wikimedia.org/r/580868

Stashbot added a comment.Mar 18 2020, 9:43 AM

Mentioned in SAL (#wikimedia-operations) [2020-03-18T09:43:57Z] <vgutierrez> enabling inbound TLSv1.3 in upload@ulsfo - T170567

gerritbot added a comment.Mar 18 2020, 2:24 PM

Change 580951 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Disable TLS Session tickets in ulsfo

https://gerrit.wikimedia.org/r/580951

gerritbot added a comment.Mar 18 2020, 2:37 PM

Change 580951 merged by Vgutierrez:
[operations/puppet@production] ATS: Disable TLS Session tickets in ulsfo

https://gerrit.wikimedia.org/r/580951

Stashbot mentioned this in T245616: Provide a simple and automated SSL Ticket key generation system for ATS.Mar 18 2020, 2:41 PM

Mentioned in SAL (#wikimedia-operations) [2020-03-18T14:41:32Z] <vgutierrez> disable TLS session tickets in ulsfo - T245616 T170567

gerritbot added a comment.Mar 25 2020, 9:05 AM

Change 583292 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Enable inbound TLSv1.3 on upload@eqsin

https://gerrit.wikimedia.org/r/583292

Stashbot added a comment.Mar 25 2020, 9:23 AM

Mentioned in SAL (#wikimedia-operations) [2020-03-25T09:23:34Z] <vgutierrez> upgrade ATS to 8.0.6-1wm3 on upload@eqsin - T170567

gerritbot added a comment.Mar 25 2020, 9:53 AM

Change 583292 merged by Vgutierrez:
[operations/puppet@production] ATS: Enable inbound TLSv1.3 on upload@eqsin

https://gerrit.wikimedia.org/r/583292

Stashbot added a comment.Mar 25 2020, 9:54 AM

Mentioned in SAL (#wikimedia-operations) [2020-03-25T09:54:36Z] <vgutierrez> Enable inbound TLSv1.3 on upload@eqsin - T170567

gerritbot added a comment.Mar 26 2020, 6:06 PM

Change 583715 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/debs/trafficserver@master] Release 8.0.6-1wm4

https://gerrit.wikimedia.org/r/583715

gerritbot added a comment.Mar 27 2020, 9:00 AM

Change 583715 merged by Vgutierrez:
[operations/debs/trafficserver@master] Release 8.0.6-1wm4

https://gerrit.wikimedia.org/r/583715

Stashbot added a comment.Mar 27 2020, 10:04 AM

Mentioned in SAL (#wikimedia-operations) [2020-03-27T10:04:31Z] <vgutierrez> upload trafficserver 8.0.6-1wm4 to apt.wm.o (buster) - T245616 T170567

Vgutierrez closed subtask T245502: ATS TLS session cache efficiency reduced in TLSv1.3 as Resolved.Apr 2 2020, 7:33 AM
gerritbot added a comment.Apr 2 2020, 7:35 AM

Change 585426 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Enable inbound TLSv1.3 in upload@esams

https://gerrit.wikimedia.org/r/585426

gerritbot added a comment.Apr 2 2020, 8:17 AM

Change 585426 merged by Vgutierrez:
[operations/puppet@production] ATS: Enable inbound TLSv1.3 in upload@esams

https://gerrit.wikimedia.org/r/585426

Stashbot added a comment.Apr 2 2020, 8:22 AM

Mentioned in SAL (#wikimedia-operations) [2020-04-02T08:22:19Z] <vgutierrez> Enable inbound TLSv1.3 in upload@esams - T170567

gerritbot added a comment.Apr 2 2020, 1:37 PM

Change 585492 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Enable inbound TLSv1.3 in upload@codfw

https://gerrit.wikimedia.org/r/585492

gerritbot added a comment.Apr 2 2020, 2:28 PM

Change 585492 merged by Vgutierrez:
[operations/puppet@production] ATS: Enable inbound TLSv1.3 in upload@codfw

https://gerrit.wikimedia.org/r/585492

Stashbot added a comment.Apr 2 2020, 2:33 PM

Mentioned in SAL (#wikimedia-operations) [2020-04-02T14:33:56Z] <vgutierrez> Enable inbound TLSv1.3 in upload@codfw - T170567

gerritbot added a comment.Apr 3 2020, 8:27 AM

Change 585697 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Enable inbound TLSv1.3 on the upload cluster

https://gerrit.wikimedia.org/r/585697

gerritbot added a comment.Apr 6 2020, 5:11 AM

Change 585697 merged by Vgutierrez:
[operations/puppet@production] ATS: Enable inbound TLSv1.3 on the upload cluster

https://gerrit.wikimedia.org/r/585697

Stashbot added a comment.Apr 6 2020, 5:16 AM

Mentioned in SAL (#wikimedia-operations) [2020-04-06T05:16:42Z] <vgutierrez> Enable inbound TLSv1.3 in upload@eqiad - T170567

Gilles mentioned this in T238494: 15% response start regression as of 2019-11-11 (Varnish->ATS).Apr 6 2020, 10:08 AM
gerritbot added a comment.Apr 8 2020, 6:27 AM

Change 587423 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Enable inbound TLSv1.3 in text@ulsfo

https://gerrit.wikimedia.org/r/587423

gerritbot added a comment.Apr 8 2020, 1:16 PM

Change 587423 merged by Vgutierrez:
[operations/puppet@production] ATS: Enable inbound TLSv1.3 in text@ulsfo

https://gerrit.wikimedia.org/r/587423

Stashbot added a comment.Apr 8 2020, 1:22 PM

Mentioned in SAL (#wikimedia-operations) [2020-04-08T13:22:14Z] <vgutierrez> enable inbound TLSv1.3 in text@ulsfo - T170567

gerritbot added a comment.Apr 14 2020, 12:21 PM

Change 588678 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Enable inbound TLSv1.3 in text@eqsin

https://gerrit.wikimedia.org/r/588678

gerritbot added a comment.Apr 14 2020, 12:49 PM

Change 588678 merged by Vgutierrez:
[operations/puppet@production] ATS: Enable inbound TLSv1.3 in text@eqsin

https://gerrit.wikimedia.org/r/588678

Stashbot added a comment.Apr 14 2020, 12:50 PM

Mentioned in SAL (#wikimedia-operations) [2020-04-14T12:50:39Z] <vgutierrez> Enable inbound TLSv1.3 in text@eqsin - T170567

gerritbot added a comment.Apr 15 2020, 2:44 PM

Change 589030 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Enable inbound TLSv1.3 globally

https://gerrit.wikimedia.org/r/589030

gerritbot added a comment.Apr 16 2020, 10:41 AM

Change 589030 merged by Vgutierrez:
[operations/puppet@production] ATS: Enable inbound TLSv1.3 globally

https://gerrit.wikimedia.org/r/589030

Stashbot added a comment.Apr 16 2020, 10:44 AM

Mentioned in SAL (#wikimedia-operations) [2020-04-16T10:44:08Z] <vgutierrez> rolling restart of ats-tls to enable TLSv1.3 globally and disable the old TLS session cache - T170567

Vgutierrez closed this task as Resolved.Apr 16 2020, 1:02 PM

TLSv1.3 is now available on both text and upload clusters :)

Krenair subscribed.Apr 16 2020, 8:46 PM
kolbert awarded a token.Apr 17 2020, 2:32 AM
Maintenance_bot removed a project: Patch-For-Review.Apr 17 2020, 3:10 AM
Gilles subscribed.Apr 17 2020, 8:17 AM
In T170567#6062022, @Stashbot wrote:

Mentioned in SAL (#wikimedia-operations) [2020-04-16T10:44:08Z] <vgutierrez> rolling restart of ats-tls to enable TLSv1.3 globally and disable the old TLS session cache - T170567

This, and/or the ATS version upgrade, appears to have caused an extra regression in response time:

https://grafana.wikimedia.org/d/000000143/navigation-timing?orgId=1&var-source=navtiming2&var-metric=responseStart&var-percentile=p50&from=1587009985039&to=1587111099058

Screenshot 2020-04-17 at 10.15.46.png (378×1 px, 78 KB)

Still a 6.5% regression on the week-over-week p75 22 hours after this deployment.

Ladsgroup added a comment.Apr 17 2020, 11:38 AM

That's weird, TLSv1.3 is famous for being faster than v1.2.

Gilles added a comment.Apr 17 2020, 1:18 PM

In theory with features like 0-RTT resumption of course, but that doesn't mean that implementation, configuration and the real world follow suite with the theory. I don't know if we've enabled 0-RTT in this deployment. If we didn't, then I don't know if there are other areas of 1.3 that are supposed to bring improvements. I imagine there might be new ciphers involved, which might actually perform worse on the client or ATS alike.

If the regression is related to this TLS 1.3 rollout (one very easy way to find out is to undo it temporarily), it's probably not with the handshake part, as the "ssl" section of navigation timing doesn't seem to change significantly around the time of that deployment. It was already doing better week-over-week prior to April 16:

https://grafana.wikimedia.org/d/000000143/navigation-timing?orgId=1&refresh=5m&var-source=navtiming2&var-metric=ssl&var-percentile=p50

I've since found something interesting, which is that while the response start time (when the first bytes from the server arrive) is delayed, the response time (between first and last byte) has reduced at the same time:

https://grafana.wikimedia.org/d/000000143/navigation-timing?orgId=1&refresh=5m&var-source=navtiming2&var-metric=response&var-percentile=p50

Screenshot 2020-04-17 at 15.15.06.png (377×1 px, 84 KB)

This might suggest that TLS 1.3's nature leads the client to measure the first byte received later (maybe it actually received it on the wire at the same time), but this is partially offset by a faster transfer after that.

That being said, it's not enough to offset the regression completely, as seen through loadEventEnd later down the line, which regresses exactly at the same time:

Screenshot 2020-04-17 at 15.17.45.png (380×1 px, 101 KB)

To sum up it seems like a regression overall, which some changes in the intermediary timeline that look like gains, that aren't enough to offset the overall regression.

Vgutierrez added a comment.Apr 17 2020, 1:43 PM

we haven't deployed 0-RTT at this time but even without it, a full TLSv1.3 handshake requires 1 RTT less than a full TLSv1.2 handshake. Thanks for the detailed report @Gilles, I'll hunt this down ASAP

Ladsgroup added a comment.Apr 17 2020, 1:44 PM
In T170567#6065576, @Gilles wrote:

In theory with features like 0-RTT resumption of course, but that doesn't mean that implementation, configuration and the real world follow suite with the theory. I don't know if we've enabled 0-RTT in this deployment. If we didn't, then I don't know if there are other areas of 1.3 that are supposed to bring improvements. I imagine there might be new ciphers involved, which might actually perform worse on the client or ATS alike.

No, even without 0-RTT, the handshakes are faster (twice, or in general 100ms faster): https://kinsta.com/blog/tls-1-3/

ssingh subscribed.Apr 17 2020, 3:56 PM
Krinkle reopened this task as Open.Apr 20 2020, 12:47 AM
Krinkle added a project: Wikimedia-Incident.
Krinkle subscribed.

Re-opening and tracking as on-going perf incident per the above. As @Gilles mentioned, it would help if we can at least isolate/validate the correlation by undoing this for a few hours (if that's feasible.) If the correlation holds up, I would suggest we keep it rolled back for now as this would otherwise make two major on-going perf incidents – noting that we haven't fixed the other one yet (T238494), and there's also numerous non-perf related incidents being worked on right now with higher priority.

Krinkle edited projects, added Performance-Team; removed Performance-Team (Radar).Apr 20 2020, 12:52 AM
Krinkle edited projects, added Performance-Team (Radar); removed Performance-Team.
Krinkle moved this task from Perf recommendation to Watching on the Performance-Team (Radar) board.
ema subscribed.Apr 20 2020, 2:23 PM
In T170567#6069972, @Krinkle wrote:

Re-opening and tracking as on-going perf incident per the above. As @Gilles mentioned, it would help if we can at least isolate/validate the correlation by undoing this for a few hours (if that's feasible.) If the correlation holds up, I would suggest we keep it rolled back for now as this would otherwise make two major on-going perf incidents – noting that we haven't fixed the other one yet (T238494), and there's also numerous non-perf related incidents being worked on right now with higher priority.

We really need to have per-host performance metrics (T238086) to evaluate the impact of changes like this on a single host, rather than having to spend hours to do/undo things fleet-wide.

gerritbot added a comment.Apr 29 2020, 8:56 AM

Change 593192 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Re-enable the session ID based cache

https://gerrit.wikimedia.org/r/593192

gerritbot added a project: Patch-For-Review.Apr 29 2020, 8:56 AM
gerritbot added a comment.Apr 29 2020, 9:05 AM

Change 593192 merged by Vgutierrez:
[operations/puppet@production] ATS: Re-enable the TLS session ID based cache

https://gerrit.wikimedia.org/r/593192

Stashbot added a comment.Apr 29 2020, 9:10 AM

Mentioned in SAL (#wikimedia-operations) [2020-04-29T09:10:18Z] <vgutierrez> starting rolling restart of ats-tls to enable the TLS session ID based cache - T170567

Maintenance_bot removed a project: Patch-For-Review.Apr 29 2020, 9:11 AM
Vgutierrez mentioned this in T251414: Support TLSv1.3 in IABot.Apr 29 2020, 2:19 PM
Krinkle added a comment.May 22 2020, 12:47 AM

(See also Navigation Timing metrics spec.)

request
(after dns+tcp+tls), delta from requestStart to requestStart).
Screenshot 2020-05-22 at 01.37.37.png (1×2 px, 291 KB)
response
delta from responseStart to responseEnd.
Screenshot 2020-05-22 at 01.38.19.png (1×2 px, 269 KB)
responseStart
overall time to first byte from the beginning (includes dns+tcp+tls+request)
Screenshot 2020-05-22 at 01.30.01.png (1×2 px, 463 KB)
domInteractive
overall time to end of parsed HTML response
(includes dns+tcp+tls+request+request+client-side HTML parsing)
Screenshot 2020-05-22 at 01.38.51.png (1×2 px, 375 KB)
Krinkle moved this task from Active investigation to Awaiting report on the Wikimedia-Incident board.Jul 10 2020, 1:55 PM
Aklapper removed Vgutierrez as the assignee of this task.Jul 2 2021, 5:22 AM

Removing task assignee due to inactivity, as this open task has been assigned for more than two years (see emails sent to assignee on May26 and Jun17, and T270544). Please assign this task to yourself again if you still realistically [plan to] work on this task - it would be very welcome!

(See https://www.mediawiki.org/wiki/Bug_management/Assignee_cleanup for tips how to best manage your individual work in Phabricator.)

Ladsgroup added a comment.Jul 2 2021, 9:51 AM

This is done, isn't it? The performance issues are being mitigated by migrating to nginx light I think (someone needs to double check)

Vgutierrez added a comment.Jul 2 2021, 9:54 AM

TLSv1.3 is up & running, performance issues are being mitigated by replacing ats-tls with envoy or haproxy in the short term :)

Izno subscribed.Sep 15 2021, 3:36 AM
BBlack closed this task as Resolved.Oct 8 2021, 5:02 PM
BBlack assigned this task to Vgutierrez.

TLSv1.3 has been working for quite some time! Any other issues should be in other tickets (and are, in some cases!).

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL