Maniphest T220383

Evaluate ATS TLS stack
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Vgutierrez
	Apr 8 2019, 1:36 PM

Description

Our current cp nodes are using nginx for TLS termination. Over time several patches have been added to our custom packaging of nginx regarding TLS:

0100-dynamic-tls-records.patch: https://docs.trafficserver.apache.org/en/8.0.x/admin-guide/files/records.config.en.html#proxy-config-ssl-max-record-size --> allow proxy.config.ssl.max_record_size to be configured as part of the in the inbound TLS puppetization
0500-ssl-curve.patch: https://github.com/apache/trafficserver/pull/5197
0600-stapling-multi-file.patch: https://github.com/apache/trafficserver/pull/5228
0660-version-too-low.patch. Not needed as mentioned by @BBlack in the comments

We need to check what's the current status of ATS regarding these matters and if it can it be brought up to speed to use it as our TLS terminator

Details

	Subject	Repo	Branch	Lines +/-
	Backport required OCSP commits	operations/debs/trafficserver	master	+616 -0

Customize query in gerrit

Related Objects
Search...

Status	Assigned	Task
Open	None	T92298 Investigate our mitigation strategy for HTTPS response length attacks
Resolved	Vgutierrez	T170567 Support TLSv1.3
Resolved	Vgutierrez	T220383 Evaluate ATS TLS stack
Resolved	Vgutierrez	T221217 Allow running several ATS instances on the same server
Resolved	Vgutierrez	T221594 Puppetize ATS TLS configuration for incoming traffic
Resolved	Vgutierrez	T231286 Track TLS related ATS metrics in prometheus
Resolved	Vgutierrez	T228135 ATS lacks the possibility of reporting SSL stats to an origin server via HTTP Headers
Resolved	Vgutierrez	T231262 TLS handshake issues with ATS 8.0.5-1wm2

Event Timeline

Vgutierrez triaged this task as Medium priority.Apr 8 2019, 1:36 PM

Vgutierrez created this task.

Vgutierrez moved this task from Backlog to TLS on the Traffic board.

Vgutierrez updated the task description. (Show Details)Apr 8 2019, 1:39 PM

0100-dynamic-tls-records.patch - I don't think we ever managed to prove a significant benefit from this on initial deploy, but it's just one of those things that seemed like a "good idea" so long as it remained simple to leave it in. I'd be happy with dropping this initially and putting the ideas behind that patch (or even more-generalized than that patch) on the back burner for the future when we have more time.
0660-version-too-low.patch - This was a very nginx-specific thing about not having nginx spam error messages, shouldn't need to port it at all.

Vgutierrez added a subtask: T221217: Allow running several ATS instances on the same server.Apr 17 2019, 10:25 AM

We need to keep an eye on https://github.com/apache/trafficserver/issues/5084

In T220383#5133808, @Vgutierrez wrote:

We need to keep an eye on https://github.com/apache/trafficserver/issues/5084

Buster has OpenSSL 1.1.1b, so this affects ATS as shipped in Buster? Should we file a bug or does this only affect some ATS setups?

MoritzMuehlenhoff added a subscriber: • ema.Apr 24 2019, 8:25 AM

so I guess it's affected but right now I'm working under the assumption that we will use stretch in the cp nodes, using our own ATS packaging.
@ema can confirm that :)

Vgutierrez updated the task description. (Show Details)May 3 2019, 7:43 AM

Vgutierrez updated the task description. (Show Details)May 3 2019, 8:06 AM

Change 528716 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/debs/trafficserver@master] Backport prefetched OCSP stapling responses

https://gerrit.wikimedia.org/r/528716

gerritbot added a project: Patch-For-Review.Aug 7 2019, 8:42 AM

Change 528716 merged by Vgutierrez:
[operations/debs/trafficserver@master] Backport required OCSP commits

https://gerrit.wikimedia.org/r/528716

Mentioned in SAL (#wikimedia-operations) [2019-08-09T07:31:45Z] <vgutierrez> uploaded trafficserver-8.0.3wm3 to apt.wikimedia.org (stretch) - T220383 T228135