Page MenuHomePhabricator
Create Task
Maniphest T231859

ATS-tls isn't enforcing the same list of curves as nginx during TLS handshake
Closed, ResolvedPublic
Actions

Description

nginx only allows P-256 and X25519 while ats-tls is currently accepting other curves:

vgutierrez@cp5001:~$ openssl s_client -connect 127.0.0.1:443 -curves secp521r1 2>&1 </dev/null |egrep "Server Temp Key|Cipher"
Server Temp Key: ECDH, P-521, 521 bits
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
vgutierrez@cp5001:~$ openssl s_client -connect 127.0.0.1:4443 -curves secp521r1 2>&1 </dev/null |egrep "Server Temp Key|Cipher" # nginx is currently listening on port 4443
Server Temp Key: DH, 2048 bits
New, SSLv3, Cipher is DHE-RSA-AES128-SHA
    Cipher    : DHE-RSA-AES128-SHA

Details

SubjectRepoBranchLines +/-
ATS: Configure a list of curves to be offered during the TLS handshakeoperations/puppetproduction+1 -0
Release 8.0.5-1wm5operations/debs/trafficservermaster+239 -1
Customize query in gerrit

Related Objects

Event Timeline

Vgutierrez created this task.Sep 3 2019, 9:15 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 3 2019, 9:15 AM
Vgutierrez triaged this task as Medium priority.Sep 3 2019, 9:16 AM
Vgutierrez moved this task from Backlog to TLS on the Traffic board.
gerritbot added a comment.Sep 3 2019, 9:26 AM

Change 534118 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/debs/trafficserver@master] Release 8.0.5-1wm5

https://gerrit.wikimedia.org/r/534118

gerritbot added a project: Patch-For-Review.Sep 3 2019, 9:26 AM
gerritbot added a comment.Sep 3 2019, 9:33 AM

Change 534123 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Configure a list of curves to be offered during the TLS handshake

https://gerrit.wikimedia.org/r/534123

gerritbot added a comment.Sep 4 2019, 9:22 AM

Change 534118 merged by Vgutierrez:
[operations/debs/trafficserver@master] Release 8.0.5-1wm5

https://gerrit.wikimedia.org/r/534118

Stashbot mentioned this in T231533: Improve ATS prometheus metrics.Sep 4 2019, 10:09 AM

Mentioned in SAL (#wikimedia-operations) [2019-09-04T10:09:11Z] <vgutierrez> uploaded trafficserver 8.0.5-1wm5 to apt.wikimedia.org (stretch) - T231533 T231859

Stashbot added a comment.Sep 4 2019, 10:12 AM

Mentioned in SAL (#wikimedia-operations) [2019-09-04T10:12:34Z] <vgutierrez> upgrading ATS to 8.0.5-1wm5 on cp5001 - T231859

gerritbot added a comment.Sep 4 2019, 10:15 AM

Change 534123 merged by Vgutierrez:
[operations/puppet@production] ATS: Configure a list of curves to be offered during the TLS handshake

https://gerrit.wikimedia.org/r/534123

Vgutierrez closed this task as Resolved.Sep 4 2019, 10:21 AM
Vgutierrez claimed this task.

Solved, now ATS has the same behaviour as nginx:

vgutierrez@cp5001:~$ openssl s_client -connect 127.0.0.1:443 -curves secp521r1 2>&1 </dev/null |egrep "Server Temp Key|Cipher"
Server Temp Key: DH, 2048 bits
New, SSLv3, Cipher is DHE-RSA-AES128-SHA
    Cipher    : DHE-RSA-AES128-SHA
vgutierrez@cp5001:~$ openssl s_client -connect 127.0.0.1:4443 -curves secp521r1 2>&1 </dev/null |egrep "Server Temp Key|Cipher" # nginx is currently listening on port 4443
Server Temp Key: DH, 2048 bits
New, SSLv3, Cipher is DHE-RSA-AES128-SHA
    Cipher    : DHE-RSA-AES128-SHA
Stashbot added a comment.Sep 4 2019, 10:23 AM

Mentioned in SAL (#wikimedia-operations) [2019-09-04T10:23:01Z] <vgutierrez> upgrading ATS to 8.0.5-1wm5 on cp2002 - T231859

Maintenance_bot removed a project: Patch-For-Review.Sep 4 2019, 11:10 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL