ATS-tls isn't enforcing the same list of curves as nginx during TLS handshake
Closed, Resolved | Public

Description

nginx only allows P-256 and X25519 while ats-tls is currently accepting other curves:

vgutierrez@cp5001:~$ openssl s_client -connect 127.0.0.1:443 -curves secp521r1 2>&1 </dev/null |egrep "Server Temp Key|Cipher"
Server Temp Key: ECDH, P-521, 521 bits
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
vgutierrez@cp5001:~$ openssl s_client -connect 127.0.0.1:4443 -curves secp521r1 2>&1 </dev/null |egrep "Server Temp Key|Cipher" # nginx is currently listening on port 4443
Server Temp Key: DH, 2048 bits
New, SSLv3, Cipher is DHE-RSA-AES128-SHA
    Cipher    : DHE-RSA-AES128-SHA

Event Timeline

Vgutierrez triaged this task as Medium priority. Sep 3 2019, 9:16 AM
Vgutierrez moved this task from Triage to TLS on the Traffic board.

Change 534118 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/debs/trafficserver@master] Release 8.0.5-1wm5

https://gerrit.wikimedia.org/r/534118

Change 534123 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Configure a list of curves to be offered during the TLS handshake

https://gerrit.wikimedia.org/r/534123

Change 534118 merged by Vgutierrez:
[operations/debs/trafficserver@master] Release 8.0.5-1wm5

https://gerrit.wikimedia.org/r/534118

Mentioned in SAL (#wikimedia-operations) [2019-09-04T10:09:11Z] <vgutierrez> uploaded trafficserver 8.0.5-1wm5 to apt.wikimedia.org (stretch) - T231533 T231859

Mentioned in SAL (#wikimedia-operations) [2019-09-04T10:12:34Z] <vgutierrez> upgrading ATS to 8.0.5-1wm5 on cp5001 - T231859

Change 534123 merged by Vgutierrez:
[operations/puppet@production] ATS: Configure a list of curves to be offered during the TLS handshake

https://gerrit.wikimedia.org/r/534123

Vgutierrez claimed this task.

Solved, now ATS has the same behaviour as nginx:

vgutierrez@cp5001:~$ openssl s_client -connect 127.0.0.1:443 -curves secp521r1 2>&1 </dev/null |egrep "Server Temp Key|Cipher"
Server Temp Key: DH, 2048 bits
New, SSLv3, Cipher is DHE-RSA-AES128-SHA
    Cipher    : DHE-RSA-AES128-SHA
vgutierrez@cp5001:~$ openssl s_client -connect 127.0.0.1:4443 -curves secp521r1 2>&1 </dev/null |egrep "Server Temp Key|Cipher" # nginx is currently listening on port 4443
Server Temp Key: DH, 2048 bits
New, SSLv3, Cipher is DHE-RSA-AES128-SHA
    Cipher    : DHE-RSA-AES128-SHA
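
The manual `openssl s_client` check used in this task can be repeated over several curves and judged against the P-256/X25519 policy. The script below is an added example, not part of the original task or of Wikimedia's tooling; its function names and the X25519 sample line are assumptions, and it relies on the `Server Temp Key` line format shown in the output above.

```shell
#!/usr/bin/env bash
# Policy from the task: only P-256 and X25519 may be negotiated.
# Names are as s_client prints them (P-521 is what "-curves secp521r1" yields).
ALLOWED="P-256 X25519"

# Copied from the task: ATS on :443 before and after the fix.
SAMPLE_BEFORE='Server Temp Key: ECDH, P-521, 521 bits
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305'
SAMPLE_AFTER='Server Temp Key: DH, 2048 bits
New, SSLv3, Cipher is DHE-RSA-AES128-SHA'
# Constructed sample (not from the task): an X25519 handshake.
SAMPLE_X25519='Server Temp Key: X25519, 253 bits'

# Print the key-exchange group from s_client output on stdin:
# "ECDH, P-521, 521 bits" -> P-521; "X25519, 253 bits" -> X25519; "DH, ..." -> DH
temp_key_group() {
  awk -F': ' '/^Server Temp Key:/ {
    n = split($2, f, ", ")
    if (f[1] == "ECDH" && n == 3) print f[2]; else print f[1]
    exit
  }'
}

# Judge one probe. $1 = curve offered, stdin = s_client output.
# Returns 0 = within policy, 1 = curve outside policy, 2 = no temp key seen.
check_probe() {
  group=$(temp_key_group)
  case "$group" in
    "") echo "$1: no Server Temp Key line"; return 2 ;;
    DH) echo "$1: curve refused, server fell back to DHE"; return 0 ;;
  esac
  case " $ALLOWED " in
    *" $group "*) echo "$1: negotiated $group (allowed)"; return 0 ;;
    *) echo "$1: negotiated $group (outside policy)"; return 1 ;;
  esac
}

# Live use: audit HOST:PORT CURVE... (needs network access and openssl).
audit() {
  target=$1; rc=0; shift
  for c in "$@"; do
    openssl s_client -connect "$target" -curves "$c" 2>&1 </dev/null |
      check_probe "$c" || rc=1
  done
  return "$rc"
}

if [ "$#" -gt 0 ]; then audit "$@"; fi
```

Run with a target and the curves to offer, for example `127.0.0.1:443 prime256v1 X25519 secp384r1 secp521r1`; a non-zero exit status means at least one probe negotiated a curve outside the policy.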

Mentioned in SAL (#wikimedia-operations) [2019-09-04T10:23:01Z] <vgutierrez> upgrading ATS to 8.0.5-1wm5 on cp2002 - T231859