You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The list of cipher names and curves supported by BoringSSL is larger than the set that Envoy exports stats for ("cluster.[cluster_name].ssl.ciphers.[cipher]" and ("cluster.[cluster_name].ssl.curves.[cipher]"). The list in Envoy is currently hard-coded and separate from the list of actual supported stats.
It's easy enough to use the configured ciphers; should've done that in the first place. Moreover we should probably log (rate-limited) when we see one we didn't expect, otherwise you can't learn from production what it was.
Commit Message: Stats are only kept for a set of known SSL ciphers, to bound memory use. That set was previously determined by running unit tests and capturing which ciphers were referenced. This PR changes it to use the configured ciphers.
Additional Description:
Risk Level: medium
Testing: //test/...
Docs Changes: n/a
Release Notes: n/a
Fixes: #14524
Signed-off-by: Joshua Marantz <jmarantz@google.com>
The list of cipher names and curves supported by BoringSSL is larger than the set that Envoy exports stats for ("cluster.[cluster_name].ssl.ciphers.[cipher]" and ("cluster.[cluster_name].ssl.curves.[cipher]"). The list in Envoy is currently hard-coded and separate from the list of actual supported stats.
/cc @jmarantz @PiotrSikora
The text was updated successfully, but these errors were encountered: