List of SSL cipher stat names is incomplete #14524
Assignees
Labels
Comments
|
It's easy enough to use the configured ciphers; should've done that in the first place. Moreover we should probably log (rate-limited) when we see one we didn't expect, otherwise you can't learn from production what it was. |
mattklein123
added
area/stats
area/tls
help wanted
jmarantz
added a commit
that referenced
this issue
Jan 6, 2021
Commit Message: Stats are only kept for a set of known SSL ciphers, to bound memory use. That set was previously determined by running unit tests and capturing which ciphers were referenced. This PR changes it to use the configured ciphers. Additional Description: Risk Level: medium Testing: //test/... Docs Changes: n/a Release Notes: n/a Fixes: #14524 Signed-off-by: Joshua Marantz <jmarantz@google.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The list of cipher names and curves supported by BoringSSL is larger than the set that Envoy exports stats for ("cluster.[cluster_name].ssl.ciphers.[cipher]" and ("cluster.[cluster_name].ssl.curves.[cipher]"). The list in Envoy is currently hard-coded and separate from the list of actual supported stats.
/cc @jmarantz @PiotrSikora
The text was updated successfully, but these errors were encountered: