From ff3442d92d7298381b71513b2c489f90ae81ddf0 Mon Sep 17 00:00:00 2001 From: David Anderson Date: Fri, 21 Jan 2022 14:07:40 -0800 Subject: [PATCH] cmd/derper: record TLS versions used for requests. Surveying the fleet prior to turning off old/unused/insecure TLS versions. Updates tailscale/corp#3615 Signed-off-by: David Anderson --- cmd/derper/derper.go | 27 ++++++++++++++++++++++++--- 1 file changed, 24 insertions(+), 3 deletions(-) diff --git a/cmd/derper/derper.go b/cmd/derper/derper.go index d7007ed78..748fa333f 100644 --- a/cmd/derper/derper.go +++ b/cmd/derper/derper.go @@ -51,9 +51,11 @@ var ( ) var ( - stats = new(metrics.Set) - stunDisposition = &metrics.LabelMap{Label: "disposition"} - stunAddrFamily = &metrics.LabelMap{Label: "family"} + stats = new(metrics.Set) + stunDisposition = &metrics.LabelMap{Label: "disposition"} + stunAddrFamily = &metrics.LabelMap{Label: "family"} + tlsRequestVersion = &metrics.LabelMap{Label: "version"} + tlsActiveVersion = &metrics.LabelMap{Label: "version"} stunReadError = stunDisposition.Get("read_error") stunNotSTUN = stunDisposition.Get("not_stun") @@ -67,6 +69,8 @@ var ( func init() { stats.Set("counter_requests", stunDisposition) stats.Set("counter_addrfamily", stunAddrFamily) + stats.Set("tls_request_version", tlsRequestVersion) + stats.Set("gauge_tls_active_version", tlsActiveVersion) expvar.Publish("stun", stats) } @@ -238,6 +242,23 @@ func main() { return cert, nil } httpsrv.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + if r.TLS != nil { + label := "unknown" + switch r.TLS.Version { + case tls.VersionTLS10: + label = "1.0" + case tls.VersionTLS11: + label = "1.1" + case tls.VersionTLS12: + label = "1.2" + case tls.VersionTLS13: + label = "1.3" + } + tlsRequestVersion.Add(label, 1) + tlsActiveVersion.Add(label, 1) + defer tlsActiveVersion.Add(label, -1) + } + // Set HTTP headers to appease automated security scanners. // // Security automation gets cranky when HTTPS sites don't