This repository has been archived by the owner on Dec 3, 2019. It is now read-only.
Add functions to httparchive.go to restrict certificate SANs #4651
WPR requests get served from a single server on playback, which leads to connection reuse that would otherwise not be possible in production. E.g. the SSL cert for www.msn.com is valid for *.msn.com. This also matches c.msn.com & otf.msn.com. When testing with WPR, requests to these domains can all be served on one TCP connection.
In production, this would never occur as these domains are actually different servers (having different IP addresses).
Why is this a problem?
• This results in fewer connections and alters the behavior of the waterfall. In cases where the additional connection set-up is on the critical path for a primary metric, it could result in faster web perf metrics with WPR.
What does the change do?
• The functions for transforming certificates record the IP addresses of the actual servers when they make a connection to them.
• Then we edit their Subject Alternative Names fields so that only those requests which are to the same destination IP can be served on the same connection.
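
The SAN restriction described above, sketched as an added example that is not the code from this pull request or from WPR. The names `matchesSAN` and `restrictSANs` and the hostname-to-IP map are hypothetical, and the addresses are constructed documentation-range values.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// matchesSAN reports whether host is covered by a certificate DNS name,
// honouring a single left-most wildcard label such as "*.msn.com".
func matchesSAN(san, host string) bool {
	san, host = strings.ToLower(san), strings.ToLower(host)
	if !strings.HasPrefix(san, "*.") {
		return san == host
	}
	dot := strings.IndexByte(host, '.')
	return dot > 0 && host[dot:] == san[1:]
}

// restrictSANs returns the DNS names a replay certificate for host should
// carry: recorded hosts that the original certificate covers and that were
// reached at the same IP as host when the archive was recorded.
func restrictSANs(host string, certSANs []string, recordedIP map[string]string) []string {
	ip, ok := recordedIP[host]
	if !ok {
		return []string{host} // no recorded IP: cover only the requested host
	}
	var out []string
	for h, hip := range recordedIP {
		for _, san := range certSANs {
			if hip == ip && matchesSAN(san, h) {
				out = append(out, h)
				break
			}
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample data (hypothetical record-time IPs).
	recorded := map[string]string{"www.msn.com": "192.0.2.10", "c.msn.com": "192.0.2.20", "otf.msn.com": "192.0.2.10"}
	fmt.Println(restrictSANs("www.msn.com", []string{"*.msn.com"}, recorded))
}
```

With this data, the replay certificate for www.msn.com no longer covers c.msn.com, so a client has to open a separate connection for it, as it would against the real servers.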