letsencrypt
/
boulder
mirror of https://github.com/letsencrypt/boulder.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

publisher: disable HTTP/2 support. (#4239) 

In Boulder Issue 3821[0] we found that HTTP/2 support was causing hard
to diagnose intermittent freezes in CT submission. Disabling HTTP/2 with
an environment variable resolved the freezes but is not a stable fix.

Per the Go `http` package docs we can make this change persistent by
changing the `http.Transport` config:

  Programs that must disable HTTP/2 can do so by setting
  Transport.TLSNextProto (for clients) or Server.TLSNextProto (for
  servers) to a non-nil, empty map"

[0]: https://github.com/letsencrypt/boulder/issues/3821
This commit is contained in:
Daniel McCarney 2019-05-30 14:17:18 -04:00 committed by GitHub
parent dc11681faa
commit 3c66732bd8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 14 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
publisher/publisher.go
View File

@ -5,6 +5,7 @@ import (
"crypto/ecdsa" "crypto/ecdsa"
"crypto/rand" "crypto/rand"
"crypto/sha256" "crypto/sha256"
"crypto/tls"
"crypto/x509" "crypto/x509"
"encoding/asn1" "encoding/asn1"
"encoding/base64" "encoding/base64"
@ -20,7 +21,6 @@ import (
"github.com/google/certificate-transparency-go" "github.com/google/certificate-transparency-go"
ctClient "github.com/google/certificate-transparency-go/client" ctClient "github.com/google/certificate-transparency-go/client"
"github.com/google/certificate-transparency-go/jsonclient" "github.com/google/certificate-transparency-go/jsonclient"
"github.com/google/certificate-transparency-go/tls"
cttls "github.com/google/certificate-transparency-go/tls" cttls "github.com/google/certificate-transparency-go/tls"
"github.com/prometheus/client_golang/prometheus" "github.com/prometheus/client_golang/prometheus"
@ -131,6 +131,18 @@ func NewLog(uri, b64PK string, logger blog.Logger) (*Log, error) {
MaxIdleConns: http.DefaultTransport.(*http.Transport).MaxIdleConns, MaxIdleConns: http.DefaultTransport.(*http.Transport).MaxIdleConns,
IdleConnTimeout: http.DefaultTransport.(*http.Transport).IdleConnTimeout, IdleConnTimeout: http.DefaultTransport.(*http.Transport).IdleConnTimeout,
TLSHandshakeTimeout: http.DefaultTransport.(*http.Transport).TLSHandshakeTimeout, TLSHandshakeTimeout: http.DefaultTransport.(*http.Transport).TLSHandshakeTimeout,
// In Boulder Issue 3821[0] we found that HTTP/2 support was causing hard
// to diagnose intermittent freezes in CT submission. Disabling HTTP/2 with
// an environment variable resolved the freezes but is not a stable fix.
//
// Per the Go `http` package docs we can make this change persistent by
// changing the `http.Transport` config:
// "Programs that must disable HTTP/2 can do so by setting
// Transport.TLSNextProto (for clients) or Server.TLSNextProto (for
// servers) to a non-nil, empty map"
//
// [0]: https://github.com/letsencrypt/boulder/issues/3821
TLSNextProto: map[string]func(string, *tls.Conn) http.RoundTripper{},
}, },
} }
client, err := ctClient.New(url.String(), httpClient, opts) client, err := ctClient.New(url.String(), httpClient, opts)
@ -266,7 +278,7 @@ func (pub *Impl) SubmitToSingleCTWithResult(ctx context.Context, req *pubpb.Requ
return nil, err return nil, err
} }
sctBytes, err := tls.Marshal(*sct) sctBytes, err := cttls.Marshal(*sct)
if err != nil { if err != nil {
return nil, err return nil, err
} }