simpleinfra

Move to newer TLS policies on CloudFront

Open · Mark-Simulacrum opened this issue 7 months ago · 1 comment

Policy docs are here - https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html

I suspect we want to choose TLSv1.2_2021, but I don't know if there's a good way to evaluate whether we're cutting anyone off. Anything routed through Fastly should be pretty safe to switch to the newer policy I think.

Our Fastly configuration is currently "TLS v1.2 & TLS v1.3 + 0RTT" across all 4 domains here -- afaict, that's limiting to 1.2 and 1.3 (with optional early data support).[^1]

[^1]: HTTP/3 is technically supported but seems to need a different domain (n.sni.global.fastly.net) which we don't CNAME to.

Current setup:

TLSv1:

  • static.crates.io
  • cloudfront-static.crates.io
  • static.staging.crates.io
  • cloudfront-static.staging.crates.io
  • staging.crates.io
  • crates.io
  • www.crates.io
  • cratesio.com
  • www.cratesio.com
  • www.docs.rs
  • www.docsrs.com
  • docsrs.com
  • arewewebyet.org
  • package.metadata.docs.rs
  • index.crates.io
  • index.staging.crates.io
  • cfp.rustconf.com

TLSv1.1_2016:

  • dev-static.rust-lang.org
  • cloudfront-dev-static.rust-lang.org
  • static.rust-lang.org
  • cloudfront-static.rust-lang.org
  • rust-lang.org
  • www.rustlang.net
  • www.rustlang.org
  • www.rustlang.com
  • www.rust-lang.com
  • www.rust-lang.net
  • win.rustup.rs
  • sh.rustup.rs
  • www.rustup.rs
  • rustup.net
  • www.rustup.org
  • rustup.org
  • www.rustup.net
  • rustup.rs
  • doc.rust-lang.org
  • rustlang.net
  • rustlang.com
  • rustlang.org
  • rust-lang.com
  • rust-lang.net
  • docs.rust-lang.org
  • dev-doc.rust-lang.org
  • beta.rust-lang.org
  • www.rust-lang.org
  • docs.rs
  • thanks.rust-lang.org
  • reach.rust-lang.org
  • test.docs.rs
  • dev.rustup.rs
  • play.rust-lang.org
  • dev-win.rustup.rs
  • rustup-builds.rust-lang.org

TLSv1.2_2021:

  • prev.rust-lang.org
  • forge.rust-lang.org
  • ci-mirrors.rust-lang.org
  • ci-caches.rust-lang.org
  • ci-artifacts.rust-lang.org
  • perf-data.rust-lang.org
  • crates-io-index-temp.rust-lang.org
  • static.docs.rs

Mark-Simulacrum, May 10 '25 16:05

When we rolled out Fastly, we started with their HTTP/3 & TLS v1.3 + 0RTT (n.sni.global.fastly.net) configuration, given that TLS v1.1 has been deprecated since forever. But that caused issues with cargo on Windows XP (https://github.com/rust-lang/cargo/issues/12296), so Fastly enabled a legacy configuration for us with TLS v1.2 and more cipher suites.

jdno, Jul 14 '25 10:07

index.crates.io (dualstack.n.sni.global.fastly.net) now only supports TLS 1.3 (2025) and TLS 1.2 with the following three cipher suites:

  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-CHACHA20-POLY1305

This configuration is even more restrictive than CloudFront’s TLSv1.2_2025 policy.

Is this change intentional? As a result, Cargo no longer works on any version of Windows older than Windows 10 unless a proxy/tunnel is used or the slower Git-based index fallback is enabled.

i486, Dec 25 '25 03:12
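Added example, not code from the issue or from the simpleinfra repository: a small model of TLS version and cipher-suite negotiation that turns the question in the opening post ("are we cutting anyone off?") into a check. The server profile is the index.crates.io configuration quoted in the comment above; the TLS 1.3 suite names come from RFC 8446; the client profiles are constructed for illustration, not measured from any real client stack, and `local_openssl_profile()` reads what the running interpreter's OpenSSL would offer.

```python
import ssl
VERSION_ORDER = ("TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3")
# TLS 1.3 suite names are fixed by RFC 8446 and negotiated separately.
TLS13_SUITES = ("TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256",
                "TLS_CHACHA20_POLY1305_SHA256")
# Server profile as quoted in the thread for index.crates.io.
INDEX_CRATES_IO = {"versions": ("TLSv1.2", "TLSv1.3"),
                   "suites": {"TLSv1.3": TLS13_SUITES,
                              "TLSv1.2": ("ECDHE-RSA-AES256-GCM-SHA384",
                                          "ECDHE-RSA-AES128-GCM-SHA256",
                                          "ECDHE-RSA-CHACHA20-POLY1305")}}
# Constructed client profiles (illustrative, not measured from real stacks).
CLIENTS = {
    "modern": {"versions": ("TLSv1.2", "TLSv1.3"),
               "suites": {"TLSv1.3": TLS13_SUITES,
                          "TLSv1.2": ("ECDHE-RSA-AES128-GCM-SHA256",)}},
    "tls12-aead": {"versions": ("TLSv1.2",),
                   "suites": {"TLSv1.2": ("ECDHE-RSA-AES128-GCM-SHA256",)}},
    "tls12-cbc-only": {"versions": ("TLSv1.0", "TLSv1.1", "TLSv1.2"),
                       "suites": {"TLSv1.2": ("ECDHE-RSA-AES128-SHA",
                                              "AES128-SHA")}},
    "tls10-only": {"versions": ("TLSv1.0",), "suites": {"TLSv1.0": ("AES128-SHA",)}},
}

def negotiate(server, client):
    """Return (version, suite) a server-preference handshake picks, or None.
    Highest common version wins; no common suite there means a hard failure."""
    common = [v for v in VERSION_ORDER
              if v in server["versions"] and v in client["versions"]]
    if not common:
        return None
    version = common[-1]
    offered = client["suites"].get(version, ())
    for suite in server["suites"].get(version, ()):  # server preference order
        if suite in offered:
            return (version, suite)
    return None

def cut_off(server, clients):
    """Names of the client profiles that can no longer connect to `server`."""
    return sorted(n for n, c in clients.items() if negotiate(server, c) is None)

def local_openssl_profile():
    """Profile of this interpreter's default OpenSSL client context."""
    names = {c["name"] for c in ssl.create_default_context().get_ciphers()}
    tls13 = tuple(n for n in names if n.startswith("TLS_"))
    return {"versions": ("TLSv1.2", "TLSv1.3") if tls13 else ("TLSv1.2",),
            "suites": {"TLSv1.3": tls13,
                       "TLSv1.2": tuple(n for n in names if n not in tls13)}}
```

To estimate the impact of a CloudFront policy instead, replace `INDEX_CRATES_IO` with that policy's minimum version and cipher list from the AWS page linked in the opening post.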

I don't think that was intentional. We'll need to look at adjusting the configuration to match what our other Fastly endpoints use.

Mark-Simulacrum, Dec 25 '25 04:12