Create a decoder for incoming TLS Error Report data in the new data pipeline

RESOLVED FIXED

Status

Webtools
Telemetry Server
2 years ago
a year ago

People

(Reporter: mgoodwin, Assigned: mgoodwin)

Tracking

Trunk

Firefox Tracking Flags

(firefox47 affected)

Details

(Assignee)

Description

2 years ago
TLS Error reports are small JSON documents containing the following information:

{
  "build":"20160105164030", // the build ID of the client
  "channel":"release", // the release channel the client is on
  "errorCode":-8054, // the error that caused the TLS failure
  "failedCertChain":[], // if there's a cert chain, this will contain base64 encoded certs
  "hostname":"fr.yahoo.com", // The hostname the client attempted to connect to
  "port":"", // If the connection was to a non-standard port, what was it?
  "product":"Firefox", // Which product is this?
  "timestamp":1455192160, // At what time does the client think it sent the report
  "userAgent":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0", // The UA string
  "version":1 // what version of the report schema is this?
}

There are two things we'd want to do to this data at collection time:
1) Record the difference between what time the client thinks it is and the server time (many TLS errors are the result of clock issues on the client).
2) Unpack useful information from the certificate chain. In particular:
 - From the root: what is the subject, public key hash?
 - From the end-entity: what is the subject, what are the SANs? Do any of the subject / SANs match the hostname?
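
The two collection-time steps described above, as an added Python example; it is not part of the bug report and is not the Lua decoder from the data-pipeline PR. The `parse_cert` callback and its field names, the output field names, the 300-second threshold and the end-entity-first chain order are assumptions made for illustration.

```python
import json

MAX_SKEW = 300  # seconds; assumed threshold for calling a report clock-suspect


def name_matches(pattern, hostname):
    """Exact match, or one '*' as the entire leftmost label (one label only)."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if p == h:
        return True
    # Refuse wildcards directly under a TLD ("*.com") and partial labels ("f*.x").
    return p[0] == "*" and len(p) >= 3 and len(p) == len(h) and p[1:] == h[1:]


def decode_report(payload, server_time, parse_cert=None):
    """Turn one client-supplied (untrusted) report into flat pipeline fields.

    parse_cert is a hypothetical callback: base64 cert -> dict with
    'subject_cn', 'sans' and 'spki_hash'. X.509 parsing itself is out of scope.
    """
    report = json.loads(payload)
    if not isinstance(report, dict) or report.get("version") != 1:
        raise ValueError("unsupported report")
    ts, host = report.get("timestamp"), report.get("hostname")
    if isinstance(ts, bool) or not isinstance(ts, int) or not isinstance(host, str):
        raise ValueError("bad timestamp or hostname")

    skew = ts - server_time  # positive: client clock is ahead of the server
    out = {"hostname": host, "errorCode": report.get("errorCode"),
           "clockSkew": skew, "clockSuspect": abs(skew) > MAX_SKEW}

    chain = report.get("failedCertChain") or []
    if chain and parse_cert:
        # Assumed order: end-entity first, root last.
        ee, root = parse_cert(chain[0]), parse_cert(chain[-1])
        names = [n for n in [ee["subject_cn"], *ee["sans"]] if n]
        out.update(eeSubject=ee["subject_cn"], eeSans=list(ee["sans"]),
                   hostnameMatch=any(name_matches(n, host) for n in names),
                   rootSubject=root["subject_cn"], rootKeyHash=root["spki_hash"])
    return out


# Constructed sample: the report from the description, minus its // comments.
SAMPLE = json.dumps({"build": "20160105164030", "channel": "release",
                     "errorCode": -8054, "failedCertChain": [],
                     "hostname": "fr.yahoo.com", "port": "", "product": "Firefox",
                     "timestamp": 1455192160, "version": 1})

if __name__ == "__main__":
    print(decode_report(SAMPLE, server_time=1455192160 + 86400))
```
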
(Assignee)

Comment 1

2 years ago
I have code. How do I get this deployed?
Flags: needinfo?(whd)

Comment 2

2 years ago
(In reply to Mark Goodwin [:mgoodwin] from comment #1)
> I have code. How do I get this deployed?

Please either attach it to this bug or send a pull request to the data-pipeline repo at
https://github.com/mozilla-services/data-pipeline

You'll want to put the new decoder into the 'heka/sandbox/decoders' directory.

Updated

2 years ago
Flags: needinfo?(whd)
(Assignee)

Comment 3

2 years ago
Changes were made to Lua-openssl to allow for the host checks. See https://github.com/zhaozg/lua-openssl/commit/f561a8c4fedd15acd5d89e8f6825ee0b391f5dba

The PR for the data-pipeline additions is here: https://github.com/mozilla-services/data-pipeline/pull/210
(Assignee)

Comment 4

a year ago
PR was merged
Status: NEW → RESOLVED
Last Resolved: a year ago
Resolution: --- → FIXED