Policy docs are here - https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html
I suspect we want to choose TLSv1.2_2021, but I don't know if there's a good way to evaluate whether we're cutting anyone off. Anything routed through Fastly should be pretty safe to switch to the newer policy I think.
Our Fastly configuration is currently "TLS v1.2 & TLS v1.3 + 0RTT" across all 4 domains here -- afaict, that's limiting to 1.2 and 1.3 (with optional early data support).[^1]
Current setup:
TLSv1:
- static.crates.io
- cloudfront-static.crates.io
- static.staging.crates.io
- cloudfront-static.staging.crates.io
- staging.crates.io
- crates.io
- www.crates.io
- cratesio.com
- www.cratesio.com
- www.docs.rs
- www.docsrs.com
- docsrs.com
- arewewebyet.org
- package.metadata.docs.rs
- index.crates.io
- index.staging.crates.io
- cfp.rustconf.com
TLSv1.1_2016:
- dev-static.rust-lang.org
- cloudfront-dev-static.rust-lang.org
- static.rust-lang.org
- cloudfront-static.rust-lang.org
- rust-lang.org
- www.rustlang.net
- www.rustlang.org
- www.rustlang.com
- www.rust-lang.com
- www.rust-lang.net
- win.rustup.rs
- sh.rustup.rs
- www.rustup.rs
- rustup.net
- www.rustup.org
- rustup.org
- www.rustup.net
- rustup.rs
- doc.rust-lang.org
- rustlang.net
- rustlang.com
- rustlang.org
- rust-lang.com
- rust-lang.net
- docs.rust-lang.org
- dev-doc.rust-lang.org
- beta.rust-lang.org
- www.rust-lang.org
- docs.rs
- thanks.rust-lang.org
- reach.rust-lang.org
- test.docs.rs
- dev.rustup.rs
- play.rust-lang.org
- dev-win.rustup.rs
- rustup-builds.rust-lang.org
TLSv1.2_2021:
- prev.rust-lang.org
- forge.rust-lang.org
- ci-mirrors.rust-lang.org
- ci-caches.rust-lang.org
- ci-artifacts.rust-lang.org
- perf-data.rust-lang.org
- crates-io-index-temp.rust-lang.org
- static.docs.rs
Footnotes
[^1]: HTTP/3 is technically supported but seems to need a different domain (n.sni.global.fastly.net) which we don't CNAME to.
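
One way to approach the "are we cutting anyone off" question raised above, as an added example that is not part of the original issue or the project's tooling: tally, per host, the requests in CloudFront standard logs whose `ssl-protocol` or `ssl-cipher` value falls outside TLSv1.2_2021. The log rows are constructed, the function names are hypothetical, and the cipher set is an assumption to check against the linked policy docs.

```python
from collections import Counter, defaultdict

POLICY_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
# Assumed cipher set for TLSv1.2_2021; confirm against the linked policy table.
POLICY_CIPHERS = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-CHACHA20-POLY1305",
}
# Constructed sample; real standard logs carry more columns, found by name via "#Fields:".
FIELDS = "date time c-ip cs(User-Agent) x-host-header cs-protocol ssl-protocol ssl-cipher"
ROWS = [
    ("192.0.2.10", "cargo", "static.crates.io", "https", "TLSv1.3", "TLS_AES_128_GCM_SHA256"),
    ("192.0.2.11", "curl/7.19.7", "static.crates.io", "https", "TLSv1", "ECDHE-RSA-AES128-SHA"),
    ("192.0.2.12", "rustup", "static.rust-lang.org", "https", "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
    ("192.0.2.13", "Wget/1.12", "static.rust-lang.org", "https", "TLSv1.2", "AES128-SHA"),
    ("192.0.2.14", "curl/7.19.7", "static.rust-lang.org", "https", "TLSv1.1", "ECDHE-RSA-AES128-SHA"),
    ("192.0.2.15", "Wget/1.12", "static.rust-lang.org", "http", "-", "-"),
]
SAMPLE_LOG = ["#Version: 1.0", "#Fields: " + FIELDS] + [
    "\t".join(("2024-01-01", "00:00:00") + row) for row in ROWS]

def parse_records(lines):
    """Yield one dict per request, keyed by the names in the '#Fields:' header."""
    fields = []
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line and not line.startswith("#"):
            values = line.split("\t")
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def cut_off_report(lines):
    """Per host: (refused count, TLS request count, Counter of refused (protocol, cipher, agent))."""
    totals, refused = Counter(), defaultdict(Counter)
    for rec in parse_records(lines):
        proto, cipher = rec["ssl-protocol"], rec["ssl-cipher"]
        if proto == "-":  # plain-HTTP request, no TLS handshake logged
            continue
        host = rec["x-host-header"]
        totals[host] += 1
        if proto not in POLICY_PROTOCOLS or cipher not in POLICY_CIPHERS:
            refused[host][(proto, cipher, rec["cs(User-Agent)"])] += 1
    return {h: (sum(refused[h].values()), totals[h], refused[h]) for h in totals}

if __name__ == "__main__":
    for host, (bad, total, _) in sorted(cut_off_report(SAMPLE_LOG).items()):
        print(f"{host}: {bad}/{total} TLS requests outside TLSv1.2_2021")
```

A request flagged only on its cipher is a candidate rather than proof of breakage, since the log records the suite that was negotiated, not everything the client offered.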