| 2 Jun 2025 |
Arian | Some interesting things I noticed looking at Fastly dashboard:
We have 0 requests using TLS 1.3. They’re all using TLS 1.2. Is this some limitation in the nix codebase in how we set up openssl?
half of the requests are HTTP1.1 and the other half HTTP2. I would expect way more (maybe even all) to be HTTP2. Where is all that HTTP1.1 traffic coming from?
| 20:39:52 |
hexa | our config does not support tls1.3 | 20:48:04 |
hexa | it supports 1.1 and 1.2 and all clients use 1.2 | 20:48:11 |
hexa | at least the last time I checked, which was early januar | 20:48:29 |
hexa | * at least the last time I checked, which was early january | 20:48:30 |
hexa | interesting profiles would support h2/h3 with 0rtt, but the offered ones lack ipv6 | 20:49:02 |
hexa | see https://manage.fastly.com/network/subscriptions | 20:50:51 |
Arian | having to choose between TLS1.3 and IPv6 is wild | 20:51:18 |
hexa | hm, no … that's not it | 20:51:20 |
hexa | https://manage.fastly.com/network/tls-configurations | 20:51:31 |
Arian | Okay that’s one mystery down. But why is half our traffic HTTP 1.1? | 20:51:39 |
hexa | that is surprising to me | 20:52:08 |
Arian | https://manage.fastly.com/observability/dashboard/system/overview/details/Tb10gX/7mNUQGZO6YxAd2jpokgWxS?mode=historic&view=data | 20:53:15 |
hexa | oh, I confused h1/h2 with tls11/12 | 20:54:39 |
hexa | and while we offer tls11/12 all clients use tls12 | 20:54:50 |
hexa | * oh, I misremembered the numbers for tls11/12 as h1/h2 | 20:55:11 |
hexa | so one thing we could add is an HTTPS record with ALPN information | 20:55:34 |
hexa | and see if that makes a dent, though I would be surprised if it did | 20:55:54 |
emily | does Nix itself speak h2? | 20:58:23 |
hexa | I would hope so, since it relies on curl | 20:58:43 |
Arian | Yes, it has been speaking H2 for ages
https://github.com/NixOS/nix/blob/e72f19eb28189c9aaaa051423d3c35c93a591fad/src/libstore/filetransfer.cc#L353-L357
unless you disable it explicitly in the config
| 20:58:56 |
Arian | but this would mean half our users opted out of using it? that seems odd to me | 20:59:18 |
hexa | unlikely | 20:59:28 |
K900 | There's also corporate proxies | 20:59:38 |
edef | split it out by user agent | 20:59:39 |
K900 | And DPI bullshit | 20:59:42 |
edef | and maybe origin AS | 20:59:55 |
hexa | at least the dashboard does not seem to offer that granularity | 21:00:51 |
hexa | * at least their dashboard does not seem to offer that granularity | 21:00:58 |
edef | okay, maybe after I've had coffee | 21:01:10 |