Add metrics about TLS

2020-03-05 13:30:05 +01:00 · 2020-03-05 13:30:05 +01:00 · ad6bf936d5
parent a6040c623b
commit ad6bf936d5
6 changed files with 178 additions and 37 deletions
--- a/pkg/metrics/metrics.go
+++ b/pkg/metrics/metrics.go
@ -20,11 +20,13 @@ type Registry interface {

 	// entry point metrics
 	EntryPointReqsCounter() metrics.Counter
+	EntryPointReqsTLSCounter() metrics.Counter
 	EntryPointReqDurationHistogram() metrics.Histogram
 	EntryPointOpenConnsGauge() metrics.Gauge

 	// service metrics
 	ServiceReqsCounter() metrics.Counter
+	ServiceReqsTLSCounter() metrics.Counter
 	ServiceReqDurationHistogram() metrics.Histogram
 	ServiceOpenConnsGauge() metrics.Gauge
 	ServiceRetriesCounter() metrics.Counter
@ -46,9 +48,11 @@ func NewMultiRegistry(registries []Registry) Registry {
 	var lastConfigReloadSuccessGauge []metrics.Gauge
 	var lastConfigReloadFailureGauge []metrics.Gauge
 	var entryPointReqsCounter []metrics.Counter
+	var entryPointReqsTLSCounter []metrics.Counter
 	var entryPointReqDurationHistogram []metrics.Histogram
 	var entryPointOpenConnsGauge []metrics.Gauge
 	var serviceReqsCounter []metrics.Counter
+	var serviceReqsTLSCounter []metrics.Counter
 	var serviceReqDurationHistogram []metrics.Histogram
 	var serviceOpenConnsGauge []metrics.Gauge
 	var serviceRetriesCounter []metrics.Counter
@ -70,6 +74,9 @@ func NewMultiRegistry(registries []Registry) Registry {
 		if r.EntryPointReqsCounter() != nil {
 			entryPointReqsCounter = append(entryPointReqsCounter, r.EntryPointReqsCounter())
 		}
+		if r.EntryPointReqsTLSCounter() != nil {
+			entryPointReqsTLSCounter = append(entryPointReqsTLSCounter, r.EntryPointReqsTLSCounter())
+		}
 		if r.EntryPointReqDurationHistogram() != nil {
 			entryPointReqDurationHistogram = append(entryPointReqDurationHistogram, r.EntryPointReqDurationHistogram())
 		}
@ -79,6 +86,9 @@ func NewMultiRegistry(registries []Registry) Registry {
 		if r.ServiceReqsCounter() != nil {
 			serviceReqsCounter = append(serviceReqsCounter, r.ServiceReqsCounter())
 		}
+		if r.ServiceReqsTLSCounter() != nil {
+			serviceReqsTLSCounter = append(serviceReqsTLSCounter, r.ServiceReqsTLSCounter())
+		}
 		if r.ServiceReqDurationHistogram() != nil {
 			serviceReqDurationHistogram = append(serviceReqDurationHistogram, r.ServiceReqDurationHistogram())
 		}
@ -101,9 +111,11 @@ func NewMultiRegistry(registries []Registry) Registry {
 		lastConfigReloadSuccessGauge:   multi.NewGauge(lastConfigReloadSuccessGauge...),
 		lastConfigReloadFailureGauge:   multi.NewGauge(lastConfigReloadFailureGauge...),
 		entryPointReqsCounter:          multi.NewCounter(entryPointReqsCounter...),
+		entryPointReqsTLSCounter:       multi.NewCounter(entryPointReqsTLSCounter...),
 		entryPointReqDurationHistogram: multi.NewHistogram(entryPointReqDurationHistogram...),
 		entryPointOpenConnsGauge:       multi.NewGauge(entryPointOpenConnsGauge...),
 		serviceReqsCounter:             multi.NewCounter(serviceReqsCounter...),
+		serviceReqsTLSCounter:          multi.NewCounter(serviceReqsTLSCounter...),
 		serviceReqDurationHistogram:    multi.NewHistogram(serviceReqDurationHistogram...),
 		serviceOpenConnsGauge:          multi.NewGauge(serviceOpenConnsGauge...),
 		serviceRetriesCounter:          multi.NewCounter(serviceRetriesCounter...),
@ -119,9 +131,11 @@ type standardRegistry struct {
 	lastConfigReloadSuccessGauge   metrics.Gauge
 	lastConfigReloadFailureGauge   metrics.Gauge
 	entryPointReqsCounter          metrics.Counter
+	entryPointReqsTLSCounter       metrics.Counter
 	entryPointReqDurationHistogram metrics.Histogram
 	entryPointOpenConnsGauge       metrics.Gauge
 	serviceReqsCounter             metrics.Counter
+	serviceReqsTLSCounter          metrics.Counter
 	serviceReqDurationHistogram    metrics.Histogram
 	serviceOpenConnsGauge          metrics.Gauge
 	serviceRetriesCounter          metrics.Counter
@ -156,6 +170,10 @@ func (r *standardRegistry) EntryPointReqsCounter() metrics.Counter {
 	return r.entryPointReqsCounter
 }

+func (r *standardRegistry) EntryPointReqsTLSCounter() metrics.Counter {
+	return r.entryPointReqsTLSCounter
+}
+
 func (r *standardRegistry) EntryPointReqDurationHistogram() metrics.Histogram {
 	return r.entryPointReqDurationHistogram
 }
@ -168,6 +186,10 @@ func (r *standardRegistry) ServiceReqsCounter() metrics.Counter {
 	return r.serviceReqsCounter
 }

+func (r *standardRegistry) ServiceReqsTLSCounter() metrics.Counter {
+	return r.serviceReqsTLSCounter
+}
+
 func (r *standardRegistry) ServiceReqDurationHistogram() metrics.Histogram {
 	return r.serviceReqDurationHistogram
 }
--- a/pkg/metrics/prometheus.go
+++ b/pkg/metrics/prometheus.go
@ -28,16 +28,18 @@ const (
 	configLastReloadFailureName    = metricConfigPrefix + "last_reload_failure"

 	// entry point
-	metricEntryPointPrefix    = MetricNamePrefix + "entrypoint_"
-	entryPointReqsTotalName   = metricEntryPointPrefix + "requests_total"
-	entryPointReqDurationName = metricEntryPointPrefix + "request_duration_seconds"
-	entryPointOpenConnsName   = metricEntryPointPrefix + "open_connections"
+	metricEntryPointPrefix     = MetricNamePrefix + "entrypoint_"
+	entryPointReqsTotalName    = metricEntryPointPrefix + "requests_total"
+	entryPointReqsTLSTotalName = metricEntryPointPrefix + "requests_tls_total"
+	entryPointReqDurationName  = metricEntryPointPrefix + "request_duration_seconds"
+	entryPointOpenConnsName    = metricEntryPointPrefix + "open_connections"

 	// service level.

 	// MetricServicePrefix prefix of all service metric names
 	MetricServicePrefix     = MetricNamePrefix + "service_"
 	serviceReqsTotalName    = MetricServicePrefix + "requests_total"
+	serviceReqsTLSTotalName = MetricServicePrefix + "requests_tls_total"
 	serviceReqDurationName  = MetricServicePrefix + "request_duration_seconds"
 	serviceOpenConnsName    = MetricServicePrefix + "open_connections"
 	serviceRetriesTotalName = MetricServicePrefix + "retries_total"
@ -136,6 +138,10 @@ func initStandardRegistry(config *types.Prometheus) Registry {
 			Name: entryPointReqsTotalName,
 			Help: "How many HTTP requests processed on an entrypoint, partitioned by status code, protocol, and method.",
 		}, []string{"code", "method", "protocol", "entrypoint"})
+		entryPointReqsTLS := newCounterFrom(promState.collectors, stdprometheus.CounterOpts{
+			Name: entryPointReqsTLSTotalName,
+			Help: "How many HTTP requests with TLS processed on an entrypoint, partitioned by TLS Version and TLS cipher Used.",
+		}, []string{"tls_version", "tls_cipher", "entrypoint"})
 		entryPointReqDurations := newHistogramFrom(promState.collectors, stdprometheus.HistogramOpts{
 			Name:    entryPointReqDurationName,
 			Help:    "How long it took to process the request on an entrypoint, partitioned by status code, protocol, and method.",
@ -148,10 +154,12 @@ func initStandardRegistry(config *types.Prometheus) Registry {

 		promState.describers = append(promState.describers, []func(chan<- *stdprometheus.Desc){
 			entryPointReqs.cv.Describe,
+			entryPointReqsTLS.cv.Describe,
 			entryPointReqDurations.hv.Describe,
 			entryPointOpenConns.gv.Describe,
 		}...)
 		reg.entryPointReqsCounter = entryPointReqs
+		reg.entryPointReqsTLSCounter = entryPointReqsTLS
 		reg.entryPointReqDurationHistogram = entryPointReqDurations
 		reg.entryPointOpenConnsGauge = entryPointOpenConns
 	}
@ -160,6 +168,10 @@ func initStandardRegistry(config *types.Prometheus) Registry {
 			Name: serviceReqsTotalName,
 			Help: "How many HTTP requests processed on a service, partitioned by status code, protocol, and method.",
 		}, []string{"code", "method", "protocol", "service"})
+		serviceReqsTLS := newCounterFrom(promState.collectors, stdprometheus.CounterOpts{
+			Name: serviceReqsTLSTotalName,
+			Help: "How many HTTP requests with TLS processed on a service, partitioned by TLS version and TLS cipher.",
+		}, []string{"tls_version", "tls_cipher", "service"})
 		serviceReqDurations := newHistogramFrom(promState.collectors, stdprometheus.HistogramOpts{
 			Name:    serviceReqDurationName,
 			Help:    "How long it took to process the request on a service, partitioned by status code, protocol, and method.",
@ -180,6 +192,7 @@ func initStandardRegistry(config *types.Prometheus) Registry {

 		promState.describers = append(promState.describers, []func(chan<- *stdprometheus.Desc){
 			serviceReqs.cv.Describe,
+			serviceReqsTLS.cv.Describe,
 			serviceReqDurations.hv.Describe,
 			serviceOpenConns.gv.Describe,
 			serviceRetries.cv.Describe,
@ -187,6 +200,7 @@ func initStandardRegistry(config *types.Prometheus) Registry {
 		}...)

 		reg.serviceReqsCounter = serviceReqs
+		reg.serviceReqsTLSCounter = serviceReqsTLS
 		reg.serviceReqDurationHistogram = serviceReqDurations
 		reg.serviceOpenConnsGauge = serviceOpenConns
 		reg.serviceRetriesCounter = serviceRetries
--- a/pkg/middlewares/metrics/metrics.go
+++ b/pkg/middlewares/metrics/metrics.go
@ -2,6 +2,7 @@ package metrics

 import (
 	"context"
+	"crypto/tls"
 	"net/http"
 	"strconv"
 	"strings"
@ -13,6 +14,7 @@ import (
 	"github.com/containous/traefik/v2/pkg/metrics"
 	"github.com/containous/traefik/v2/pkg/middlewares"
 	"github.com/containous/traefik/v2/pkg/middlewares/retry"
+	traefiktls "github.com/containous/traefik/v2/pkg/tls"
 	gokitmetrics "github.com/go-kit/kit/metrics"
 )

@ -28,6 +30,7 @@ const (
 type metricsMiddleware struct {
 	next                 http.Handler
 	reqsCounter          gokitmetrics.Counter
+	reqsTLSCounter       gokitmetrics.Counter
 	reqDurationHistogram gokitmetrics.Histogram
 	openConnsGauge       gokitmetrics.Gauge
 	baseLabels           []string
@ -40,6 +43,7 @@ func NewEntryPointMiddleware(ctx context.Context, next http.Handler, registry me
 	return &metricsMiddleware{
 		next:                 next,
 		reqsCounter:          registry.EntryPointReqsCounter(),
+		reqsTLSCounter:       registry.EntryPointReqsTLSCounter(),
 		reqDurationHistogram: registry.EntryPointReqDurationHistogram(),
 		openConnsGauge:       registry.EntryPointOpenConnsGauge(),
 		baseLabels:           []string{"entrypoint", entryPointName},
@ -53,6 +57,7 @@ func NewServiceMiddleware(ctx context.Context, next http.Handler, registry metri
 	return &metricsMiddleware{
 		next:                 next,
 		reqsCounter:          registry.ServiceReqsCounter(),
+		reqsTLSCounter:       registry.ServiceReqsTLSCounter(),
 		reqDurationHistogram: registry.ServiceReqDurationHistogram(),
 		openConnsGauge:       registry.ServiceOpenConnsGauge(),
 		baseLabels:           []string{"service", serviceName},
@ -81,6 +86,15 @@ func (m *metricsMiddleware) ServeHTTP(rw http.ResponseWriter, req *http.Request)
 	m.openConnsGauge.With(labels...).Add(1)
 	defer m.openConnsGauge.With(labels...).Add(-1)

+	// TLS metrics
+	if req.TLS != nil {
+		var tlsLabels []string
+		tlsLabels = append(tlsLabels, m.baseLabels...)
+		tlsLabels = append(tlsLabels, "tls_version", getRequestTLSVersion(req), "tls_cipher", getRequestTLSCipher(req))
+
+		m.reqsTLSCounter.With(tlsLabels...).Add(1)
+	}
+
 	recorder := newResponseRecorder(rw)
 	start := time.Now()
 	m.next.ServeHTTP(recorder, req)
@ -131,6 +145,29 @@ func getMethod(r *http.Request) string {
 	return r.Method
 }

+func getRequestTLSVersion(req *http.Request) string {
+	switch req.TLS.Version {
+	case tls.VersionTLS10:
+		return "1.0"
+	case tls.VersionTLS11:
+		return "1.1"
+	case tls.VersionTLS12:
+		return "1.2"
+	case tls.VersionTLS13:
+		return "1.3"
+	default:
+		return "unknown"
+	}
+}
+
+func getRequestTLSCipher(req *http.Request) string {
+	if version, ok := traefiktls.CipherSuitesReversed[req.TLS.CipherSuite]; ok {
+		return version
+	}
+
+	return "unknown"
+}
+
 type retryMetrics interface {
 	ServiceRetriesCounter() gokitmetrics.Counter
 }
--- a/pkg/tls/certificate.go
+++ b/pkg/tls/certificate.go
@ -30,39 +30,6 @@ var (
 		`VersionTLS13`: tls.VersionTLS13,
 	}

-	// CipherSuites Map of TLS CipherSuites from crypto/tls
-	// Available CipherSuites defined at https://golang.org/pkg/crypto/tls/#pkg-constants
-	CipherSuites = map[string]uint16{
-		`TLS_RSA_WITH_RC4_128_SHA`:                      tls.TLS_RSA_WITH_RC4_128_SHA,
-		`TLS_RSA_WITH_3DES_EDE_CBC_SHA`:                 tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
-		`TLS_RSA_WITH_AES_128_CBC_SHA`:                  tls.TLS_RSA_WITH_AES_128_CBC_SHA,
-		`TLS_RSA_WITH_AES_256_CBC_SHA`:                  tls.TLS_RSA_WITH_AES_256_CBC_SHA,
-		`TLS_RSA_WITH_AES_128_CBC_SHA256`:               tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
-		`TLS_RSA_WITH_AES_128_GCM_SHA256`:               tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
-		`TLS_RSA_WITH_AES_256_GCM_SHA384`:               tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
-		`TLS_ECDHE_ECDSA_WITH_RC4_128_SHA`:              tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
-		`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`:          tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
-		`TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`:          tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
-		`TLS_ECDHE_RSA_WITH_RC4_128_SHA`:                tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
-		`TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA`:           tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
-		`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`:            tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
-		`TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`:            tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-		`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`:       tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
-		`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`:         tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
-		`TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`:         tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-		`TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`:       tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-		`TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`:         tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-		`TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`:       tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-		`TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305`:          tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
-		`TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`:   tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
-		`TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305`:        tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
-		`TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256`: tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
-		"TLS_AES_128_GCM_SHA256":                        tls.TLS_AES_128_GCM_SHA256,
-		"TLS_AES_256_GCM_SHA384":                        tls.TLS_AES_256_GCM_SHA384,
-		"TLS_CHACHA20_POLY1305_SHA256":                  tls.TLS_CHACHA20_POLY1305_SHA256,
-		"TLS_FALLBACK_SCSV":                             tls.TLS_FALLBACK_SCSV,
-	}
-
 	// CurveIDs is a Map of TLS elliptic curves from crypto/tls
 	// Available CurveIDs defined at https://godoc.org/crypto/tls#CurveID,
 	// also allowing rfc names defined at https://tools.ietf.org/html/rfc8446#section-4.2.7
--- a/pkg/tls/cipher.go
+++ b/pkg/tls/cipher.go
@ -0,0 +1,71 @@
+package tls
+
+import (
+	"crypto/tls"
+)
+
+var (
+	// CipherSuites Map of TLS CipherSuites from crypto/tls
+	// Available CipherSuites defined at https://golang.org/pkg/crypto/tls/#pkg-constants
+	CipherSuites = map[string]uint16{
+		`TLS_RSA_WITH_RC4_128_SHA`:                      tls.TLS_RSA_WITH_RC4_128_SHA,
+		`TLS_RSA_WITH_3DES_EDE_CBC_SHA`:                 tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+		`TLS_RSA_WITH_AES_128_CBC_SHA`:                  tls.TLS_RSA_WITH_AES_128_CBC_SHA,
+		`TLS_RSA_WITH_AES_256_CBC_SHA`:                  tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+		`TLS_RSA_WITH_AES_128_CBC_SHA256`:               tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
+		`TLS_RSA_WITH_AES_128_GCM_SHA256`:               tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
+		`TLS_RSA_WITH_AES_256_GCM_SHA384`:               tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
+		`TLS_ECDHE_ECDSA_WITH_RC4_128_SHA`:              tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
+		`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`:          tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+		`TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`:          tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+		`TLS_ECDHE_RSA_WITH_RC4_128_SHA`:                tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
+		`TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA`:           tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+		`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`:            tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+		`TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`:            tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+		`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`:       tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+		`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`:         tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+		`TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`:         tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+		`TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`:       tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+		`TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`:         tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+		`TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`:       tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+		`TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305`:          tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+		`TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`:   tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+		`TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305`:        tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+		`TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256`: tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+		`TLS_AES_128_GCM_SHA256`:                        tls.TLS_AES_128_GCM_SHA256,
+		`TLS_AES_256_GCM_SHA384`:                        tls.TLS_AES_256_GCM_SHA384,
+		`TLS_CHACHA20_POLY1305_SHA256`:                  tls.TLS_CHACHA20_POLY1305_SHA256,
+		`TLS_FALLBACK_SCSV`:                             tls.TLS_FALLBACK_SCSV,
+	}
+
+	// CipherSuitesReversed Map of TLS CipherSuites from crypto/tls
+	// Available CipherSuites defined at https://golang.org/pkg/crypto/tls/#pkg-constants
+	CipherSuitesReversed = map[uint16]string{
+		tls.TLS_RSA_WITH_RC4_128_SHA:                      `TLS_RSA_WITH_RC4_128_SHA`,
+		tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA:                 `TLS_RSA_WITH_3DES_EDE_CBC_SHA`,
+		tls.TLS_RSA_WITH_AES_128_CBC_SHA:                  `TLS_RSA_WITH_AES_128_CBC_SHA`,
+		tls.TLS_RSA_WITH_AES_256_CBC_SHA:                  `TLS_RSA_WITH_AES_256_CBC_SHA`,
+		tls.TLS_RSA_WITH_AES_128_CBC_SHA256:               `TLS_RSA_WITH_AES_128_CBC_SHA256`,
+		tls.TLS_RSA_WITH_AES_128_GCM_SHA256:               `TLS_RSA_WITH_AES_128_GCM_SHA256`,
+		tls.TLS_RSA_WITH_AES_256_GCM_SHA384:               `TLS_RSA_WITH_AES_256_GCM_SHA384`,
+		tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA:              `TLS_ECDHE_ECDSA_WITH_RC4_128_SHA`,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:          `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:          `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`,
+		tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA:                `TLS_ECDHE_RSA_WITH_RC4_128_SHA`,
+		tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:           `TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA`,
+		tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:            `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`,
+		tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:            `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:       `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`,
+		tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:         `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`,
+		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:         `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:       `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`,
+		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:         `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:       `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`,
+		tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:   `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`,
+		tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256`,
+		tls.TLS_AES_128_GCM_SHA256:                        `TLS_AES_128_GCM_SHA256`,
+		tls.TLS_AES_256_GCM_SHA384:                        `TLS_AES_256_GCM_SHA384`,
+		tls.TLS_CHACHA20_POLY1305_SHA256:                  `TLS_CHACHA20_POLY1305_SHA256`,
+		tls.TLS_FALLBACK_SCSV:                             `TLS_FALLBACK_SCSV`,
+	}
+)
--- a/pkg/tls/cipher_test.go
+++ b/pkg/tls/cipher_test.go
@ -0,0 +1,30 @@
+package tls
+
+import (
+	"testing"
+)
+
+func TestCiphersMapsSync(t *testing.T) {
+	for k, v := range CipherSuites {
+		// Following names are legacy aliases.
+		// We do not test for their presence in CipherSuitesReversed
+		switch k {
+		case "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305":
+			continue
+		}
+
+		if rv, ok := CipherSuitesReversed[v]; !ok {
+			t.Errorf("Maps not in sync: `%d` key is missing in tls.CipherSuitesReversed", v)
+		} else if k != rv {
+			t.Errorf("Maps not in sync: tls.CipherSuites[%s] = `%d` AND tls.CipherSuitesReversed[`%d`] = `%v`", k, v, v, rv)
+		}
+	}
+
+	for k, v := range CipherSuitesReversed {
+		if rv, ok := CipherSuites[v]; !ok {
+			t.Errorf("Maps not in sync: `%s` key is missing in tls.CipherSuites", v)
+		} else if k != rv {
+			t.Errorf("Maps not in sync: tls.CipherSuitesReversed[`%d`] = `%s` AND tls.CipherSuites[`%s`] = `%d`", k, v, v, rv)
+		}
+	}
+}