How Cloudflare Supported TLS 1.2 and TLS 1.3 Side by Side

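Cloudflare was among the earliest vendors to take part in the development of TLS 1.3. Along the way they wanted browsers that supported the TLS 1.3 drafts to be able to start using them, but did not want the frequent draft revisions to affect existing users, so they found a way to run both side by side: "Know your SCM_RIGHTS".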

That way is SCM_RIGHTS, which lets another process access one of your own file descriptors.

You can use UNIX-domain sockets to pass file descriptors between applications, and like everything else in UNIX connections are files.

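So their approach was to first read the Client Hello of the TLS handshake and, if it indicated that the client wanted TLS 1.3, hand the connection over via the SCM_RIGHTS mechanism mentioned above to a program written in Go: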

We let OpenSSL read the “Client Hello” message from an established TCP connection. If the “Client Hello” indicated TLS version 1.3, we would use SCM_RIGHTS to send it to the Go process. The Go process would in turn try to parse the rest of the “Client Hello”, if it were successful it would proceed with TLS 1.3 connection, and upon failure it would give the file descriptor back to OpenSSL, to handle regularly.

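This way the original stack needed only a small code change: the TLS 1.3 draft code, which was still changing frequently at the time, ran in a separate process, so there was much less worry about it destabilizing the original stack.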
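The handoff described above, as an added example (not Cloudflare's code): `send_fd` passes a connection's descriptor over a UNIX-domain socket with SCM_RIGHTS, and `recv_fd` rejects messages whose control data is truncated or is not exactly one descriptor. The function names, sending the already-read bytes as the ordinary payload so the receiver can replay them, and the socketpairs and constructed message in `demo` are assumptions for illustration.

```c
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>
/* Control buffer sized and aligned for exactly one descriptor. */
typedef union { char b[CMSG_SPACE(sizeof(int))]; struct cmsghdr align; } fd_ctl;

/* Hand fd to the peer of UNIX-domain socket chan. Bytes already consumed from
 * fd travel as the ordinary payload so the receiver can replay them (assumption). */
int send_fd(int chan, int fd, const void *buf, size_t len) {
    fd_ctl ctl = { .b = {0} };
    struct iovec iov = { .iov_base = (void *)buf, .iov_len = len };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctl.b, .msg_controllen = sizeof ctl.b };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof fd);
    return sendmsg(chan, &msg, 0) == (ssize_t)len ? 0 : -1;
}

/* Receive payload plus exactly one descriptor; -1 on truncated or unexpected control data. */
ssize_t recv_fd(int chan, int *fd, void *buf, size_t cap) {
    fd_ctl ctl;
    struct iovec iov = { .iov_base = buf, .iov_len = cap };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctl.b, .msg_controllen = sizeof ctl.b };
    ssize_t n = recvmsg(chan, &msg, 0);
    struct cmsghdr *c = n < 0 ? NULL : CMSG_FIRSTHDR(&msg);
    if (!c || (msg.msg_flags & MSG_CTRUNC) || c->cmsg_level != SOL_SOCKET ||
        c->cmsg_type != SCM_RIGHTS || c->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    memcpy(fd, CMSG_DATA(c), sizeof *fd);
    return n;
}

/* Constructed demo: socketpairs stand in for the client connection and for the
 * channel between the two processes. Returns 1 if the receiver sees the whole message. */
int demo(void) {
    static const char hello[] = "HDR--rest-of-constructed-hello";
    int conn[2], chan[2], got = -1;
    char head[5], out[64];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, conn) || socketpair(AF_UNIX, SOCK_STREAM, 0, chan) ||
        write(conn[0], hello, sizeof hello) != (ssize_t)sizeof hello ||  /* client sends */
        read(conn[1], head, sizeof head) != (ssize_t)sizeof head ||      /* front end reads header */
        send_fd(chan[0], conn[1], head, sizeof head)) return 0;
    close(conn[1]);  /* sender drops its copy; the passed descriptor stays open */
    if (recv_fd(chan[1], &got, out, sizeof out) != 5 || got < 0) return 0;
    return read(got, out + 5, sizeof out - 5) == (ssize_t)(sizeof hello - 5) &&
           memcmp(out, hello, sizeof hello) == 0;
}
```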

New Mexico bans making schoolchildren work off lunch debts they cannot pay

The law bans this kind of thinly disguised shaming: "New Mexico Outlaws School ‘Lunch Shaming’".

In some schools, children are forced to clean cafeteria tables in front of their peers to pay the debt. Other schools require cafeteria workers to take a child’s hot food and throw it in the trash if he doesn’t have the money to pay for it.

The law covers all schools that receive subsidies:

On Thursday, Gov. Susana Martinez signed the Hunger-Free Students’ Bill of Rights, which directs schools to work with parents to pay their debts or sign up for federal meal assistance and puts an end to practices meant to embarrass children. It applies to public, private and religious schools that receive federal subsidies for students’ breakfasts and lunches.