Merge remote-tracking branch 'origin/master' into node_health_should_change_service_index

2018-03-22 13:07:11 +01:00 · 2018-03-22 13:07:11 +01:00 · 90d2f7bca1
parent 9cc9dce848 bf2b3f8d88
commit 90d2f7bca1
45 changed files with 156 additions and 103 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -5,6 +5,7 @@ IMPROVEMENTS:
 * agent: Blocking queries on service-specific health and catalog endpoints now return a per-service `X-Consul-Index` improving watch performance on very busy clusters. [[GH-3890](https://github.com/hashicorp/consul/issues/3890)]. **Note this may break blocking clients that relied on undocumented implementation details** as noted in the [upgrade docs](https://github.com/hashicorp/consul/blob/master/website/source/docs/upgrading.html.md#upgrade-from-version-106-to-higher).
 * agent: All endpoints now respond to OPTIONS requests. [[GH-3885](https://github.com/hashicorp/consul/issues/3885)]
 * dns: Introduced a new config param to limit the number of A/AAAA records returned. [[GH-3940](https://github.com/hashicorp/consul/issues/3940)]
+* agent: supported TLS cipher suites updated to include newer options, [[GH-3962](https://github.com/hashicorp/consul/pull/3962)]

 BUG FIXES:

--- a/INTERNALS.md
+++ b/INTERNALS.md
@ -38,7 +38,7 @@ The components in this section are only used by Consul servers.
 | --------- | -------- |
 | [agent/consul](https://github.com/hashicorp/consul/tree/master/agent/consul) | This is where the Consul server object is defined, and the top-level `consul` package has all of the functionality that's used by server agents. This includes things like the internal RPC endpoints. |
 | [agent/consul/fsm](https://github.com/hashicorp/consul/tree/master/agent/consul/fsm), [agent/consul/state](https://github.com/hashicorp/consul/tree/master/agent/consul/state) | These components make up Consul's finite state machine (updated by the Raft consensus algorithm) and backed by the state store (based on immutable radix trees). All updates of Consul's consistent state is handled by the finite state machine, and all read queries to the Consul servers are serviced by the state store's data structures. |
-| [agent/consul/autopulot](https://github.com/hashicorp/consul/tree/master/agent/consul/autopilot) | This contains a package of functions that provide Consul's [Autopilot](https://www.consul.io/docs/guides/autopilot.html) features. |
+| [agent/consul/autopilot](https://github.com/hashicorp/consul/tree/master/agent/consul/autopilot) | This contains a package of functions that provide Consul's [Autopilot](https://www.consul.io/docs/guides/autopilot.html) features. |

 ### Other Components

--- a/acl/acl.go
+++ b/acl/acl.go
@ -96,7 +96,7 @@ type ACL interface {
 	// functions can be used.
 	OperatorWrite() bool

-	// PrepardQueryRead determines if a specific prepared query can be read
+	// PreparedQueryRead determines if a specific prepared query can be read
 	// to show its contents (this is not used for execution).
 	PreparedQueryRead(string) bool

--- a/acl/errors.go
+++ b/acl/errors.go
@ -37,7 +37,7 @@ func IsErrNotFound(err error) bool {
 	return err != nil && strings.Contains(err.Error(), errNotFound)
 }

-// IsErrRootDenied checks if the given error messge is comparable to
+// IsErrRootDenied checks if the given error message is comparable to
 // ErrRootDenied.
 func IsErrRootDenied(err error) bool {
 	return err != nil && strings.Contains(err.Error(), errRootDenied)
--- a/agent/ae/ae.go
+++ b/agent/ae/ae.go
@ -47,7 +47,7 @@ type SyncState interface {
 // The state is synchronized on a regular basis or on demand when either
 // the state has changed or a new Consul server has joined the cluster.
 //
-// The regular state sychronization provides a self-healing mechanism
+// The regular state synchronization provides a self-healing mechanism
 // for the cluster which is also called anti-entropy.
 type StateSyncer struct {
 	// State contains the data that needs to be synchronized.
--- a/agent/agent.go
+++ b/agent/agent.go
@ -1204,7 +1204,7 @@ func (a *Agent) ShutdownAgent() error {
 }

 // ShutdownEndpoints terminates the HTTP and DNS servers. Should be
-// preceeded by ShutdownAgent.
+// preceded by ShutdownAgent.
 func (a *Agent) ShutdownEndpoints() {
 	a.shutdownLock.Lock()
 	defer a.shutdownLock.Unlock()
@ -1400,7 +1400,7 @@ func (a *Agent) reapServicesInternal() {
 		}

 		// See if there's a timeout.
-		// todo(fs): this looks fishy... why is there anoter data structure in the agent with its own lock?
+		// todo(fs): this looks fishy... why is there another data structure in the agent with its own lock?
 		a.checkLock.Lock()
 		timeout := a.checkReapAfter[checkID]
 		a.checkLock.Unlock()
--- a/agent/agent_endpoint.go
+++ b/agent/agent_endpoint.go
@ -506,7 +506,7 @@ func (s *HTTPServer) AgentRegisterService(resp http.ResponseWriter, req *http.Re
 	}

 	// Check the service address here and in the catalog RPC endpoint
-	// since service registration isn't sychronous.
+	// since service registration isn't synchronous.
 	if ipaddr.IsAny(args.Address) {
 		resp.WriteHeader(http.StatusBadRequest)
 		fmt.Fprintf(resp, "Invalid service address")
--- a/agent/agent_endpoint_test.go
+++ b/agent/agent_endpoint_test.go
@ -1228,7 +1228,7 @@ func TestAgent_RegisterService(t *testing.T) {
 		t.Fatalf("bad: %v", obj)
 	}

-	// Ensure the servie
+	// Ensure the service
 	if _, ok := a.State.Services()["test"]; !ok {
 		t.Fatalf("missing test service")
 	}
--- a/agent/config/builder.go
+++ b/agent/config/builder.go
@ -1163,7 +1163,7 @@ func (b *Builder) expandFirstAddr(name string, s *string) net.Addr {
 	return addrs[0]
 }

-// expandFirstIP exapnds the go-sockaddr template in s and returns the
+// expandFirstIP expands the go-sockaddr template in s and returns the
 // first address if it is not a unix socket address. If the template
 // expands to multiple addresses an error is set and nil is returned.
 func (b *Builder) expandFirstIP(name string, s *string) *net.IPAddr {
--- a/agent/config/runtime.go
+++ b/agent/config/runtime.go
@ -181,7 +181,7 @@ type RuntimeConfig struct {
 	// AutopilotUpgradeVersionTag is the node tag to use for version info when
 	// performing upgrade migrations. If left blank, the Consul version will be used.
 	//
-	// (Entrprise-only)
+	// (Enterprise-only)
 	//
 	// hcl: autopilot { upgrade_version_tag = string }
 	AutopilotUpgradeVersionTag string
@ -322,7 +322,7 @@ type RuntimeConfig struct {
 	// metric management is enabled.
 	// Default: none
 	//
-	// hcl: telemetry { circonous_api_token = string }
+	// hcl: telemetry { circonus_api_token = string }
 	TelemetryCirconusAPIToken string

 	// TelemetryCirconusAPIURL is the base URL to use for contacting the Circonus API.
@ -359,7 +359,7 @@ type RuntimeConfig struct {

 	// TelemetryCirconusCheckForceMetricActivation will force enabling metrics, as they are encountered,
 	// if the metric already exists and is NOT active. If check management is enabled, the default
-	// behavior is to add new metrics as they are encoutered. If the metric already exists in the
+	// behavior is to add new metrics as they are encountered. If the metric already exists in the
 	// check, it will *NOT* be activated. This setting overrides that behavior.
 	// Default: "false"
 	//
@ -1060,7 +1060,7 @@ type RuntimeConfig struct {
 	//     name = string
 	//     tags = []string
 	//     address = string
-	//     check = { check definiton }
+	//     check = { check definition }
 	//     checks = [ { check definition}, ... ]
 	//     token = string
 	//     enable_tag_override = (true|false)
@ -1107,23 +1107,28 @@ type RuntimeConfig struct {
 	//
 	// The values should be a list of the following values:
 	//
-	//   TLS_RSA_WITH_RC4_128_SHA
-	//   TLS_RSA_WITH_3DES_EDE_CBC_SHA
-	//   TLS_RSA_WITH_AES_128_CBC_SHA
-	//   TLS_RSA_WITH_AES_256_CBC_SHA
-	//   TLS_RSA_WITH_AES_128_GCM_SHA256
-	//   TLS_RSA_WITH_AES_256_GCM_SHA384
-	//   TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
-	//   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
-	//   TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
-	//   TLS_ECDHE_RSA_WITH_RC4_128_SHA
-	//   TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
-	//   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
-	//   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
+	//   TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+	//   TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
 	//   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 	//   TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
 	//   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 	//   TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+	//   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+	//   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
+	//   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
+	//   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
+	//   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
+	//   TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
+	//   TLS_RSA_WITH_AES_128_GCM_SHA256
+	//   TLS_RSA_WITH_AES_256_GCM_SHA384
+	//   TLS_RSA_WITH_AES_128_CBC_SHA256
+	//   TLS_RSA_WITH_AES_128_CBC_SHA
+	//   TLS_RSA_WITH_AES_256_CBC_SHA
+	//   TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
+	//   TLS_RSA_WITH_3DES_EDE_CBC_SHA
+	//   TLS_RSA_WITH_RC4_128_SHA
+	//   TLS_ECDHE_RSA_WITH_RC4_128_SHA
+	//   TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
 	//
 	// todo(fs): IMHO, we should also support the raw 0xNNNN values from
 	// todo(fs): https://golang.org/pkg/crypto/tls/#pkg-constants
--- a/agent/config/runtime_test.go
+++ b/agent/config/runtime_test.go
@ -2581,7 +2581,7 @@ func TestFullConfig(t *testing.T) {
 				"statsd_address": "drce87cy",
 				"statsite_address": "HpFwKB8R"
 			},
-			"tls_cipher_suites": "TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA",
+			"tls_cipher_suites": "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
 			"tls_min_version": "pAOWafkR",
 			"tls_prefer_server_cipher_suites": true,
 			"translate_wan_addrs": true,
@ -3017,7 +3017,7 @@ func TestFullConfig(t *testing.T) {
 				statsd_address = "drce87cy"
 				statsite_address = "HpFwKB8R"
 			}
-			tls_cipher_suites = "TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA"
+			tls_cipher_suites = "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
 			tls_min_version = "pAOWafkR"
 			tls_prefer_server_cipher_suites = true
 			translate_wan_addrs = true
@ -3575,7 +3575,7 @@ func TestFullConfig(t *testing.T) {
 		TelemetryMetricsPrefix:                      "ftO6DySn",
 		TelemetryStatsdAddr:                         "drce87cy",
 		TelemetryStatsiteAddr:                       "HpFwKB8R",
-		TLSCipherSuites:                             []uint16{tls.TLS_RSA_WITH_RC4_128_SHA, tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA},
+		TLSCipherSuites:                             []uint16{tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384},
 		TLSMinVersion:                               "pAOWafkR",
 		TLSPreferServerCipherSuites:                 true,
 		TaggedAddresses: map[string]string{
@ -3703,7 +3703,7 @@ func nonZero(name string, uniq map[interface{}]string, v interface{}) error {

 	isUnique := func(v interface{}) error {
 		if other := uniq[v]; other != "" {
-			return fmt.Errorf("%q and %q both use vaule %q", name, other, v)
+			return fmt.Errorf("%q and %q both use value %q", name, other, v)
 		}
 		uniq[v] = name
 		return nil
--- a/agent/consul/acl_replication.go
+++ b/agent/consul/acl_replication.go
@ -255,7 +255,7 @@ func (s *Server) IsACLReplicationEnabled() bool {

 // updateACLReplicationStatus safely updates the ACL replication status.
 func (s *Server) updateACLReplicationStatus(status structs.ACLReplicationStatus) {
-	// Fixup the times to shed some useless precision to ease formattting,
+	// Fixup the times to shed some useless precision to ease formatting,
 	// and always report UTC.
 	status.LastError = status.LastError.Round(time.Second).UTC()
 	status.LastSuccess = status.LastSuccess.Round(time.Second).UTC()
--- a/agent/consul/catalog_endpoint.go
+++ b/agent/consul/catalog_endpoint.go
@ -59,7 +59,7 @@ func (c *Catalog) Register(args *structs.RegisterRequest, reply *struct{}) error
 		}

 		// Check the service address here and in the agent endpoint
-		// since service registration isn't sychronous.
+		// since service registration isn't synchronous.
 		if ipaddr.IsAny(args.Service.Address) {
 			return fmt.Errorf("Invalid service address")
 		}
--- a/agent/consul/leader_test.go
+++ b/agent/consul/leader_test.go
@ -441,7 +441,7 @@ func TestLeader_Reconcile_Races(t *testing.T) {
 	})

 	// Add in some metadata via the catalog (as if the agent synced it
-	// there). We also set the serfHealth check to failing so the reconile
+	// there). We also set the serfHealth check to failing so the reconcile
 	// will attempt to flip it back
 	req := structs.RegisterRequest{
 		Datacenter: s1.config.Datacenter,
--- a/agent/consul/server_test.go
+++ b/agent/consul/server_test.go
@ -629,7 +629,7 @@ func TestServer_globalRPCErrors(t *testing.T) {
 		t.Fatalf("should have errored")
 	}
 	if !strings.Contains(err.Error(), "Bad.Method") {
-		t.Fatalf("unexpcted error: %s", err)
+		t.Fatalf("unexpected error: %s", err)
 	}
 }

--- a/agent/consul/state/catalog_test.go
+++ b/agent/consul/state/catalog_test.go
@ -2210,10 +2210,10 @@ func ensureIndexForService(t *testing.T, s *Store, ws memdb.WatchSet, serviceNam
 	}
 }

-// TestIndexIndependance test that changes on a given service does not impact the
+// TestIndexIndependence test that changes on a given service does not impact the
 // index of other services. It allows to have huge benefits for watches since
 // watchers are notified ONLY when there are changes in the given service
-func TestIndexIndependance(t *testing.T) {
+func TestIndexIndependence(t *testing.T) {
 	s := testStateStore(t)

 	// Querying with no matches gives an empty response
--- a/agent/consul/state/delay.go
+++ b/agent/consul/state/delay.go
@ -7,7 +7,7 @@ import (

 // Delay is used to mark certain locks as unacquirable. When a lock is
 // forcefully released (failing health check, destroyed session, etc.), it is
-// subject to the LockDelay impossed by the session. This prevents another
+// subject to the LockDelay imposed by the session. This prevents another
 // session from acquiring the lock for some period of time as a protection
 // against split-brains. This is inspired by the lock-delay in Chubby. Because
 // this relies on wall-time, we cannot assume all peers perceive time as flowing
--- a/agent/coordinate_endpoint_test.go
+++ b/agent/coordinate_endpoint_test.go
@ -138,7 +138,7 @@ func TestCoordinate_Nodes(t *testing.T) {
 		t.Fatalf("bad: %v", coordinates)
 	}

-	// Filter on a nonexistant node segment
+	// Filter on a nonexistent node segment
 	req, _ = http.NewRequest("GET", "/v1/coordinate/nodes?segment=nope", nil)
 	resp = httptest.NewRecorder()
 	obj, err = a.srv.CoordinateNodes(resp, req)
@ -245,7 +245,7 @@ func TestCoordinate_Node(t *testing.T) {
 		t.Fatalf("bad: %v", coordinates)
 	}

-	// Filter on a nonexistant node segment
+	// Filter on a nonexistent node segment
 	req, _ = http.NewRequest("GET", "/v1/coordinate/node/foo?segment=nope", nil)
 	resp = httptest.NewRecorder()
 	obj, err = a.srv.CoordinateNode(resp, req)
--- a/agent/dns_test.go
+++ b/agent/dns_test.go
@ -3082,7 +3082,7 @@ func TestDNS_ServiceLookup_ARecordLimits(t *testing.T) {
 		name               string
 		aRecordLimit       int
 		expectedAResults   int
-		expectedAAAAResuls int
+		expectedAAAAResults int
 		expectedSRVResults int
 		numNodesTotal      int
 		udpSize            uint16
--- a/agent/local/state.go
+++ b/agent/local/state.go
@ -746,7 +746,7 @@ func (l *State) updateSyncState() error {
 // and synchronizes the changes.
 func (l *State) SyncFull() error {
 	// note that we do not acquire the lock here since the methods
-	// we are calling will do that themself.
+	// we are calling will do that themselves.
 	//
 	// Also note that we don't hold the lock for the entire operation
 	// but release it between the two calls. This is not an issue since
--- a/agent/router/router.go
+++ b/agent/router/router.go
@ -308,7 +308,7 @@ func (r *Router) FailServer(areaID types.AreaID, s *metadata.Server) error {
 // cases this may return a best-effort unhealthy server that can be used for a
 // connection attempt. If any problem occurs with the given server, the caller
 // should feed that back to the manager associated with the server, which is
-// also returned, by calling NofifyFailedServer().
+// also returned, by calling NotifyFailedServer().
 func (r *Router) FindRoute(datacenter string) (*Manager, *metadata.Server, bool) {
 	return r.routeFn(datacenter)
 }
@ -380,7 +380,7 @@ func (n *datacenterSorter) Less(i, j int) bool {
 	return n.Vec[i] < n.Vec[j]
 }

-// GetDatacentersByDeistance returns a list of datacenters known to the router,
+// GetDatacentersByDistance returns a list of datacenters known to the router,
 // sorted by median RTT from this server to the servers in each datacenter. If
 // there are multiple areas that reach a given datacenter, this will use the
 // lowest RTT for the sort.
--- a/agent/testagent.go
+++ b/agent/testagent.go
@ -207,7 +207,7 @@ func (a *TestAgent) Start() *TestAgent {
 			resp := httptest.NewRecorder()
 			_, err := a.httpServers[0].AgentSelf(resp, req)
 			if err != nil || resp.Code != 200 {
-				r.Fatal(a.Name, "failed OK respose", err)
+				r.Fatal(a.Name, "failed OK response", err)
 			}
 		}
 	})
@ -282,7 +282,7 @@ func (a *TestAgent) consulConfig() *consul.Config {

 // pickRandomPorts selects random ports from fixed size random blocks of
 // ports. This does not eliminate the chance for port conflict but
-// reduces it significanltly with little overhead. Furthermore, asking
+// reduces it significantly with little overhead. Furthermore, asking
 // the kernel for a random port by binding to port 0 prolongs the test
 // execution (in our case +20sec) while also not fully eliminating the
 // chance of port conflicts for concurrently executed test binaries.
--- a/agent/user_event.go
+++ b/agent/user_event.go
@ -254,7 +254,7 @@ func (a *Agent) UserEvents() []*UserEvent {
 	return out
 }

-// LastUserEvent is used to return the lastest user event.
+// LastUserEvent is used to return the last user event.
 // This will return nil if there is no recent event.
 func (a *Agent) LastUserEvent() *UserEvent {
 	a.eventLock.RLock()
--- a/api/acl.go
+++ b/api/acl.go
@ -5,7 +5,7 @@ import (
 )

 const (
-	// ACLCLientType is the client type token
+	// ACLClientType is the client type token
 	ACLClientType = "client"

 	// ACLManagementType is the management type token
--- a/api/api.go
+++ b/api/api.go
@ -137,7 +137,7 @@ type WriteOptions struct {
 	// which overrides the agent's default token.
 	Token string

-	// RelayFactor is used in keyring operations to cause reponses to be
+	// RelayFactor is used in keyring operations to cause responses to be
 	// relayed back to the sender through N other random nodes. Must be
 	// a value from 0 to 5 (inclusive).
 	RelayFactor uint8
--- a/api/prepared_query.go
+++ b/api/prepared_query.go
@ -61,7 +61,7 @@ type QueryTemplate struct {
 	Regexp string
 }

-// PrepatedQueryDefinition defines a complete prepared query.
+// PreparedQueryDefinition defines a complete prepared query.
 type PreparedQueryDefinition struct {
 	// ID is this UUID-based ID for the query, always generated by Consul.
 	ID string
--- a/command/kv/put/kv_put.go
+++ b/command/kv/put/kv_put.go
@ -94,7 +94,7 @@ func (c *cmd) Run(args []string) int {
 		}
 	}

-	// Session is reauired for release or acquire
+	// Session is required for release or acquire
 	if (c.release || c.acquire) && c.session == "" {
 		c.UI.Error("Error! Missing -session (required with -acquire and -release)")
 		return 1
--- a/command/monitor/monitor_test.go
+++ b/command/monitor/monitor_test.go
@ -12,7 +12,7 @@ import (
 	"github.com/mitchellh/cli"
 )

-func TestMonitorCommand_exitssOnSignalBeforeLinesArrive(t *testing.T) {
+func TestMonitorCommand_exitsOnSignalBeforeLinesArrive(t *testing.T) {
 	t.Parallel()
 	logWriter := logger.NewLogWriter(512)
 	a := &agent.TestAgent{
--- a/command/snapshot/inspect/snapshot_inspect_test.go
+++ b/command/snapshot/inspect/snapshot_inspect_test.go
@ -12,7 +12,7 @@ import (
 	"github.com/mitchellh/cli"
 )

-func TestSnapshotInpectCommand_noTabs(t *testing.T) {
+func TestSnapshotInspectCommand_noTabs(t *testing.T) {
 	t.Parallel()
 	if strings.ContainsRune(New(cli.NewMockUi()).Help(), '\t') {
 		t.Fatal("help has tabs")
--- a/terraform/digitalocean/variables.tf
+++ b/terraform/digitalocean/variables.tf
@ -21,6 +21,6 @@ variable "centos" {
 }

 variable "coreos" {
-  description = "Defaut Coreos"
+  description = "Default Coreos"
  default     = "coreos-899.17.0"
 }
--- a/testutil/server.go
+++ b/testutil/server.go
@ -314,7 +314,7 @@ func (s *TestServer) waitForAPI() error {
 		}
 		defer resp.Body.Close()
 		if err := s.requireOK(resp); err != nil {
-			r.Fatal("failed OK respose", err)
+			r.Fatal("failed OK response", err)
 		}
 	})
 	if f.failed {
--- a/tlsutil/config.go
+++ b/tlsutil/config.go
@ -361,23 +361,28 @@ func ParseCiphers(cipherStr string) ([]uint16, error) {
 	ciphers := strings.Split(cipherStr, ",")

 	cipherMap := map[string]uint16{
-		"TLS_RSA_WITH_RC4_128_SHA":                tls.TLS_RSA_WITH_RC4_128_SHA,
-		"TLS_RSA_WITH_3DES_EDE_CBC_SHA":           tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
-		"TLS_RSA_WITH_AES_128_CBC_SHA":            tls.TLS_RSA_WITH_AES_128_CBC_SHA,
-		"TLS_RSA_WITH_AES_256_CBC_SHA":            tls.TLS_RSA_WITH_AES_256_CBC_SHA,
-		"TLS_RSA_WITH_AES_128_GCM_SHA256":         tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
-		"TLS_RSA_WITH_AES_256_GCM_SHA384":         tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
-		"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA":        tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
-		"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA":    tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
-		"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA":    tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
-		"TLS_ECDHE_RSA_WITH_RC4_128_SHA":          tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
-		"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA":     tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
-		"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA":      tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
-		"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA":      tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+		"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305":    tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+		"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305":  tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
 		"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256":   tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 		"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 		"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384":   tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
 		"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+		"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256":   tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+		"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA":      tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+		"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+		"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA":    tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+		"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA":      tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+		"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA":    tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+		"TLS_RSA_WITH_AES_128_GCM_SHA256":         tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
+		"TLS_RSA_WITH_AES_256_GCM_SHA384":         tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
+		"TLS_RSA_WITH_AES_128_CBC_SHA256":         tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
+		"TLS_RSA_WITH_AES_128_CBC_SHA":            tls.TLS_RSA_WITH_AES_128_CBC_SHA,
+		"TLS_RSA_WITH_AES_256_CBC_SHA":            tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+		"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA":     tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+		"TLS_RSA_WITH_3DES_EDE_CBC_SHA":           tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+		"TLS_RSA_WITH_RC4_128_SHA":                tls.TLS_RSA_WITH_RC4_128_SHA,
+		"TLS_ECDHE_RSA_WITH_RC4_128_SHA":          tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
+		"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA":        tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
 	}
 	for _, cipher := range ciphers {
 		if v, ok := cipherMap[cipher]; ok {
--- a/tlsutil/config_test.go
+++ b/tlsutil/config_test.go
@ -513,32 +513,52 @@ func TestConfig_IncomingTLS_TLSMinVersion(t *testing.T) {

 func TestConfig_ParseCiphers(t *testing.T) {
 	testOk := strings.Join([]string{
-		"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
-		"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
-		"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
-		"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
-		"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+		"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+		"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
 		"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-		"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
+		"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
 		"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
-		"TLS_RSA_WITH_AES_128_CBC_SHA",
+		"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+		"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+		"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+		"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
+		"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
+		"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
+		"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
 		"TLS_RSA_WITH_AES_128_GCM_SHA256",
-		"TLS_RSA_WITH_AES_256_CBC_SHA",
 		"TLS_RSA_WITH_AES_256_GCM_SHA384",
+		"TLS_RSA_WITH_AES_128_CBC_SHA256",
+		"TLS_RSA_WITH_AES_128_CBC_SHA",
+		"TLS_RSA_WITH_AES_256_CBC_SHA",
+		"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
+		"TLS_RSA_WITH_3DES_EDE_CBC_SHA",
+		"TLS_RSA_WITH_RC4_128_SHA",
+		"TLS_ECDHE_RSA_WITH_RC4_128_SHA",
+		"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
 	}, ",")
 	ciphers := []uint16{
-		tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
-		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-		tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
-		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-		tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+		tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+		tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
 		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-		tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-		tls.TLS_RSA_WITH_AES_128_CBC_SHA,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+		tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+		tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
 		tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
-		tls.TLS_RSA_WITH_AES_256_CBC_SHA,
 		tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
+		tls.TLS_RSA_WITH_AES_128_CBC_SHA,
+		tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+		tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+		tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+		tls.TLS_RSA_WITH_RC4_128_SHA,
+		tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
+		tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
 	}
 	v, err := ParseCiphers(testOk)
 	if err != nil {
--- a/ui/javascripts/app/models.js
+++ b/ui/javascripts/app/models.js
@ -120,7 +120,7 @@ App.Node = Ember.Object.extend({
 // A key/value object
 //
 App.Key = Ember.Object.extend(Ember.Validations.Mixin, {
-  // Validates using the Ember.Valdiations library
+  // Validates using the Ember.Validations library
  validations: {
    Key: { presence: true }
  },
@ -254,7 +254,7 @@ App.Key = Ember.Object.extend(Ember.Validations.Mixin, {
    var parts = this.get('keyParts').toArray();

    // Remove the last item, essentially going up a level
-    // in hiearchy
+    // in hierarchy
    parts.pop();

    return parts.join("/") + "/";
--- a/ui/javascripts/app/routes.js
+++ b/ui/javascripts/app/routes.js
@ -90,7 +90,7 @@ App.DcRoute = App.BaseRoute.extend({
  model: function(params) {
    var token = App.get('settings.token');

-    // Return a promise hash to retreieve the
+    // Return a promise hash to retrieve the
    // dcs and nodes used in the header
    return Ember.RSVP.hash({
      dc: params.dc,
--- a/ui/javascripts/fixtures.js
+++ b/ui/javascripts/fixtures.js
@ -124,7 +124,7 @@ fixtures.services_full = {
          "Notes": "",
          "Output": "200 ok",
          "Status": "passing",
-          "Name": "Foo Heathly",
+          "Name": "Foo Healthy",
          "CheckID": "fooHealth",
          "Node": "node-10-0-1-102"
        }
--- a/website/source/api/health.html.md
+++ b/website/source/api/health.html.md
@ -265,7 +265,7 @@ The table below shows this endpoint's support for

 ### Parameters

- `state` `(string: <required>)` - Specifies the state to query. Spported states
+- `state` `(string: <required>)` - Specifies the state to query. Supported states
  are `any`, `passing`, `warning`, or `critical`. The `any` state is a wildcard
  that can be used to return all checks.

--- a/website/source/api/operator/area.html.md
+++ b/website/source/api/operator/area.html.md
@ -52,7 +52,7 @@ The table below shows this endpoint's support for
  the datacenter of the agent being queried. This is specified as a URL query
  parameter.

- `PeerDatacenter` `(string: <required>)` - Specifes the name of the Consul
+- `PeerDatacenter` `(string: <required>)` - Specifies the name of the Consul
  datacenter that will be joined the Consul servers in the current datacenter to
  form the area. Only one area is allowed for each possible `PeerDatacenter`,
  and a datacenter cannot form an area with itself.
@ -285,7 +285,7 @@ The table below shows this endpoint's support for
  the datacenter of the agent being queried. This is specified as a URL query
  parameter.

-### Sample Palyoad
+### Sample Payload

 ```json
 ["10.1.2.3", "10.1.2.4", "10.1.2.5"]
--- a/website/source/api/operator/autopilot.html.md
+++ b/website/source/api/operator/autopilot.html.md
@ -84,7 +84,7 @@ The table below shows this endpoint's support for

 | Blocking Queries | Consistency Modes | ACL Required     |
 | ---------------- | ----------------- | ---------------- |
-| `NO`             | `none`            | `opreator:write` |
+| `NO`             | `none`            | `operator:write` |

 ### Parameters

@ -156,7 +156,7 @@ The table below shows this endpoint's support for

 | Blocking Queries | Consistency Modes | ACL Required    |
 | ---------------- | ----------------- | --------------- |
-| `NO`             | `none`            | `opreator:read` |
+| `NO`             | `none`            | `operator:read` |

 ### Parameters

--- a/website/source/api/operator/raft.html.md
+++ b/website/source/api/operator/raft.html.md
@ -41,7 +41,7 @@ The table below shows this endpoint's support for
 - `stale` `(bool: false)` - If the cluster does not currently have a leader an
  error will be returned. You can use the `?stale` query parameter to read the
  Raft configuration from any of the Consul servers. Not setting this will choose
-  the default consistency mode which will forward the reqest to the leader for
+  the default consistency mode which will forward the request to the leader for
  processing but not re-confirm the server is still the leader before returning
  results. See [default consistency](/api/index.html#default) for more details.

--- a/website/source/docs/agent/options.html.md
+++ b/website/source/docs/agent/options.html.md
@ -555,7 +555,7 @@ will exit with an error at startup.
  - Metadata keys must contain only alphanumeric, `-`, and `_` characters.
  - Metadata keys must not begin with the `consul-` prefix; that is reserved for internal use by Consul.
  - Metadata values must be between 0 and 512 (inclusive) characters in length.
-  - Metadata values for keys begining with `rfc1035-` are encoded verbatim in DNS TXT requests, otherwise
+  - Metadata values for keys beginning with `rfc1035-` are encoded verbatim in DNS TXT requests, otherwise
    the metadata kv-pair is encoded according [RFC1464](https://www.ietf.org/rfc/rfc1464.txt).

 * <a name="_pid_file"></a><a href="#_pid_file">`-pid-file`</a> - This flag provides the file
@ -1108,7 +1108,7 @@ Consul will not enable TLS for the HTTP API unless the `https` port has been ass
        performance.

        By default, Consul will use a lower-performance timing that's suitable
-        for [minimal Consul servers](/docs/guides/performance.html#minumum), currently equivalent
+        for [minimal Consul servers](/docs/guides/performance.html#minimum), currently equivalent
        to setting this to a value of 5 (this default may be changed in future versions of Consul,
        depending if the target minimum server profile changes). Setting this to a value of 1 will
        configure Raft to its highest-performance mode, equivalent to the default timing of Consul
@ -1259,7 +1259,7 @@ Consul will not enable TLS for the HTTP API unless the `https` port has been ass
      The Check ID (not **check bundle**) from a previously created HTTPTRAP check. The numeric portion of the `check._cid` field in the Check API object.

    * <a name="telemetry-circonus_check_force_metric_activation"></a><a href="#telemetry-circonus_check_force_metric_activation">`circonus_check_force_metric_activation`</a>
-      Force activation of metrics which already exist and are not currently active. If check management is enabled, the default behavior is to add new metrics as they are encoutered. If the metric already exists in the check, it will **not** be activated. This setting overrides that behavior. By default, this is set to false.
+      Force activation of metrics which already exist and are not currently active. If check management is enabled, the default behavior is to add new metrics as they are encountered. If the metric already exists in the check, it will **not** be activated. This setting overrides that behavior. By default, this is set to false.

    * <a name="telemetry-circonus_check_instance_id"></a><a href="#telemetry-circonus_check_instance_id">`circonus_check_instance_id`</a>
      Uniquely identifies the metrics coming from this *instance*. It can be used to maintain metric continuity with transient or ephemeral instances as they move around within an infrastructure. By default, this is set to hostname:application name (e.g. "host123:consul").
@ -1341,7 +1341,7 @@ Consul will not enable TLS for the HTTP API unless the `https` port has been ass

 * <a name="tls_cipher_suites"></a><a href="#tls_cipher_suites">`tls_cipher_suites`</a> Added in Consul
  0.8.2, this specifies the list of supported ciphersuites as a comma-separated-list. The list of all
-  available ciphersuites is available in the [Golang TLS documentation](https://golang.org/src/crypto/tls/cipher_suites.go).
+  supported ciphersuites is available in the [source code](https://github.com/hashicorp/consul/blob/master/tlsutil/config.go#L363).

 * <a name="tls_prefer_server_cipher_suites"></a><a href="#tls_prefer_server_cipher_suites">
  `tls_prefer_server_cipher_suites`</a> Added in Consul 0.8.2, this will cause Consul to prefer the
--- a/website/source/docs/commands/operator.html.markdown.erb
+++ b/website/source/docs/commands/operator.html.markdown.erb
@ -22,7 +22,7 @@ if required, so this can be run from any Consul node in a cluster. See the
 [ACL Guide](/docs/guides/acl.html#operator) for more information.

 See the [Outage Recovery](/docs/guides/outage.html) guide for some examples of how
-this command is used. For an API to perform these operations programatically,
+this command is used. For an API to perform these operations programmatically,
 please see the documentation for the [Operator](/api/operator.html)
 endpoint.

--- a/website/source/docs/guides/acl.html.md
+++ b/website/source/docs/guides/acl.html.md
@ -482,6 +482,28 @@ default.
 If using [`acl_token`](/docs/agent/options.html#acl_token), then it's likely the anonymous
 token will have a more restrictive policy than shown in the examples here.

+#### Create Tokens for UI Use (Optional)
+
+If you utilize the Consul UI with a restrictive ACL policy, as above, the UI will
+not function fully using the anonymous ACL token. It is recommended
+that a UI-specific ACL token is used, which can be set in the UI during the
+web browser session to authenticate the interface.
+
+```text
+$ curl \
+    --request PUT \
+    --header "X-Consul-Token: b1gs33cr3t" \
+    --data \
+'{
+  "Name": "UI Token",
+  "Type": "client",
+  "Rules": "key \"\" { policy = \"write\" } node \"\" { policy = \"read\" } service \"\" { policy = \"read\" }"
+}' http://127.0.0.1:8500/v1/acl/create
+{"ID":"d0a9f330-2f9d-0a8c-d2af-1e9ceda354e6"}
+```
+
+The token can then be set on the "settings" page of the UI.
+
 #### Next Steps

 The examples above configure a basic ACL environment with the ability to see all nodes
--- a/website/source/docs/guides/bootstrapping.html.md
+++ b/website/source/docs/guides/bootstrapping.html.md
@ -52,7 +52,7 @@ To trigger leader election, we must join these machines together and create a cl
 Choose the method which best suits your environment and specific use case.

 ~> **Notice:** The hosted version of Consul Enterprise was deprecated on
-  March 7th, 2017 and the Atlas `auto-join` feature is no longer available. For details, see https://atlas.hashicorp.com/help/consul/alternatives.
+  March 7th, 2017 and the Atlas `auto-join` feature is no longer available. 

 ### Manually Creating a Cluster

--- a/website/source/docs/upgrade-specific.html.md
+++ b/website/source/docs/upgrade-specific.html.md
@ -30,7 +30,7 @@ Consul 1.0 has several important breaking changes that are documented here. Plea

 The [`-raft-protocol`](/docs/agent/options.html#_raft_protocol) default has been changed from 2 to 3, enabling all [Autopilot](/docs/guides/autopilot.html) features by default.

-Raft protocol version 3 requires Consul running 0.8.0 or newer on all servers in order to work, so if you are upgrading with older servers in a cluster then you will need to set this back to 2 in order to upgrade. See [Raft Protocol Version Compatibility](/docs/upgrade-specific.html#raft-protocol-version-compatibility) for more details. Also the format of `peers.json` used for outage recovery is different when running with the lastest Raft protocol. See [Manual Recovery Using peers.json](/docs/guides/outage.html#manual-recovery-using-peers-json) for a description of the required format.
+Raft protocol version 3 requires Consul running 0.8.0 or newer on all servers in order to work, so if you are upgrading with older servers in a cluster then you will need to set this back to 2 in order to upgrade. See [Raft Protocol Version Compatibility](/docs/upgrade-specific.html#raft-protocol-version-compatibility) for more details. Also the format of `peers.json` used for outage recovery is different when running with the latest Raft protocol. See [Manual Recovery Using peers.json](/docs/guides/outage.html#manual-recovery-using-peers-json) for a description of the required format.

 Please note that the Raft protocol is different from Consul's internal protocol as described on the [Protocol Compatibility Promise](/docs/compatibility.html) page, and as is shown in commands like `consul members` and `consul version`. To see the version of the Raft protocol in use on each server, use the `consul operator raft list-peers` command.

@ -299,7 +299,7 @@ configuration:
 Consul also 0.7 introduced support for tuning Raft performance using a new
 [performance configuration block](/docs/agent/options.html#performance). Also,
 the default Raft timing is set to a lower-performance mode suitable for
-[minimal Consul servers](/docs/guides/performance.html#minumum).
+[minimal Consul servers](/docs/guides/performance.html#minimum).

 To continue to use the high-performance settings that were the default prior to
 Consul 0.7 (recommended for production servers), add the following configuration