Dzahn has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/126206

Change subject: bugzilla, use SSLProtocol ALL -SSLv2
......................................................................

bugzilla, use SSLProtocol ALL -SSLv2

instead of disabling ALL and enabling
SSLv3 and TLSv1,
enable ALL and disable SSLv2

-       SSLProtocol -ALL +SSLv3 +TLSv1
+       SSLProtocol ALL -SSLv2

because we want to allow newer ciphers
and Mozilla recommends it

but is it really better to exclude
things instead of including them

Change-Id: Ibfcc19a32016ff3a74b73ae633d31cdc18a4ba30
---
M modules/bugzilla/templates/apache/bugzilla.wikimedia.org.erb
1 file changed, 3 insertions(+), 3 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/06/126206/1

diff --git a/modules/bugzilla/templates/apache/bugzilla.wikimedia.org.erb 
b/modules/bugzilla/templates/apache/bugzilla.wikimedia.org.erb
index 9f8d012..b51aeb2 100644
--- a/modules/bugzilla/templates/apache/bugzilla.wikimedia.org.erb
+++ b/modules/bugzilla/templates/apache/bugzilla.wikimedia.org.erb
@@ -49,7 +49,7 @@
        ServerName bugs.wikimedia.org
        Redirect permanent / https://<%= 
scope.lookupvar('bugzilla::apache::svc_name') %>/
        SSLEngine On
-       SSLProtocol -ALL +SSLv3 +TLSv1
+       SSLProtocol ALL -SSLv2
        SSLCipherSuite <%= scope.lookupvar('bugzilla::apache::cipher_suite') %>
        SSLHonorCipherOrder on
        SSLCertificateFile /etc/ssl/certs/<%= 
scope.lookupvar('bugzilla::apache::svc_name') %>.pem
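Review bot: The added `SSLProtocol ALL -SSLv2` in the bugs.wikimedia.org redirect vhost turns an allowlist into a denylist, so the enabled protocol set becomes whatever the installed mod_ssl/OpenSSL build supports minus SSLv2, and SSLv3 stays enabled as before. If the aim is to pick up TLSv1.1 and TLSv1.2, consider naming them explicitly (`SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2`, on a build that recognises those tokens) so the template, not the library version, decides what is offered. If the denylist form is kept, state in the commit message whether SSLv3 is still meant to be accepted.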
@@ -65,7 +65,7 @@
        ServerName <%= scope.lookupvar('bugzilla::apache::svc_name') %>
        DocumentRoot <%= scope.lookupvar('bugzilla::apache::docroot') %>
        SSLEngine On
-       SSLProtocol -ALL +SSLv3 +TLSv1
+       SSLProtocol ALL -SSLv2
        SSLCipherSuite <%= scope.lookupvar('bugzilla::apache::cipher_suite') %>
        SSLHonorCipherOrder on
        SSLCertificateFile /etc/ssl/certs/<%= 
scope.lookupvar('bugzilla::apache::svc_name') %>.pem
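Review bot: The commit message justifies the new `SSLProtocol` line in this vhost with "allow newer ciphers", but the cipher list is still set by the unchanged `SSLCipherSuite <%= scope.lookupvar('bugzilla::apache::cipher_suite') %>` line below it. Enabling newer protocol versions only helps if `bugzilla::apache::cipher_suite` lists suites that those versions add, and `SSLHonorCipherOrder on` means their position in that string matters. Please check that value as part of this change, or reword the message to say the change is about protocol versions.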
@@ -178,7 +178,7 @@
        ServerName <%= scope.lookupvar('bugzilla::apache::attach_svc_name') %>
        DocumentRoot <%= scope.lookupvar('bugzilla::apache::docroot') %>
        SSLEngine On
-       SSLProtocol -ALL +SSLv3 +TLSv1
+       SSLProtocol ALL -SSLv2
        SSLCipherSuite <%= scope.lookupvar('bugzilla::apache::cipher_suite') %>
        SSLHonorCipherOrder on
        SSLCertificateFile /etc/ssl/certs/<%= 
scope.lookupvar('bugzilla::apache::attach_svc_name') %>.pem
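Review bot: This is the third copy of the same literal `SSLProtocol` line in the template (here in the attach_svc_name vhost), while `SSLCipherSuite` next to it is already looked up from a single variable. Moving the protocol string to a variable in the same way (for example a hypothetical `bugzilla::apache::ssl_protocol`, which does not exist in the visible lines) would keep the three vhosts from drifting apart the next time the policy changes. A short comment beside the variable recording why the set was chosen would also help.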

-- 
To view, visit https://gerrit.wikimedia.org/r/126206
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ibfcc19a32016ff3a74b73ae633d31cdc18a4ba30
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Dzahn <dz...@wikimedia.org>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
