BBlack has submitted this change and it was merged.
Change subject: ssl_ciphersuite: add DHE+3DES option only for "mid"
......................................................................
ssl_ciphersuite: add DHE+3DES option only for "mid"
This is similar in nature to I0dd877c3 aka 96e1b2d9 where we added
ECDHE+3DES options. There's also a DHE+3DES option which is
confusingly named EDH by OpenSSL.
This should be roughly similar to e.g. DHE-RSA-AES128-SHA in
security terms (forward secret, reasonable data cipher), and in
our ClientHello data samples there are clients for which this is
the only "mid" or higher cipher they support at all.
However, such clients are probably more likely than most to have
DHE >1024-bit compatibility issues, so we don't want to include
this in the full "compat" final list, as it might increase
handshake failures vs getting a compat option that works at all.
For that reason the "mid-only-tail" category is created so that
this is only included at the end for servers using the "mid"
output option, not "compat".
Change-Id: I07715405b20e5021e5a1b0c2f4b842cefc25f78c
---
M modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
1 file changed, 9 insertions(+), 2 deletions(-)
Approvals:
BBlack: Looks good to me, approved
jenkins-bot: Verified
diff --git a/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
b/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
index f542e0a..37f2161 100644
--- a/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
+++ b/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
@@ -103,6 +103,13 @@
'DHE-RSA-CAMELLIA128-SHA',
'DHE-RSA-CAMELLIA256-SHA',
],
+ # Only include this in "mid" for the mid-spec, because including it in
+ # "compat" might block a successful negotiation by "upgrading" a working
+ # compat option to a DHE-based mid option for clients that are probably
+ # likely to fail on >1024-bit DHE.
+ 'mid-only-tail' => [
+ 'EDH-RSA-DES-CBC3-SHA', # EDH == DHE here, confusingly
+ ],
# not-forward-secret compat for ancient stuff
'compat' => [
'AES128-GCM-SHA256', # AEAD, but not forward-secret
@@ -118,7 +125,7 @@
# Final lists exposed to callers
ciphersuites = {
'strong' => basic['strong'],
- 'mid' => basic['strong'] + basic['mid'],
+ 'mid' => basic['strong'] + basic['mid'] + basic['mid-only-tail'],
'compat' => basic['strong'] + basic['mid'] + basic['compat'],
}
@@ -176,7 +183,7 @@
# builds, actually, because they weren't built against openssl-1.0.2.
# Disabling for now, until we come up with a better way to configure this
if server == 'apache'
- cipherlist = ciphersuites[ciphersuite].reject{|x| x =~ /^DHE-/}.join(":")
+ cipherlist = ciphersuites[ciphersuite].reject{|x| x =~
/^(DHE|EDH)-/}.join(":")
set_dhparam = false
else
cipherlist = ciphersuites[ciphersuite].join(":")
--
To view, visit https://gerrit.wikimedia.org/r/251153
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: I07715405b20e5021e5a1b0c2f4b842cefc25f78c
Gerrit-PatchSet: 3
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BBlack <[email protected]>
Gerrit-Reviewer: BBlack <[email protected]>
Gerrit-Reviewer: Chmarkine <[email protected]>
Gerrit-Reviewer: Dzahn <[email protected]>
Gerrit-Reviewer: Faidon Liambotis <[email protected]>
Gerrit-Reviewer: Giuseppe Lavagetto <[email protected]>
Gerrit-Reviewer: JanZerebecki <[email protected]>
Gerrit-Reviewer: jenkins-bot <>
_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
