BBlack has submitted this change and it was merged. Change subject: ssl_ciphersuite: drop CAMELLIA ......................................................................
ssl_ciphersuite: drop CAMELLIA Rationale: 1. Major browsers don't support it 2. A lot of servers don't support it 3. The few browsers customized to support it must support other cipher options (commonly AES). It seems very unlikely a browser implements DHE-CAMELLIA and doesn't support DHE-AES (or something better that's AEAD). 4. It's not currently available to us as an FS+AEAD option, therefore if a browser is customized to prioritize selecting Camellia over all other factors (by probing cipher selection), having it enabled here reduces the security of connections to that browser. 5. Our TLS cipher-selection stats over the past ~9 months (all available data) show that it's selected in practice almost never. We often go weeks without a single use of it, and in the sporadic cases where it's used, it's clearly only a small handful of clients at best, possibly only in TLS testing software and such. If OpenSSL ever implements GCM modes for Camellia, we could consider adding those to our 'high' list, but that may or may not ever happen. See also the whole thread in: https://github.com/openssl/openssl/issues/320 Change-Id: I4f956f15e8ad4dd7edd6fd325913e2628fdd061d --- M modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb 1 file changed, 1 insertion(+), 3 deletions(-) Approvals: BBlack: Verified; Looks good to me, approved diff --git a/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb b/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb index e253027..5db7bbc 100644 --- a/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb +++ b/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb @@ -69,7 +69,7 @@ # 1) Mac: AEAD > ALL (GCM > CBC) # 2) Kx: ECDHE > DHE (Server Perf, may help with DH>1024 compat) # 3) Mac: SHA-2 > SHA-1 - # 4) Enc: AES128 > AES256 (>CAMELLIA128 > CAMELLIA256) + # 4) Enc: AES128 > AES256 # 5) Auth: ECDSA > RSA (Server Performance) basic = { # Forward-Secret + AEAD @@ -98,8 +98,6 @@ 'DHE-RSA-AES256-SHA256', 'DHE-RSA-AES128-SHA', 'DHE-RSA-AES256-SHA', - 'DHE-RSA-CAMELLIA128-SHA', - 'DHE-RSA-CAMELLIA256-SHA', ], # Only include this in "mid" for the mid-spec, because including it in # "compat" might block a successful negotiation by "upgrading" a working -- To view, visit https://gerrit.wikimedia.org/r/288952 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I4f956f15e8ad4dd7edd6fd325913e2628fdd061d Gerrit-PatchSet: 2 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: BBlack <[email protected]> Gerrit-Reviewer: BBlack <[email protected]> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
