BBlack has uploaded a new change for review.
https://gerrit.wikimedia.org/r/301501
Change subject: ciphersuites: use dhe+3des in compat list
......................................................................
ciphersuites: use dhe+3des in compat list
Keeping this out of compat doesn't seem to make a good tradeoff
anymore as we continue to push harder for forward secrecy. The
odds are vanishingly small that there's any significant client
population which has this cipher but nothing better and doesn't
support >1024-bit DHE. We don't know of any such cases, and I
can't seem to dig any up. Our cipher graphs will tell us if we
need to revert.
Change-Id: Ie9643678e279ed2b594b26a999b296395bec6099
---
M modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
1 file changed, 1 insertion(+), 7 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/01/301501/1
diff --git a/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
b/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
index 9a2f850..0961195 100644
--- a/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
+++ b/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
@@ -97,12 +97,6 @@
'DHE-RSA-AES256-SHA256',
'DHE-RSA-AES128-SHA',
'DHE-RSA-AES256-SHA',
- ],
- # Only include this in "mid" for the mid-spec, because including it in
- # "compat" might block a successful negotiation by "upgrading" a working
- # compat option to a DHE-based mid option for clients that are probably
- # likely to fail on >1024-bit DHE.
- 'mid-only-tail' => [
'EDH-RSA-DES-CBC3-SHA', # EDH == DHE here, confusingly
],
# not-forward-secret compat for ancient stuff
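Review bot: Removing the 'mid-only-tail' comment block leaves 'EDH-RSA-DES-CBC3-SHA' at the end of 'mid' with nothing in the file explaining why a 3DES suite sits there. The risk the old comment described (a working compat option being "upgraded" to a DHE-based one for clients likely to fail on >1024-bit DHE) is now accepted without a trace. Suggest a one- or two-line replacement comment above that entry saying it is intentionally shared with compat and that the cipher graphs are the signal to revert, so the rationale is recorded in the code and not only in the commit message.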
@@ -117,7 +111,7 @@
# Final lists exposed to callers
ciphersuites = {
'strong' => basic['strong'],
- 'mid' => basic['strong'] + basic['mid'] + basic['mid-only-tail'],
+ 'mid' => basic['strong'] + basic['mid'],
'compat' => basic['strong'] + basic['mid'] + basic['compat'],
}
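Review bot: The only edited line in this hunk is 'mid', whose resulting list is the same as before, while the behavioural change is in the untouched context line `'compat' => basic['strong'] + basic['mid'] + basic['compat'],`, which now places the DHE+3DES entry ahead of every basic['compat'] suite. That coupling is not visible from the hunk itself; a short comment above the hash noting that anything appended to basic['mid'] also lands in compat ahead of the non-forward-secret suites would make it explicit. Please also confirm that nothing else in the function still reads basic['mid-only-tail'], since that key no longer exists after this change.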
--
To view, visit https://gerrit.wikimedia.org/r/301501
Gerrit-MessageType: newchange
Gerrit-Change-Id: Ie9643678e279ed2b594b26a999b296395bec6099
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BBlack <[email protected]>