BBlack has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/308434

Change subject: ssl_ciphersuite: remove SHA256 "mid" options
......................................................................

ssl_ciphersuite: remove SHA256 "mid" options

In our ciphersuite simulations and known information about all the
statistically-significant browsers, anything currently negotiating
these SHA256 options will fall back to the equivalent SHA1 options
that remain.  There's no functional security difference between
the two as HMACs (and SHA1 is slightly faster, not that it will
matter much in practice).  This further shortens the list of bad
ciphers that we only support for compatibility reasons, and thus
further reduces the line noise in looking at cipher stats and
such.

Change-Id: I11b6245dfc71892f1e997934eb63e43a488bdf1b
---
M modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
1 file changed, 1 insertion(+), 4 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/34/308434/1

diff --git a/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb 
b/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
index 66fe4f6..60e0727 100644
--- a/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
+++ b/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
@@ -100,11 +100,8 @@
     ],
     # Forward-Secret, but not AEAD
     'mid' => [
-      'ECDHE-ECDSA-AES128-SHA256', # Mostly Safari 6-8
-      'ECDHE-ECDSA-AES128-SHA',    # Unpatched IE<11, Android 4.[0-3]
-      'ECDHE-RSA-AES128-SHA256',
+      'ECDHE-ECDSA-AES128-SHA',
       'ECDHE-RSA-AES128-SHA',
-      'DHE-RSA-AES128-SHA256',
       'DHE-RSA-AES128-SHA',   # Android 2.x, openssl-0.9.8
     ],
     # not-forward-secret compat for ancient stuff
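Review bot: The replacement line `'ECDHE-ECDSA-AES128-SHA',` in the 'mid' list drops the `# Unpatched IE<11, Android 4.[0-3]` annotation even though the cipher itself stays, so the list loses the record of which clients justify keeping it. Since the commit message says the clients that negotiated the SHA256 variants will now land on the SHA1 equivalents, consider keeping that comment and extending it with the clients from the removed `# Mostly Safari 6-8` line, so that anyone reading cipher stats later can tell why this entry still sees traffic. `'ECDHE-RSA-AES128-SHA'` has no client comment either; a short note there would make the list consistent with the `DHE-RSA-AES128-SHA` entry, which keeps its `# Android 2.x, openssl-0.9.8` comment.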

-- 
To view, visit https://gerrit.wikimedia.org/r/308434
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I11b6245dfc71892f1e997934eb63e43a488bdf1b
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BBlack <bbl...@wikimedia.org>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
