BBlack has uploaded a new change for review. https://gerrit.wikimedia.org/r/308434
Change subject: ssl_ciphersuite: remove SHA256 "mid" options
......................................................................

ssl_ciphersuite: remove SHA256 "mid" options

In our ciphersuite simulations and known information about all the statistically-significant browsers, anything currently negotiating these SHA256 options will fall back to the equivalent SHA1 options that remain. There's no functional security difference between the two as HMACs (and SHA1 is slightly faster, not that it will matter much in practice).

This further shortens the list of bad ciphers that we only support for compatibility reasons, and thus further reduces the line noise in looking at cipher stats and such.

Change-Id: I11b6245dfc71892f1e997934eb63e43a488bdf1b
---
M modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
1 file changed, 1 insertion(+), 4 deletions(-)

git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/34/308434/1

diff --git a/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb b/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb index 66fe4f6..60e0727 100644 --- a/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb +++ b/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb 
@@ -100,11 +100,8 @@ ], # Forward-Secret, but not AEAD 'mid' => [ - 'ECDHE-ECDSA-AES128-SHA256', # Mostly Safari 6-8 - 'ECDHE-ECDSA-AES128-SHA', # Unpatched IE<11, Android 4.[0-3] - 'ECDHE-RSA-AES128-SHA256', + 'ECDHE-ECDSA-AES128-SHA', 'ECDHE-RSA-AES128-SHA', - 'DHE-RSA-AES128-SHA256', 'DHE-RSA-AES128-SHA', # Android 2.x, openssl-0.9.8 ], # not-forward-secret compat for ancient stuff -- To view, visit https://gerrit.wikimedia.org/r/308434 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I11b6245dfc71892f1e997934eb63e43a488bdf1b Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: BBlack <bbl...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
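Review bot: the re-added 'ECDHE-ECDSA-AES128-SHA' entry in the 'mid' list loses its trailing comment (# Unpatched IE<11, Android 4.[0-3]), and the # Mostly Safari 6-8 note goes away with the removed 'ECDHE-ECDSA-AES128-SHA256' entry. Every cipher in this list is kept only for compatibility, so these comments are the only in-file record of which clients still justify each entry, and they are what someone will consult when deciding whether the next entry can be dropped. Suggest keeping the existing comment on the ECDSA SHA line and, if the Safari 6-8 clients now land on this entry as the commit message implies, adding them to it, for example: 'ECDHE-ECDSA-AES128-SHA', # Unpatched IE<11, Android 4.[0-3], Safari 6-8. The 'ECDHE-RSA-AES128-SHA' line has no client note at all; a short comment there would be consistent with the 'DHE-RSA-AES128-SHA' line below it.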