[MediaWiki-commits] [Gerrit] operations/puppet[production]: ssl_ciphersuite: prefer ECDSA certs more-strongly

Thu, 14 Sep 2017 08:21:59 -0700 

BBlack has submitted this change and it was merged. ( 
https://gerrit.wikimedia.org/r/378045 )

Change subject: ssl_ciphersuite: prefer ECDSA certs more-strongly
......................................................................


ssl_ciphersuite: prefer ECDSA certs more-strongly

We've flip-flopped on this two or three times in the past, whether
to order the core high-sec suites by cipher then auth, or auth
then cipher.  At this point preferring the auth part (ECDSA)
more-strongly probably makes the most sense.  I don't think this
will affect chapoly (or other) percentages by very much today, but
killng RSA auth will eventually be on our radar once TLSv1.0 dies,
and this helps establish better historical data about its slow
demise as a requirement in our ciphersuite stats.

Change-Id: I1ba1351ccb9bb9e85c78ec373ee9b03e1f1e89ff
---
M modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
1 file changed, 6 insertions(+), 6 deletions(-)

Approvals:
  BBlack: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb 
b/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
index 6d643c1..c97ffc8 100644
--- a/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
+++ b/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
@@ -67,10 +67,10 @@
   # 0) Enc:  3DES < ALL       (SWEET32)
   # 1) Kx:   (EC)DHE > RSA    (Forward Secrecy)
   # 2) Mac:  AEAD > ALL       (AES-GCM/CHAPOLY > Others)
-  # 3) Enc:  CHAPOLY > AESGCM (Old client perf, sec)
-  # 4) Kx:   ECDHE > DHE      (Perf, mostly)
-  # 5) Enc:  AES256 > AES128  (sec)
-  # 6) Auth: ECDSA > RSA      (Perf, mostly)
+  # 3) Auth: ECDSA > RSA      (Perf, mostly)
+  # 4) Enc:  CHAPOLY > AESGCM (Old client perf, sec)
+  # 5) Enc:  AES256 > AES128  (sec, batch attacks?)
+  # 6) Kx:   ECDHE > DHE      (Perf, mostly)
   #
   # After all of that, the fullest list of reasonably-acceptable mid/compat
   # ciphers has been filtered further to reduce pointless clutter:
@@ -93,10 +93,10 @@
       'TLS13-AES-256-GCM-SHA384',
       'TLS13-AES-128-GCM-SHA256',
       'ECDHE-ECDSA-CHACHA20-POLY1305',
-      'ECDHE-RSA-CHACHA20-POLY1305',
       'ECDHE-ECDSA-AES256-GCM-SHA384',
-      'ECDHE-RSA-AES256-GCM-SHA384',
       'ECDHE-ECDSA-AES128-GCM-SHA256',
+      'ECDHE-RSA-CHACHA20-POLY1305',
+      'ECDHE-RSA-AES256-GCM-SHA384',
       'ECDHE-RSA-AES128-GCM-SHA256',
     ],
     # Forward-Secret, but not AEAD

-- 
To view, visit https://gerrit.wikimedia.org/r/378045
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I1ba1351ccb9bb9e85c78ec373ee9b03e1f1e89ff
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BBlack <[email protected]>
Gerrit-Reviewer: BBlack <[email protected]>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits

Reply via email to