BBlack has submitted this change and it was merged. (
https://gerrit.wikimedia.org/r/384578 )
Change subject: ssl_ciphersuite: dump 3DES on 2017-11-17
......................................................................
ssl_ciphersuite: dump 3DES on 2017-11-17
Bug: T147199
Bug: T163251
Change-Id: I5843ec262d2ebe0419388d14412c19318a3f4a38
---
M modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
1 file changed, 5 insertions(+), 6 deletions(-)
Approvals:
BBlack: Looks good to me, approved
jenkins-bot: Verified
diff --git a/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
b/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
index c97ffc8..e12ced2 100644
--- a/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
+++ b/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
@@ -64,7 +64,6 @@
module Puppet::Parser::Functions
# Basic list chunks, used to construct bigger lists
# General preference ordering for fullest combined list:
- # 0) Enc: 3DES < ALL (SWEET32)
# 1) Kx: (EC)DHE > RSA (Forward Secrecy)
# 2) Mac: AEAD > ALL (AES-GCM/CHAPOLY > Others)
# 3) Auth: ECDSA > RSA (Perf, mostly)
@@ -81,10 +80,11 @@
# AES256 performance differentials. SHA-2 HMAC variants were filtered
# similarly, as all clients that would negotiate x-SHA256 also negotiate
x-SHA
# and there's no effective security difference between the two.
- # *) The 'compat' list has been reduced to just the two weakest and
- # most-popular reasonable options there. The others were mostly
statistically
- # insignificant, and things are so bad at this level it's not worth worrying
- # about slight cipher strength gains.
+ # *) The 'compat' list has been reduced to just AES128-SHA after the removal
+ # of 3DES in Nov 2017. There are other possible entries here (AES256 and/or
+ # GCM), but in practice very few clients ever negotiate them anyways. All
+ # such clients fall back to AES128-SHA, and things are so bad at this level
+ # it's not worth worrying about slight cipher strength gains.
basic = {
# Forward-Secret + AEAD
'strong' => [
@@ -108,7 +108,6 @@
# not-forward-secret compat for ancient stuff
'compat' => [
'AES128-SHA', # Mostly evil proxies, also ancient devices
- 'DES-CBC3-SHA', # Mostly IE7-8 on XP, also ancient devices
],
}
--
To view, visit https://gerrit.wikimedia.org/r/384578
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: I5843ec262d2ebe0419388d14412c19318a3f4a38
Gerrit-PatchSet: 3
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BBlack <[email protected]>
Gerrit-Reviewer: BBlack <[email protected]>
Gerrit-Reviewer: jenkins-bot <>
_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
