Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/148624

Change subject: planet -- update cipher suite list to support PFS
......................................................................

planet -- update cipher suite list to support PFS

This patch changes the cipher suite list for planet.wikimedia.org and
*.planet.wikimedia.org to support Forward Secrecy.

Bug: 53259
Change-Id: Ia698be9cca4f3df13c76ff544bba58a05f12efa9
---
M modules/planet/templates/apache/planet-language.erb
M modules/planet/templates/apache/planet.erb
2 files changed, 4 insertions(+), 4 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/24/148624/1

diff --git a/modules/planet/templates/apache/planet-language.erb 
b/modules/planet/templates/apache/planet-language.erb
index 9e31fdf..45a9917 100644
--- a/modules/planet/templates/apache/planet-language.erb
+++ b/modules/planet/templates/apache/planet-language.erb
@@ -15,8 +15,8 @@
 
         ServerName <%= @name %>.planet.<%= 
scope.lookupvar('planet::planet_domain_name') %>
         SSLEngine on
-        SSLProtocol -ALL +SSLv3 +TLSv1
-        SSLCipherSuite 
AES128-GCM-SHA256:RC4-SHA:RC4-MD5:DES-CBC3-SHA:AES128-SHA:AES256-SHA
+        SSLProtocol +ALL -SSLv2
+        SSLCipherSuite 
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!DH
         SSLHonorCipherOrder on
         SSLCertificateFile /etc/ssl/certs/star.planet.<%= 
scope.lookupvar('planet::planet_domain_name') %>.pem
         SSLCertificateChainFile /etc/ssl/certs/star.planet.<%= 
scope.lookupvar('planet::planet_domain_name') %>.chained.pem
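Review bot: `SSLProtocol +ALL -SSLv2` leaves SSLv3 enabled, and the new `SSLCipherSuite` still offers RC4 (`ECDHE-RSA-RC4-SHA`, `ECDHE-ECDSA-RC4-SHA`, `RC4-SHA`), so a client can still negotiate a legacy protocol and a weak stream cipher even though the list now leads with ECDHE. If no supported client depends on them, `SSLProtocol all -SSLv2 -SSLv3` plus `!RC4` in place of the three RC4 entries would tighten this; if they are kept for old clients, a template comment saying so would help. Also, `!DH` removes every DHE suite, so a client without ECDHE falls back to the non-forward-secret `AES128-GCM-SHA256`, `AES128`/`AES256` or `RC4-SHA` entries, which is presumably intentional but worth stating next to the directive. The same two lines are added in the planet.erb hunk, and the VirtualHost block starts and ends outside this hunk.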
diff --git a/modules/planet/templates/apache/planet.erb 
b/modules/planet/templates/apache/planet.erb
index 56ba1cd..fca91b3 100644
--- a/modules/planet/templates/apache/planet.erb
+++ b/modules/planet/templates/apache/planet.erb
@@ -4,8 +4,8 @@
 <VirtualHost *:443>
     ServerName planet.<%= scope.lookupvar('planet::planet_domain_name') %>
     SSLEngine on
-    SSLProtocol -ALL +SSLv3 +TLSv1
-    SSLCipherSuite 
AES128-GCM-SHA256:RC4-SHA:RC4-MD5:DES-CBC3-SHA:AES128-SHA:AES256-SHA
+    SSLProtocol +ALL -SSLv2
+    SSLCipherSuite 
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!DH
     SSLHonorCipherOrder on
     SSLCertificateFile /etc/ssl/certs/star.planet.<%= 
scope.lookupvar('planet::planet_domain_name') %>.pem
     SSLCertificateChainFile /etc/ssl/certs/star.planet.<%= 
scope.lookupvar('planet::planet_domain_name') %>.chained.pem
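Review bot: The long cipher string on the new `SSLCipherSuite` line is a verbatim copy of the one added to planet-language.erb, so the two vhosts can drift apart the next time the TLS policy changes. Holding the list in one place, such as a parameter on the planet class, and interpolating it in both templates would keep them in step, e.g. `SSLCipherSuite <%= @ssl_cipher_list %>` (the variable name is a placeholder, not an existing one). The same applies to the `SSLProtocol` line. The VirtualHost block continues past the end of this hunk.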

-- 
To view, visit https://gerrit.wikimedia.org/r/148624

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ia698be9cca4f3df13c76ff544bba58a05f12efa9
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine <[email protected]>
