BBlack has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/234512

Change subject: ssl_ciphersite: bugfix for apache-2.4.8+ DHE selection
......................................................................

ssl_ciphersite: bugfix for apache-2.4.8+ DHE selection

Change-Id: I4101b7a1b962854e5decfc4003e547f2d9c46e85
---
M modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
1 file changed, 4 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/12/234512/1

diff --git a/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb 
b/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
index 78f0d49..5e0fb81 100644
--- a/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
+++ b/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
@@ -176,7 +176,10 @@
     # append dhe params to the server cert file, which would be difficult to
     # factor in with sslcert puppetization and such.  Possible TODO if we're
     # really stuck on this?
-    if server == 'apache' && lookupvar('lsbdistrelease').capitalize != 'Jessie'
+    #
+    # what we really want here is a check on the actual installed apache
+    # version >= 2.4.8, rather than checking for exactly Debian Jessie.
+    if server == 'apache' && lookupvar('lsbdistcodename').capitalize != 
'Jessie'
       Puppet.warning('ssl_ciphersuite(): DHE ciphers disabled - upgrade to 
Jessie+Apache2.4!')
       cipherlist = ciphersuites[ciphersuite].reject{|x| x =~ /^DHE-/}.join(":")
       set_dhparam = false
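
Review bot: the changed `if` still tests for the codename being exactly 'Jessie' (`lookupvar('lsbdistcodename').capitalize != 'Jessie'`), so any Apache host on another codename, including a release newer than Jessie that ships Apache >= 2.4.8, takes the branch that rejects the `DHE-` ciphers and sets `set_dhparam = false`. The added comment already says a version check is what is wanted; please mark it as a TODO so it is greppable. Until that check exists, consider comparing against the codenames known to ship an older Apache instead of `!= 'Jessie'`, so the fallback does not silently drop DHE on later releases. The warning text 'upgrade to Jessie+Apache2.4!' would also mislead on such a host. The commit message has no body; a line saying why `lsbdistrelease` was the wrong fact to compare against 'Jessie' would help the next reader of this function.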

-- 
To view, visit https://gerrit.wikimedia.org/r/234512
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I4101b7a1b962854e5decfc4003e547f2d9c46e85
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BBlack <[email protected]>

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits