[MediaWiki-commits] [Gerrit] ssl_ciphersite: bugfix for apache-2.4.8+ DHE selection - change (operations/puppet)

Fri, 28 Aug 2015 08:02:15 -0700 

BBlack has submitted this change and it was merged.

Change subject: ssl_ciphersite: bugfix for apache-2.4.8+ DHE selection
......................................................................


ssl_ciphersite: bugfix for apache-2.4.8+ DHE selection

Change-Id: I4101b7a1b962854e5decfc4003e547f2d9c46e85
---
M modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
1 file changed, 4 insertions(+), 1 deletion(-)

Approvals:
  JanZerebecki: Looks good to me, but someone else must approve
  BBlack: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb 
b/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
index 78f0d49..5e0fb81 100644
--- a/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
+++ b/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
@@ -176,7 +176,10 @@
     # append dhe params to the server cert file, which would be difficult to
     # factor in with sslcert puppetization and such.  Possible TODO if we're
     # really stuck on this?
-    if server == 'apache' && lookupvar('lsbdistrelease').capitalize != 'Jessie'
+    #
+    # what we really want here is a check on the actual installed apache
+    # version >= 2.4.8, rather than checking for exactly Debian Jessie.
+    if server == 'apache' && lookupvar('lsbdistcodename').capitalize != 
'Jessie'
       Puppet.warning('ssl_ciphersuite(): DHE ciphers disabled - upgrade to 
Jessie+Apache2.4!')
       cipherlist = ciphersuites[ciphersuite].reject{|x| x =~ /^DHE-/}.join(":")
       set_dhparam = false

-- 
To view, visit https://gerrit.wikimedia.org/r/234512
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I4101b7a1b962854e5decfc4003e547f2d9c46e85
Gerrit-PatchSet: 2
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BBlack <bbl...@wikimedia.org>
Gerrit-Reviewer: BBlack <bbl...@wikimedia.org>
Gerrit-Reviewer: JanZerebecki <jan.wikime...@zerebecki.de>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits

Reply via email to