BBlack has submitted this change and it was merged. Change subject: ssl_ciphersite: bugfix for apache-2.4.8+ DHE selection ......................................................................
ssl_ciphersite: bugfix for apache-2.4.8+ DHE selection Change-Id: I4101b7a1b962854e5decfc4003e547f2d9c46e85 --- M modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb 1 file changed, 4 insertions(+), 1 deletion(-) Approvals: JanZerebecki: Looks good to me, but someone else must approve BBlack: Looks good to me, approved jenkins-bot: Verified diff --git a/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb b/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb index 78f0d49..5e0fb81 100644 --- a/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb +++ b/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb @@ -176,7 +176,10 @@ # append dhe params to the server cert file, which would be difficult to # factor in with sslcert puppetization and such. Possible TODO if we're # really stuck on this? - if server == 'apache' && lookupvar('lsbdistrelease').capitalize != 'Jessie' + # + # what we really want here is a check on the actual installed apache + # version >= 2.4.8, rather than checking for exactly Debian Jessie. + if server == 'apache' && lookupvar('lsbdistcodename').capitalize != 'Jessie' Puppet.warning('ssl_ciphersuite(): DHE ciphers disabled - upgrade to Jessie+Apache2.4!') cipherlist = ciphersuites[ciphersuite].reject{|x| x =~ /^DHE-/}.join(":") set_dhparam = false -- To view, visit https://gerrit.wikimedia.org/r/234512 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I4101b7a1b962854e5decfc4003e547f2d9c46e85 Gerrit-PatchSet: 2 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: BBlack <bbl...@wikimedia.org> Gerrit-Reviewer: BBlack <bbl...@wikimedia.org> Gerrit-Reviewer: JanZerebecki <jan.wikime...@zerebecki.de> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits