BBlack has submitted this change and it was merged.

Change subject: ssl_ciphersuite: disable DHE for apache for now
......................................................................


ssl_ciphersuite: disable DHE for apache for now

Change-Id: I80ada9fb7c4b2f55731bd1de2bddd14f6f38b877
---
M modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
1 file changed, 4 insertions(+), 10 deletions(-)

Approvals:
  BBlack: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb 
b/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
index 5e0fb81..709e906 100644
--- a/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
+++ b/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
@@ -171,16 +171,10 @@
       fail(ArgumentError, 'ssl_ciphersuite(): apache 2.2 can only be used with 
"compat"')
     end
 
-    # no DHE for apache unless jessie (2.4.10)
-    # trusty's apache-2.4.7 can technically do it as well, but only if we
-    # append dhe params to the server cert file, which would be difficult to
-    # factor in with sslcert puppetization and such.  Possible TODO if we're
-    # really stuck on this?
-    #
-    # what we really want here is a check on the actual installed apache
-    # version >= 2.4.8, rather than checking for exactly Debian Jessie.
-    if server == 'apache' && lookupvar('lsbdistcodename').capitalize != 
'Jessie'
-      Puppet.warning('ssl_ciphersuite(): DHE ciphers disabled - upgrade to 
Jessie+Apache2.4!')
+    # We can't do proper DH params for DHE suites on any of our current apache
+    # builds, actually, because they weren't built against openssl-1.0.2.
+    # Disabling for now, until we come up with a better way to configure this
+    if server == 'apache'
       cipherlist = ciphersuites[ciphersuite].reject{|x| x =~ /^DHE-/}.join(":")
       set_dhparam = false
     else
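Review bot: the new `if server == 'apache'` branch removes the DHE suites silently, whereas the deleted branch at least emitted `Puppet.warning('ssl_ciphersuite(): DHE ciphers disabled - ...')`; consider keeping a warning so that the loss of DHE (and the unconditional `set_dhparam = false` that now applies to every apache caller) stays visible in agent logs, and turn the "Disabling for now" in the comment into a concrete exit condition, i.e. state that the branch can go once the apache builds link against openssl-1.0.2 and proper DH params become possible. The `reject{|x| x =~ /^DHE-/}` filter is unchanged and only matches names starting with `DHE-`, so forward secrecy on apache now rests entirely on the ECDHE entries left in `ciphersuites[ciphersuite]`; that is worth one line in the commit message.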

-- 
To view, visit https://gerrit.wikimedia.org/r/234551
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I80ada9fb7c4b2f55731bd1de2bddd14f6f38b877
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BBlack <bbl...@wikimedia.org>
Gerrit-Reviewer: BBlack <bbl...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits