BBlack has submitted this change and it was merged.

Change subject: ssl_ciphersuite: disable DHE for apache for now
......................................................................
ssl_ciphersuite: disable DHE for apache for now Change-Id: I80ada9fb7c4b2f55731bd1de2bddd14f6f38b877 --- M modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb 1 file changed, 4 insertions(+), 10 deletions(-) Approvals: BBlack: Looks good to me, approved jenkins-bot: Verified diff --git a/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb b/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb index 5e0fb81..709e906 100644 --- a/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb +++ b/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb 
@@ -171,16 +171,10 @@ fail(ArgumentError, 'ssl_ciphersuite(): apache 2.2 can only be used with "compat"') end - # no DHE for apache unless jessie (2.4.10) - # trusty's apache-2.4.7 can technically do it as well, but only if we - # append dhe params to the server cert file, which would be difficult to - # factor in with sslcert puppetization and such. Possible TODO if we're - # really stuck on this? - # - # what we really want here is a check on the actual installed apache - # version >= 2.4.8, rather than checking for exactly Debian Jessie. - if server == 'apache' && lookupvar('lsbdistcodename').capitalize != 'Jessie' - Puppet.warning('ssl_ciphersuite(): DHE ciphers disabled - upgrade to Jessie+Apache2.4!') + # We can't do proper DH params for DHE suites on any of our current apache + # builds, actually, because they weren't built against openssl-1.0.2. + # Disabling for now, until we come up with a better way to configure this + if server == 'apache' cipherlist = ciphersuites[ciphersuite].reject{|x| x =~ /^DHE-/}.join(":") set_dhparam = false else -- To view, visit https://gerrit.wikimedia.org/r/234551 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I80ada9fb7c4b2f55731bd1de2bddd14f6f38b877 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: BBlack <bbl...@wikimedia.org> Gerrit-Reviewer: BBlack <bbl...@wikimedia.org> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
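Review bot: removing the Puppet.warning together with the Jessie check makes the DHE downgrade on apache silent, so the new `if server == 'apache'` branch should keep a warning (for example `Puppet.warning('ssl_ciphersuite(): DHE ciphers disabled on apache - no openssl-1.0.2 build')`) so that the weaker cipher list and `set_dhparam = false` show up in agent output rather than only in a code comment. The replacement comment also drops the requirement the old one recorded (a real check on the installed apache version >= 2.4.8 instead of a distro codename); since the new text says "until we come up with a better way to configure this", mark it as a TODO and carry that version/openssl requirement over so the condition for re-enabling DHE is not lost. The filter itself is fine: `reject{|x| x =~ /^DHE-/}` is anchored, so ECDHE- suites survive and only DHE- suites are stripped, but a unit test asserting the returned cipherlist for server == 'apache' contains no `DHE-` entry and that set_dhparam is false would pin that behaviour down.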