[MediaWiki-commits] [Gerrit] operations/puppet[production]: ssl_ciphersuite: demote all 3DES for SWEET32

Thu, 25 Aug 2016 07:11:10 -0700 

BBlack has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/306666

Change subject: ssl_ciphersuite: demote all 3DES for SWEET32
......................................................................

ssl_ciphersuite: demote all 3DES for SWEET32

These forward-secret 3DES options were just there to help increase
our forward-secrecy percentage a bit at little cost.  In pragmatic
terms there's no real impact here on client incompatibility, even
in the "mid" server case.

Change-Id: I618bc996fef7de21f44842e0e28881bb3b1ea201
---
M modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
1 file changed, 6 insertions(+), 4 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/66/306666/1

diff --git a/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb 
b/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
index 827a489..a339f9f 100644
--- a/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
+++ b/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
@@ -64,6 +64,7 @@
 module Puppet::Parser::Functions
   # Basic list chunks, used to construct bigger lists
   # General preference ordering for fullest combined list:
+  # -1) Enc: 3DES < ALL       (SWEET32)
   # 0) Kx:   (EC)DHE > RSA    (Forward Secrecy)
   # 1) Mac:  AEAD > ALL       (AES-GCM/CHAPOLY > Others)
   #   ^ Note: our chapoly patches only turn on chapoly ciphers if the client
@@ -104,16 +105,17 @@
       'ECDHE-RSA-AES128-SHA256',
       'ECDHE-ECDSA-AES128-SHA',    # Unpatched IE<11, Android 4.[0-3]
       'ECDHE-RSA-AES128-SHA',
-      'ECDHE-ECDSA-DES-CBC3-SHA',
-      'ECDHE-RSA-DES-CBC3-SHA',
       'DHE-RSA-AES128-SHA256',
       'DHE-RSA-AES128-SHA',   # Android 2.x, openssl-0.9.8
-      'DHE-RSA-DES-CBC3-SHA', # openssl-1.1.0
-      'EDH-RSA-DES-CBC3-SHA', # pre-1.1.0 name for the above
     ],
     # not-forward-secret compat for ancient stuff
     'compat' => [
       'AES128-SHA',   # Mostly evil proxies, also ancient devices
+       # These 4 are forward-secret, but 3DES is borked now
+      'ECDHE-ECDSA-DES-CBC3-SHA',
+      'ECDHE-RSA-DES-CBC3-SHA',
+      'DHE-RSA-DES-CBC3-SHA', # openssl-1.1.0
+      'EDH-RSA-DES-CBC3-SHA', # pre-1.1.0 name for the above
       'DES-CBC3-SHA', # Mostly IE7-8 on XP, also ancient devices
     ],
   }

-- 
To view, visit https://gerrit.wikimedia.org/r/306666
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I618bc996fef7de21f44842e0e28881bb3b1ea201
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BBlack <[email protected]>

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits

Reply via email to