BBlack has submitted this change and it was merged.
Change subject: ssl_ciphersuite: demote all 3DES for SWEET32
......................................................................
ssl_ciphersuite: demote all 3DES for SWEET32
These forward-secret 3DES options were just there to help increase
our forward-secrecy percentage a bit at little cost. In pragmatic
terms there's no real impact here on client incompatibility, even
in the "mid" server case.
Change-Id: I618bc996fef7de21f44842e0e28881bb3b1ea201
---
M modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
1 file changed, 6 insertions(+), 4 deletions(-)
Approvals:
BBlack: Looks good to me, approved
jenkins-bot: Verified
diff --git a/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
b/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
index 827a489..a339f9f 100644
--- a/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
+++ b/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
@@ -64,6 +64,7 @@
module Puppet::Parser::Functions
# Basic list chunks, used to construct bigger lists
# General preference ordering for fullest combined list:
+ # -1) Enc: 3DES < ALL (SWEET32)
# 0) Kx: (EC)DHE > RSA (Forward Secrecy)
# 1) Mac: AEAD > ALL (AES-GCM/CHAPOLY > Others)
# ^ Note: our chapoly patches only turn on chapoly ciphers if the client
@@ -104,16 +105,17 @@
'ECDHE-RSA-AES128-SHA256',
'ECDHE-ECDSA-AES128-SHA', # Unpatched IE<11, Android 4.[0-3]
'ECDHE-RSA-AES128-SHA',
- 'ECDHE-ECDSA-DES-CBC3-SHA',
- 'ECDHE-RSA-DES-CBC3-SHA',
'DHE-RSA-AES128-SHA256',
'DHE-RSA-AES128-SHA', # Android 2.x, openssl-0.9.8
- 'DHE-RSA-DES-CBC3-SHA', # openssl-1.1.0
- 'EDH-RSA-DES-CBC3-SHA', # pre-1.1.0 name for the above
],
# not-forward-secret compat for ancient stuff
'compat' => [
'AES128-SHA', # Mostly evil proxies, also ancient devices
+ # These 4 are forward-secret, but 3DES is borked now
+ 'ECDHE-ECDSA-DES-CBC3-SHA',
+ 'ECDHE-RSA-DES-CBC3-SHA',
+ 'DHE-RSA-DES-CBC3-SHA', # openssl-1.1.0
+ 'EDH-RSA-DES-CBC3-SHA', # pre-1.1.0 name for the above
'DES-CBC3-SHA', # Mostly IE7-8 on XP, also ancient devices
],
}
--
To view, visit https://gerrit.wikimedia.org/r/306666
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: I618bc996fef7de21f44842e0e28881bb3b1ea201
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BBlack <[email protected]>
Gerrit-Reviewer: BBlack <[email protected]>
Gerrit-Reviewer: Ema <[email protected]>
Gerrit-Reviewer: Faidon Liambotis <[email protected]>
Gerrit-Reviewer: Muehlenhoff <[email protected]>
Gerrit-Reviewer: jenkins-bot <>
_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
