BBlack has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/308279

Change subject: ssl_ciphersuite: remove less-popular 3DES options
......................................................................

ssl_ciphersuite: remove less-popular 3DES options

At the time these were first added, they were considered "better
than nothing" in an effort to increase forward secrecy.  In
practice they're statistically-useless, so in the post-SWEET32
world we should remove them completely.

Change-Id: I9d3433b5317e531cfaa760c7da06bcdd1df08a8b
---
M modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
1 file changed, 0 insertions(+), 5 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/79/308279/1

diff --git a/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb 
b/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
index a339f9f..34a93bb 100644
--- a/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
+++ b/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
@@ -111,11 +111,6 @@
     # not-forward-secret compat for ancient stuff
     'compat' => [
       'AES128-SHA',   # Mostly evil proxies, also ancient devices
-       # These 4 are forward-secret, but 3DES is borked now
-      'ECDHE-ECDSA-DES-CBC3-SHA',
-      'ECDHE-RSA-DES-CBC3-SHA',
-      'DHE-RSA-DES-CBC3-SHA', # openssl-1.1.0
-      'EDH-RSA-DES-CBC3-SHA', # pre-1.1.0 name for the above
       'DES-CBC3-SHA', # Mostly IE7-8 on XP, also ancient devices
     ],
   }
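
Review bot: The retained 'DES-CBC3-SHA' entry at the end of the 'compat' list is still a 3DES suite, so the SWEET32 concern the commit message gives as the reason for this change continues to apply to any client that negotiates it, and nothing in the remaining lines says so. The deleted comment ("3DES is borked now") was the only in-file mention of the weakness. Suggest carrying that information onto the surviving line, for example `'DES-CBC3-SHA', # 3DES (SWEET32-affected); kept only for IE7-8 on XP, also ancient devices`, and noting there or in the commit message what would allow it to be dropped. It is also worth confirming that 'DES-CBC3-SHA' stays last in the list so it is only selected when nothing else matches, since the ordering is what limits its use.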

-- 
To view, visit https://gerrit.wikimedia.org/r/308279

Gerrit-MessageType: newchange
Gerrit-Change-Id: I9d3433b5317e531cfaa760c7da06bcdd1df08a8b
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BBlack <bbl...@wikimedia.org>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
