BBlack has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/352924 )
Change subject: ssl_ciphersuite: remove DHE-RSA-AES128-GCM-SHA256
......................................................................
ssl_ciphersuite: remove DHE-RSA-AES128-GCM-SHA256

This is one of our last two remaining DHE-based suites and its 30d
usage sits at a modest 0.068%. The other is DHE-RSA-AES128-SHA,
which enjoys a relatively-robust popularity of 0.712% due
primarily to Android 2.x and is at the very end of our
forward-secret list.

None of the current users of the cipher to be removed will
lose connectivity. Ciphersuite simulations on past real traffic
indicate the users of the removed cipher will primarily switch to
the other DHE alternative above, although a small fraction will
instead switch to ECDHE-RSA-AES128-SHA (which is preferable
anyways).

Removing this has a chance to increase our compatibility with a
tiny percentage of clients who may be stuck on the DHE > 1024
issue, at an acceptably-tiny loss to our overall AEAD stats.

It also gets our "high" list for TLSv1.2 aligned with our expected
TLSv1.3 offerings (later this year), which will simplify future
analysis, and paves the way for eventually disabling the final DHE
cipher (probably after we've removed both of our legacy
non-forward-secret options and disabled TLSv1.0, so probably no
earlier than late 2018 at best).

Change-Id: I22ab2b15251396a0bfef3ac6d7455e622332d92b
---
M modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
1 file changed, 0 insertions(+), 1 deletion(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/24/352924/1
diff --git a/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
b/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
index 6143766..352b42c 100644
--- a/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
+++ b/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
@@ -95,7 +95,6 @@
'ECDHE-RSA-AES256-GCM-SHA384',
'ECDHE-ECDSA-AES128-GCM-SHA256',
'ECDHE-RSA-AES128-GCM-SHA256',
- 'DHE-RSA-AES128-GCM-SHA256',
],
# Forward-Secret, but not AEAD
'mid' => [
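Review bot: the removal at line 98 leaves no trace in the file of why the list ending there stops at 'ECDHE-RSA-AES128-GCM-SHA256'; the diffstat shows 0 insertions, so the rationale (the DHE > 1024 client compatibility issue and alignment with the expected TLSv1.3 offerings) exists only in the commit message. Consider adding a one-line comment above that list, in the style of the existing "# Forward-Secret, but not AEAD" comment on the 'mid' list, stating that it is intentionally ECDHE-only, so a DHE AEAD suite is not re-added later by someone who has not read this history. Since the commit message expects displaced clients to fall back mainly to DHE-RSA-AES128-SHA, it would also help to confirm in the change that this suite is still present in the 'mid' list, which the hunk context does not show.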
--
To view, visit https://gerrit.wikimedia.org/r/352924
Gerrit-MessageType: newchange
Gerrit-Change-Id: I22ab2b15251396a0bfef3ac6d7455e622332d92b
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BBlack <[email protected]>