Hello jenkins-bot,

I'd like you to do a code review.  Please visit

    https://gerrit.wikimedia.org/r/365062

to review the following change.


Change subject: Revert "ssl_ciphersuite: limit ECDH curves where possible"
......................................................................

Revert "ssl_ciphersuite: limit ECDH curves where possible"

This reverts commit 1811def526025a67bd6baa8fe509a71a5b147f52.

Change-Id: I92d3fbb76f02a3fcd136871062f4617f584ccb76
---
M modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
1 file changed, 0 insertions(+), 8 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/62/365062/1

diff --git a/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb 
b/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
index 9fd9367..352b42c 100644
--- a/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
+++ b/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
@@ -162,10 +162,8 @@
     # OS / Server -dependant feature flags:
     nginx_always_ok = true
     dhe_ok = true
-    libssl_has_x25519 = true
     if !function_os_version(['debian >= jessie'])
       nginx_always_ok = false
-      libssl_has_x25519 = false
       if server == 'apache'
         dhe_ok = false
       end
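
Review bot: the commit message gives only the reverted hash, so nothing records why `libssl_has_x25519` and its `false` override in the `!function_os_version(['debian >= jessie'])` branch are being dropped. Please add a sentence to the commit message saying what the curve restriction broke or why it is no longer wanted, so that anyone reintroducing the flag later knows which condition has to be handled first.
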
@@ -193,7 +191,6 @@
         output.push('SSLProtocol all -SSLv2 -SSLv3')
       end
       output.push("SSLCipherSuite #{cipherlist}")
-      # Note: missing config to restrict ECDH curves
       output.push('SSLHonorCipherOrder On')
       if dhe_ok
         output.push('SSLOpenSSLConfCmd DHParameters "/etc/ssl/dhparam.pem"')
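
Review bot: deleting "# Note: missing config to restrict ECDH curves" after the `SSLCipherSuite` push leaves the Apache branch with no indication that curve selection is left to defaults. Since this change also removes the nginx directive, consider rewording the comment instead of dropping it, for example to say that ECDH curves are intentionally unrestricted for both servers, so the omission reads as a decision rather than an oversight.
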
@@ -208,11 +205,6 @@
         output.push('ssl_protocols TLSv1 TLSv1.1 TLSv1.2;')
       end
       output.push("ssl_ciphers #{cipherlist};")
-      if libssl_has_x25519
-        output.push("ssl_ecdh_curve X25519:prime256v1;")
-      else
-        output.push("ssl_ecdh_curve prime256v1;")
-      end
       output.push('ssl_prefer_server_ciphers on;')
       if dhe_ok
         output.push('ssl_dhparam /etc/ssl/dhparam.pem;')
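
Review bot: with both `ssl_ecdh_curve` pushes removed after the `ssl_ciphers` line, the generated nginx config no longer names any curve, so the curves offered now depend on whatever the installed nginx and libssl default to, and that can differ between the OS versions this function already distinguishes. Please confirm on one host per supported OS version which curves are actually negotiated after this lands, and note the expected result in the commit message. If only the `X25519:prime256v1` variant was the problem, keeping the plain `ssl_ecdh_curve prime256v1;` line unconditionally would be a narrower change than removing the restriction altogether.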

-- 
To view, visit https://gerrit.wikimedia.org/r/365062
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I92d3fbb76f02a3fcd136871062f4617f584ccb76
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BBlack <[email protected]>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
