BBlack has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/373670 )
Change subject: dhparam: use ffdhe2048 from RFC7919
......................................................................

dhparam: use ffdhe2048 from RFC7919

We've been using openssl dhparam to generate custom 2048-bit DHE groups since mid-2015 and rotating in new random ones periodically as additional insurance against a persistent calculation against an accidentally-weak one. That approach is not invalid, but really it's better to just go ahead and use the standard ffdhe2048 group published in RFC 7919. In the long run, our DHE support will eventually end before persistent attacks on public 2048-bit groups become a risk.

More importantly, the ffdhe2048 group has been audited for weaknesses that could happen in our random groups. Also, some newer or patched clients which use DHE may prefer known-good groups like these if they see them (and reject random ones, resulting in failure), and there's no way to negotiate for that except to use these standardized groups in our present scenario.

Change-Id: Ib0438325235890e08864b8b5293a09f825f06d9c
---
M modules/sslcert/files/dhparam.pem
1 file changed, 6 insertions(+), 6 deletions(-)

git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/70/373670/1

diff --git a/modules/sslcert/files/dhparam.pem b/modules/sslcert/files/dhparam.pem index 7a3d9f3..9b182b7 100644 --- a/modules/sslcert/files/dhparam.pem +++ b/modules/sslcert/files/dhparam.pem 
@@ -1,8 +1,8 @@ -----BEGIN DH PARAMETERS----- -MIIBCAKCAQEAikk4qQ78Qt4o9o85Rb8s3iXPsKcd1nzYRjAQsBJHOwqVESfUE3xI -R13wE3y/prFYupnOuoaf0Fq0KWoedtbHVBCZatix0eq9jeQmxMPb4h0nQcLPeGPk -HXDziEjWQX1U4nOkZUkVLK2IAshT/BVt6aE/vIxsv9+8ifWiJz+cOZdtzcniPhRA -MU1SQZd3hmJt5ygMSeojTYVtxixerhC283Q3PXzrzJbd5tboOPxfuz1TNsl1SS2d -EiwKtJRJ6PlwGWp0fguZ/4nfEiqqFK2GPR39g2y38De5sk81+rGH+/6g+8MbfdJb -HkrbKanSwChl81I5qLQnZTkXU27EEpJFcwIBAg== +MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz ++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a +87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 +YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi +7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD +ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg== -----END DH PARAMETERS----- -- To view, visit https://gerrit.wikimedia.org/r/373670 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ib0438325235890e08864b8b5293a09f825f06d9c Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: BBlack <[email protected]> _______________________________________________ MediaWiki-commits mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
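Review bot: nothing in the new body of modules/sslcert/files/dhparam.pem, or alongside it, lets a reviewer confirm that the six replaced base64 lines are exactly the ffdhe2048 group the commit message names. The visible ends are consistent with it: the blob opens with MIIBCAKCAQEA followed by a run of '/' characters and closes with a run of '/' then wIBAg==, which is a 2048-bit prime with all-ones leading and trailing bytes and generator 2. The middle of the prime cannot be checked by eye, though. Suggest stating in the commit message how the file was produced and how to check it, for example by decoding it with openssl dhparam -in modules/sslcert/files/dhparam.pem -text -noout and comparing the prime against the ffdhe2048 value in RFC 7919, Appendix A.1. Separately, the diffstat shows only this one file changing: if the periodic regeneration described in the commit message is driven by a script or runbook, it should be retired or called out in the same change so that a later rotation does not replace the standard group with a random one.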
