https://bugzilla.wikimedia.org/show_bug.cgi?id=23107
Summary: X.509 certificate for Bugzilla server(s) has expired
Product: Wikimedia
Version: unspecified
Platform: All
URL: https://bugzilla.wikimedia.org/
OS/Version: All
Status: NEW
Keywords: shell
Severity: normal
Priority: Normal
Component: Bugzilla
AssignedTo: [email protected]
ReportedBy: [email protected]
CC: [email protected]

The X.509 certificate for bugzilla.wikimedia.org has expired: it is not valid
after 2011-01-31T21:36:50+00:00. It should be replaced.

Side notes:

It also uses the MD5 algorithm for hashing, which is not considered secure
anymore. This should be changed to a more secure algorithm like one from the
SHA-2 family.

The certificate is also used for bugs.wikimedia.org, but does not contain that
host name in the certificate (should be included in subjectAlternativeName as a
dNSName). bugs.wikimedia.org uses an HTTP 302 Moved to redirect users to
bugzilla.wikimedia.org, but this does not mean that the certificate does not
have to include the host name as well. (Or a second certificate has to be
used.)

Furthermore, I recommend restricting keyUsage to
critical:(digitalSignature,keyEncipherment) (this will limit the usable
algorithms to the ones with ephemeral keys, which should not be a problem, but
considered a good thing) and extendedKeyUsage to (serverAuth). Client
authentication is probably unnecessary for the certificate.
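
The points raised in the report above, turned into an automated check. This is an added example, not part of the original bug report or of Wikimedia's tooling. It reads text in the layout printed by `openssl x509 -noout -text`; the sample certificate text and the names `audit`, `_ext` and `_matches` are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout printed by `openssl x509 -noout -text`. It mirrors
# the report's findings; it is not a dump of the real certificate.
SAMPLE = """\
    Signature Algorithm: md5WithRSAEncryption
        Validity
            Not Before: Jan 31 21:36:50 2010 GMT
            Not After : Jan 31 21:36:50 2011 GMT
        Subject: CN=bugzilla.wikimedia.org
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:bugzilla.wikimedia.org
"""

def _ext(text, name):
    """Return (critical, set_of_values) for an X509v3 extension, or None if absent."""
    m = re.search(rf"X509v3 {name}:( critical)?[ \t]*\n[ \t]*(.+)", text)
    return (bool(m.group(1)), {v.strip() for v in m.group(2).split(",")}) if m else None

def _matches(pattern, host):
    """Exact match, or a wildcard covering only the leftmost label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and p[1:] == h[1:] and p[0] in ("*", h[0])

def audit(text, hostnames, now=None):
    """Check the points raised in the report; return a list of findings."""
    now = now or datetime.now(timezone.utc)
    findings = []
    stamp = re.search(r"Not After\s*:\s*(.+)", text).group(1).strip()
    not_after = datetime.strptime(stamp, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    if now > not_after:
        findings.append(f"expired: not valid after {not_after.isoformat()}")
    sig = re.search(r"Signature Algorithm:\s*(\S+)", text).group(1)
    if sig.lower().startswith("md5"):
        findings.append(f"weak signature hash: {sig}")
    san = _ext(text, "Subject Alternative Name")
    dns = {v[4:] for v in san[1] if v.startswith("DNS:")} if san else set()
    for host in hostnames:  # every name the server answers to must be a dNSName
        if not any(_matches(name, host) for name in dns):
            findings.append(f"host name not in subjectAltName: {host}")
    ku = _ext(text, "Key Usage")
    if ku is None or not ku[0] or not ku[1] <= {"Digital Signature", "Key Encipherment"}:
        findings.append("keyUsage not restricted to critical:(digitalSignature,keyEncipherment)")
    eku = _ext(text, "Extended Key Usage")
    if eku is None or eku[1] != {"TLS Web Server Authentication"}:
        findings.append("extendedKeyUsage is not limited to serverAuth")
    return findings
```

Calling `audit(SAMPLE, ["bugzilla.wikimedia.org", "bugs.wikimedia.org"])` returns one finding per issue in the report; an empty list means the certificate text passed all of the checks.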