Discussion:
[Bug 53259] New: Add Forward Secrecy
b***@wikimedia.org
2013-08-23 16:46:43 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

Web browser: ---
Bug ID: 53259
Summary: Add Forward Secrecy
Product: Wikimedia
Version: wmf-deployment
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: enhancement
Priority: Unprioritized
Component: SSL related
Assignee: wikibugs-***@lists.wikimedia.org
Reporter: michael+***@yanovich.net
Classification: Unclassified
Mobile Platform: ---

Forward Secrecy capable ciphers are not currently available on wikipedia.org.
The only ciphers available on wikipedia.org are:

* SSL_RSA_WITH_RC4_128_SHA
* SSL_RSA_WITH_RC4_128_MD5
* SSL_RSA_WITH_3DES_EDE_CBC_SHA
* TLS_RSA_WITH_AES_128_CBC_SHA
* TLS_RSA_WITH_AES_256_CBC_SHA

source, https://www.ssllabs.com/ssltest/analyze.html?d=en.wikipedia.org

None of which offer Forward Secrecy.

Could this please be added to wikipedia's servers?
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2013-08-26 10:00:26 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

Andre Klapper <***@wikimedia.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
Priority|Unprioritized |Low

--- Comment #1 from Andre Klapper <***@wikimedia.org> ---
Where can I find more information?
https://en.wikipedia.org/wiki/Perfect_forward_secrecy ?
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2013-08-29 08:27:04 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

--- Comment #2 from Seb35 <***@gmail.com> ---
The blog post [1] explains the "forward secrecy" property only adds a +15% in
CPU load for ECDHE ciphers, but +300% for simple DHE ciphers. Probably the
Operations team should carefully review this bug before activating it for
performance reasons. Nowadays only Chromium and Firefox support FS, Opera only
supports DHE ciphers and Internet Explorer don’t support FS; I don’t know for
Safari.

This other blog post [2] (and blog) explains how Google configured FS: why they
chosed ECDHE (this performance reason) and how they configured session tickets.

[1] http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html
[2] https://www.imperialviolet.org/2011/11/22/forwardsecret.html
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2013-12-11 09:56:00 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

***@azet.sk changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |***@azet.sk

--- Comment #3 from ***@azet.sk ---
Google is already supporting Forward Secrecy for SSL connections.

The deployment of Forward Secrecy muss be done carefully, especialy when SSL
session IDs are used. But SSL session IDs can help reduce the overhead of
Forward Secrecy:

https://www.imperialviolet.org/2013/06/27/botchingpfs.html
http://blog.ivanristic.com/2013/06/ssl-labs-deploying-forward-secrecy.html
http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
http://blog.ivanristic.com/2013/08/increasing-dhe-strength-on-apache.html

There have been some questions about backdoors in ECDHE ciphers:

https://crypto.stackexchange.com/questions/10263/should-we-trust-the-nist-recommended-ecc-parameters
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2013-12-20 10:37:30 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

Nemo <***@tiscali.it> changed:

What |Removed |Added
----------------------------------------------------------------------------
Priority|Low |Normal
Status|UNCONFIRMED |NEW
CC| |***@tiscali.it
Ever confirmed|0 |1

--- Comment #4 from Nemo <***@tiscali.it> ---
According to https://wikitech.wikimedia.org/wiki/HTTPS/Future_work this is in
the plans already (second bullet), adjusting fields.
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-04-02 16:10:44 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

jeremyb <bugzilla+***@tuxmachine.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |bugzilla+***@tuxm
| |achine.com
See Also| |https://bugzilla.wikimedia.
| |org/show_bug.cgi?id=33890
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-05-10 12:03:49 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

Jan Zerebecki <***@zerebecki.de> changed:

What |Removed |Added
----------------------------------------------------------------------------
Blocks| |65005
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-05-10 12:05:08 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

--- Comment #5 from Jan Zerebecki <***@zerebecki.de> ---
https://gerrit.wikimedia.org/r/#/c/132393/
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-05-16 15:14:43 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

James Forrester <***@wikimedia.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
Blocks|65005 |
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-05-22 05:11:31 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

Gerrit Notification Bot <***@wikimedia.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |PATCH_TO_REVIEW
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-05-22 05:11:28 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

--- Comment #6 from Gerrit Notification Bot <***@wikimedia.org> ---
Change 132393 had a related patch set uploaded by MZMcBride:
Improve nginx TLS/SSL settings.

https://gerrit.wikimedia.org/r/132393
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-06-27 23:19:16 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

--- Comment #7 from Nemo <***@tiscali.it> ---
Giuseppe tested the settings, proving the load is not a problem, and thanks to
this the change is now scheduled for next week!
https://wikitech.wikimedia.org/wiki/Deployments#deploycal-item-20140701T1000
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-06-28 00:05:16 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

Ori Livneh <***@wikimedia.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |***@wikimedia.org

--- Comment #8 from Ori Livneh <***@wikimedia.org> ---
The load may not be a problem for our servers, but I'd like to know whether
there is a potential impact on user experience, and whether an attempt has been
made to quantify it.
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-07-04 11:35:29 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

***@hotmail.com changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |***@hotmail.com

--- Comment #14 from ***@hotmail.com ---
gerrit.wikimedia.org still does not support Forward Secrecy.

* https://www.ssllabs.com/ssltest/analyze.html?d=gerrit.wikimedia.org
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-07-04 11:44:18 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

--- Comment #15 from ***@hotmail.com ---
wikitech.wikimedia.org also doesn't support Forward Secrecy.

More importantly, SSL Labs says Wikitech server is "vulnerable to the OpenSSL
CCS vulnerability (CVE-2014-0224) and exploitable".

* https://www.ssllabs.com/ssltest/analyze.html?d=wikitech.wikimedia.org
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-07-04 12:05:51 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

--- Comment #16 from Sam Reed (reedy) <***@reedyboy.net> ---
(In reply to chmarkine from comment #15)
Post by b***@wikimedia.org
wikitech.wikimedia.org also doesn't support Forward Secrecy.
More importantly, SSL Labs says Wikitech server is "vulnerable to the
OpenSSL CCS vulnerability (CVE-2014-0224) and exploitable".
* https://www.ssllabs.com/ssltest/analyze.html?d=wikitech.wikimedia.org
F to A- now
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-07-04 15:26:52 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

Jan Zerebecki <***@zerebecki.de> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
Resolution|FIXED |---

--- Comment #17 from Jan Zerebecki <***@zerebecki.de> ---
Yes and there are more sites that still lack forward secrecy. Now that there is
an acceptable configuration with FS we can just apply that one to them. Some
like wikitech and gerrit can probably use one that is less backwards compatible
(like no SSL3, disable RC4, difficult: disable non-fs ciphers).
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-07-05 08:52:29 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

--- Comment #18 from ***@hotmail.com ---
I agree with Jan. I think disabling SSL3 and non-fs ciphers is feasible,
because only IE 6-8 on XP do not support any FS ciphers, only IE 6 does not
support TLS 1.0 or higher, and even IE 7 on Vista supports ECDHE.

Also ticket.wikimedia.org does not support PFS. So all together:
* gerrit.wikimedia.org
* wikitech.wikimedia.org
* ticket.wikimedia.org

https://www.ssllabs.com/ssltest/analyze.html?d=ticket.wikimedia.org
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-07-05 09:22:51 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

--- Comment #19 from ***@hotmail.com ---
I just find more and more sites with no FS:

* gerrit.wikimedia.org
* wikitech.wikimedia.org
* ticket.wikimedia.org
* lists.wikimedia.org
* dumps.wikimedia.org
* graphite.wikimedia.org
* gdash.wikimedia.org

Again, graphite.wikimedia.org, gdash.wikimedia.org and dumps.wikimedia.org are
"vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224) and exploitable".

lists.wikimedia.org is "vulnerable to the OpenSSL CCS vulnerability
(CVE-2014-0224), but probably not exploitable", and lists.wikimedia.org does
not support TLS 1.1 and TLS 1.2.

[1] https://www.ssllabs.com/ssltest/analyze.html?d=graphite.wikimedia.org (F)
[2] https://www.ssllabs.com/ssltest/analyze.html?d=gdash.wikimedia.org (F)
[3] https://www.ssllabs.com/ssltest/analyze.html?d=dumps.wikimedia.org (F)
[4] https://www.ssllabs.com/ssltest/analyze.html?d=lists.wikimedia.org (B)
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-07-06 11:59:49 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

--- Comment #20 from ***@hotmail.com ---
See also: https://bugzilla.wikimedia.org/show_bug.cgi?id=67564
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-07-08 18:11:53 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

Daniel Zahn <***@wikimedia.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |***@wikimedia.org

--- Comment #21 from Daniel Zahn <***@wikimedia.org> ---
meanwhile dumps and lists have been fixed it seems

dumps.wikimedia.org
Experimental: This server is not vulnerable to the OpenSSL CCS vulnerability
(CVE-2014-0224).


lists.wikimedia.org
Experimental: This server is not vulnerable to the OpenSSL CCS vulnerability
(CVE-2014-0224).
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-07-08 18:20:32 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

--- Comment #22 from Nemo <***@tiscali.it> ---
It's a bit unpractical to have one comment for each domain. Jan and chmarkine,
it would be IMHO more useful if you resurrected
https://wikitech.wikimedia.org/wiki/Httpsless_domains to make a table of which
domains have https but lack PFS.
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-07-08 18:40:20 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

--- Comment #23 from Gerrit Notification Bot <***@wikimedia.org> ---
Change 144731 had a related patch set uploaded by Dzahn:
update SSL cipher list for gerrit to support PFS

https://gerrit.wikimedia.org/r/144731
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-07-08 18:40:24 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

Gerrit Notification Bot <***@wikimedia.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|REOPENED |PATCH_TO_REVIEW
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-07-08 18:51:17 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

--- Comment #24 from Gerrit Notification Bot <***@wikimedia.org> ---
Change 144734 had a related patch set uploaded by Dzahn:
update SSL cipher list for OTRS to support PFS

https://gerrit.wikimedia.org/r/144734
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-07-08 18:57:12 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

--- Comment #25 from Gerrit Notification Bot <***@wikimedia.org> ---
Change 144736 had a related patch set uploaded by Dzahn:
update SSL cipher list on wikitech to support PFS

https://gerrit.wikimedia.org/r/144736
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-07-08 19:26:54 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

--- Comment #26 from Daniel Zahn <***@wikimedia.org> ---
all services behind the misc. varnish cluster should be fixed now. they were
lacking an nginx restart on cp1043/cp1044, which i did now

this should have fixed all these:

doc
git
gdash
graphite
parsoid-tests
performance
integration
releases
legalpad
logstash
scholarships
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-07-08 20:03:29 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

--- Comment #27 from Gerrit Notification Bot <***@wikimedia.org> ---
Change 144731 merged by Dzahn:
update SSL cipher list for gerrit to support PFS

https://gerrit.wikimedia.org/r/144731
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-07-09 07:40:58 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

--- Comment #28 from ***@hotmail.com ---
(In reply to Nemo from comment #22)
Post by b***@wikimedia.org
It's a bit unpractical to have one comment for each domain. Jan and
chmarkine, it would be IMHO more useful if you resurrected
https://wikitech.wikimedia.org/wiki/Httpsless_domains to make a table of
which domains have https but lack PFS.
I made such a list: https://wikitech.wikimedia.org/wiki/User:Chmarkine/HTTPS

It summarizes support status for Forward Secrecy and HSTS. It also shows
protocol versions, whether HTTP redirects to HTTPS, links to SSL Labs and SSL
Labs grades.

It is an incomplete list. Please feel free to update it or move it to main
namespace, if you want!
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-07-10 14:54:10 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

--- Comment #29 from Daniel Zahn <***@wikimedia.org> ---
also see the older wiki page that just focused on domains without https

https://wikitech.wikimedia.org/wiki/Httpsless_domains
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-07-10 22:43:35 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

--- Comment #30 from Daniel Zahn <***@wikimedia.org> ---
chmarkine: very nice list, thanks!

I just wanted to add that even though i have those (partly pending) patches to
enable it on gerrit,wikitech,otrs ..it will not actually work before Apache is
also a 2.4 version. But do you agree i should merge already anyways,based on it
being an improvement anyways? Then it would just automatically be supported as
soon as Apache will be upgraded.
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-07-11 02:56:21 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

--- Comment #31 from ***@hotmail.com ---
(In reply to Daniel Zahn from comment #30)
Post by b***@wikimedia.org
chmarkine: very nice list, thanks!
I just wanted to add that even though i have those (partly pending) patches
to enable it on gerrit,wikitech,otrs ..it will not actually work before
Apache is also a 2.4 version. But do you agree i should merge already
anyways,based on it being an improvement anyways? Then it would just
automatically be supported as soon as Apache will be upgraded.
I agree! I think we should definitely merge them.
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-07-11 18:03:52 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

--- Comment #32 from Gerrit Notification Bot <***@wikimedia.org> ---
Change 144734 merged by Dzahn:
update SSL cipher list for OTRS to support PFS

https://gerrit.wikimedia.org/r/144734
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-07-11 20:29:17 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

--- Comment #33 from Gerrit Notification Bot <***@wikimedia.org> ---
Change 144736 merged by Dzahn:
update SSL cipher list on wikitech to support PFS

https://gerrit.wikimedia.org/r/144736
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-07-15 18:39:34 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

--- Comment #34 from Gerrit Notification Bot <***@wikimedia.org> ---
Change 146510 had a related patch set uploaded by Chmarkine:
update SSL ciphers for contacts.wm.org to support PFS

https://gerrit.wikimedia.org/r/146510
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-07-16 16:56:21 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

--- Comment #35 from Gerrit Notification Bot <***@wikimedia.org> ---
Change 146510 merged by Dzahn:
update SSL ciphers for contacts.wm.org to support PFS

https://gerrit.wikimedia.org/r/146510
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-07-17 14:26:31 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

--- Comment #36 from Gerrit Notification Bot <***@wikimedia.org> ---
Change 147110 had a related patch set uploaded by Chmarkine:
update SSL ciphers for Ganglia to support PFS

https://gerrit.wikimedia.org/r/147110
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-07-17 15:34:56 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

--- Comment #37 from Gerrit Notification Bot <***@wikimedia.org> ---
Change 147123 had a related patch set uploaded by Chmarkine:
update SSL ciphers for noc.wikimedia.org to support PFS

https://gerrit.wikimedia.org/r/147123
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-07-17 15:54:07 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

--- Comment #38 from Gerrit Notification Bot <***@wikimedia.org> ---
Change 147110 merged by Dzahn:
update SSL ciphers for Ganglia to support PFS

https://gerrit.wikimedia.org/r/147110
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-07-17 16:39:11 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

--- Comment #39 from Daniel Zahn <***@wikimedia.org> ---
Why does ganglia still get a B from Qualys SSL Labs after the change, while
others are fine?
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-07-17 17:05:05 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

--- Comment #40 from Gerrit Notification Bot <***@wikimedia.org> ---
Change 147123 merged by Dzahn:
update SSL ciphers for noc.wikimedia.org to support PFS

https://gerrit.wikimedia.org/r/147123
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-07-17 18:26:40 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

--- Comment #41 from Jan Zerebecki <***@zerebecki.de> ---
It is B for ganglia because that old of an libssl and apache do not support
newer TLS versions. ganglia / nickel.wikimedia.org is still on Ubuntu Lucid.
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-07-18 11:26:04 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

--- Comment #42 from Gerrit Notification Bot <***@wikimedia.org> ---
Change 147185 had a related patch set uploaded by JanZerebecki:
racktables - update SSL cipher list

https://gerrit.wikimedia.org/r/147185
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-07-18 11:29:37 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

--- Comment #43 from Gerrit Notification Bot <***@wikimedia.org> ---
Change 147196 had a related patch set uploaded by JanZerebecki:
smokeping - update SSL cipher list

https://gerrit.wikimedia.org/r/147196
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-07-18 11:37:45 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

--- Comment #44 from Gerrit Notification Bot <***@wikimedia.org> ---
Change 147199 had a related patch set uploaded by JanZerebecki:
etherpad - update SSL cipher list

https://gerrit.wikimedia.org/r/147199
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-07-18 11:49:17 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

--- Comment #45 from Gerrit Notification Bot <***@wikimedia.org> ---
Change 147207 had a related patch set uploaded by JanZerebecki:
icinga - update SSL cipher list

https://gerrit.wikimedia.org/r/147207
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-07-18 12:13:21 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

--- Comment #46 from Gerrit Notification Bot <***@wikimedia.org> ---
Change 147208 had a related patch set uploaded by JanZerebecki:
generic_vhost (webserver) - update SSL ciphers

https://gerrit.wikimedia.org/r/147208
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-07-18 12:17:53 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

--- Comment #47 from Gerrit Notification Bot <***@wikimedia.org> ---
Change 147214 had a related patch set uploaded by JanZerebecki:
metrics - update SSL cipher list

https://gerrit.wikimedia.org/r/147214
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-07-18 16:11:33 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

--- Comment #48 from Gerrit Notification Bot <***@wikimedia.org> ---
Change 147196 abandoned by Dzahn:
smokeping - update SSL cipher list

https://gerrit.wikimedia.org/r/147196
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-07-18 17:01:23 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

--- Comment #49 from Gerrit Notification Bot <***@wikimedia.org> ---
Change 147199 merged by Dzahn:
etherpad - update SSL cipher list

https://gerrit.wikimedia.org/r/147199
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-07-18 20:56:33 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

--- Comment #50 from Gerrit Notification Bot <***@wikimedia.org> ---
Change 147185 merged by Dzahn:
racktables - update SSL cipher list

https://gerrit.wikimedia.org/r/147185
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-07-18 21:38:52 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

--- Comment #51 from Gerrit Notification Bot <***@wikimedia.org> ---
Change 147214 merged by Dzahn:
metrics - update SSL cipher list

https://gerrit.wikimedia.org/r/147214
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-07-19 04:31:07 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

--- Comment #52 from Gerrit Notification Bot <***@wikimedia.org> ---
Change 147715 had a related patch set uploaded by Chmarkine:
rt -- update cipher suite list to support PFS

https://gerrit.wikimedia.org/r/147715
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-07-19 14:37:17 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

--- Comment #53 from Gerrit Notification Bot <***@wikimedia.org> ---
Change 147739 had a related patch set uploaded by Chmarkine:
blog -- update cipher suite list to support PFS

https://gerrit.wikimedia.org/r/147739
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-07-19 15:11:16 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

--- Comment #54 from Gerrit Notification Bot <***@wikimedia.org> ---
Change 147740 had a related patch set uploaded by Chmarkine:
ishmael -- update cipher suite list to support PFS

https://gerrit.wikimedia.org/r/147740
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-07-22 04:03:31 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

--- Comment #55 from Gerrit Notification Bot <***@wikimedia.org> ---
Change 147739 abandoned by Chmarkine:
blog -- update cipher suite list to support PFS

https://gerrit.wikimedia.org/r/147739
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-07-23 09:13:34 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

--- Comment #56 from Gerrit Notification Bot <***@wikimedia.org> ---
Change 148618 had a related patch set uploaded by Chmarkine:
tendril -- update cipher suite list to support PFS

https://gerrit.wikimedia.org/r/148618
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-07-23 09:47:36 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

--- Comment #57 from Gerrit Notification Bot <***@wikimedia.org> ---
Change 148624 had a related patch set uploaded by Chmarkine:
planet -- update cipher suite list to support PFS

https://gerrit.wikimedia.org/r/148624
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-07-23 10:31:14 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

--- Comment #58 from Gerrit Notification Bot <***@wikimedia.org> ---
Change 148631 had a related patch set uploaded by Chmarkine:
svn -- update cipher suite list to support PFS

https://gerrit.wikimedia.org/r/148631
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-07-25 08:25:59 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

--- Comment #59 from Gerrit Notification Bot <***@wikimedia.org> ---
Change 149267 had a related patch set uploaded by Chmarkine:
icinga-admin -- update cipher suite list to support PFS

https://gerrit.wikimedia.org/r/149267
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-07-25 15:32:29 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

--- Comment #60 from Gerrit Notification Bot <***@wikimedia.org> ---
Change 149267 merged by Dzahn:
icinga-admin -- update cipher suite list to support PFS

https://gerrit.wikimedia.org/r/149267
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-08-03 20:55:02 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

Andre Klapper <***@wikimedia.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
See Also| |https://rt.wikimedia.org/Ti
| |cket/Display.html?id=7534
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
b***@wikimedia.org
2014-11-20 23:59:13 UTC
Permalink
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259

--- Comment #61 from ***@hotmail.com ---
I just found that https://payments.wikimedia.org is still using the old cipher
suite list:

TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA

https://www.ssllabs.com/ssltest/analyze.html?d=payments.wikimedia.org
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
Loading...