Reference by ticket #2517 added by dzahn

On Tue Apr 15 13:53:30 2014, dzahn wrote:

break out from #2517 which was about the BEAST attack (and has been fixed in
the past).

current issues left on bugzilla.wikimedia.org

~~
Key RSA 1024 bits WEAK

RC4 cipher is used with TLS 1.1 or newer protocols, even though stronger
ciphers are available.

The server does not support Forward Secrecy with the reference browsers.
~~
https://www.ssllabs.com/ssltest/analyze.html?d=bugzilla.wikimedia.org

Reference by ticket #3172 added by dzahn

AdminCc CSteipp added by dzahn

Requestor ariel added by dzahn

the same is true for wmflabs.org and likely all/a lot of other servers, will
have to check all if we really wanted a stronger key

Does apache terminate the ssl on that server, or do we terminate on the nginx
cluster? If it's on the bugzilla server itself, and the general load isn't a
huge problem right now, I'd definitely be up for trying Mozilla's recommended
ciphersuite [https://wiki.mozilla.org/Security/Server_Side_TLS]. I'd expect to
see 5-10% overhead, but it would be great to get real numbers.
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
PFS is preferred, and rc4 is discouraged (but preferred over 3des, which has
horrible performance), so overall load will definitely increase, just how much
depends on what kinds of browsers hit the server.

Issue taken by dzahn

On Tue Apr 15 17:22:28 2014, CSteipp wrote:

Does apache terminate the ssl on that server, or do we terminate on
the nginx

On Bugzilla (zirconium) itself.
https://gerrit.wikimedia.org/r/#/c/126204/ (make the suite easier to configure)
https://gerrit.wikimedia.org/r/#/c/126205/ (change to the Mozilla recommended
suite)
https://gerrit.wikimedia.org/r/#/c/126206/ (change Protocol setting)

Reference to ticket #6763 added by dzahn

Bugzilla ticket 53259 added by dzahn

merged, we don't use RC4 anymore now.
but Qualis still says we don't support PFS with the reference browsers. and the
key being weak is of course not a webserver config issue

Subject changed from 'bugzilla SSL - weak RSA key, RC4 usage' to 'bugzilla SSL - weak RSA key, <s>RC4 usage</s>' by dzahn

Dependency on ticket #7534 added by fgiunchedi

calling it resolved because we fixed the RC4 usage and i dont think we are
going to buy a new cert now that we already started importing bugs to
phabricator

Dependency on ticket #7534 deleted by dzahn

Reference to ticket #7534 added by dzahn

half resolved, half rejected, also see 7534, fixed dependency that wasn't
really a dependency

Status changed from 'new' to 'resolved' by dzahn

AdminCc jeremyb added by jeremyb