Page MenuHomePhabricator

Fix apache-2.4 + DHE ciphersuites issue
Closed, ResolvedPublic

Description

For apache (only 2.4, not 2.2), we'd like to be able to enable DHE-based ciphersuites for broader compatibility, like we do for nginx. Aside from tiny corner cases, this primarily affects Android 2.x and OpenSSL 0.9.8 clients (the latter being what a bunch of CLI tools on older linux installations might still be using). For services using 'compat' ciphersuites (virtually all of them), it would upgrade these clients to PFS. For those using 'mid' (just lists.wm.o so far, AFAIK), without DHE those clients can't actually connect at all.

Currently we universally disable the DHE suites for apache, though, for complex reasons:

  • We don't want to turn them on without using a custom DH group instead of the static one (logjam, et al)
  • Apache doesn't support custom DH groups until 2.4.7+ (so, jessie+ for us, which has 2.4.10)
  • 2.4.7 introduced one ugly way to configure it: append the DH group to the server's certificate file
  • 2.4.8 introduced a better way with an explicit config parameter (similar to nginx style), but the feature doesn't work unless apache is rebuilt against openssl-1.0.2, and jessie's stock apache isn't.

So there's two basic ways to go about fixing this:

  1. Similar to how we generate 'chained' certs in the sslcert module, also generate a copy of the cert with dhparams appended, e.g. /etc/ssl/localcerts/foo.plusdh.crt. Then go around to all the SSLCertificateFile directives in jessie-based public-facing apaches and switch them to that file reference, and set some new parameter in their ssl_ciphersuite() calls to allow DHE. Complex, and there's no good way to enforce that the former is in place when the latter is enabled.
  2. Re-build apache-2.4 for jessie-wikimedia using our existing openssl-1.0.2 package. Get the package upgraded on existing hosts. Then have ssl_ciphersuite assume DHE is ok on jessie+, and put the new directive into the file itself (as we do for nginx). Relatively painless on the puppet front, but means we have the pain of maintaining our own apache package for jessie forever (with no real diffs, just a dependency update for openssl-1.0.2).

Details

Related Gerrit Patches:

Event Timeline

BBlack created this task.Apr 20 2016, 8:59 PM
Restricted Application added a project: Operations. · View Herald TranscriptApr 20 2016, 8:59 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
BBlack triaged this task as Low priority.Apr 20 2016, 9:01 PM

I'm in favour of rebuilding apache2. The overhead isn't that big (jessie has been released a year ago and saw one update in a DSA and two in point releases) and it's a transient effort which will cease with the upgrade to stretch.

@MoritzMuehlenhoff - if you think it's not much overhead and want to take on packaging jessie's apache-2.4 built against our openssl-1.0.2, that would be awesome :)

Sure, I can do that next week.

apache 2.4.10-10+deb8u4+wmf1 has been built against openssl 1.0.2 and uploaded to carbon. I'll update this bug once all existing jessie systems are upgraded.

Apache on all jessie systems has been upgraded and restarted.

MoritzMuehlenhoff removed MoritzMuehlenhoff as the assignee of this task.Apr 26 2016, 1:00 PM

Change 284518 had a related patch set uploaded (by BBlack):
ssl_ciphersuite refactoring, jessie apache DHE support

https://gerrit.wikimedia.org/r/284518

Change 284518 merged by BBlack:
ssl_ciphersuite refactoring, jessie apache DHE support

https://gerrit.wikimedia.org/r/284518

BBlack closed this task as Resolved.Apr 26 2016, 2:18 PM
BBlack claimed this task.