Page MenuHomePhabricator
Create Task
Maniphest T133217

Fix apache-2.4 + DHE ciphersuites issue
Closed, ResolvedPublic
Actions

Description

For apache (only 2.4, not 2.2), we'd like to be able to enable DHE-based ciphersuites for broader compatibility, like we do for nginx. Aside from tiny corner cases, this primarily affects Android 2.x and OpenSSL 0.9.8 clients (the latter being what a bunch of CLI tools on older linux installations might still be using). For services using 'compat' ciphersuites (virtually all of them), it would upgrade these clients to PFS. For those using 'mid' (just lists.wm.o so far, AFAIK), without DHE those clients can't actually connect at all.

Currently we universally disable the DHE suites for apache, though, for complex reasons:

  • We don't want to turn them on without using a custom DH group instead of the static one (logjam, et al)
  • Apache doesn't support custom DH groups until 2.4.7+ (so, jessie+ for us, which has 2.4.10)
  • 2.4.7 introduced one ugly way to configure it: append the DH group to the server's certificate file
  • 2.4.8 introduced a better way with an explicit config parameter (similar to nginx style), but the feature doesn't work unless apache is rebuilt against openssl-1.0.2, and jessie's stock apache isn't.

So there's two basic ways to go about fixing this:

  1. Similar to how we generate 'chained' certs in the sslcert module, also generate a copy of the cert with dhparams appended, e.g. /etc/ssl/localcerts/foo.plusdh.crt. Then go around to all the SSLCertificateFile directives in jessie-based public-facing apaches and switch them to that file reference, and set some new parameter in their ssl_ciphersuite() calls to allow DHE. Complex, and there's no good way to enforce that the former is in place when the latter is enabled.
  2. Re-build apache-2.4 for jessie-wikimedia using our existing openssl-1.0.2 package. Get the package upgraded on existing hosts. Then have ssl_ciphersuite assume DHE is ok on jessie+, and put the new directive into the file itself (as we do for nginx). Relatively painless on the puppet front, but means we have the pain of maintaining our own apache package for jessie forever (with no real diffs, just a dependency update for openssl-1.0.2).

Details

SubjectRepoBranchLines +/-
ssl_ciphersuite refactoring, jessie+apache DHE supportoperations/puppetproduction+68 -80
Customize query in gerrit

Related Objects

Event Timeline

BBlack created this task.Apr 20 2016, 8:59 PM
Restricted Application added a project: SRE. · View Herald TranscriptApr 20 2016, 8:59 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
BBlack triaged this task as Low priority.Apr 20 2016, 9:01 PM
MoritzMuehlenhoff added a comment.Apr 21 2016, 7:48 AM

I'm in favour of rebuilding apache2. The overhead isn't that big (jessie has been released a year ago and saw one update in a DSA and two in point releases) and it's a transient effort which will cease with the upgrade to stretch.

BBlack added a comment.Apr 21 2016, 1:12 PM

@MoritzMuehlenhoff - if you think it's not much overhead and want to take on packaging jessie's apache-2.4 built against our openssl-1.0.2, that would be awesome :)

MoritzMuehlenhoff added a comment.Apr 21 2016, 1:15 PM

Sure, I can do that next week.

BBlack mentioned this in T132521: Enforce HTTPS+HSTS on remaining one-off sites in wikimedia.org that don't use standard cache cluster termination.Apr 21 2016, 8:18 PM
MoritzMuehlenhoff claimed this task.Apr 26 2016, 8:05 AM
MoritzMuehlenhoff added a comment.Apr 26 2016, 9:41 AM

apache 2.4.10-10+deb8u4+wmf1 has been built against openssl 1.0.2 and uploaded to carbon. I'll update this bug once all existing jessie systems are upgraded.

MoritzMuehlenhoff added a comment.Apr 26 2016, 1:00 PM

Apache on all jessie systems has been upgraded and restarted.

MoritzMuehlenhoff removed MoritzMuehlenhoff as the assignee of this task.Apr 26 2016, 1:00 PM
gerritbot subscribed.Apr 26 2016, 1:39 PM

Change 284518 had a related patch set uploaded (by BBlack):
ssl_ciphersuite refactoring, jessie apache DHE support

https://gerrit.wikimedia.org/r/284518

gerritbot added a project: Patch-For-Review.Apr 26 2016, 1:39 PM
gerritbot added a comment.Apr 26 2016, 2:13 PM

Change 284518 merged by BBlack:
ssl_ciphersuite refactoring, jessie apache DHE support

https://gerrit.wikimedia.org/r/284518

BBlack closed this task as Resolved.Apr 26 2016, 2:18 PM
BBlack claimed this task.

thanks @MoritzMuehlenhoff !

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL