Page MenuHomePhabricator

Fix wikitech-static TLS config
Closed, ResolvedPublic

Description

wikitech-static has a couple minor TLS issues:

  1. Does not send chain cert, which should be RapidSSL SHA256 CA - G3
  2. HTTP->HTTPS redirect is 302, should be 301 (probably just need to locate the rewrite rule and change R to R=301 in the bracketed part at the end)

I tried to log in and look at this myself, but the supposed access method doesn't work for me (using info from pwstore).

Related Objects

StatusAssignedTask
OpenBBlack
ResolvedBBlack
ResolvedArielGlenn
ResolvedChmarkine
ResolvedBBlack
ResolvedBBlack
ResolvedBBlack
ResolvedBBlack
ResolvedBBlack
ResolvedBBlack
ResolvedCCogdill_WMF
DeclinedBBlack
DuplicateBBlack
ResolvedBBlack
ResolvedBBlack
ResolvedKrenair
ResolvedBBlack
ResolvedBBlack
ResolvedBBlack
ResolvedBBlack
ResolvedBBlack

Event Timeline

BBlack created this task.Apr 21 2016, 10:13 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 21 2016, 10:13 PM
BBlack updated the task description. (Show Details)Apr 21 2016, 10:13 PM
BBlack updated the task description. (Show Details)
BBlack added a subscriber: Andrew.

If I had to blindly guess on #1, it's that the config has SSLCertificateFile and SSLCertificateKeyFile, but lacks SSLCertificateChainFile, which should point at a copy of the cert shown in https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=SO26457 . Also, delete any line with SSLCACertificatePath at the same time, if that exists.

Krenair claimed this task.Apr 21 2016, 10:49 PM

I think I've fixed #1 as well. I did find SSLCertificateChainFile in the docs but it's obsolete since apache 2.4.8. Please check.

(I also removed the SSLCACertificatePath line)

BBlack added a comment.EditedApr 21 2016, 11:13 PM

Fix for #1 + #2 works, thanks!

The deprecation thing is accurate, but the ChainFile method still works. We've just been configuring all of our in-house apaches the deprecated way because it works consistently across all the versions that we run. The not-deprecated way is to remove the ChainFile directive and append the contents of that file to the main certificate file.

Also, found a third issue - it's missing HSTS header output (a past audit said that it had HSTS, maybe that got dropped during some later re-config, maybe during switch to Jessie?). Should just require this at the VirtualHost level for the SSL virtualhost:

Header always set Strict-Transport-Security "max-age=31536000"

(edited above - #1 + #2 are fixed)

The deprecation thing is accurate, but the ChainFile method still works. We've just been configuring all of our in-house apaches the deprecated way because it works consistently across all the versions that we run. The not-deprecated way is to remove the ChainFile directive and append the contents of that file to the main certificate file.

Yeah, I used the non-deprecated way.

Also, found a third issue - it's missing HSTS header output (a past audit said that it had HSTS, maybe that got dropped during some later re-config, maybe during switch to Jessie?). Should just require this at the VirtualHost level for the SSL virtualhost:

Header always set Strict-Transport-Security "max-age=31536000"

I copied over all the apache configs during the migration, not sure what happened with that. I wouldn't normally set this sort of header myself for a service like wikitech-static, but I'm going to trust your judgement on this topic. :)
I had to a2enmod headers to get it working.

Do you want to open a separate ticket for fixing ops access to the machine? @Dzahn should have the credentials somewhere, alternatively there's probably some way in through the web panel, or if the right people approve I suppose I could set a new root password for you.

For all I know the STS header may have been previously-set in mediawiki config somehow, too, no idea on that. But it's outputting the right header now, so #3 fixed as well. ssllabs back up to A+ now.

Yeah I'll make a separate ticket about access not working as expected.

Krenair closed this task as Resolved.Apr 21 2016, 11:43 PM