We should generate both RSA and ECDSA certs and use them in parallel like we do for the primary clusters (which is possible at least on our Jessie nginx hosts, and probably Jessie Apache too). This increases cipher strength (from FS+CBC to FS+AEAD) for IE11 clients on Windows versions < 10.
Description
Status | Assigned | Task
---|---|---
Resolved | ema | T108827 Investigate TCP Fast Open for tlsproxy
Declined | None | T107236 Switch port 80 to nginx on primary clusters
Open | None | T101048 Policy decisions for new (and current) DNS domains registered to the WMF
Resolved | BBlack | T104681 HTTPS Plans (tracking / high-level info)
Resolved | Vgutierrez | T214253 en.wikipedia.com [sic] serves an invalid certificate
Resolved | Vgutierrez | T190244 en-wp.org certificate error
Resolved | Vgutierrez | T133548 Create a secure redirect service for large count of non-canonical / junk domains
Resolved | None | T134447 letsencrypt puppetization: upgrade for scalability
Resolved | None | T141266 letsencrypt puppetization: add parallel rsa+ecdsa cert support
Event Timeline
I don't know if we're going to end up doing this in the current letsencrypt puppetisation, but it's there in certcentral.
I think at this point the route forward is certcentral and there's not much point keeping this particular ticket open. Feel free to reopen if you disagree.