
letsencrypt puppetization: add parallel rsa+ecdsa cert support
Closed, Resolved · Public

Description

We should generate both RSA and ECDSA certs and use them in parallel like we do for the primary clusters (which is possible at least on our Jessie nginx hosts, and probably Jessie Apache too). This increases cipher strength (from FS+CBC to FS+AEAD) for IE11 clients on Windows versions < 10.

Event Timeline

BBlack created this task. Jul 25 2016, 3:45 PM
Restricted Application removed a project: Patch-For-Review. Jul 25 2016, 3:45 PM
BBlack moved this task from Triage to In Progress on the Traffic board. Aug 1 2016, 9:22 PM
BBlack moved this task from In Progress to Triage on the Traffic board. Sep 30 2016, 1:20 PM
BBlack moved this task from Triage to TLS on the Traffic board. Sep 30 2016, 1:38 PM
Paladox removed a subscriber: Paladox. Oct 13 2016, 7:46 PM
Krenair added a comment. Edited Sep 12 2018, 1:18 PM

I don't know if we're going to end up doing this in the current letsencrypt puppetisation, but it's there in certcentral.

Krenair closed this task as Resolved. Jan 14 2019, 1:34 PM

I think at this point the route forward is certcentral and there's not much point keeping this particular ticket open. Feel free to reopen if you disagree.