Start warning and deprecation process for all legacy TLS
Open, Medium, Public

Description

TLS 1.2 was published ten years ago to address weaknesses in TLS 1.0 and 1.1 and has enjoyed wide adoption since then. These old versions of TLS rely on MD5 and SHA-1, both now broken, and contain other flaws. TLS 1.0 is no longer PCI-DSS compliant and the TLS working group has adopted a document to deprecate TLS 1.0 and TLS 1.1.

TLS 1.1 and 1.0 support is being removed from the major browsers in early 2020, as announced:

Event Timeline

Restricted Application added a project: Operations. Tue, Nov 12, 5:19 AM
Restricted Application added a subscriber: Aklapper.
Vgutierrez moved this task from Triage to TLS on the Traffic board. Tue, Nov 12, 5:19 AM

Change 550391 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] varnish: Update sec-warning message

https://gerrit.wikimedia.org/r/550391

Vgutierrez triaged this task as Medium priority. Tue, Nov 12, 5:32 AM
ssingh added a subscriber: ssingh. Tue, Nov 12, 1:12 PM

Change 550391 merged by BBlack:
[operations/puppet@production] varnish: Update sec-warning message

https://gerrit.wikimedia.org/r/550391

Change 550856 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] vcl: Use synthetic warning for 1% of TLSv1/TLSv1.1 pageviews

https://gerrit.wikimedia.org/r/550856

Change 550868 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] vcl: Bump TLSv1/TLSv1.1 pageview replacement to 4%

https://gerrit.wikimedia.org/r/550868

Change 550869 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] vcl: Bump TLSv1/TLSv1.1 pageview replacement to 10%

https://gerrit.wikimedia.org/r/550869

Change 550870 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] vcl: Bump TLSv1/TLSv1.1 pageview replacement to 100%

https://gerrit.wikimedia.org/r/550870

Change 550856 merged by Vgutierrez:
[operations/puppet@production] vcl: Use synthetic warning for 1% of TLSv1/TLSv1.1 pageviews

https://gerrit.wikimedia.org/r/550856

Mentioned in SAL (#wikimedia-operations) [2019-11-15T09:47:01Z] <vgutierrez> Use a synthetic warning for 1% of TLSv1/TLS1v.1 pageviews - T238038

Change 552488 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] browsersec: cover bot traffic better

https://gerrit.wikimedia.org/r/552488

Change 552488 merged by BBlack:
[operations/puppet@production] browsersec: cover bot traffic better

https://gerrit.wikimedia.org/r/552488

Change 550868 merged by BBlack:
[operations/puppet@production] vcl: Bump TLSv1/TLSv1.1 pageview replacement to 4%

https://gerrit.wikimedia.org/r/550868

Change 550869 merged by BBlack:
[operations/puppet@production] vcl: Bump TLSv1/TLSv1.1 pageview replacement to 10%

https://gerrit.wikimedia.org/r/550869

Change 550870 merged by BBlack:
[operations/puppet@production] vcl: Bump TLSv1/TLSv1.1 pageview replacement to 100%

https://gerrit.wikimedia.org/r/550870