Page MenuHomePhabricator
Create Task
Maniphest T238518

Disable TLSv1/TLSv1.1 on sites without caching layer
Closed, ResolvedPublic
Actions

Description

Now that TLSv1/TLSv1.1 is getting deprecated/removed in our caching infrastructure as part of T238038, we should do the same with the services that provide their own TLS termination:

  • apt
  • archiva - no action needed
  • cloudelastic
  • dumps
  • gerrit
  • icinga - no action needed
  • cas-icinga - no action needed
  • idp
  • ldap (moved to T329218)
  • ldap-codfw1dev (moved to T329218)
  • ldap-labtest (to be removed)
  • librenms - no action needed
  • lists
  • mirrors
  • mx T203260
  • ncredir
  • netbox - no action needed
  • tendril - no action needed

Details

SubjectRepoBranchLines +/-
idp: Set cloud TLS/SSL compatiblility to strongoperations/puppetproduction+1 -1
ncredir: Remove TLSv1.0 && TLSv1.1 supportoperations/puppetproduction+1 -1
ssl_ciphersuite: Allow TLSv1/TLSv1.1 in compat mode onlyoperations/puppetproduction+6 -6
idp: Set SSL compatibilty mode to strongoperations/puppetproduction+1 -0
Customize query in gerrit

Related Objects

Event Timeline

Vgutierrez created this task.Nov 18 2019, 7:31 AM
Restricted Application added a project: SRE. · View Herald TranscriptNov 18 2019, 7:31 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Vgutierrez triaged this task as Medium priority.Nov 18 2019, 8:00 AM
Vgutierrez updated the task description. (Show Details)
gerritbot added a comment.Nov 18 2019, 8:08 AM

Change 551396 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ssl_ciphersuite: Allow TLSv1/TLSv1.1 in compat mode only

https://gerrit.wikimedia.org/r/551396

gerritbot added a project: Patch-For-Review.Nov 18 2019, 8:08 AM
gerritbot added a comment.Nov 18 2019, 8:20 AM

Change 551413 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] idp: Set SSL compatibilty mode to strong

https://gerrit.wikimedia.org/r/551413

gerritbot added a comment.Nov 18 2019, 8:34 AM

Change 551413 merged by Vgutierrez:
[operations/puppet@production] idp: Set SSL compatibilty mode to strong

https://gerrit.wikimedia.org/r/551413

Vgutierrez updated the task description. (Show Details)Nov 18 2019, 8:36 AM
MoritzMuehlenhoff subscribed.Nov 18 2019, 8:48 AM
MoritzMuehlenhoff updated the task description. (Show Details)Nov 18 2019, 8:57 AM
Vgutierrez moved this task from Backlog to TLS on the Traffic board.Nov 18 2019, 6:13 PM
Krenair subscribed.Nov 24 2019, 8:43 PM
gerritbot added a comment.Jan 16 2020, 4:00 PM

Change 551396 merged by Vgutierrez:
[operations/puppet@production] ssl_ciphersuite: Allow TLSv1/TLSv1.1 in compat mode only

https://gerrit.wikimedia.org/r/551396

Maintenance_bot removed a project: Patch-For-Review.Jan 16 2020, 4:11 PM
gerritbot added a comment.Jan 16 2020, 4:24 PM

Change 565316 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ncredir: Remove TLSv1.0 && TLSv1.1 support

https://gerrit.wikimedia.org/r/565316

gerritbot added a project: Patch-For-Review.Jan 16 2020, 4:24 PM
gerritbot added a comment.Jan 16 2020, 4:27 PM

Change 565316 merged by Vgutierrez:
[operations/puppet@production] ncredir: Remove TLSv1.0 && TLSv1.1 support

https://gerrit.wikimedia.org/r/565316

Maintenance_bot removed a project: Patch-For-Review.Jan 16 2020, 5:11 PM
BBlack edited projects, added Traffic-Icebox; removed Traffic.Sep 1 2021, 11:21 PM
BBlack subscribed.

The swap of Traffic for Traffic-Icebox in this ticket's set of tags was based on a bulk action for all such tickets that haven't been updated in 6 months or more. This does not imply any human judgement about the validity or importance of the task, and is simply the first step in a larger task cleanup effort. Further manual triage and/or requests for updates will happen this month for all such tickets. For more detail, have a look at the extended explanation on the main page of Traffic-Icebox . Thank you!

BCornwall updated the task description. (Show Details)Jan 30 2023, 6:06 PM
BCornwall updated the task description. (Show Details)Jan 30 2023, 7:37 PM
BCornwall updated the task description. (Show Details)Jan 30 2023, 8:02 PM
BCornwall subscribed.

@Vgutierrez I've confirmed the remaining services use TLSv1.2+ except for ldap-codfw1dev and ldap-labtest. I'm having a little trouble accessing those servers - are they still around?

BCornwall changed the task status from Open to In Progress.Jan 30 2023, 8:12 PM
BCornwall claimed this task.
taavi subscribed.Jan 30 2023, 8:28 PM
In T238518#8571817, @BCornwall wrote:

@Vgutierrez I've confirmed the remaining services use TLSv1.2+ except for ldap-codfw1dev and ldap-labtest. I'm having a little trouble accessing those servers - are they still around?

Assuming you're referring to acme-chief certs since those are the only two uses of those names as far as I can tell. Those are the same thing (sent https://gerrit.wikimedia.org/r/885026 to drop ldap-labtest as that name is deprecated). That LDAP cluster is very much around and needed. It can be accessed for example from cloudservices2003-dev.wikimedia.org:

taavi@cloudservices2004-dev ~ $ openssl s_client -connect localhost:636 -showcerts 
CONNECTED(00000003)
...
BCornwall updated the task description. (Show Details)Jan 31 2023, 7:58 PM
BCornwall updated the task description. (Show Details)
gerritbot added a comment.Feb 1 2023, 5:17 PM

Change 885844 had a related patch set uploaded (by BCornwall; author: BCornwall):

[operations/puppet@production] idp: Set cloud TLS/SSL compatiblility to strong

https://gerrit.wikimedia.org/r/885844

gerritbot added a project: Patch-For-Review.Feb 1 2023, 5:17 PM
BCornwall updated the task description. (Show Details)Feb 1 2023, 7:32 PM
BCornwall closed this task as Resolved.Feb 8 2023, 6:25 PM
BCornwall updated the task description. (Show Details)

I've been advised to move the LDAP work into a separate ticket (T329218) since the traffic team doesn't have enough hands-on experience.

gerritbot added a comment.Feb 8 2023, 6:27 PM

Change 885844 abandoned by BCornwall:

[operations/puppet@production] idp: Set cloud TLS/SSL compatiblility to strong

Reason:

https://gerrit.wikimedia.org/r/885844

Maintenance_bot removed a project: Patch-For-Review.Feb 8 2023, 6:31 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL