
Deprecate TLSv1.2 weak ciphersuites
Open, Medium, Public

Description

Currently we still support three different ciphersuites that are considered weak:

  • ECDHE-ECDSA-AES128-SHA (TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA)
  • ECDHE-RSA-AES128-SHA (TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA)
  • DHE-RSA-AES128-SHA (TLS_DHE_RSA_WITH_AES_128_CBC_SHA)

Ciphersuites using CBC block mode instead of GCM are considered weak since the disclosure of several attacks against CBC during 2019, specifically Zombie POODLE and GOLDENDOODLE. A nice introduction to those attacks can be found here: https://www.tripwire.com/state-of-security/vulnerability-management/zombie-poodle-goldendoodle/
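An added example, not part of the original task or of the Wikimedia puppet code: a check that finds CBC-mode suites in a listing in the `openssl ciphers -v` column format by reading the Enc/Mac fields instead of matching names. The sample listing is constructed, the function names are hypothetical, and treating every non-AEAD block-cipher suite as CBC is an assumption that holds for TLS 1.2 and earlier suites.

```python
import re

# Constructed sample in the column layout printed by `openssl ciphers -v`;
# it is not output captured from any real server.
SAMPLE = """\
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES128-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1
ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
"""

LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>[^\s(]+)(?:\((?P<bits>\d+)\))?\s+Mac=(?P<mac>\S+)"
)

# Enc values that are not block ciphers: RC4 is a stream cipher and
# "None" marks NULL-encryption suites. Neither uses CBC.
NOT_BLOCK = {"RC4", "None"}


def parse(listing):
    """Turn each recognisable listing line into a dict of its fields."""
    suites = []
    for line in listing.splitlines():
        m = LINE.match(line.strip())
        if m:
            suites.append(m.groupdict())
    return suites


def cbc_suites(listing):
    """Names of suites pairing a block cipher with a separate MAC (CBC mode)."""
    return [s["name"] for s in parse(listing)
            if s["mac"] != "AEAD" and s["enc"] not in NOT_BLOCK]


def without_cbc(listing):
    """Colon-separated cipher string that keeps only the non-CBC suites."""
    weak = set(cbc_suites(listing))
    return ":".join(s["name"] for s in parse(listing) if s["name"] not in weak)


if __name__ == "__main__":
    print("CBC suites still offered:", cbc_suites(SAMPLE))
    print("Cipher string without them:", without_cbc(SAMPLE))
```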

Event Timeline

Restricted Application added a subscriber: Aklapper. · Jul 20 2020, 2:05 PM
Vgutierrez moved this task from Triage to TLS on the Traffic board. · Jul 20 2020, 2:05 PM
Vgutierrez triaged this task as Medium priority. · Jul 20 2020, 2:13 PM

Change 614763 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] vcl: Use synthetic warning for ECDHE-RSA-AES128-SHA pageviews

https://gerrit.wikimedia.org/r/614763

Change 614763 merged by Vgutierrez:
[operations/puppet@production] vcl: Use synthetic warning for ECDHE-RSA-AES128-SHA pageviews

https://gerrit.wikimedia.org/r/614763

Mentioned in SAL (#wikimedia-operations) [2020-07-21T15:01:12Z] <vgutierrez> show a synthetic warning for traffic using ECDHE-RSA-AES128-SHA - T258405

Change 622138 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Disable ECDHE-ECDSA-AES128-SHA support

https://gerrit.wikimedia.org/r/622138

Change 622138 merged by Vgutierrez:
[operations/puppet@production] ATS: Disable ECDHE-RSA-AES128-SHA support

https://gerrit.wikimedia.org/r/622138

Mentioned in SAL (#wikimedia-operations) [2020-08-24T15:04:03Z] <vgutierrez> rolling restart of ats-tls to disable ECDHE-RSA-AES128-SHA - T258405

Vgutierrez updated the task description. · Mon, Aug 24, 3:39 PM

Change 622321 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] vcl: Use synthetic warning for DHE-RSA-AES128-SHA pageviews

https://gerrit.wikimedia.org/r/622321

Change 622321 merged by Vgutierrez:
[operations/puppet@production] vcl: Use synthetic warning for DHE-RSA-AES128-SHA pageviews

https://gerrit.wikimedia.org/r/622321

Mentioned in SAL (#wikimedia-operations) [2020-08-26T13:06:01Z] <vgutierrez> serve a synthetic warn page to DHE-RSA-AES128-SHA users - T258405