Page MenuHomePhabricator
Create Task
Maniphest T385067

Set up dual-stack ECDSA/RSA certificate support for Exim
Closed, ResolvedPublic
Actions

Description

Right now exim is configured with RSA certs only and not with a dual stack (RSA+ECDSA) setup, from lists1004's exim configuration:

# TLS           
                
tls_certificate = /etc/acmecerts/lists/live/rsa-2048.chained.crt
tls_privatekey = /etc/acmecerts/lists/live/rsa-2048.key

From exim's documentation:

For dual-stack (eg. RSA and ECDSA) configurations, these options can be colon-separated lists of file paths.

Could we set exim to support ECDSA+RSA first (in that order) and track the evolution of TLS usage?

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
exim: Use RSA+ECDSA certificates for listsoperations/puppetproduction+3 -2
lists: Offer RSA+ECDSA certificates on lists.wm.ooperations/puppetproduction+3 -2
Customize query in gerrit

Related Objects
Search...

Event Timeline

BCornwall created this task.Jan 29 2025, 5:00 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 29 2025, 5:00 PM
BCornwall added a parent task: T375569: Remove RSA certificates from puppet.Jan 29 2025, 5:00 PM
MoritzMuehlenhoff subscribed.Jan 29 2025, 5:02 PM
Vgutierrez subscribed.Jan 29 2025, 5:02 PM
joanna_borun edited projects, added Wikimedia-Mailing-lists; removed Infrastructure-Foundations, Mail.Feb 3 2025, 3:26 PM
Maintenance_bot added a project: SRE.Feb 3 2025, 3:29 PM
Vgutierrez added a comment.Mar 10 2025, 11:52 AM

ping? it's also worth mentioning here that lists.wm.o right now is just offering RSA certificates and it should be migrated to a dual stack setup in preparation to drop RSA certs

LSobanski subscribed.Mar 10 2025, 3:33 PM

What's the timeline for dropping RSA certs? Just so we know how urgent this is.

LSobanski added a project: collaboration-services.Mar 10 2025, 3:33 PM
Vgutierrez added a comment.Mar 10 2025, 3:37 PM
In T385067#10619441, @LSobanski wrote:

What's the timeline for dropping RSA certs? Just so we know how urgent this is.

we already dropped RSA certs in the CDN and other services (gerrit, phabricator, gitlab, icinga, grafana...) in January

LSobanski added a subscriber: jhathaway.Mar 10 2025, 5:24 PM

@jhathaway any thoughts on this?

jhathaway added a comment.Mar 10 2025, 7:11 PM

I think this should be fine, looking through the logs it appears that almost all clients are 1.2 or 1.3. The handful of 1.1 TLS connections used the ECDHE cert:

$ zgrep -E ' X=TLS1.1\S+ ' /var/log/exim4/mainlog* -ho | sort | uniq -c | sort -n | tail -n10                                                                                                            
      4  X=TLS1.1:ECDHE_SECP521R1__RSA_SHA1__AES_256_CBC__SHA1:256
Vgutierrez added a comment.Mar 11 2025, 1:12 PM
In T385067#10620624, @jhathaway wrote:

I think this should be fine, looking through the logs it appears that almost all clients are 1.2 or 1.3. The handful of 1.1 TLS connections used the ECDHE cert:

$ zgrep -E ' X=TLS1.1\S+ ' /var/log/exim4/mainlog* -ho | sort | uniq -c | sort -n | tail -n10                                                                                                            
      4  X=TLS1.1:ECDHE_SECP521R1__RSA_SHA1__AES_256_CBC__SHA1:256

Please note that ECDHE there refers to Eliptic curve diffie hellman, the mechanism used to negoatiate a symmetric encryption key, but the certificate used is the RSA one, actually exim only go configure the RSA one:

vgutierrez@lists1004:/etc/exim4$ sudo fgrep acme exim4.conf
tls_certificate = /etc/acmecerts/lists/live/rsa-2048.chained.crt
tls_privatekey = /etc/acmecerts/lists/live/rsa-2048.key
vgutierrez@lists1004:/etc/exim4$
jhathaway added a comment.Mar 11 2025, 1:27 PM

Please note that ECDHE there refers to Eliptic curve diffie hellman, the mechanism used to negoatiate a symmetric encryption key, but the certificate used is the RSA one, actually exim only go configure the RSA one:

ah, thanks @Vgutierrez that makes more sense

gerritbot added a comment.Mar 12 2025, 4:11 PM

Change #1127066 had a related patch set uploaded (by Vgutierrez; author: Vgutierrez):

[operations/puppet@production] lists: Offer RSA+ECDSA certificates on lists.wm.o

https://gerrit.wikimedia.org/r/1127066

gerritbot added a project: Patch-For-Review.Mar 12 2025, 4:11 PM
Vgutierrez added a comment.Mar 13 2025, 9:38 AM

I've submitted https://gerrit.wikimedia.org/r/1127066 as a first step to switch the web interface of lists.wikimedia.org to dual stack (RSA+ECDSA)

gerritbot added a comment.Mar 14 2025, 4:41 PM

Change #1127933 had a related patch set uploaded (by Vgutierrez; author: Vgutierrez):

[operations/puppet@production] exim: Use RSA+ECDSA certificates for lists

https://gerrit.wikimedia.org/r/1127933

gerritbot added a comment.Mar 17 2025, 2:53 PM

Change #1127066 merged by Vgutierrez:

[operations/puppet@production] lists: Offer RSA+ECDSA certificates on lists.wm.o

https://gerrit.wikimedia.org/r/1127066

gerritbot added a comment.Mar 17 2025, 3:02 PM

Change #1127933 merged by Vgutierrez:

[operations/puppet@production] exim: Use RSA+ECDSA certificates for lists

https://gerrit.wikimedia.org/r/1127933

Vgutierrez closed this task as Resolved.Mar 17 2025, 3:15 PM
Vgutierrez claimed this task.

Both exim and apache2 have been reconfigured to offer RSA+ECDSA certificates, let's re-visit this in a while

Maintenance_bot removed a project: Patch-For-Review.Mar 17 2025, 3:31 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits