Page MenuHomePhabricator
Create Task
Maniphest T398018

Follow up on lists.wm.o TLS usage
Open, MediumPublic
Actions

Description

Background

On 2025-03-17, we enabled dual certificate support (RSA + ECDSA) and enforced server-preferred TLS cipher suite ordering on both Exim and Apache for lists.wikimedia.org.

Here is the current TLS usage data from Exim (as of 2025-06-27), considering only inbound (<=) connections:

# TLS version usage
$ zgrep -oE ".+<=.*(X=TLS[A-Z_0-9\.:]+)" /var/log/exim4/mainlog* \
  | grep -o "X=TLS.*" \
  | cut -f1 -d':' \
  | sort | uniq -c

     16 X=TLS1.0
   1241 X=TLS1.2
  13882 X=TLS1.3

# Cipher suite usage
$ zgrep -oE ".+<=.*(X=TLS[A-Z_0-9\.:]+)" /var/log/exim4/mainlog* \
  | grep -o "X=TLS.*" \
  | cut -f1-2 -d':' \
  | sort | uniq -c | sort -rn

  13883 X=TLS1.3:ECDHE_SECP256R1__ECDSA_SECP256R1_SHA256__AES_256_GCM
    873 X=TLS1.2:ECDHE_SECP256R1__ECDSA_SHA512__AES_256_GCM
    230 X=TLS1.2:ECDHE_SECP256R1__ECDSA_SHA256__AES_256_GCM
    130 X=TLS1.2:ECDHE_SECP256R1__RSA_SHA512__AES_256_GCM
     16 X=TLS1.0:ECDHE_SECP256R1__ECDSA_SHA1__AES_256_CBC__SHA1
      5 X=TLS1.2:ECDHE_SECP256R1__ECDSA_SHA256__AES_128_GCM
      3 X=TLS1.2:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM

As expected, ECDSA certificates dominate, but there's still measurable usage of the RSA variant.

Next steps

  • Trim accepted cipher suites to match HTTPS configuration standards
  • Disable TLSv1.0 and TLSv1.1
  • Review RSA certificate usage:
    • Plan deprecation if client compatibility permits

Related Objects
Search...

Event Timeline

Vgutierrez created this task.Jun 27 2025, 9:16 AM
Vgutierrez removed Vgutierrez as the assignee of this task.
Vgutierrez triaged this task as Medium priority.
Vgutierrez mentioned this in T398019: Set up TLS dual stack for mx-in[12]001.wikimedia.org.Jun 27 2025, 9:28 AM
Vgutierrez mentioned this in T398020: Stop issuing RSA certificates.
LSobanski added a comment.Jun 30 2025, 3:38 PM

@Vgutierrez who would be doing the work listed in the bullet points, you or us?

Arnoldokoth assigned this task to Vgutierrez.Aug 4 2025, 3:44 PM
Arnoldokoth moved this task from Incoming to Backlog on the collaboration-services board.
ABran-WMF subscribed.Thu, Jan 22, 2:59 PM

Just an update to see if there is any planned work for this task.
It could maybe be discarded because of T286066: Put lists.wikimedia.org web interface behind LVS and T378028: Replace Exim on VRTS servers with Postfix (or maybe a subsequent task making mailman's new postfix use our existing email infrastructure) which would effectively cut mailman off Internet

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits