Page MenuHomePhabricator
Create Task
Maniphest T73156

Replace SHA1 certificates with SHA256
Closed, ResolvedPublic
Actions

Description

SHA1 certificates still existing in our repo (as of 2015-05-29):

Intermediary SHA1 certificates (some of these will cease use when SHA1 certs are replaced, some won't, need to note which):

  • - (*.planet.wikimedia.org uses this) DigiCertHighAssuranceCA-3.crt
  • - RapidSSL_CA.crt - all rapidssl certs in sha256 appear to use RapidSSL_SHA256_CA_-_G3.crt. Once all sha1 rapidssl are replaced, this can be removed from the repo

Completed:

  • - civicrm T104378 (reissue complete, pending service implementation)
  • - frdata T104378 (reissue complete, pending service implementation)
  • - fundraising T104378 (reissue complete, pending service implementation)
  • - payments-listener T104378 (reissue complete, pending service implementation)
  • - RapidSSL_CA_2 - all rapidssl certs in sha256 appear to use RapidSSL_SHA256_CA_-_G3.crt. Once all sha1 rapidssl are replaced, this can be removed from the repo (this was gone before robh could get to it)
  • - ldap-mirror.wikimedia.org.crt T105187
  • - star.planet.wikimedia.org.crt
  • - ganglia.wikimedia.org.crt T100825
  • - git.wikimedia.org.crt T100827
  • - icinga.wikimedia.org.crt T100830
  • - librenms.wikimedia.org.crt T100831
  • - lists.wikimedia.org.crt T100832
  • - svn.wikimedia.org.crt - expired
  • - tendril.wikimedia.org.crt T100835
  • - ticket.wikimedia.org.crt T91504 T104634
  • - star.wmflabs.crt : T104017
  • - star.wmflabs.org.crt : T104017
  • - wikitech.wikimedia.org.crt T92709

Details

Reference
bz71156
SubjectRepoBranchLines +/-
delete stats.wikimedia.org SSL certoperations/puppetproduction+0 -30
delete metrics.wikimedia.org SSL certoperations/puppetproduction+0 -30
delete etherpad SSL certoperations/puppetproduction+0 -28
delete bugzilla SSL certsoperations/puppetproduction+0 -61
delete svn.wikimedia.org SSL certoperations/puppetproduction+0 -30
delete techblog.wm blog SSL certoperations/puppetproduction+0 -30
delete *.planet.wikimedia.org SSL certoperations/puppetproduction+0 -39
Customize query in gerrit

Related Objects
Search...

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
Yuhong subscribed.Feb 5 2015, 6:44 AM

This is a myth. "RapidSSL SHA256 CA - G3" is definitely SHA256. The other intermediate is for compatibility with older clients such as XP/Server 2003 (but note that XP has root certificate update enabled by default).

Chmarkine added a comment.Feb 5 2015, 12:40 PM
In T73156#1017154, @Yuhong wrote:

This is a myth. "RapidSSL SHA256 CA - G3" is definitely SHA256. The other intermediate is for compatibility with older clients such as XP/Server 2003 (but note that XP has root certificate update enabled by default).

I tried connecting to https://wikitech-static.wikimeda.org with IE6 on Windows XP SP3, and there was no problem. So I think the server only needs to send the end entity certificate and "RapidSSL G3" intermediate certificate. Then there'll be no SHA1 certificates.

RobH closed subtask T88491: replace [blog|techblog].wikimedia.org sha1 certificates with sha256 as Resolved.Feb 6 2015, 7:48 PM
Chmarkine updated the task description. (Show Details)Feb 6 2015, 10:30 PM
ArielGlenn closed subtask T88497: replace dumps.wikimedia.org sha1 cert with sha256 cert as Resolved.Feb 19 2015, 10:21 AM
Chmarkine updated the task description. (Show Details)Feb 19 2015, 11:48 PM
Chmarkine added a comment.Mar 7 2015, 5:23 AM

Chrome 41 has been released. Are there any plans for replacing all the remaining SHA1 certificates?

Chmarkine updated the task description. (Show Details)Mar 7 2015, 5:24 AM
Aklapper subscribed.Mar 9 2015, 2:16 PM
Dzahn added a comment.Mar 9 2015, 5:04 PM

Out of the one listed on top when this bug was created, a lot should not be used anymore meanwhile because we moved a lot of services to terminate SSL at nginx and be "behind misc-web" now.

gerritbot subscribed.Mar 9 2015, 5:13 PM

Change 195303 had a related patch set uploaded (by Dzahn):
delete etherpad SSL cert

https://gerrit.wikimedia.org/r/195303

gerritbot added a project: Patch-For-Review.Mar 9 2015, 5:13 PM
gerritbot added a comment.Mar 9 2015, 5:16 PM

Change 195304 had a related patch set uploaded (by Dzahn):
delete metrics.wikimedia.org SSL cert

https://gerrit.wikimedia.org/r/195304

gerritbot added a comment.Mar 9 2015, 5:21 PM

Change 195306 had a related patch set uploaded (by Dzahn):
delete *.planet.wikimedia.org SSL cert

https://gerrit.wikimedia.org/r/195306

gerritbot added a comment.Mar 9 2015, 5:29 PM

Change 195307 had a related patch set uploaded (by Dzahn):
delete bugzilla SSL certs

https://gerrit.wikimedia.org/r/195307

gerritbot added a comment.Mar 9 2015, 5:31 PM

Change 195308 had a related patch set uploaded (by Dzahn):
delete blog SSL cert

https://gerrit.wikimedia.org/r/195308

gerritbot added a comment.Mar 9 2015, 5:36 PM

Change 195310 had a related patch set uploaded (by Dzahn):
delete svn.wikimedia.org SSL cert

https://gerrit.wikimedia.org/r/195310

gerritbot added a comment.Mar 9 2015, 6:25 PM

Change 195309 had a related patch set uploaded (by Krinkle):
delete stats.wikimedia.org SSL cert

https://gerrit.wikimedia.org/r/195309

gerritbot added a comment.Mar 9 2015, 8:59 PM

Change 195306 abandoned by Dzahn:
delete *.planet.wikimedia.org SSL cert

https://gerrit.wikimedia.org/r/195306

gerritbot added a comment.Mar 9 2015, 9:35 PM

Change 195308 merged by Dzahn:
delete techblog.wm blog SSL cert

https://gerrit.wikimedia.org/r/195308

Dzahn mentioned this in rOPUP5e65c672cfff: delete techblog.wm blog SSL cert.Mar 9 2015, 9:35 PM
gerritbot added a comment.Mar 10 2015, 7:28 PM

Change 195310 abandoned by Dzahn:
delete svn.wikimedia.org SSL cert

https://gerrit.wikimedia.org/r/195310

gerritbot added a comment.Mar 10 2015, 11:45 PM

Change 195307 merged by Dzahn:
delete bugzilla SSL certs

https://gerrit.wikimedia.org/r/195307

Dzahn mentioned this in rOPUP610d189c1cb0: delete bugzilla SSL certs.Mar 10 2015, 11:45 PM
gerritbot added a comment.Mar 11 2015, 4:07 PM

Change 195303 merged by Dzahn:
delete etherpad SSL cert

https://gerrit.wikimedia.org/r/195303

gerritbot added a comment.Mar 11 2015, 5:29 PM

Change 195304 merged by RobH:
delete metrics.wikimedia.org SSL cert

https://gerrit.wikimedia.org/r/195304

Dzahn mentioned this in rOPUP0922e50ffbc7: delete etherpad SSL cert.Mar 11 2015, 7:57 PM
Dzahn mentioned this in rOPUPc93529c8a7f4: delete metrics.wikimedia.org SSL cert.
gerritbot added a comment.Mar 11 2015, 8:07 PM

Change 195309 merged by RobH:
delete stats.wikimedia.org SSL cert

https://gerrit.wikimedia.org/r/195309

Dzahn mentioned this in rOPUP752d7a594a66: delete stats.wikimedia.org SSL cert.Mar 12 2015, 4:04 AM
Dzahn mentioned this in T92709: wikitech.wikimedia.org SSL certificate considered "outdated security" in Chrome.Mar 14 2015, 4:30 AM
Dzahn added a subtask: T92709: wikitech.wikimedia.org SSL certificate considered "outdated security" in Chrome.
Dzahn mentioned this in T91504: SSL-config of the OTRS is outdated.Mar 25 2015, 5:33 AM
Aklapper added a comment.Apr 17 2015, 1:31 PM

So we're only missing T92709 here to close this? Or is T91504 also a dependency?

JanZerebecki added a subtask: T91504: SSL-config of the OTRS is outdated.Apr 17 2015, 2:15 PM
JanZerebecki added a comment.Apr 17 2015, 2:17 PM

Yes, only the part of that ticket related to the SHA1 in the cert is also a dependency.

Dzahn added a comment.Apr 17 2015, 6:28 PM

T91504 is also a dependency.

Signature algorithm SHA1withRSA WEAK
https://www.ssllabs.com/ssltest/analyze.html?d=ticket.wikimedia.org
(deleted cached version to re-check)

RobH updated the task description. (Show Details)May 29 2015, 6:26 PM
RobH removed a project: Patch-For-Review.May 29 2015, 6:46 PM
RobH updated the task description. (Show Details)May 29 2015, 6:51 PM
RobH updated the task description. (Show Details)May 29 2015, 7:07 PM
RobH updated the task description. (Show Details)May 29 2015, 7:16 PM
RobH updated the task description. (Show Details)
RobH updated the task description. (Show Details)May 29 2015, 7:30 PM
RobH updated the task description. (Show Details)May 29 2015, 7:36 PM
RobH updated the task description. (Show Details)
RobH updated the task description. (Show Details)May 29 2015, 7:44 PM
Jay8g subscribed.May 30 2015, 3:48 AM
RobH closed subtask T100832: replace lists.wikimedia.org's sha1 cert with sha256 as Resolved.Jun 2 2015, 6:49 PM
Dzahn closed subtask T100835: replace tendril.wikimedia.org's sha1 cert with sha256 as Resolved.Jun 2 2015, 8:10 PM
Dzahn closed subtask T100830: replace icinga's sha1 cert with sha256 as Resolved.Jun 2 2015, 8:15 PM
RobH closed subtask T100827: replace git's sha1 cert with sha256 as Resolved.Jun 3 2015, 5:45 PM
Dzahn closed subtask T100825: replace ganglia's sha1 cert with sha256 as Resolved.Jun 4 2015, 5:42 PM
Dzahn closed subtask T100831: replace librenms's sha1 cert with sha256 as Resolved.Jun 4 2015, 8:24 PM
Dzahn added a comment.Jun 4 2015, 9:08 PM

please revoke the SHA-1 versions of: tendril, librenms, icinga, ganglia

please check if the SHA-1 certs have been revoked already: dumps, blog, gerrit

RobH closed subtask T92709: wikitech.wikimedia.org SSL certificate considered "outdated security" in Chrome as Resolved.Jun 10 2015, 6:35 PM
Dzahn added a comment.Jun 19 2015, 7:25 PM

so all is left here is OTRS it seems

Chmarkine added a comment.Jun 21 2015, 9:29 AM
In T73156#1383664, @Dzahn wrote:

so all is left here is OTRS it seems

WMF Labs, Planet, and the domains mentioned by @Jgreen, civicrm, frdata, fundraising, payments-listener are still using SHA1.

https://wikitech.wikimedia.org/wiki/HTTPS/domains

RobH updated the task description. (Show Details)Jun 23 2015, 4:33 PM
RobH updated the task description. (Show Details)
RobH updated the task description. (Show Details)Jun 26 2015, 6:05 PM
Restricted Application added a subscriber: Matanya. · View Herald TranscriptJun 26 2015, 6:05 PM
RobH updated the task description. (Show Details)Jun 26 2015, 6:06 PM
RobH added a subtask: T104017: update star.wmflabs.org cert from sha1 to sha256.Jun 26 2015, 6:41 PM
RobH updated the task description. (Show Details)Jun 26 2015, 7:13 PM
yuvipanda closed subtask T104017: update star.wmflabs.org cert from sha1 to sha256 as Resolved.Jun 29 2015, 9:53 PM
RobH added a comment.Jun 30 2015, 7:36 PM

I'm not quite certain about the existence or replacement of the fundraising related certificates. Perhaps @Jgreen can advise?

RobH updated the task description. (Show Details)Jul 2 2015, 8:02 PM
jeremyb mentioned this in T104634: OTRS Maintenance Window - July 7th 17:00 UTC to 18:00 UTC .Jul 2 2015, 10:00 PM
RobH updated the task description. (Show Details)Jul 7 2015, 5:15 PM
BBlack mentioned this in rOPUPfe127f1fe3ff: star.planet.wikimedia.org sha256 ssl cert.Jul 7 2015, 10:38 PM
RobH updated the task description. (Show Details)Jul 8 2015, 2:02 AM

I still need to investigate/replace use of the ldap-mirror certificate (need to coordinate, as last time this happened it was tricky getting the ldap service to recognize the update correctly.)

Once that and the fundraising sub-task are complete, the old rapidssl sha1 intermediate certificates can be removed from our repo.

RobH edited subtasks, added: T104634: OTRS Maintenance Window - July 7th 17:00 UTC to 18:00 UTC ; removed: T91504: SSL-config of the OTRS is outdated.Jul 8 2015, 2:04 AM
RobH updated the task description. (Show Details)Jul 8 2015, 4:55 PM
RobH added a comment.Jul 8 2015, 5:09 PM

The ldap-mirror.wikimedia.org is not a RapidSSL certificate; so I've asked Jeff on the fr-certs sub-ticket to confirm he doesn't need the copies in our main repo. T104378

Additionally, sub-task T105187 for ldap-mirror needs to confirm that is indeed a self-signed, and not using rapidssl.

I'm being overly cautious about the above, as I'm 99.999% certain we could get rid of both intermediaries this second and not have any problems. However, there isn't a rush on deleting them entirely from the repo just yet, so we can wait for confirmation.

Once the above conditions are met; I'll git rm RapidSSL_CA.crt and RapidSSL_CA_2

akosiaris closed subtask T105187: update ldap-mirror.wikimedia.org certificate to sha256 as Resolved.Jul 9 2015, 2:56 PM
RobH added a comment.Jul 9 2015, 4:17 PM

I've confirmed with Jeff that he doesn't use any copies of the rapidssl SHA1 intermediary cert from our public repo (he has his own copy in frack repo).

As such, I've submitted https://gerrit.wikimedia.org/r/#/c/223816/ to remove the rapidssl sha1 intermediary certificates. My patchset (presently) removes the file, as well as updating certificates.pp to remove its references. I think this is enough, but since it isn't a rush, I'd like to have either Brandon or Faidon confirm. (Since they are the ones most familar with those scripts, being the ones who merged and submitted it in the first place ;)

Chmarkine updated the task description. (Show Details)Jul 10 2015, 2:12 AM
RobH closed subtask Restricted Task as Resolved.Jul 10 2015, 4:53 PM
RobH added a comment.Jul 10 2015, 4:59 PM

My patchset was incorrect, as I simply removed the file from the repo, and removed the stanza from certificates.pp entirely.

I've changed it now to work as Brandon suggested on the patchset, since he just did this work with the globaltrust certificate in the repo.

RobH mentioned this in rOPUP57295097ca47: removing rapidssl_ca sha1 intermediary from repo.Jul 10 2015, 5:00 PM
RobH changed the task status from Open to Stalled.Jul 10 2015, 5:01 PM

First of two patchsets is merged, I'll follow up on this in a day or so to ensure its been properly removed via puppet.

RobH updated the task description. (Show Details)Jul 10 2015, 5:02 PM
RobH added a comment.Jul 14 2015, 4:54 PM

So the symlink in /etc/ssl/RapidSSL_CA.pem was leftover, as update-ca-certificates didn't fire off (via config/script) after file removal.

Brandon fixed the config to fire an update: https://gerrit.wikimedia.org/r/#/c/224639/

The fix is live and applying to systems. Resolving task.

RobH closed this task as Resolved.Jul 14 2015, 4:54 PM
Liuxinyu970226 unsubscribed.Jul 15 2015, 12:29 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL