Page MenuHomePhabricator

Replace SHA1 certificates with SHA256
Closed, ResolvedPublic

Description

SHA1 certificates still existing in our repo (as of 2015-05-29):

Intermediary SHA1 certificates (some of these will cease use when SHA1 certs are replaced, some won't, need to note which):

  • - (*.planet.wikimedia.org uses this) DigiCertHighAssuranceCA-3.crt
  • - RapidSSL_CA.crt - all rapidssl certs in sha256 appear to use RapidSSL_SHA256_CA_-_G3.crt. Once all sha1 rapidssl are replaced, this can be removed from the repo

Completed:

  • - civicrm T104378 (reissue complete, pending service implementation)
  • - frdata T104378 (reissue complete, pending service implementation)
  • - fundraising T104378 (reissue complete, pending service implementation)
  • - payments-listener T104378 (reissue complete, pending service implementation)
  • - RapidSSL_CA_2 - all rapidssl certs in sha256 appear to use RapidSSL_SHA256_CA_-_G3.crt. Once all sha1 rapidssl are replaced, this can be removed from the repo (this was gone before robh could get to it)
  • - ldap-mirror.wikimedia.org.crt T105187
  • - star.planet.wikimedia.org.crt
  • - ganglia.wikimedia.org.crt T100825
  • - git.wikimedia.org.crt T100827
  • - icinga.wikimedia.org.crt T100830
  • - librenms.wikimedia.org.crt T100831
  • - lists.wikimedia.org.crt T100832
  • - svn.wikimedia.org.crt - expired
  • - tendril.wikimedia.org.crt T100835
  • - ticket.wikimedia.org.crt T91504 T104634
  • - star.wmflabs.crt : T104017
  • - star.wmflabs.org.crt : T104017
  • - wikitech.wikimedia.org.crt T92709

Details

Reference
bz71156

Related Objects

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
Yuhong added a subscriber: Yuhong.Feb 5 2015, 6:44 AM

This is a myth. "RapidSSL SHA256 CA - G3" is definitely SHA256. The other intermediate is for compatibility with older clients such as XP/Server 2003 (but note that XP has root certificate update enabled by default).

This is a myth. "RapidSSL SHA256 CA - G3" is definitely SHA256. The other intermediate is for compatibility with older clients such as XP/Server 2003 (but note that XP has root certificate update enabled by default).

I tried connecting to https://wikitech-static.wikimeda.org with IE6 on Windows XP SP3, and there was no problem. So I think the server only needs to send the end entity certificate and "RapidSSL G3" intermediate certificate. Then there'll be no SHA1 certificates.

Chmarkine updated the task description. (Show Details)Feb 6 2015, 10:30 PM
Chmarkine updated the task description. (Show Details)Feb 19 2015, 11:48 PM

Chrome 41 has been released. Are there any plans for replacing all the remaining SHA1 certificates?

Chmarkine updated the task description. (Show Details)Mar 7 2015, 5:24 AM
Dzahn added a comment.Mar 9 2015, 5:04 PM

Out of the one listed on top when this bug was created, a lot should not be used anymore meanwhile because we moved a lot of services to terminate SSL at nginx and be "behind misc-web" now.

Change 195303 had a related patch set uploaded (by Dzahn):
delete etherpad SSL cert

https://gerrit.wikimedia.org/r/195303

Change 195304 had a related patch set uploaded (by Dzahn):
delete metrics.wikimedia.org SSL cert

https://gerrit.wikimedia.org/r/195304

Change 195306 had a related patch set uploaded (by Dzahn):
delete *.planet.wikimedia.org SSL cert

https://gerrit.wikimedia.org/r/195306

Change 195307 had a related patch set uploaded (by Dzahn):
delete bugzilla SSL certs

https://gerrit.wikimedia.org/r/195307

Change 195308 had a related patch set uploaded (by Dzahn):
delete blog SSL cert

https://gerrit.wikimedia.org/r/195308

Change 195310 had a related patch set uploaded (by Dzahn):
delete svn.wikimedia.org SSL cert

https://gerrit.wikimedia.org/r/195310

Change 195309 had a related patch set uploaded (by Krinkle):
delete stats.wikimedia.org SSL cert

https://gerrit.wikimedia.org/r/195309

Change 195306 abandoned by Dzahn:
delete *.planet.wikimedia.org SSL cert

https://gerrit.wikimedia.org/r/195306

Change 195308 merged by Dzahn:
delete techblog.wm blog SSL cert

https://gerrit.wikimedia.org/r/195308

Change 195310 abandoned by Dzahn:
delete svn.wikimedia.org SSL cert

https://gerrit.wikimedia.org/r/195310

Change 195307 merged by Dzahn:
delete bugzilla SSL certs

https://gerrit.wikimedia.org/r/195307

Change 195303 merged by Dzahn:
delete etherpad SSL cert

https://gerrit.wikimedia.org/r/195303

Change 195304 merged by RobH:
delete metrics.wikimedia.org SSL cert

https://gerrit.wikimedia.org/r/195304

Change 195309 merged by RobH:
delete stats.wikimedia.org SSL cert

https://gerrit.wikimedia.org/r/195309

So we're only missing T92709 here to close this? Or is T91504 also a dependency?

Yes, only the part of that ticket related to the SHA1 in the cert is also a dependency.

Dzahn added a comment.Apr 17 2015, 6:28 PM

T91504 is also a dependency.

Signature algorithm SHA1withRSA WEAK
https://www.ssllabs.com/ssltest/analyze.html?d=ticket.wikimedia.org
(deleted cached version to re-check)

RobH updated the task description. (Show Details)May 29 2015, 6:26 PM
RobH updated the task description. (Show Details)May 29 2015, 6:51 PM
RobH updated the task description. (Show Details)May 29 2015, 7:07 PM
RobH updated the task description. (Show Details)May 29 2015, 7:16 PM
RobH updated the task description. (Show Details)
RobH updated the task description. (Show Details)May 29 2015, 7:30 PM
RobH updated the task description. (Show Details)May 29 2015, 7:36 PM
RobH updated the task description. (Show Details)
RobH updated the task description. (Show Details)May 29 2015, 7:44 PM
Jay8g added a subscriber: Jay8g.May 30 2015, 3:48 AM
Dzahn added a comment.Jun 4 2015, 9:08 PM

please revoke the SHA-1 versions of: tendril, librenms, icinga, ganglia

please check if the SHA-1 certs have been revoked already: dumps, blog, gerrit

Dzahn added a comment.Jun 19 2015, 7:25 PM

so all is left here is OTRS it seems

so all is left here is OTRS it seems

WMF Labs, Planet, and the domains mentioned by @Jgreen, civicrm, frdata, fundraising, payments-listener are still using SHA1.

https://wikitech.wikimedia.org/wiki/HTTPS/domains

RobH updated the task description. (Show Details)Jun 23 2015, 4:33 PM
RobH updated the task description. (Show Details)
RobH updated the task description. (Show Details)Jun 26 2015, 6:05 PM
Restricted Application added a subscriber: Matanya. · View Herald TranscriptJun 26 2015, 6:05 PM
RobH updated the task description. (Show Details)Jun 26 2015, 6:06 PM
RobH updated the task description. (Show Details)Jun 26 2015, 7:13 PM
RobH added a comment.Jun 30 2015, 7:36 PM

I'm not quite certain about the existence or replacement of the fundraising related certificates. Perhaps @Jgreen can advise?

RobH updated the task description. (Show Details)Jul 2 2015, 8:02 PM
RobH updated the task description. (Show Details)Jul 7 2015, 5:15 PM
RobH updated the task description. (Show Details)Jul 8 2015, 2:02 AM

I still need to investigate/replace use of the ldap-mirror certificate (need to coordinate, as last time this happened it was tricky getting the ldap service to recognize the update correctly.)

Once that and the fundraising sub-task are complete, the old rapidssl sha1 intermediate certificates can be removed from our repo.

RobH updated the task description. (Show Details)Jul 8 2015, 4:55 PM
RobH added a comment.Jul 8 2015, 5:09 PM

The ldap-mirror.wikimedia.org is not a RapidSSL certificate; so I've asked Jeff on the fr-certs sub-ticket to confirm he doesn't need the copies in our main repo. T104378

Additionally, sub-task T105187 for ldap-mirror needs to confirm that is indeed a self-signed, and not using rapidssl.

I'm being overly cautious about the above, as I'm 99.999% certain we could get rid of both intermediaries this second and not have any problems. However, there isn't a rush on deleting them entirely from the repo just yet, so we can wait for confirmation.

Once the above conditions are met; I'll git rm RapidSSL_CA.crt and RapidSSL_CA_2

RobH added a comment.Jul 9 2015, 4:17 PM

I've confirmed with Jeff that he doesn't use any copies of the rapidssl SHA1 intermediary cert from our public repo (he has his own copy in frack repo).

As such, I've submitted https://gerrit.wikimedia.org/r/#/c/223816/ to remove the rapidssl sha1 intermediary certificates. My patchset (presently) removes the file, as well as updating certificates.pp to remove its references. I think this is enough, but since it isn't a rush, I'd like to have either Brandon or Faidon confirm. (Since they are the ones most familar with those scripts, being the ones who merged and submitted it in the first place ;)

Chmarkine updated the task description. (Show Details)Jul 10 2015, 2:12 AM
RobH closed subtask Restricted Task as Resolved.Jul 10 2015, 4:53 PM
RobH added a comment.Jul 10 2015, 4:59 PM

My patchset was incorrect, as I simply removed the file from the repo, and removed the stanza from certificates.pp entirely.

I've changed it now to work as Brandon suggested on the patchset, since he just did this work with the globaltrust certificate in the repo.

RobH changed the task status from Open to Stalled.Jul 10 2015, 5:01 PM

First of two patchsets is merged, I'll follow up on this in a day or so to ensure its been properly removed via puppet.

RobH updated the task description. (Show Details)Jul 10 2015, 5:02 PM
RobH added a comment.Jul 14 2015, 4:54 PM

So the symlink in /etc/ssl/RapidSSL_CA.pem was leftover, as update-ca-certificates didn't fire off (via config/script) after file removal.

Brandon fixed the config to fire an update: https://gerrit.wikimedia.org/r/#/c/224639/

The fix is live and applying to systems. Resolving task.

RobH closed this task as Resolved.Jul 14 2015, 4:54 PM