Page MenuHomePhabricator
Create Task
Maniphest T92709

wikitech.wikimedia.org SSL certificate considered "outdated security" in Chrome
Closed, ResolvedPublic
Actions

Assigned To
RobH
Authored By
Krinkle
Mar 14 2015, 2:07 AM
Tags
Referenced Files
F103972: Screen_Shot_2015-03-25_at_08.49.05.png
Mar 25 2015, 8:49 AM
F103968: Screen_Shot_2015-03-25_at_08.46.56.png
Mar 25 2015, 8:48 AM
F90708: Screen_Shot_2015-03-14_at_03.06.09.png
Mar 14 2015, 2:07 AM
Subscribers
Aklapper
Chmarkine
Dzahn
gerritbot
Krenair
Krinkle
RobH

Description

The site is using outdated security settings that may prevent future versions of Chrome from being able to safely access it.

Screen_Shot_2015-03-14_at_03.06.09.png (1×790 px, 238 KB)

Details

SubjectRepoBranchLines +/-
certs: wikitech.wm.org certificate SHA1 to SHA2operations/puppetproduction+26 -28
Customize query in gerrit

Related Objects
Search...

Event Timeline

Krinkle created this task.Mar 14 2015, 2:07 AM
Krinkle raised the priority of this task from to Needs Triage.
Krinkle updated the task description. (Show Details)
Krinkle added projects: acl*sre-team, wikitech.wikimedia.org.
Krinkle subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 14 2015, 2:07 AM
Krenair added a project: HTTPS.Mar 14 2015, 2:08 AM
Krenair subscribed.
Dzahn set Security to None.Mar 14 2015, 3:59 AM
Dzahn added a subscriber: Chmarkine.
Dzahn subscribed.Mar 14 2015, 4:30 AM

this should be T73156 (SHA1 needs to be replaced with a SHA256 cert)

Chrome 39 will warn users if SHA1 certificates are used and expire after January 1, 2017.
Chrome 40 will warn users if SHA1 certificates are used and expire after June 1, 2016.
Chrome 41 will warn users if SHA1 certificates are used and expire after January 1, 2016.

Dzahn added a parent task: T73156: Replace SHA1 certificates with SHA256.Mar 14 2015, 4:31 AM
Krinkle added a comment.EditedMar 25 2015, 8:48 AM
In T92709#1118731, @Dzahn wrote:

this should be T73156 (SHA1 needs to be replaced with a SHA256 cert)
..
Chrome 41 will warn users if SHA1 certificates are used and expire after January 1, 2016.

Indeed. Chrome 43 improved the SSL dialog with details about the warning. https://wikitech.wikimedia.org/ now shows in Chrome 43.0.2343.5 canary the following:

Screen_Shot_2015-03-25_at_08.46.56.png (954×606 px, 129 KB)

.. which confirms it is SHA1 and not something else.

yuvipanda triaged this task as Medium priority.Mar 25 2015, 9:19 AM
yuvipanda subscribed.
Aklapper mentioned this in T73156: Replace SHA1 certificates with SHA256.Apr 17 2015, 1:31 PM
Liuxinyu970226 subscribed.May 28 2015, 12:21 PM
gerritbot subscribed.May 29 2015, 6:37 PM

Change 214666 had a related patch set uploaded (by RobH):
wikitech.wikimeida.org certificate sha1 to sha256

https://gerrit.wikimedia.org/r/214666

gerritbot added a project: Patch-For-Review.May 29 2015, 6:37 PM
RobH subscribed.May 29 2015, 6:38 PM

once the above patchset is merged live and wikitech is using the sha256, please assign this task to me for the revocation of the sha1 certificate. (The sha1 cert will be overwritten on the hosts).

Dzahn claimed this task.Jun 4 2015, 6:10 PM
gerritbot added a comment.Jun 4 2015, 6:46 PM

Change 214666 merged by Dzahn:
certs: wikitech.wm.org certificate SHA1 to SHA2

https://gerrit.wikimedia.org/r/214666

Dzahn mentioned this in rOPUP684013582144: certs: wikitech.wm.org certificate SHA1 to SHA2.Jun 4 2015, 6:46 PM
Dzahn added a comment.Jun 4 2015, 6:53 PM

amended to the change (we had another leading whitespace that would break it, fixed that),
ran puppet on wikitech and let it recreate cert and chained file.

Signature algorithm is now SHA256withRSA

grade A on https://www.ssllabs.com/ssltest/analyze.html?d=wikitech.wikimedia.org

the warnings in Chrome should be gone too

Dzahn reassigned this task from Dzahn to RobH.Jun 4 2015, 6:56 PM

re-assigned to RobH

In T92709#1321521, @RobH wrote:

once the above patchset is merged live and wikitech is using the sha256, please assign this task to me for the revocation of the sha1 certificate. (The sha1 cert will be overwritten on the hosts).

done. you can revoke the old one now.

RobH closed this task as Resolved.Jun 10 2015, 6:35 PM

sha1 revoked

Liuxinyu970226 unsubscribed.Jun 10 2015, 9:58 PM
Phabricator_maintenance removed a subscriber: yuvipanda.Jun 7 2017, 6:53 PM
Restricted Application added projects: Cloud-Services, Traffic. · View Herald TranscriptJun 7 2017, 6:53 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL