Last modified: 2014-11-19 08:38:42 UTC
Chrome 39 will warn users if SHA1 certificates are used and expire after January 1, 2017. Chrome 40 will warn users if SHA1 certificates are used and expire after June 1, 2016. Chrome 41 will warn users if SHA1 certificates are used and expire after January 1, 2016. Currently, it seems most of our servers are using SHA1 certificates with different expiration dates: Bugzilla -- November 5, 2017 (!) Blog -- September 16, 2017 (!) bug-attachment.wikimedia.org -- September 7, 2017 (!) Gerrit -- April 24, 2017 (!) Shop -- April 22, 2016 Dumps -- March 25, 2016 icinga-admin -- February 26, 2016 OTRS -- February 17, 2016 tendril -- February 14, 2016 en.planet -- February 3, 2016 Lists -- January 30, 2016 Wikitech -- January 25, 2016 Wikis (Wikipedia, etc.), donate -- January 20, 2016 librenms -- January 12, 2016 RT, etherpad -- January 9, 2016 noc, ganglia, icinga -- January 8, 2016 Git, gdash, graphite, integration, doc, contacts, racktables, ishmael -- October 18, 2015 tools.wmflabs.org -- September 15, 2015 svn -- January 31, 2015 I think we should start upgrading these certificates as soon as possible.
And stats.wikimedia.org -- June 20, 2017
Background reading: https://konklone.com/post/why-google-is-hurrying-the-web-to-kill-sha-1
Official announcement: http://googleonlinesecurity.blogspot.cz/2014/09/gradually-sunsetting-sha-1.html (In reply to chmarkine from comment #0) > Chrome 39 will warn users if SHA1 certificates are used and expire after > January 1, 2017. > Bugzilla -- November 5, 2017 > bug-attachment.wikimedia.org -- September 7, 2017 > Gerrit -- April 24, 2017 These three items will likely be ceased in the next months.
...and Mozilla: https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/
(In reply to Andre Klapper from comment #3) > > Bugzilla -- November 5, 2017 > > bug-attachment.wikimedia.org -- September 7, 2017 > > Gerrit -- April 24, 2017 > > These three items will likely be ceased in the next months. So do you mean these three domains will be shut down after we migrate to Phabricator?
To some extent that's still to be defined, but the Bugzilla domain will change to something like bugzilla-old.wm.org as we plan to redirect bugzilla.wikimedia.org URLs to phabricator.wikimedia.org
I see. Thanks for your explanation. (In reply to Andre Klapper from comment #6) > To some extent that's still to be defined, but the Bugzilla domain will > change to something like bugzilla-old.wm.org as we plan to redirect > bugzilla.wikimedia.org URLs to phabricator.wikimedia.org
*** Bug 73190 has been marked as a duplicate of this bug. ***
Filled as well in the internal request tracker as https://rt.wikimedia.org/Ticket/Display.html?id=8835
Chrome 39 was released today. When will the certificates be replaced then?
(In reply to chmarkine from comment #10) > Chrome 39 was released today. When will the certificates be replaced then? Thanks for the update. I have poked the internal ticket (RT #8835).