Last modified: 2014-11-19 08:38:42 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T73156, the corresponding Phabricator task for complete and up-to-date bug report information.

Bug 71156 - replace SHA1 certificates with SHA256


Summary:	replace SHA1 certificates with SHA256

Status:	NEW

Product:	Wikimedia
Classification:	Unclassified
Component:	SSL related (Other open bugs)
Version:	wmf-deployment
Hardware:	All All

Importance:	Normal normal (vote)
Target Milestone:	---
Assigned To:	Nobody - You can work on this!

URL:
Whiteboard:
Keywords:

Duplicates:	73190 (view as bug list)
Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2014-09-23 00:24 UTC by chmarkine
Modified:	2014-11-19 08:38 UTC (History)
CC List:	5 users (show)

See Also:	https://rt.wikimedia.org/Ticket/Display.html?id=8835
Web browser:	---
Mobile Platform:	---
Assignee Huggle Beta Tester:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description chmarkine 2014-09-23 00:24:53 UTC

Chrome 39 will warn users if SHA1 certificates are used and expire after January 1, 2017.
Chrome 40 will warn users if SHA1 certificates are used and expire after June 1, 2016. 
Chrome 41 will warn users if SHA1 certificates are used and expire after January 1, 2016.

Currently, it seems most of our servers are using SHA1 certificates with different expiration dates:

Bugzilla -- ‎November ‎5, ‎2017 (!)
Blog -- September ‎16, ‎2017 (!)
bug-attachment.wikimedia.org -- September ‎7, ‎2017 (!)
Gerrit -- April ‎24, ‎2017 (!)
Shop -- ‎April ‎22, ‎2016
Dumps -- March ‎25, ‎2016
icinga-admin -- February 26, ‎2016
OTRS -- February ‎17, ‎2016
tendril -- February 14, ‎2016
en.planet -- February 3, ‎2016
Lists -- January ‎30, ‎2016
Wikitech -- January ‎25, ‎2016
Wikis (Wikipedia, etc.), donate -- January ‎20, ‎2016
librenms -- January 12, 2016
RT, etherpad -- January ‎9, ‎2016
noc, ganglia, icinga -- January 8, 2016
Git, gdash, graphite, integration, doc, contacts, racktables, ishmael -- October ‎18, ‎2015
tools.wmflabs.org -- September ‎15, ‎2015
svn -- ‎January ‎31, ‎2015

I think we should start upgrading these certificates as soon as possible.

Comment 1 chmarkine 2014-09-23 07:37:05 UTC

And stats.wikimedia.org -- June 20, 2017

Comment 2 Waldir 2014-09-23 20:34:46 UTC

Background reading: https://konklone.com/post/why-google-is-hurrying-the-web-to-kill-sha-1

Comment 3 Andre Klapper 2014-09-24 11:03:03 UTC

Official announcement: http://googleonlinesecurity.blogspot.cz/2014/09/gradually-sunsetting-sha-1.html

(In reply to chmarkine from comment #0)
> Chrome 39 will warn users if SHA1 certificates are used and expire after
> January 1, 2017.

> Bugzilla -- ‎November ‎5, ‎2017
> bug-attachment.wikimedia.org -- September ‎7, ‎2017
> Gerrit -- April ‎24, ‎2017

These three items will likely be ceased in the next months.

Comment 4 Andre Klapper 2014-09-24 11:20:33 UTC

...and Mozilla: https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/

Comment 5 chmarkine 2014-09-24 23:26:56 UTC

(In reply to Andre Klapper from comment #3)

> > Bugzilla -- ‎November ‎5, ‎2017
> > bug-attachment.wikimedia.org -- September ‎7, ‎2017
> > Gerrit -- April ‎24, ‎2017
> 
> These three items will likely be ceased in the next months.

So do you mean these three domains will be shut down after we migrate to Phabricator?

Comment 6 Andre Klapper 2014-09-28 23:23:40 UTC

To some extent that's still to be defined, but the Bugzilla domain will change to something like bugzilla-old.wm.org as we plan to redirect bugzilla.wikimedia.org URLs to phabricator.wikimedia.org

Comment 7 chmarkine 2014-09-29 00:08:02 UTC

I see. Thanks for your explanation.

(In reply to Andre Klapper from comment #6)
> To some extent that's still to be defined, but the Bugzilla domain will
> change to something like bugzilla-old.wm.org as we plan to redirect
> bugzilla.wikimedia.org URLs to phabricator.wikimedia.org

Comment 8 Andre Klapper 2014-11-09 13:15:38 UTC

*** Bug 73190 has been marked as a duplicate of this bug. ***

Comment 9 Antoine "hashar" Musso (WMF) 2014-11-10 12:40:35 UTC

Filled as well in the internal request tracker as https://rt.wikimedia.org/Ticket/Display.html?id=8835

Comment 10 chmarkine 2014-11-18 21:55:50 UTC

Chrome 39 was released today. When will the certificates be replaced then?

Comment 11 Antoine "hashar" Musso (WMF) 2014-11-19 08:38:42 UTC

(In reply to chmarkine from comment #10)
> Chrome 39 was released today. When will the certificates be replaced then?

Thanks for the update. I have poked the internal ticket (RT #8835).

Wikimedia Bugzilla is closed!

Search

Personal tools

Navigation

Links