Last modified: 2014-10-30 23:44:25 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and kept for historical purposes. It is not possible to log in, and apart from displaying bug reports and their history, links might be broken. See T74072, the corresponding Phabricator task, for complete and up-to-date bug report information.
Bug 72072 - Disable SSL 3.0 on Wikimedia sites to mitigate POODLE attack (CVE-2014-3566)
Status: PATCH_TO_REVIEW
Product: Wikimedia
Classification: Unclassified
SSL related
wmf-deployment
All All
: High normal (vote)
: ---
Assigned To: Nobody - You can work on this!
: ops
Depends on:
Blocks:
Reported: 2014-10-15 07:38 UTC by chmarkine
Modified: 2014-10-30 23:44 UTC (History)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Description chmarkine 2014-10-15 07:38:26 UTC
This POODLE bites: exploiting the SSL 3.0 fallback: http://googleonlinesecurity.blogspot.co.uk/2014/10/this-poodle-bites-exploiting-ssl-30.html
https://www.openssl.org/~bodo/ssl-poodle.pdf

The only workaround now is to disable SSL 3.0, but this will make IE6 users unable to access over HTTPS. If supporting IE6 is needed, how about we disable it for now and re-enable SSL 3.0 after TLS_FALLBACK_SCSV is available?
Comment 1 Andre Klapper 2014-10-15 11:00:19 UTC
This topic is being discussed on the Operations mailing list now.

(In reply to chmarkine from comment #0)
> re-enable SSL 3.0 after TLS_FALLBACK_SCSV is available?

Quoting: "Google's TLS_FALLBACK_SCSV needs all clients and servers patched."
Comment 2 chmarkine 2014-10-21 21:31:30 UTC
Has SSL 3.0 been disabled on misc-web-lb.eqiad.wikimedia.org?

https://www.ssllabs.com/ssltest/analyze.html?d=gdash.wikimedia.org
https://www.ssllabs.com/ssltest/analyze.html?d=ishmael.wikimedia.org
Comment 3 chmarkine 2014-10-21 21:42:07 UTC
... and the Tool Labs?
https://www.ssllabs.com/ssltest/analyze.html?d=tools.wmflabs.org
Comment 4 Daniel Zahn 2014-10-29 23:13:04 UTC
Fixed misc-web-lb by restarting nginx on cp1043 and cp1044. They already had the right config but lacked that.

This fixed all the services behind misc-web, including gdash and ishmael.

It did NOT fix Tool Labs.
Comment 5 Gerrit Notification Bot 2014-10-30 01:28:22 UTC
Change 169978 had a related patch set uploaded by Chmarkine:
lists - disable SSLv3

https://gerrit.wikimedia.org/r/169978
Comment 6 Gerrit Notification Bot 2014-10-30 01:44:17 UTC
Change 169978 abandoned by Chmarkine:
lists - disable SSLv3

Reason:
I don't know if it will cause any problem if "ssl.use-sslv3" is not recognized by the current version. Anyway, there is no harm to wait until the server is upgraded.

https://gerrit.wikimedia.org/r/169978
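As an added example (not code from this bug, from Wikimedia's operations repository, or from the Gerrit change above), here is a small configuration lint in Python that flags SSL 3.0 left enabled in nginx and lighttpd config files, covering the two server types that come up in comments 4 and 6. Assumptions not taken from the bug: nginx's `ssl_protocols` directive and its pre-1.9.1 default of `SSLv3 TLSv1 TLSv1.1 TLSv1.2`; lighttpd's `ssl.use-sslv3` option as named in comment 6, with SSL 3.0 assumed enabled when that option is absent; the config snippets are constructed samples.

```python
"""Lint nginx and lighttpd configuration text for SSL 3.0 still being enabled.

Constructed example for the POODLE (CVE-2014-3566) mitigation discussed in
bug 72072; not Wikimedia code. Assumptions (not taken from the bug report):
  - nginx: the ``ssl_protocols`` directive; when it is absent, nginx versions
    before 1.9.1 defaulted to "SSLv3 TLSv1 TLSv1.1 TLSv1.2".
  - lighttpd: ``ssl.use-sslv3`` (named in comment 6); when it is absent,
    SSL 3.0 is treated as enabled, as it was before that option existed.
"""
import re

NGINX_LEGACY_DEFAULT = "SSLv3 TLSv1 TLSv1.1 TLSv1.2"


def _strip_comments(text, marker="#"):
    """Drop everything after the comment marker on each line."""
    return "\n".join(line.split(marker, 1)[0] for line in text.splitlines())


def nginx_sslv3_findings(config_text):
    """Return a list of findings (empty means SSL 3.0 is not enabled)."""
    text = _strip_comments(config_text)
    findings = []
    directives = re.findall(r"ssl_protocols\s+([^;]+);", text)
    if not directives:
        findings.append("no ssl_protocols directive: legacy default "
                        f"'{NGINX_LEGACY_DEFAULT}' enables SSL 3.0")
    for value in directives:
        protos = value.split()
        if "SSLv3" in protos or "SSLv2" in protos:
            findings.append(f"ssl_protocols {' '.join(protos)}; "
                            "enables SSL 3.0 (or 2.0)")
    return findings


def lighttpd_sslv3_findings(config_text):
    """Return a list of findings for a lighttpd config (empty means clean)."""
    text = _strip_comments(config_text)
    findings = []
    values = re.findall(r'ssl\.use-sslv3\s*=\s*"(\w+)"', text)
    if not values:
        findings.append("no ssl.use-sslv3 setting: SSL 3.0 enabled by default")
    for value in values:
        if value.lower() != "disable":
            findings.append(f'ssl.use-sslv3 = "{value}" leaves SSL 3.0 enabled')
    return findings


# Constructed sample configs: the weak setting beside the corrected one.
NGINX_BEFORE = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;   # POODLE-exposed
    ssl_ciphers HIGH:!aNULL:!MD5;
}
"""
NGINX_AFTER = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;         # SSL 3.0 removed
    ssl_ciphers HIGH:!aNULL:!MD5;
}
"""
LIGHTTPD_BEFORE = ('ssl.engine = "enable"\n'
                   'ssl.pemfile = "/etc/lighttpd/server.pem"\n')
LIGHTTPD_AFTER = LIGHTTPD_BEFORE + 'ssl.use-sslv3 = "disable"\n'


def audit_all():
    """Run the lint over the constructed samples; returns {name: findings}."""
    return {
        "nginx-before": nginx_sslv3_findings(NGINX_BEFORE),
        "nginx-after": nginx_sslv3_findings(NGINX_AFTER),
        "lighttpd-before": lighttpd_sslv3_findings(LIGHTTPD_BEFORE),
        "lighttpd-after": lighttpd_sslv3_findings(LIGHTTPD_AFTER),
    }


if __name__ == "__main__":
    for name, findings in audit_all().items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
```

A lint like this only sees files on disk. The misc-web-lb case in comment 4 (correct config, nginx not yet restarted) is invisible to it, so the on-disk check should be paired with an external handshake test of the running service, as the SSL Labs links in this bug do.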
Comment 7 Daniel Zahn 2014-10-30 19:16:38 UTC
(In reply to Daniel Zahn from comment #4)
> it did NOT fix Tool Labs

Fixed toollabs by

https://gerrit.wikimedia.org/r/#/c/169949/2

and restarting nginx on the instance tools-webproxy

https://www.ssllabs.com/ssltest/analyze.html?d=tools.wmflabs.org


also: https://gerrit.wikimedia.org/r/#/c/170117/2
Comment 8 Daniel Zahn 2014-10-30 19:28:25 UTC
Chmarkine, you had that nice table, what does your data say now, anything left?
Comment 9 chmarkine 2014-10-30 23:42:03 UTC
(In reply to Daniel Zahn from comment #8)
> Chmarkine, you had that nice table, what does your data say now, anything
> left?

Thanks for fixing them.

I think the only two left are lists and dumps, but they are using such outdated versions of lighttpd that disabling SSL 3 is not an option. Is there any plan to upgrade these two servers?

[1] https://www.ssllabs.com/ssltest/analyze.html?d=lists.wikimedia.org
[2] https://www.ssllabs.com/ssltest/analyze.html?d=dumps.wikimedia.org
Comment 10 Daniel Zahn 2014-10-30 23:44:25 UTC
ticket for upgrading sodium: RT #5420
ticket for deploying new dumps misc hosts: RT #4570
ticket for enabling https on dumps: RT #7067
