Last modified: 2014-10-30 23:44:25 UTC
This POODLE bites: exploiting the SSL 3.0 fallback:
http://googleonlinesecurity.blogspot.co.uk/2014/10/this-poodle-bites-exploiting-ssl-30.html
https://www.openssl.org/~bodo/ssl-poodle.pdf

The only workaround now is to disable SSL 3.0, but this will make IE6 users unable to access over HTTPS. If supporting IE6 is needed, how about we disable it for now and re-enable SSL 3.0 after TLS_FALLBACK_SCSV is available?
This topic is being discussed on the Operations mailing list now.

(In reply to chmarkine from comment #0)
> re-enable SSL 3.0 after TLS_FALLBACK_SCSV is available?

Quoting: "Google's TLS_FALLBACK_SCSV needs all clients and servers patched."
Has SSL 3.0 been disabled on misc-web-lb.eqiad.wikimedia.org? https://www.ssllabs.com/ssltest/analyze.html?d=gdash.wikimedia.org https://www.ssllabs.com/ssltest/analyze.html?d=ishmael.wikimedia.org
... and the Tool Labs? https://www.ssllabs.com/ssltest/analyze.html?d=tools.wmflabs.org
Fixed misc-web-lb by restarting nginx on cp1043 and cp1044. They already had the right config but lacked that. This fixed all the services behind misc-web, including gdash and ishmael. It did NOT fix Tool Labs.
Change 169978 had a related patch set uploaded by Chmarkine: lists - disable SSLv3 https://gerrit.wikimedia.org/r/169978
Change 169978 abandoned by Chmarkine: lists - disable SSLv3 Reason: I don't know if it will cause any problem if "ssl.use-sslv3" is not recognized by the current version. Anyway, there is no harm to wait until the server is upgraded. https://gerrit.wikimedia.org/r/169978
(In reply to Daniel Zahn from comment #4)
> it did NOT fix Tool Labs

Fixed toollabs by https://gerrit.wikimedia.org/r/#/c/169949/2 and restarting nginx on the instance tools-webproxy: https://www.ssllabs.com/ssltest/analyze.html?d=tools.wmflabs.org

Also: https://gerrit.wikimedia.org/r/#/c/170117/2
Chmarkine, you had that nice table, what does your data say now, anything left?
(In reply to Daniel Zahn from comment #8)
> Chmarkine, you had that nice table, what does your data say now, anything left?

Thanks for fixing them. I think the only two left are lists and dumps, but they are using such outdated versions of lighttpd that disabling SSL 3 is not an option. Is there any plan to upgrade these two servers?

[1] https://www.ssllabs.com/ssltest/analyze.html?d=lists.wikimedia.org
[2] https://www.ssllabs.com/ssltest/analyze.html?d=dumps.wikimedia.org
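The two server types in this thread are fixed differently: nginx via its `ssl_protocols` list, lighttpd via `ssl.use-sslv3`. The following config check is an added example (not code from the Wikimedia puppet repo) that flags both the weak and the absent setting; the sample configs are constructed, and the stated defaults (old nginx and old lighttpd both allowing SSLv3 when nothing is set) are assumptions about the versions in use here.

```python
import re

# Constructed sample configs; not taken from any Wikimedia host.
NGINX_WEAK = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
"""
NGINX_FIXED = NGINX_WEAK.replace("SSLv3 ", "")
LIGHTTPD_WEAK = 'ssl.engine = "enable"\n'          # directive absent: SSLv3 still allowed
LIGHTTPD_FIXED = LIGHTTPD_WEAK + 'ssl.use-sslv3 = "disable"\n'


def _uncommented(text):
    """Drop comment lines so a commented-out directive is not mistaken for a live one."""
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))


def check_nginx(text):
    """Return findings for an nginx config; an empty list means SSLv3 is off.
    Assumption: nginx of this era defaults to 'SSLv3 TLSv1 TLSv1.1 TLSv1.2' when
    ssl_protocols is not set, so a missing directive is itself a finding."""
    findings = []
    directives = re.findall(r"^\s*ssl_protocols\s+([^;]+);", _uncommented(text), re.M)
    if not directives:
        findings.append("ssl_protocols not set; default of this nginx generation includes SSLv3")
    for protos in directives:
        bad = [p for p in protos.split() if p.upper().startswith("SSLV")]
        if bad:
            findings.append("ssl_protocols enables %s" % " ".join(bad))
    return findings


def check_lighttpd(text):
    """Return findings for a lighttpd config; ssl.use-sslv3 must be present and 'disable'.
    Assumption: older lighttpd allows SSLv3 when the directive is absent. A lighttpd too
    old to recognise the directive at all (the abandoned change above) cannot be fixed
    this way and needs the upgrade the thread asks for."""
    m = re.search(r'^\s*ssl\.use-sslv3\s*=\s*"(\w+)"', _uncommented(text), re.M)
    if m is None:
        return ["ssl.use-sslv3 not set; SSLv3 stays enabled by default"]
    if m.group(1).lower() != "disable":
        return ['ssl.use-sslv3 = "%s"; must be "disable"' % m.group(1)]
    return []
```

A clean config check says nothing about the running process: as comment 4 shows, the daemon must be restarted before the setting takes effect, so verify the live service afterwards (the SSL Labs links in this thread do exactly that).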
Ticket for upgrading sodium: RT #5420
Ticket for deploying new dumps misc hosts: RT #4570
Ticket for enabling https on dumps: RT #7067