Closed Bug 1074170 Opened 11 years ago Closed 10 years ago

BMO has a B rating for SSL and should be made better

Categories

(bugzilla.mozilla.org :: Infrastructure, defect)

Production
defect
Not set
minor

RESOLVED DUPLICATE of bug 1195439

People

(Reporter: dkl, Unassigned)

Details

As reported by Mozilla's new Stooge tool

https://stooge.mozillalabs.com/#/results/latest
https://www.ssllabs.com/ssltest/analyze.html?d=bugzilla.mozilla.org&s=63.245.215.80
https://www.ssllabs.com/ssltest/analyze.html?d=bugzilla.mozilla.org&s=63.245.215.81

* Certificate uses SHA1. When renewing, ensure you upgrade to SHA256.
* The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.
* The server does not support Forward Secrecy with the reference browsers.

TLS is dictated by what Zeus supports, and thus depends on their update cycle and WebOps. I don't know what it supports offhand, but will look. Switching to SHA256 will prevent users running WinXP < SP3 from accessing the site at all; cf. bug 1060508.
BMO now has an A- on ssllabs because TLS 1.2 is now supported by Zeus. Also two DHE ciphers are supported so we have Forward Secrecy by now (only IE doesn't support those ciphers and that's why we're capped at A-). Fwiw wiki.mozilla.org runs with an SHA256 cert and from what I know it's only necessary for the mozilla.org download site to be reachable by WinXP < SP3. I don't think there's any reason for BMO not to switch to a new cert, but please correct me if I'm wrong.
(Forgot about this bug.) Current ssllabs rating is a B again. Cert upgrade to SHA2 is in bug 1195445 and tweaks to the cipher suite are in 1195439. PFS is stuck pending bug 1167011 (in SCL3 only). Going to close this bug out since all of the activity is elsewhere.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
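
Added example (not part of the bug thread and not BMO's configuration): the comments above note that the server offers two DHE suites yet a client that does not offer them still gets no forward secrecy. The sketch below models server-preference cipher selection to show that per-client check; the server list, client offers and all names in it are constructed for illustration.

```python
# Added example with constructed data; suite names follow OpenSSL naming.
FS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")  # ephemeral (EC)DH key exchange


def is_forward_secret(suite):
    """True if the OpenSSL-style suite name uses an ephemeral key exchange."""
    return suite.startswith(FS_PREFIXES)


def negotiate(server_pref, client_offer):
    """Server-preference selection: first server suite the client also offers."""
    offered = set(client_offer)
    return next((s for s in server_pref if s in offered), None)


def audit(server_pref, clients):
    """Map each client name to (negotiated suite or None, forward secret?)."""
    report = {}
    for name, offer in clients.items():
        suite = negotiate(server_pref, offer)
        report[name] = (suite, bool(suite) and is_forward_secret(suite))
    return report


def clients_without_fs(server_pref, clients):
    """Names of clients whose negotiated suite lacks forward secrecy."""
    return sorted(n for n, (_, fs) in audit(server_pref, clients).items() if not fs)


# Constructed server order: two DHE suites ahead of static-RSA fallbacks.
SERVER = ["DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES128-SHA",
          "AES128-GCM-SHA256", "AES128-SHA"]

# Constructed client offers (illustrative, not real browser cipher lists).
CLIENTS = {
    "client-with-dhe": ["ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES128-SHA",
                        "AES128-SHA"],
    "client-without-dhe-rsa": ["ECDHE-RSA-AES128-SHA", "AES128-SHA"],
}

if __name__ == "__main__":
    for name, (suite, fs) in audit(SERVER, CLIENTS).items():
        print(f"{name:24} {str(suite):22} forward secrecy: {fs}")
```

Because selection follows the server's order, an ECDHE suite appended after the static-RSA entries would not change the second client's result; it has to be placed ahead of them.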