Closed Bug 1167018 Opened 10 years ago Closed 10 years ago

Increase DH parameter to 2048 on ZLB sites

Categories

(Infrastructure & Operations :: SSL Certificates, task)

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: jvehent, Assigned: Atoll)

Details

(Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/1258] )

With the exception of sites that explicitly need compatibility with old clients, it should be possible to increase the DH parameter size on TLS connections to 2048 bits. Last time we tried this, it created issues with New Relic's use of Java 6/7, so we should check with them prior to increasing the size again. A few potential candidates: airmo, bugzilla, planet and etherpad.
Bad news... this is a global setting, not a per-vhost. We're going to wait for our upcoming upgrade to version 10.0r1 and check again. If we still can't, we'll probably have to WONTFIX this until we start migrating stuff to AWS, and set them up how we want in that environment. I don't know if we have this setting with ELBs though, so we might be in a similar spot.
Assignee: server-ops-webops → rsoderberg
ELBs are 1024 only and not configurable right now. Hopefully AWS will change that before we start migrating.
Riverbed has added us to the list of customers who have requested per-vserver DH prime configuration, but does not currently offer it as a configurable at this time. Resolving as WONTFIX per comment 1 and comment 2, until we can proceed more effectively at an unknown time in the future.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WONTFIX