Closed Bug 1167397 Opened 10 years ago Closed 10 years ago

enable SSL renegotiation "RFC 5746 only" mode in Zeus 10.0

Categories

(Infrastructure & Operations Graveyard :: WebOps: Other, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: Atoll, Assigned: Atoll)

(Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/1265] )

Zeus 10 adds a new feature that ONLY allows renegotiation from RFC 5746 clients, which should resolve the endless waves of bugs about Firefox warning users that we support unsafe renegotiations (which we don't - it's just that Zeus permits safe renegotiations OUTSIDE of RFC 5746, which Firefox doesn't understand). So let's switch to that mode once we deploy Zeus 10. I verified on our test 10.x cluster that this results in "Secure Renegotiation: Supported" at SSLLabs. It's a global setting that should have no impact whatsoever on clients.
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/1265]
:ulfr/:michal, this is set on the 63.245.216.93:443 testing VIP and passes SSLLabs ("A", except for CN mismatch) so token sec-review? before we do this.
Flags: sec-review?(jvehent)
Assignee: server-ops-webops → rsoderberg
Depends on: 1164509
Changed from "Allow safe renegotiation" to "RFC 5746 only" mode on PHX1 Internal, already enabled on SCL3 Internal. Changed from "Do not allow" to "RFC 5746 only" mode on PHX1 External, SCL3 External.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
clearing stale sec-review flag for :ulfr
Flags: sec-review?(jvehent)
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard