enable SSL renegotiation "RFC 5746 only" mode in Zeus 10.0

Status: RESOLVED FIXED
Opened: 4 years ago
Closed: 3 years ago

People: Reporter: atoll, Assigned: atoll

Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/1265]

Zeus 10 adds a new feature that ONLY allows renegotiation from RFC 5746 clients, which should resolve the endless waves of bugs about Firefox warning users that we support unsafe renegotiations (which we don't - it's just that Zeus permits safe renegotiations OUTSIDE of RFC 5746, which Firefox doesn't understand).

So let's switch to that mode once we deploy Zeus 10.

I verified on our test 10.x cluster that this results in "Secure Renegotiation: Supported" at SSLLabs. It's a global setting that should have no impact whatsoever on clients.
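As an added illustration (not part of this bug and not Zeus's own code), the following Python builds the handshake messages an RFC 5746 client and server exchange and parses a ServerHello for the renegotiation_info extension. That extension is what SSLLabs's "Secure Renegotiation: Supported" result reflects, and a server in "RFC 5746 only" mode will renegotiate only with clients that signal this way. The cipher-suite value, the random bytes and the verify data are constructed placeholders; the parser raises on inconsistent lengths rather than guessing.

```python
"""Added example, not from the bug or from Zeus: RFC 5746 signalling on the wire.
All handshake bytes are constructed in-process; nothing touches the network."""
import struct

RENEGOTIATION_INFO = 0xFF01             # extension type (RFC 5746, section 3.2)
EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF  # signalling cipher suite (section 3.3)
HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 0x16, 0x01, 0x02

def _reneg_ext(verify_data):
    """renegotiation_info: one length byte plus renegotiated_connection (empty on
    an initial handshake, the previous verify_data on a renegotiation)."""
    inner = bytes([len(verify_data)]) + verify_data
    return struct.pack("!HH", RENEGOTIATION_INFO, len(inner)) + inner

def _record(hs_type, body):
    """Wrap a handshake body in a TLS 1.2 handshake record."""
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + b"\x03\x03" + struct.pack("!H", len(hs)) + hs

def build_client_hello(cipher_suites, client_verify_data=b""):
    """ClientHello from an RFC 5746 client: the SCSV in the suite list plus the
    renegotiation_info extension (the SCSV exists for servers that reject unknown extensions)."""
    suites = b"".join(struct.pack("!H", s) for s in
                      list(cipher_suites) + [EMPTY_RENEGOTIATION_INFO_SCSV])
    ext = _reneg_ext(client_verify_data)
    body = (b"\x03\x03" + b"\x11" * 32          # version, random (constructed)
            + b"\x00"                           # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                       # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    return _record(CLIENT_HELLO, body)

def build_server_hello(cipher_suite, rfc5746=True, server_verify_data=b""):
    """ServerHello: an RFC 5746 server echoes renegotiation_info; a legacy server
    omits it, which is what makes a client treat renegotiation as unsafe."""
    ext = _reneg_ext(server_verify_data) if rfc5746 else b""
    body = (b"\x03\x03" + b"\x22" * 32 + b"\x00"          # version, random, empty sid
            + struct.pack("!H", cipher_suite) + b"\x00"   # chosen suite, null compression
            + (struct.pack("!H", len(ext)) + ext if ext else b""))
    return _record(SERVER_HELLO, body)

def parse_hello(record):
    """Return (cipher_suites, {ext_type: ext_data}) for a ClientHello/ServerHello record.
    Raises ValueError on truncated or inconsistent lengths."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or len(hs) != 4 + int.from_bytes(hs[1:4], "big"):
        raise ValueError("handshake length mismatch")
    hs_type, body = hs[0], hs[4:]
    pos = 34                                    # skip version + random
    pos += 1 + body[pos]                        # skip session id
    if hs_type == SERVER_HELLO:
        suites = [struct.unpack("!H", body[pos:pos + 2])[0]]
        pos += 3                                # suite + compression method
    elif hs_type == CLIENT_HELLO:
        n = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + n, 2)]
        pos += n
        pos += 1 + body[pos]                    # skip compression methods
    else:
        raise ValueError("not a Hello message")
    exts = {}
    if pos < len(body):
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        if end != len(body):
            raise ValueError("extensions length mismatch")
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            exts[etype] = body[pos:pos + elen]
            pos += elen
        if pos != end:
            raise ValueError("extension overruns block")
    return suites, exts

def server_supports_rfc5746(server_hello):
    """True when the ServerHello carries a well-formed renegotiation_info extension."""
    _, exts = parse_hello(server_hello)
    data = exts.get(RENEGOTIATION_INFO)
    return data is not None and len(data) == 1 + data[0]

def verify_initial_handshake(server_hello):
    """On an initial handshake renegotiated_connection must be empty; a client that
    sees anything else must abort (RFC 5746, section 3.4)."""
    _, exts = parse_hello(server_hello)
    return exts.get(RENEGOTIATION_INFO) == b"\x00"

if __name__ == "__main__":
    hello = build_client_hello([0xC02F])       # one placeholder suite plus the SCSV
    print("client signals SCSV:", EMPTY_RENEGOTIATION_INFO_SCSV in parse_hello(hello)[0])
    for label, ok in (("RFC 5746 server", True), ("legacy server", False)):
        print(label, "-> secure renegotiation:", server_supports_rfc5746(build_server_hello(0xC02F, ok)))
```

Feeding a captured ServerHello record into `server_supports_rfc5746` gives the same answer SSLLabs reports for the "Secure Renegotiation" line, without the external scan; `verify_initial_handshake` is the extra check a client applies on a first connection.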

Updated 4 years ago
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/1265]
:ulfr/:michal, this is set on the 63.245.216.93:443 testing VIP and passes SSLLabs ("A", except for CN mismatch) so token sec-review? before we do this.
Flags: sec-review?(jvehent)

Updated 4 years ago
Assignee: server-ops-webops → rsoderberg

Updated 4 years ago
Depends on: 1164509
Changed from "Allow safe renegotiation" to "RFC 5746 only" mode on PHX1 Internal, already enabled on SCL3 Internal.

Changed from "Do not allow" to "RFC 5746 only" mode on PHX1 External, SCL3 External.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
clearing stale sec-review flag for :ulfr
Flags: sec-review?(jvehent)