Closed Bug 1195445 Opened 9 years ago Closed 9 years ago

upgrade BMO to a SHA-2 certificate

Categories

(bugzilla.mozilla.org :: Infrastructure, defect)

Tracking

RESOLVED FIXED

People

(Reporter: Atoll, Assigned: fubar)

Currently, BMO is using a SHA-1 EV cert from Digicert. We should upgrade this to SHA-2 for various reasons.

MSIE and Chrome users on Windows XP SP2 (User-Agent =~ / SV1 /) will lose access to the Bugzilla site once this work is completed. (Firefox users on XP SP2 will continue working as expected.)

Please let me know when this change is approved for deployment. I (or Webops) can reissue the existing SHA-1 cert as SHA-2 for this purpose, and Zeus will permit us to switch back to the older certificate in a few seconds if severe issues are uncovered.
Blocks: 1068715
Component: Administration → Infrastructure
QA Contact: mcote
(In reply to Richard Soderberg [:atoll] from comment #0)
> MSIE and Chrome users on Windows XP SP2 (User-Agent =~ / SV1 /) will lose
> access to the Bugzilla site once this work is completed. (Firefox users on
> XP SP2 will continue working as expected.)

will users running XP SP3 be able to use other IE or chrome?

what is the response that XP SP2 users will receive, and can it be customised in any way?
Flags: needinfo?(rsoderberg)
They will receive an SSL error page preventing them from viewing the site, as SChannel cannot negotiate a connection.

They also already receive this error, since we offer no ciphers currently that their stack can use. So this is very likely a noop.

SP3 works fine, as far as I know.
Flags: needinfo?(rsoderberg)
thanks for the quick response.
given you're proposing breaking already broken clients this sounds reasonable :)

> Please let me know when this change is approved for deployment

i'm ok with it, but i'd like to get fubar's feedback.
Flags: needinfo?(klibby)
Oh also, since it's relevant - deploy/rollback is selecting the SHA2 or SHA1 certificate from the SSL dropdown on the BMO vserver in Zeus, and takes ~5sec to alter - and we can temporarily put the production cert on the prod-stage vserver for testing, if that's useful.

we're already using an SHA2 cert on *.bugzilla.mozilla.org; combined with the above, I think we're ok to go.
Flags: needinfo?(klibby)
The SHA2 certificate is now available in both external Zeus clusters, PHX1 and SCL3, and can be applied at any time using the dropdown in the SSL Decryption section of the bugzilla-https virtual server.

Configured zeus VIPs to use new SHA-2 cert in SCL3 and PHX1.
Assignee: nobody → klibby
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED