upgrade BMO to a SHA-2 certificate

RESOLVED FIXED

People: Reporter Atoll, Assignee fubar

Tracking: Production. Firefox Tracking Flags: not tracked.

Description (comment #0, Reporter), 3 years ago
Currently, BMO is using a SHA-1 EV cert from Digicert. We should upgrade this to SHA-2 for various reasons.

MSIE and Chrome users on Windows XP SP2 (User-Agent =~ / SV1 /) will lose access to the Bugzilla site once this work is completed. (Firefox users on XP SP2 will continue working as expected.)

Please let me know when this change is approved for deployment. I (or Webops) can reissue the existing SHA-1 cert as SHA-2 for this purpose, and Zeus will permit us to switch back to the older certificate in a few seconds if severe issues are uncovered.
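
The check an operator would run against each VIP right after the dropdown switch (and again after a rollback) is to ask the endpoint which hash signs the certificate it is actually serving. The script below is an added example, not code from this bug or from Mozilla's infrastructure: it walks the outer X.509 DER structure with the standard library only, reports the signatureAlgorithm OID, and flags the SHA-1 family. `fetch_leaf_der` does a real TLS connection to a host named on the command line; `fake_certificate` and the `*_OID` constants are a constructed, certificate-shaped test vector so the parser can be exercised offline. Nothing here validates the chain.

```python
import ssl
import sys

# Signature algorithm OIDs (RFC 3279, RFC 4055, RFC 5758), dotted -> name.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
SHA1_NAMES = {"sha1WithRSAEncryption", "ecdsa-with-SHA1"}


def _read_tlv(buf, pos):
    """Parse the DER tag/length at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:                      # short form: one length byte
        return tag, pos + 2, pos + 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    return tag, pos + 2 + n, pos + 2 + n + length


def _decode_oid(content):
    """Turn OID content octets into dotted notation (base-128 arcs)."""
    arcs = [str(content[0] // 40), str(content[0] % 40)]
    acc = 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)


def signature_algorithm(der):
    """Dotted OID of the outer signatureAlgorithm of a DER-encoded certificate.

    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, signatureAlgorithm
    SEQUENCE { algorithm OID, parameters OPTIONAL }, signatureValue BIT STRING }
    """
    tag, pos, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    tag, _, tbs_end = _read_tlv(der, pos)          # skip tbsCertificate
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, alg_pos, _ = _read_tlv(der, tbs_end)      # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end = _read_tlv(der, alg_pos)
    if tag != 0x06:
        raise ValueError("algorithm is not an OBJECT IDENTIFIER")
    return _decode_oid(der[oid_start:oid_end])


def signature_label(der):
    """Human name for the signature algorithm, or the raw OID if unknown."""
    oid = signature_algorithm(der)
    return SIGNATURE_OIDS.get(oid, oid)


def is_sha1_signed(der):
    """True when the certificate is signed with a SHA-1 based algorithm."""
    return signature_label(der) in SHA1_NAMES


def fetch_leaf_der(host, port=443):
    """Fetch the leaf certificate the server presents for host (SNI is sent)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


# --- constructed test vector, not a real certificate -----------------------
def _der(tag, content):
    """Minimal DER TLV encoder with short and long definite lengths."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def fake_certificate(sig_oid_content):
    """Certificate-shaped DER with a dummy tbsCertificate, for offline testing."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                    # INTEGER 1 stand-in
    alg = _der(0x30, _der(0x06, sig_oid_content) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" * 257)                          # BIT STRING, long length
    return _der(0x30, tbs + alg + sig)


SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")     # 1.2.840.113549.1.1.5
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11

if __name__ == "__main__":
    if len(sys.argv) > 1:                      # live check against a hostname
        leaf = fetch_leaf_der(sys.argv[1])
    else:                                      # offline demo on the constructed vector
        leaf = fake_certificate(SHA1_RSA_OID)
    print(signature_label(leaf), "SHA-1!" if is_sha1_signed(leaf) else "ok")
```

`ssl.get_server_certificate` returns only the leaf. A client that cannot handle SHA-2 is affected by any SHA-2 signature in the chain it has to build, so run the same parser over each intermediate as well (for example over the certificates `openssl s_client -showcerts` prints) before calling the cutover done. The constructed vector deliberately uses a 257-byte signature so that the long-form length path in `_read_tlv` is exercised, which a real certificate always needs.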
Updated (Reporter), 3 years ago
Blocks: 1068715
Component: Administration → Infrastructure
QA Contact: mcote
Comment 1

(In reply to Richard Soderberg [:atoll] from comment #0)
> MSIE and Chrome users on Windows XP SP2 (User-Agent =~ / SV1 /) will lose
> access to the Bugzilla site once this work is completed. (Firefox users on
> XP SP2 will continue working as expected.)

Will users running XP SP3 be able to use IE or Chrome?

What is the response that XP SP2 users will receive, and can it be customised in any way?
Flags: needinfo?(rsoderberg)
Comment 2 (Reporter), 3 years ago
They will receive an SSL error page preventing them from viewing the site, as SChannel cannot negotiate a connection.

They also already receive this error, since we offer no ciphers currently that their stack can use. So this is very likely a noop.

SP3 works fine, as far as I know.
Flags: needinfo?(rsoderberg)
Comment 3

Thanks for the quick response.
Given you're proposing breaking already-broken clients, this sounds reasonable :)

> Please let me know when this change is approved for deployment

I'm ok with it, but I'd like to get fubar's feedback.
Flags: needinfo?(klibby)
Comment 4 (Reporter), 3 years ago
Oh also, since it's relevant: deploy/rollback is selecting the SHA2 or SHA1 certificate from the SSL dropdown on the BMO vserver in Zeus, and takes ~5 sec to alter. We can temporarily put the production cert on the prod-stage vserver for testing, if that's useful.
Comment 5 (Assignee), 3 years ago
We're already using a SHA2 cert on *.bugzilla.mozilla.org; combined with the above, I think we're ok to go.
Flags: needinfo?(klibby)
Comment 6 (Reporter), 3 years ago
The SHA2 certificate is now available in both external Zeus clusters, PHX1 and SCL3, and can be applied at any time using the dropdown in the SSL Decryption section of the bugzilla-https virtual server.
Comment 7 (Assignee), 3 years ago
Configured zeus VIPs to use new SHA-2 cert in SCL3 and PHX1.
Assignee: nobody → klibby
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED