Closed Bug 1332964 Opened 7 years ago Closed 7 years ago

Verify readiness of infra to handle HTTPS only traffic to hg.mozilla.org

Categories

(Release Engineering :: Release Automation: Other, defect)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: hwine, Unassigned)

RelEng needs to verify that no problems will be caused when hg.mozilla.org is switched to HTTPS only.

The current concerns are about:
- older tooling supporting SNI properly, and
- older tooling supporting cipher suites that will be used.
- older tooling that may need config changes to avoid new error messages regarding certificates. (i.e. apply steps from bug 1147548 comment 12)

Error messages like this may appear from older mercurial clients due to Mercurial recommending the use of TLSv1.[12] over 1.0:

Jan 23 04:00:04 buildbot-master91.bb.releng.usw2.mozilla.com maybe_reconfig.sh: warning: connecting to hg.mozilla.org using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info

Just checked papertrail for that mercurial warning, and it's only buildbotmaster\d+.bb.releng.{region} that are generating it, so it may not be worth the effort of updating if they're Going Away Soon.

Per email with :gps, confirmed that:
 - SNI is not a concern for hg.mozilla.org
 - no change in existing cipher suites will be made at this time
 - It is not a blocker, but use of TLS 1.0 is not a good thing (see comment 1 and comment 2)

We have that concern mitigated by explicit specification of the known good certificate's fingerprint in the relevant .hgrc files.

With all that taken care of, there is nothing to do prior to the change.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
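
The log check described in the comments above (finding which hosts still emit Mercurial's TLS 1.0 warning when talking to hg.mozilla.org), as an added example that is not part of the bug or of Mozilla's tooling. The function names are hypothetical, and every sample line except the first, which is the one quoted in the bug, is constructed.

```python
import re
from collections import Counter

# Syslog prefix: "Jan 23 04:00:04 <host> <program>: <message>"
SYSLOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^:\s]+): (?P<msg>.*)$")
# Mercurial's warning text as it appears in the log line quoted in the bug.
LEGACY = re.compile(
    r"warning: connecting to (?P<server>\S+) using legacy security technology "
    r"\((?P<proto>TLS [\d.]+)\)")

def legacy_tls_clients(lines, server="hg.mozilla.org"):
    """Count legacy-TLS warnings per (reporting host, protocol) for one server."""
    hits = Counter()
    for line in lines:
        rec = SYSLOG.match(line.strip())
        if not rec:
            continue  # not a syslog-style line; ignore rather than guess
        warn = LEGACY.search(rec["msg"])
        if warn and warn["server"] == server:
            hits[(rec["host"], warn["proto"])] += 1
    return hits

def host_family(host):
    """Collapse a numbered host label: build-master07.x -> build-master<N>.x"""
    return re.sub(r"\d+(?=\.)", "<N>", host, count=1)

def families(hits):
    """Distinct host families that still negotiate a legacy protocol."""
    return sorted({host_family(host) for host, _proto in hits})

SAMPLE = [
    # Line quoted in the bug:
    "Jan 23 04:00:04 buildbot-master91.bb.releng.usw2.mozilla.com maybe_reconfig.sh: warning: connecting to hg.mozilla.org using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info",
    # Constructed lines: a repeat, a second host, another server, a clean pull.
    "Jan 23 04:05:04 buildbot-master91.bb.releng.usw2.mozilla.com maybe_reconfig.sh: warning: connecting to hg.mozilla.org using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info",
    "Jan 23 04:06:10 build-master07.example.com sync.sh: warning: connecting to hg.mozilla.org using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info",
    "Jan 23 04:07:30 worker-01.example.com sync.sh: warning: connecting to hg.example.org using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info",
    "Jan 23 04:08:00 worker-02.example.com sync.sh: pulling from https://hg.mozilla.org/build/tools",
]

if __name__ == "__main__":
    hits = legacy_tls_clients(SAMPLE)
    for (host, proto), count in sorted(hits.items()):
        print(f"{count:3d}  {proto}  {host}")
    print("families:", families(hits))
```

Grouping by host family makes it quick to confirm whether the warning is confined to one class of machine before deciding if a client upgrade is worth the effort.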