Unless things have changed, one of the issues is that in Apache, you cannot change the TLS cipher suite based on the version number. This is important because to ensure proper security, we'd want to make sure TLS 1.0 users only use RC4 while TLS 1.1 users only use a block cipher. Because this isn't supported, the only option we have is to just disable TLS 1.1 entirely. The ops team can correct me if this is at all incorrect.
--
*Tyler Romeo*
Stevens Institute of Technology, Class of 2016
Major in Computer Science
www.whizkidztech.com | tylerromeo@gmail.com

On Mon, Jul 29, 2013 at 2:51 PM, C. Scott Ananian cananian@wikimedia.org wrote:
That ssllabs link also shows that wikimedia has RC4 encryption enabled on SSL connections, which offers no real security. This is apparently related to the TLS 1.0 -vs- TLS 1.1/1.2 issue:
https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-bro...
--scott
-- (http://cscott.net)
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
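Added example (not part of the thread and not Wikimedia's code): the message above says Apache cannot tie the cipher suite to the TLS version, so one way to see which protocol/cipher pairs clients actually negotiate is to audit a mod_ssl request log. The log format is the `ssl_request_log` one from the mod_ssl documentation; the sample lines and function names are constructed, and treating TLSv1.2 like TLSv1.1 is an assumption.

```python
import re
from collections import Counter

# mod_ssl's documented request-log format:
#   CustomLog ... "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<host>\S+) (?P<proto>\S+) (?P<cipher>\S+) "'
)

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
[29/Jul/2013:14:51:02 +0000] 192.0.2.10 TLSv1 RC4-SHA "GET / HTTP/1.1" 5120
[29/Jul/2013:14:51:03 +0000] 192.0.2.11 TLSv1 AES128-SHA "GET / HTTP/1.1" 5120
[29/Jul/2013:14:51:04 +0000] 192.0.2.12 TLSv1.1 RC4-SHA "GET / HTTP/1.1" 5120
[29/Jul/2013:14:51:05 +0000] 192.0.2.13 TLSv1.1 AES256-SHA "GET / HTTP/1.1" 5120
[29/Jul/2013:14:51:06 +0000] 192.0.2.14 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET / HTTP/1.1" 5120
[29/Jul/2013:14:51:07 +0000] 192.0.2.15 TLSv1
[29/Jul/2013:14:51:08 +0000] 192.0.2.16 TLSv1 RC4-SHA "GET /w/ HTTP/1.1" 812
"""

def violates_pairing(proto, cipher):
    """Pairing from the message: TLS 1.0 -> RC4 only, TLS 1.1 -> no RC4.
    Assumption: TLSv1.2 is held to the same rule as TLSv1.1."""
    uses_rc4 = "RC4" in cipher.upper().split("-")  # OpenSSL-style suite names
    if proto == "TLSv1":
        return not uses_rc4
    if proto in ("TLSv1.1", "TLSv1.2"):
        return uses_rc4
    return False  # protocols the message does not discuss are only tallied

def audit(log_text):
    """Return (pair counts, violating requests, number of unparsable lines)."""
    pairs, violations, unparsed = Counter(), [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1  # truncated or foreign-format line
            continue
        proto, cipher = m["proto"], m["cipher"]
        pairs[(proto, cipher)] += 1
        if violates_pairing(proto, cipher):
            violations.append((m["host"], proto, cipher))
    return pairs, violations, unparsed

if __name__ == "__main__":
    pairs, violations, unparsed = audit(SAMPLE_LOG)
    for (proto, cipher), n in sorted(pairs.items()):
        print(f"{n:4d}  {proto:8s} {cipher}")
    for host, proto, cipher in violations:
        print(f"mismatch: {host} negotiated {cipher} over {proto}")
    print(f"unparsed lines: {unparsed}")
```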