[00:13:56] Traffic, Operations, Security-Team, CRM (Jan-Mar-2020): Domain / Subdomain for Wikimania Scholarship Public Form on CRM - https://phabricator.wikimedia.org/T243032 (JFishback_WMF) Has #wmf-legal reviewed this yet?
[00:14:18] Traffic, Operations, Privacy Engineering, Security-Team, CRM (Jan-Mar-2020): Domain / Subdomain for Wikimania Scholarship Public Form on CRM - https://phabricator.wikimedia.org/T243032 (JFishback_WMF)
[06:45:54] Domains, Traffic, Operations, Privacy Engineering, and 2 others: Domain / Subdomain for Wikimania Scholarship Public Form on CRM - https://phabricator.wikimedia.org/T243032 (soworu)
[07:32:56] Domains, Traffic, Operations, Privacy Engineering, and 2 others: Domain / Subdomain for Wikimania Scholarship Public Form on CRM - https://phabricator.wikimedia.org/T243032 (Qgil) a:mark→None
[07:54:01] Domains, Traffic, Operations, Privacy Engineering, and 2 others: Domain / Subdomain for Wikimania Scholarship Public Form on CRM - https://phabricator.wikimedia.org/T243032 (soworu) >>! In T243032#5811583, @JFishback_WMF wrote: > Has #wmf-legal reviewed this yet? Legal has been duly notified. We...
[08:36:10] Wikimedia-Apache-configuration, Operations, serviceops: Build a black-box httpd testing framework - https://phabricator.wikimedia.org/T236699 (Joe) p:Triage→Normal
[10:56:10] netops, Operations, cloud-services-team (Kanban): asw-b-codfw: fixes for openstack - https://phabricator.wikimedia.org/T243002 (ayounsi) `lang=diff ayounsi@asw-b-codfw# show | compare [edit interfaces] interface-range vlan-private1-a-codfw { ... } + interface-range cloud-net-trunk { + me...
[10:58:36] netops, Operations, cloud-services-team (Kanban): asw-b-codfw: fixes for openstack - https://phabricator.wikimedia.org/T243002 (aborrero) >>! In T243002#5812422, @ayounsi wrote: > `lang=diff > ayounsi@asw-b-codfw# show | compare > [edit interfaces] > interface-range vlan-private1-a-codfw { ... }...
[11:03:26] netops, Operations, cloud-services-team (Kanban): asw-b-codfw: fixes for openstack - https://phabricator.wikimedia.org/T243002 (ayounsi) Open→Resolved Synced up on IRC, change pushed.
[11:03:55] netops, Operations, observability: Provision plaintext syslog collectors in esams/ulsfo/eqsin - https://phabricator.wikimedia.org/T243065 (fgiunchedi)
[11:59:04] netops, Operations: mr1-esams RMA (2020 edition) - https://phabricator.wikimedia.org/T242097 (ayounsi) JTAC recommends to upgrade to the current Junos recommended, 18.2R3-S2.9. I copied it over and validated it: ` ayounsi@mr1-esams> request system software validate /var/tmp/junos-srxsme-18.2R3-S2.9.tgz...
[12:12:25] netops, Operations, observability: Provision plaintext syslog collectors in esams/ulsfo/eqsin - https://phabricator.wikimedia.org/T243065 (MoritzMuehlenhoff) p:Triage→Normal
[15:07:21] Traffic, Operations, Research, Patch-For-Review: Set up git-driven static microsite for wikiworkshop.org - https://phabricator.wikimedia.org/T242374 (BBlack)
[15:08:08] Traffic, Operations, Research, Patch-For-Review: Set up git-driven static microsite for wikiworkshop.org - https://phabricator.wikimedia.org/T242374 (BBlack) Most of this has been configured now, the remaining slightly difficult bit is configuring an alternate SNI cert for the domain on our new a...
[15:09:09] ^^ bblack: I can fight with ats-tls if you need that
[15:16:47] netops, Operations: Upgrade routers - https://phabricator.wikimedia.org/T243080 (ayounsi) p:Triage→Low
[15:18:36] vgutierrez: that would be awesome if you have some time to fight with it :) All the other parts are configured now (even the acme cert is already generated), just not the part that deploys it to text ats-tls as an SNI alternate cert
[15:18:47] sure
[15:19:46] but yeah this is a capability we've been sorely lacking in the past. once we have one working example, we can start refactoring how puppetization works to support more of them easier I think.
[15:20:07] (and then eventually we'll just start stacking them up for efficiency, e.g. 10 such domains per cert for whatever cases arise, as the need grows)
[15:20:09] yeah, we've dropped that from the ats-tls profile as soon as we got rid of wikiba.se
[15:20:49] hopefully it will never reach the expected ncredir levels, but there will always be these one-off needs
[15:21:35] also for this type of purpose, we'll just have LE globally
[15:22:13] until some future day when we can use two independent LE-like entities for redundancy. it's not worth the manual cert stuff for these lesser cases.
[15:23:12] (speaking of all that, I was reminded this morning that now that we're past the tls1.0 hurdle, there's nothing really standing in the way of switching e.g. eqsin to the unified LE too)
[15:55:19] Domains, Traffic, Operations, Privacy Engineering, and 2 others: Domain / Subdomain for Wikimania Scholarship Public Form on CRM - https://phabricator.wikimedia.org/T243032 (JFishback_WMF) @soworu Did #wmf-legal or #security-team review the underlying vendor agreement or system? This is the first...
[16:05:36] HTTPS, Traffic, Fundraising-Backlog, Operations: Re-evaluate use of EV certificates for payments.wm.o? - https://phabricator.wikimedia.org/T204931 (Jgreen) Open→Resolved a:Jgreen Closing this task because as it was defined it has been completed and we decided to stay the course throug...
[16:06:47] netops, Operations: Upgrade routers - https://phabricator.wikimedia.org/T243080 (ayounsi)
[16:19:19] bblack: we only need the wikiworkshop cert on the text cluster, right?
[16:20:33] (answering myself.. yes, it's on the task)
[16:43:17] bblack: https://gerrit.wikimedia.org/r/c/operations/puppet/+/565625 this should be a generic solution
[16:43:50] >=0 optional extra certificates that must be handled by acme-chief and cannot be the default cert
[16:44:43] hmm dunno what happened with irccloud and my > symbol, so >=0 certs :)
[16:57:07] vgutierrez: does this trigger the acme chief client part too (to actually deploy the certs onto the cache nodes)?
[16:57:14] yes
[16:57:21] oh I see it now, the new resources list in the diff
[16:57:30] indeed
[16:57:34] Acme_chief::Cert[wikiworkshop]
[16:57:49] that's wrapped into trafficserver::tls_material
[16:57:59] right
[16:58:05] I'll wait till Monday
[16:58:11] just for our sanity :)
[16:58:16] (and our weekend sake)
[16:58:19] +1'd, I'd say let's see if it pushes ok today, will hold on switching IPs sometime next week, but we can manually test with dns resolution hacks
[16:58:26] or that, either way
[16:58:35] Monday is fine!
[16:58:38] ack :D
[16:59:14] basically because it will be the first time that we have certs with different SNIs with ATS
[17:15:05] vgutierrez: btw I took some data from turnilo for the first 24h of tlsv1.2 only (well the first 20 hours maybe, earlier today)
[17:15:10] RSA: 0.47% CBC: 0.38% DHE: 0.12%
[17:15:23] (percentages of our now-tls1.2-only traffic using those other undesirable things)
[17:15:49] and then also filtered them by what happens if you eliminate the smallest-first
[17:16:00] killing DHE leaves: RSA: 0.35% CBC: 0.26%
[17:16:10] then killing CBC leaves: RSA: 0.26%
[17:16:52] once we have at least a week (or even better 30d) of data, we can get some more-solid numbers and start thinking about next steps, but it looks pretty easy :)
[17:20:04] cool