Upgrade SSL/TLS on synapse.org & prod.synapse.org

Description

We have a contractual obligation to use RSA4096/AES256 (or better in terms of OpenSSL naming hierarchy) and I'm hoping to create an encryption standard for Sage that references that cipher suite. We need to understand if there are any client dependencies blocking redeployment of new certs on synapse.org and prod.synapse.org (probably staging.synapse.org too) or if there are technical reasons blocking a change like this.

Looked into using AWS Certificate Manager (ACM) to simplify the upgrade but found that it does not allow management of different key types beyond the AWS standard (RSA 2048, AES 128) and consequently this requires manual generation of a key and upload to ACM. (Though this documentation seems to indicate RSA 4096 is ok?)

I suggest we go ahead with the change, through ACM if possible. Can we look at ACM and do the change, or generate and upload together?
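The manual path the description mentions (generate an RSA 4096 key yourself, have it signed, import key and certificate into ACM) can be scripted with the OpenSSL CLI. The following is an added example written for this ticket, not code from the reporter or from Sage; it assumes the openssl binary is installed, and the hostname, file names and one-day self-signed certificate are placeholders so the key-size check can be exercised locally before any real CSR is sent to a CA. It also lists the ECDHE/AES-256 suites OpenSSL knows, as a starting point for the server cipher policy the ticket wants to standardise.

```shell
#!/bin/sh
# Added example (not from the ticket): create an RSA 4096 key and CSR for manual
# import into ACM, then verify the key size of a PEM certificate against the policy.
# Assumes the openssl CLI is available; WORKDIR, hostname and file names are placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/synapse-rsa4096.key"
CSR="$WORKDIR/synapse-rsa4096.csr"
CRT="$WORKDIR/synapse-rsa4096-selfsigned.crt"
HOSTNAME_PLACEHOLDER="example-host.invalid"   # placeholder, not a Sage hostname

# Generate a 4096-bit RSA private key (PEM) and keep it readable by the owner only.
gen_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out "$KEY" 2>/dev/null
    chmod 600 "$KEY"
}

# Build the CSR that goes to the CA. ACM's import needs the CA-issued certificate
# plus this private key; the CSR itself is never uploaded.
gen_csr() {
    openssl req -new -key "$KEY" -out "$CSR" -subj "/CN=$HOSTNAME_PLACEHOLDER" 2>/dev/null
}

# Self-signed, one-day certificate so the check below has something to inspect offline.
gen_selfsigned() {
    openssl req -x509 -new -key "$KEY" -days 1 -out "$CRT" \
        -subj "/CN=$HOSTNAME_PLACEHOLDER" 2>/dev/null
}

# Print the public-key size in bits found in a PEM certificate (works with the
# "Public-Key: (N bit)" and "RSA Public-Key: (N bit)" wording of different OpenSSL versions).
cert_key_bits() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Exit 0 when the certificate's key is at least $2 bits (default 4096), 1 otherwise.
# Run this against the CA-issued certificate before importing it into ACM.
check_cert_key_size() {
    bits=$(cert_key_bits "$1")
    min="${2:-4096}"
    [ -n "$bits" ] && [ "$bits" -ge "$min" ]
}

# Cipher suites OpenSSL knows that combine ECDHE key exchange with AES-256 and exclude
# null authentication/encryption: a candidate allow-list for the server configuration.
policy_ciphers() {
    openssl ciphers 'ECDHE+AES256:!aNULL:!eNULL' | tr ':' '\n'
}

# Stand-alone run: generate material, report the key size and the candidate cipher list.
if [ "${1:-}" = "run" ]; then
    gen_key
    gen_csr
    gen_selfsigned
    echo "certificate key size: $(cert_key_bits "$CRT") bits"
    check_cert_key_size "$CRT" 4096 && echo "meets RSA 4096 policy"
    echo "candidate cipher suites:"
    policy_ciphers
fi
```

Invoke as `sh check-cert.sh run` to see the generated key size and the cipher list; for a real deployment, replace the self-signed step with the certificate returned by the CA and run `check_cert_key_size` on that file before the ACM import. A client-compatibility review (the other question in the ticket) is separate from this check: the script only confirms that what you are about to upload matches the RSA 4096 requirement.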


Environment

None

Status

Assignee

Xavier Schildwachter

Reporter

Aaron Hayden

Labels

None

Validator

Aaron Hayden

Release Version History

None

Priority

Major