Wikimedia Developer Support

Security warning when our program call wikipedia api.php

This month, when our program calls the WikiPedia API, we are experiencing a phenomenon that redirects to the following warning page at a certain rate.

It occurs when calling the following api.php.

https://en.wikipedia.org/w/api.php?
action = parse
& format = json
& prop = text
& disablelimitreport =
& title =% E3% 82% A4% E3% 83% 81% E3% 83% AD% E3% 83% BC
& text = {{infobox}}

  • Convert wikitext of one specified article to html

I guess that this is because TLS v1.2 connection is not used, because our curl and OpenSSL versions are old.

Currently the api redirects to the warning page, but is it scheduled that the API will not be available if it is not TLS v1.2 connection?
Could anyone tell me about the schedule for that?

Thank you so much.

It’s at the bottom of the page you linked (after all the translations):

You must upgrade your browser or otherwise fix this issue to access our sites. This message will remain until Jan 1, 2020. After that date, your browser will not be able to establish a connection to our servers at all.

And yes, I assume that this will affect API requests from your program as well, though the message only mentions browsers.

I’m not sure if this date has been announced anywhere else, though. The August 2018 blog post Wikipedia goes 100% Forward Secret had a more ambitious goal:

Our next major goal in this space is deprecating support for TLS 1.0 and TLS 1.1. … We’re hoping we’ll be able to get this going by the end of 2018.

(Though perhaps there’s a difference between deprecating support for those protocols and removing it, and the former already took place? Not sure.) Start warning and deprecation process for all legacy TLS (T238038) seems to be the concrete Phabricator task for the removal of TLS 1.0 and 1.1 that’s happening now, but it doesn’t specify a timeline; there’s also Establish timeline and methodology for upcoming deprecation of non-forward-secret ciphers and TLSv1.0 (T192559), but that hasn’t been updated since June 2018 (shortly before the blog post I mentioned above was published).

1 Like

There seems to be a general plan across many places on the internet to deprecate & remove tls 1.1 starting early 2020

https://blog.mozilla.org/security/2018/10/15/removing-old-versions-of-tls/

1 Like

I completely overlooked the bottom. I’m going to talk about fixing our programs with developer member.

Thank you so much for your kindly reply.

I over looked it. Thank you so much for your quick reply.