cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Harikrishna Patnala <harikrishna.patn...@citrix.com>
Subject Re: Patched 4.3.1 SystemVMs (was Re: git commit: updated refs/heads/master to 88acc9b)
Date Tue, 04 Nov 2014 08:51:09 GMT
Regarding the configurations in httpd.conf, they don't apply to apache server running in our
system vms.

We need to put the configuration in “/etc/apache2/mods-enabled/ssl.conf”, if you see apache2.conf
it includes ssl.conf “Include mods-enabled/*.conf" not httpd.conf.

I tried using namp, it worked if we put the configuration in ssl.conf.

-Harikrishna

On 04-Nov-2014, at 1:49 pm, Santhosh Edukulla <santhosh.edukulla@citrix.com<mailto:santhosh.edukulla@citrix.com>>
wrote:

1. The article is just a reference, but if we use a known security scanner the combination
of ssl protocol and cipher suites used identifies these vulnerabilities on a given machine
with available TLS lower versions, check for some thing like beast attack.

2. The conf file changes done will not countermeasure the sytemplate vuln issue i believe,
we may still wanted to confirm that its indeed the httpd.conf which needs to be changed for
apache2 as well for the particular template fix.

Regards.
Santhosh
________________________________________
From: Rohit Yadav [rohit.yadav@shapeblue.com<mailto:rohit.yadav@shapeblue.com>]
Sent: Tuesday, November 04, 2014 2:42 AM
To: dev@cloudstack.apache.org<mailto:dev@cloudstack.apache.org>
Cc: users@cloudstack.apache.org<mailto:users@cloudstack.apache.org>
Subject: Re: Patched 4.3.1 SystemVMs (was Re: git commit: updated refs/heads/master to 88acc9b)

On 04-Nov-2014, at 1:02 pm, Santhosh Edukulla <santhosh.edukulla@citrix.com<mailto:santhosh.edukulla@citrix.com>>
wrote:

2. TLSv1.2 is the latest to be used and suggested default, ssl protocol and the ciphers we
use leads to vulnerability, the settings for these as well should be available in similar
config file. In our code, search for TLS leads to usage at places, and assumption is that
it should negotiate the protocol version from configured and available latest version to least,
so if TLSv1.2 is configured on server and client supports it, then it should work.

http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118518-technote-esa-00.html

Not sure how this applies for us, we use newer openssl version in systemvm templates. This
is for some Cisco appliance not related to Debian/openssl.

Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +91 88 262 30892 | rohit.yadav@shapeblue.com<mailto:rohit.yadav@shapeblue.com>
Blog: bhaisaab.org<http://bhaisaab.org> | Twitter: @_bhaisaab

Find out more about ShapeBlue and our range of CloudStack related services

IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>

This email and any attachments to it may be confidential and are intended solely for the use
of the individual to whom it is addressed. Any views or opinions expressed are solely those
of the author and do not necessarily represent those of Shape Blue Ltd or related companies.
If you are not the intended recipient of this email, you must neither take any action based
upon its contents, nor copy or show it to anyone. Please contact the sender if you believe
you have received this email in error. Shape Blue Ltd is a company incorporated in England
& Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated
under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated
in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company
registered by The Republic of South Africa and is traded under license from Shape Blue Ltd.
ShapeBlue is a registered trademark.


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message