cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rohit Yadav <rohit.ya...@shapeblue.com>
Subject Re: New SSL vulnerability #FREAK
Date Mon, 09 Mar 2015 12:05:41 GMT
Hi Lucian,

I made a similar fix on 4.5/master today for apache2. I'm not sure how
to deal with this in Java. There are ways to get enabled cipher suites,
but should we be doing this or configuring the jre security settings?

On Monday 09 March 2015 04:21 PM, Nux! wrote:
> Ok, so for Apache HTTPD something like this would do the job:
>
> SSLProtocol             all -SSLv2 -SSLv3 -TLSv1
> SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
> SSLHonorCipherOrder     on
>
> I do not know how to do this for the CPVM java thingy that runs there; I think it's based
on Jetty.
>
> --
> Sent from the Delta quadrant using Borg technology!
>
> Nux!
> www.nux.ro
>
> ----- Original Message -----
>> From: "Erik Weber" <terbolous@gmail.com>
>> To: "dev" <dev@cloudstack.apache.org>
>> Sent: Monday, 9 March, 2015 09:34:08
>> Subject: Re: New SSL vulnerability #FREAK
>
>> On Mon, Mar 9, 2015 at 9:59 AM, Nux! <nux@li.nux.ro> wrote:
>>
>>> BTW, the command I used is:
>>>
>>> nmap --script ssl-enum-ciphers $HOST
>>>
>>> I'm not entirely sure which cipher is good or not.
>>>
>>
>> Anyone with EXPORT in it is bad (in the FREAK case).
>>
>> This is a scan of my 4.3.2 systemvm with nmap:
>>
>> | ssl-enum-ciphers:
>> |   SSLv3:
>> |     ciphers:
>> |       TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - weak
>> |       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
>> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
>> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
>> |       TLS_DHE_RSA_WITH_DES_CBC_SHA - weak
>> |       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
>> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
>> |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
>> |       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
>> |       TLS_RSA_EXPORT_WITH_DES40_CBC_SHA - weak
>> |       TLS_RSA_EXPORT_WITH_RC4_40_MD5 - weak
>> |       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
>> |       TLS_RSA_WITH_AES_128_CBC_SHA - strong
>> |       TLS_RSA_WITH_AES_256_CBC_SHA - strong
>> |       TLS_RSA_WITH_DES_CBC_SHA - weak
>> |       TLS_RSA_WITH_RC4_128_MD5 - strong
>> |       TLS_RSA_WITH_RC4_128_SHA - strong
>> |     compressors:
>> |       NULL
>> |   TLSv1.0:
>> |     ciphers:
>> |       TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - weak
>> |       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
>> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
>> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
>> |       TLS_DHE_RSA_WITH_DES_CBC_SHA - weak
>> |       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
>> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
>> |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
>> |       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
>> |       TLS_RSA_EXPORT_WITH_DES40_CBC_SHA - weak
>> |       TLS_RSA_EXPORT_WITH_RC4_40_MD5 - weak
>> |       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
>> |       TLS_RSA_WITH_AES_128_CBC_SHA - strong
>> |       TLS_RSA_WITH_AES_256_CBC_SHA - strong
>> |       TLS_RSA_WITH_DES_CBC_SHA - weak
>> |       TLS_RSA_WITH_RC4_128_MD5 - strong
>> |       TLS_RSA_WITH_RC4_128_SHA - strong
>>
>> --
>> Erik

--
Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +91 8826230892 | rohit.yadav@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab
PS. If you see any footer below, I did not add it :)
Find out more about ShapeBlue and our range of CloudStack related services

IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
CloudStack Software Engineering<http://shapeblue.com/cloudstack-software-engineering/>
CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>

This email and any attachments to it may be confidential and are intended solely for the use
of the individual to whom it is addressed. Any views or opinions expressed are solely those
of the author and do not necessarily represent those of Shape Blue Ltd or related companies.
If you are not the intended recipient of this email, you must neither take any action based
upon its contents, nor copy or show it to anyone. Please contact the sender if you believe
you have received this email in error. Shape Blue Ltd is a company incorporated in England
& Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated
under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated
in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company
registered by The Republic of South Africa and is traded under license from Shape Blue Ltd.
ShapeBlue is a registered trademark.

Mime
View raw message