cloudstack-dev mailing list archives

From Vadim <va...@ant.ee>
Subject Re: [DISCUSS] Move from OpenSSL to LibreSSL
Date Sun, 07 Feb 2016 08:55:38 GMT
John,

I think you touched on a serious problem that should be considered 
by the security team to judge how this may influence the product development 
cycle and make a decision. Big players (like Google 
https://www.imperialviolet.org/2015/10/17/boringssl.html) have already 
done this. To broaden the scope, I would suggest considering several 
candidates for this position: LibreSSL, BoringSSL (or more).

Vadim.

On 2016-02-05 19:25, John Kinsella wrote:

(whoops - accidentally replied privately, bringing back to mailing list 
- hope Vadim's OK with that)

Realize the SSVM and VR provide "public" services - https is open on the 
console proxy, vpn services are open on the virtual router.

And unfortunately yes, people usually only think about improving 
security after issues are found - that's why security geeks like me are 
around. :)

I'll see if I can drop in libressl in the next week or two and see what 
happens....

John

Begin forwarded message:
From: Vadim <vadim@ant.ee>
Subject: RE: [DISCUSS] Move from OpenSSL to LibreSSL
Date: February 4, 2016 at 11:43:07 PM PST
To: John Kinsella <jlkinsel@gmail.com>

Thank you for the explanation, John.

I am not involved in CS security assessment, but the existing architecture 
makes me feel safe, because the SSVM, VR and any other system VM is 
accessible (by SSH) only from the hypervisor host due to the link-local address 
limitation. I don't know of other ways, but it doesn't mean they do not 
exist.

I do share your worries about OpenSSL library vulnerabilities, 
especially after "heartbleed", but replacing it everywhere seems to be 
a very hard task. I don't think you will have a discussion in this list on 
the subject unless the next "heartbleed" happens.

Vadim.

On 2016-02-04 18:01, John Kinsella wrote:
Hey Vadim - I should have clarified, sorry...

SSL libraries are used in several areas in an ACS installation:

1) On management server, for secure communication with management UI, 
APIs, etc.
2) On system VMs - console proxies, secondary storage VMs, and possibly 
virtual routers (this is off top of my head, need to confirm).

On management servers, whoever's building the system can choose whatever 
they want - you are correct here. What I was originally referring to was 
the second bullet - these are usually pre-built VM images downloaded 
into a CloudStack environment. That build is generated by ACS code, 
which currently uses OpenSSL. That's where I'm asking should we consider 
using LibreSSL instead.

John

On Feb 4, 2016, at 7:47 AM, Vadim <vadim@ant.ee> wrote:

John,

Can the CS community decide that? From my point of view it is the OS 
distribution owner who does. OpenSSL is a system package and you probably 
can't skip it, unless you create your own Linux distribution.

Vadim.

On 2016-02-03 17:48, John Kinsella wrote:

Folks - another OpenSSL vulnerability was announced last week[1]. I 
believe our current SSVMs are running Wheezy, so they should be OK 
according to [2].
This makes me ponder, though: Should we consider moving to LibreSSL[3] 
in the future? For those not familiar, it's a fork of OpenSSL with more 
emphasis on cleaning up the code and improving the security of the 
codebase.
From what I've seen so far, it should be a "drop in" replacement for 
OpenSSL, but I haven't tested that theory out yet.
I originally brought this up on security@, but it was quickly pointed 
out as it's not an actual vulnerability in ACS we should discuss in 
public, so here we are.
Looking for thoughts, maybe somebody has experience moving from OpenSSL 
to LibreSSL in another project?
John
1: https://www.openssl.org/news/secadv/20160128.txt
2: https://security-tracker.debian.org/tracker/CVE-2016-0701
3: http://www.libressl.org/
