cloudstack-dev mailing list archives

From John Kinsella <jlkin...@gmail.com>
Subject Fwd: [DISCUSS] Move from OpenSSL to LibreSSL
Date Fri, 05 Feb 2016 17:25:47 GMT
(whoops - accidentally replied privately, bringing back to mailing list - hope Vadim’s OK
with that)

Realize the SSVM and VR provide “public” services - https is open on the console proxy,
vpn services are open on the virtual router. 

And unfortunately yes, people usually only think about improving security after issues are
found - that’s why security geeks like me are around. :)

I’ll see if I can drop in libressl in the next week or two and see what happens….

John

> Begin forwarded message:
> 
> From: Vadim <vadim@ant.ee>
> Subject: Re: [DISCUSS] Move from OpenSSL to LibreSSL
> Date: February 4, 2016 at 11:43:07 PM PST
> To: John Kinsella <jlkinsel@gmail.com>
> 
> Thank you for the explanation, John.
> 
> I am not involved in CS security assessment, but existing architecture makes me feel
> safe, because SSVM and VR and any other system VM is accessible (by SSH) only from hypervisor
> host due to link-local address limitation. I don't know other ways, but it doesn't mean they
> do not exist.
> 
> I do share your worries about OpenSSL library vulnerabilities, especially after "heartbleed",
> but replacing it everywhere seems to be a very hard task. I don't think you will have a discussion
> in this list on the subject unless the next "heartbleed" happens.
> Vadim.
> 
>  
> On 2016-02-04 18:01, John Kinsella wrote:
> 
>> Hey Vadim - I should have clarified, sorry...
>> 
>> SSL libraries are used in several areas in an ACS installation:
>> 
>> 1) On management server, for secure communication with management UI, APIs, etc.
>> 2) On system VMs - console proxies, secondary storage VMs, and possibly virtual routers
>> (this is off top of my head, need to confirm).
>> 
>> On management servers, whoever's building the system can choose whatever they want
>> - you are correct here. What I was originally referring to was the second bullet - these are
>> usually pre-built VM images downloaded into a CloudStack environment. That build is generated
>> by ACS code, which currently uses OpenSSL. That's where I'm asking should we consider using
>> LibreSSL instead.
>> 
>> John
>> 
>>> On Feb 4, 2016, at 7:47 AM, Vadim <vadim@ant.ee> wrote:
>>> 
>>> John,
>>> 
>>>    Can the CS community decide that? From my point of view this is the OS distribution
>>> owner who does. OpenSSL is a system package and you probably can't skip it, unless you create
>>> your own Linux distribution.
>>> 
>>> Vadim.
>>> 
>>> On 2016-02-03 17:48, John Kinsella wrote:
>>> 
>>>> Folks - another OpenSSL vulnerability was announced last week[1]. I believe
>>>> our current SSVMs are running Wheezy, so they should be OK according to [2].
>>>> This makes me ponder, though: Should we consider moving to LibreSSL[3] in
>>>> the future? For those not familiar, it's a fork of OpenSSL with more emphasis on cleaning
>>>> up the code and improving the security of the codebase.
>>>> From what I've seen so far, it should be a "drop in" replacement for OpenSSL,
>>>> but I haven't tested that theory out yet.
>>>> I originally brought this up on security@, but it was quickly pointed out
>>>> as it's not an actual vulnerability in ACS we should discuss in public, so here we are.
>>>> Looking for thoughts, maybe somebody has experience moving from OpenSSL to
>>>> LibreSSL in another project?
>>>> John
>>>> 1: https://www.openssl.org/news/secadv/20160128.txt
>>>> 2: https://security-tracker.debian.org/tracker/CVE-2016-0701
>>>> 3: http://www.libressl.org/
>  

