cloudstack-dev mailing list archives

From Vadim <va...@ant.ee>
Subject Re: Fwd: [DISCUSS] Move from OpenSSL to LibreSSL
Date Sun, 07 Feb 2016 08:49:50 GMT
John,

I think you touched upon a serious problem that should be considered 
by the security team to judge how this may influence the product development 
cycle and make a decision. Big players (like Google 
https://www.imperialviolet.org/2015/10/17/boringssl.html) have already 
made this. To broaden the scope I will suggest to consider several 
candidates for this position: LibreSSL, BoringSSL (or more).

Vadim.

On 2016-02-05 19:25, John Kinsella wrote:

> (whoops - accidentally replied privately, bringing back to mailing list 
> - hope Vadim's OK with that)
> 
> Realize the SSVM and VR provide "public" services - https is open on 
> the console proxy, vpn services are open on the virtual router.
> 
> And unfortunately yes, people usually only think about improving 
> security after issues are found - that's why security geeks like me are 
> around. :)
> 
> I'll see if I can drop in libressl in the next week or two and see what 
> happens....
> 
> John
> 
> Begin forwarded message:
> From: Vadim <vadim@ant.ee>
> Subject: Re: [DISCUSS] Move from OpenSSL to LibreSSL
> Date: February 4, 2016 at 11:43:07 PM PST
> To: John Kinsella <jlkinsel@gmail.com>
> 
> Thank you for the explanation, John.
> 
> I am not involved in CS security assessment, but the existing 
> architecture makes me feel safe, because SSVM and VR and any other 
> system VM is accessible (by SSH) only from the hypervisor host due to 
> link-local address limitation. I don't know other ways, but it doesn't 
> mean they do not exist.
> 
> I do share your worries about OpenSSL library vulnerabilities, 
> especially after "heartbleed", but replacing it everywhere seems to be 
> a very hard task. I don't think you will have a discussion on this list on 
> the subject unless the next "heartbleed" happens.
> 
> Vadim.
> 
> On 2016-02-04 18:01, John Kinsella wrote:
> Hey Vadim - I should have clarified, sorry...
> 
> SSL libraries are used in several areas in an ACS installation:
> 
> 1) On management server, for secure communication with management UI, 
> APIs, etc.
> 2) On system VMs - console proxies, secondary storage VMs, and possibly 
> virtual routers (this is off top of my head, need to confirm).
> 
> On management servers, whoever's building the system can choose 
> whatever they want - you are correct here. What I was originally 
> referring to was the second bullet - these are usually pre-built VM 
> images downloaded into a CloudStack environment. That build is 
> generated by ACS code, which currently uses OpenSSL. That's where I'm 
> asking should we consider using LibreSSL instead.
> 
> John
> 
> On Feb 4, 2016, at 7:47 AM, Vadim <vadim@ant.ee> wrote:
> 
> John,
> 
> Can the CS community decide that? From my point of view it is the OS 
> distribution owner who does. OpenSSL is a system package and you probably 
> can't skip it, unless you create your own Linux distribution.
> 
> Vadim.
> 
> On 2016-02-03 17:48, John Kinsella wrote:
> 
> Folks - another OpenSSL vulnerability was announced last week[1]. I 
> believe our current SSVMs are running Wheezy, so they should be OK 
> according to [2].
> This makes me ponder, though: Should we consider moving to LibreSSL[3] 
> in the future? For those not familiar, it's a fork of OpenSSL with more 
> emphasis on cleaning up the code and improving the security of the 
> codebase.
> From what I've seen so far, it should be a "drop in" replacement for 
> OpenSSL, but I haven't tested that theory out yet.
> I originally brought this up on security@, but it was quickly pointed 
> out as it's not an actual vulnerability in ACS we should discuss in 
> public, so here we are.
> Looking for thoughts, maybe somebody has experience moving from OpenSSL 
> to LibreSSL in another project?
> John
> 1: https://www.openssl.org/news/secadv/20160128.txt
> 2: https://security-tracker.debian.org/tracker/CVE-2016-0701
> 3: http://www.libressl.org/