To: dev@cloudstack.apache.org
Subject: Re: [DISCUSS] Move from OpenSSL to LibreSSL
Date: Sun, 07 Feb 2016 10:55:38 +0200
From: Vadim
X-Sender: vadim@ant.ee
Message-ID: <5fbd4ca0120c66c6ff1ca0683901fa3b@ant.ee>
In-Reply-To: <86572f2081e32c578d542ae529a38dad@ant.ee>
References: <187be265a0bceade5db00b3c7fb1b94d@ant.ee> <6B9A0783-5227-43C9-BAE9-4D005E1BA741@gmail.com> <86572f2081e32c578d542ae529a38dad@ant.ee>

John,

I think you touched on a serious problem that should be considered by the security team, to judge how this may influence the product development cycle and make a decision. Big players (like Google: https://www.imperialviolet.org/2015/10/17/boringssl.html) have already done this. To broaden the scope, I would suggest considering several candidates for this position: LibreSSL, BoringSSL (or more).

Vadim.

On 2016-02-05 19:25, John Kinsella wrote:

(whoops - accidentally replied privately, bringing back to mailing list - hope Vadim's OK with that)

Realize the SSVM and VR provide "public" services - https is open on the console proxy, vpn services are open on the virtual router. And unfortunately yes, people usually only think about improving security after issues are found - that's why security geeks like me are around. :)

I'll see if I can drop in libressl in the next week or two and see what happens....

John

Begin forwarded message:

From: Vadim
Subject: Re: [DISCUSS] Move from OpenSSL to LibreSSL
Date: February 4, 2016 at 11:43:07 PM PST
To: John Kinsella

Thank you for the explanation, John. I am not involved in CS security assessment, but the existing architecture makes me feel safe, because the SSVM, the VR and any other system VM are accessible (by SSH) only from the hypervisor host, due to the link-local address limitation. I don't know of other ways, but that doesn't mean they do not exist.
I do share your worries about OpenSSL library vulnerabilities, especially after "heartbleed", but replacing it everywhere seems to be a very hard task. I don't think you will have a discussion in this list on the subject unless the next "heartbleed" happens.

Vadim.

On 2016-02-04 18:01, John Kinsella wrote:

Hey Vadim - I should have clarified, sorry... SSL libraries are used in several areas in an ACS installation:

1) On the management server, for secure communication with the management UI, APIs, etc.
2) On system VMs - console proxies, secondary storage VMs, and possibly virtual routers (this is off the top of my head, need to confirm).

On management servers, whoever's building the system can choose whatever they want - you are correct here. What I was originally referring to was the second bullet - these are usually pre-built VM images downloaded into a CloudStack environment. That build is generated by ACS code, which currently uses OpenSSL. That's where I'm asking whether we should consider using LibreSSL instead.

John

On Feb 4, 2016, at 7:47 AM, Vadim wrote:

John,

Can the CS community decide that? From my point of view, it is the OS distribution owner who does. OpenSSL is a system package and you probably can't skip it, unless you create your own Linux distribution.

Vadim.

On 2016-02-03 17:48, John Kinsella wrote:

Folks - another OpenSSL vulnerability was announced last week[1]. I believe our current SSVMs are running Wheezy, so they should be OK according to [2].

This makes me ponder, though: should we consider moving to LibreSSL[3] in the future? For those not familiar, it's a fork of OpenSSL with more emphasis on cleaning up the code and improving the security of the codebase. From what I've seen so far, it should be a "drop in" replacement for OpenSSL, but I haven't tested that theory out yet.

I originally brought this up on security@, but it was quickly pointed out that, as it's not an actual vulnerability in ACS, we should discuss it in public, so here we are.
Looking for thoughts; maybe somebody has experience moving from OpenSSL to LibreSSL in another project?

John

1: https://www.openssl.org/news/secadv/20160128.txt
2: https://security-tracker.debian.org/tracker/CVE-2016-0701
3: http://www.libressl.org/
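Added example for this thread (written here as an illustration; it is not CloudStack project code and was not posted by anyone in the discussion). Two points above deserve a concrete check: John's "should be OK according to [2]" for the Wheezy SSVMs, and "drop in replacement, but I haven't tested that theory". The script below classifies an `openssl version` string against the range the 2016-01-28 advisory [1] gives for CVE-2016-0701 (the OpenSSL 1.0.2 branch before 1.0.2f; 1.0.1, which Wheezy ships, and LibreSSL are outside it), and lists which libssl/libcrypto/libtls shared objects a daemon binary actually resolves at load time, which is how to confirm a LibreSSL swap inside a system VM image took effect. The ldd output embedded below is constructed sample data, not captured from a real SSVM, and the binary paths are assumptions.

```sh
#!/bin/sh
# Added example for the "Move from OpenSSL to LibreSSL" thread; not CloudStack code.
#
# cve_2016_0701_status VERSION_STRING
#   Prints affected | fixed | not-affected | unknown (exit 1 for unknown).
#   Range per the OpenSSL advisory of 2016-01-28: only the 1.0.2 branch before
#   1.0.2f is affected. 1.0.1 (Debian wheezy), 0.9.8 and LibreSSL are outside it.
cve_2016_0701_status() {
    case "$1" in
        LibreSSL*)                          echo not-affected ;;  # e.g. "LibreSSL 2.2.6"
        "OpenSSL 1.0.2"[a-e]*)              echo affected ;;      # 1.0.2a .. 1.0.2e
        "OpenSSL 1.0.2"[f-z]*)              echo fixed ;;         # 1.0.2f and later letters (also "-fips" builds)
        "OpenSSL 1.0.2"|"OpenSSL 1.0.2 "*|"OpenSSL 1.0.2-"*)
                                            echo affected ;;      # bare 1.0.2 release
        "OpenSSL 1.0."[01]*)                echo not-affected ;;  # 1.0.0 / 1.0.1 branches
        "OpenSSL 0."*)                      echo not-affected ;;  # 0.9.8 and older
        "OpenSSL 1.1"*|"OpenSSL 3."*)       echo not-affected ;;  # released after the fix
        *)                                  echo unknown; return 1 ;;
    esac
}

# tls_libs_of BINARY [LDD_OUTPUT]
#   Prints the SSL/crypto shared objects BINARY links against (or "none").
#   The optional second argument lets pre-captured or constructed ldd output be
#   parsed offline; without it, ldd is run on BINARY.
tls_libs_of() {
    bin="$1"
    if [ -n "${2-}" ]; then
        out="$2"
    else
        out="$(ldd "$bin" 2>/dev/null)" || { echo "ldd failed for $bin" >&2; return 1; }
    fi
    # First field of each ldd line is the soname; keep only TLS libraries.
    libs="$(printf '%s\n' "$out" | awk '$1 ~ /^lib(ssl|crypto|tls)\.so/ { print $1 }' | sort -u | tr '\n' ' ')"
    libs="${libs% }"                      # drop the trailing space left by tr
    [ -n "$libs" ] && echo "$libs" || echo none
}

# Constructed sample in the shape ldd gives for a binary on Debian wheezy's
# OpenSSL 1.0.1 packages (addresses and paths are made up for this example).
SAMPLE_LDD='    linux-vdso.so.1 =>  (0x00007fff5a3fe000)
    libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f2b1c2a0000)
    libcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f2b1bea0000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2b1bb10000)'

# Stand-alone use inside a system VM: sh tlscheck.sh /path/to/daemon ...
if command -v openssl >/dev/null 2>&1; then
    hostver="$(openssl version)"
    echo "host openssl: $hostver -> $(cve_2016_0701_status "$hostver")"
fi
for bin in "$@"; do
    echo "$bin links: $(tls_libs_of "$bin")"
done
echo "sample ldd output links: $(tls_libs_of /assumed/daemon "$SAMPLE_LDD")"
```

Two caveats when using this. Distribution packages backport fixes without changing the upstream version string (Wheezy stays at 1.0.1e and bumps only the package revision), so for distro builds the security tracker John cites in [2] is the authority, and the version classifier is only meaningful for libraries compiled from upstream tarballs into an image. And after dropping LibreSSL into a system VM build, run tls_libs_of against the console proxy, secondary storage and router daemons on the built image: if they still resolve libssl.so.1.0.0 from the OpenSSL package, the "drop in" did not take, whatever `openssl version` on the command line reports.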