cloudstack-dev mailing list archives

From Rohit Yadav <rohit.ya...@shapeblue.com>
Subject Re: [DISCUSS] Bountycastle upgrade
Date Fri, 02 Dec 2016 07:52:56 GMT
John,


I'll have a look at where/how the fingerprint method is used, if necessary I'll upgrade it
to use SHA-256. Thanks for the pointers.


Regards.

________________________________
From: John Kinsella <jlkinsel@gmail.com>
Sent: 02 December 2016 13:12:12
To: dev@cloudstack.apache.org
Subject: Re: [DISCUSS] Bountycastle upgrade

2 thoughts:

1) I know this is partially git’s fault on the diff, and I know this is a standard gripe
from me, but for reviewers things are much easier if syntax/whitespace changes are separated
out into a separate patch from logic/functionality changes.
2) One thing that caught my eye was the SHA-1 use on the fingerprint. That got me looking
around the codebase, and I see SHA-1/SHA1 sprinkled around. It’s not considered secure anymore
[1]. Some of the uses are just for naming; that’s fine. I don’t think any of the uses I
saw were OMGFIXNOW. But at some point it might be nice to replace all that with SHA-256. It would
require a data migration, though.
3) Awesome, run with it. :)

John
1: https://en.wikipedia.org/wiki/SHA-1#Cryptanalysis_and_validation


rohit.yadav@shapeblue.com
www.shapeblue.com
53 Chandos Place, Covent Garden, London WC2N 4HS, UK
@shapeblue

> On Dec 1, 2016, at 10:17 PM, Rohit Yadav <rohit.yadav@shapeblue.com> wrote:
>
> All,
>
>
> I've sent a PR that will upgrade the bountycastle dependency to the latest version [1]. In
> terms of security, an upgrade is necessary, though it would also require users (who are
> upgrading to 4.9.1.0, 4.10.0.0 or later) to destroy old systemvms such as CPVM and SSVM so
> that the agents started in the new system vms will use the same dependency jar (version/release)
> and the same cipher suites as the mgmt server (i.e. there will be no SSL-based communication
> issue afterwards) as provided by bountycastle v1.55.
>
>
> Thoughts, feedback?
>
>
> [1] https://github.com/apache/cloudstack/pull/1799
>
>
> Regards.
>
> rohit.yadav@shapeblue.com
> www.shapeblue.com
> 53 Chandos Place, Covent Garden, London WC2N 4HS, UK
> @shapeblue
>
>
>


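The SHA-1 fingerprint point raised above, and the data migration it implies, as an added illustration that is not code from the thread or from CloudStack: a fingerprint helper parameterised by digest algorithm, plus a migration routine that verifies a stored fingerprint with whatever algorithm produced it (inferred from its length) before replacing it with the SHA-256 form. The certificate bytes are a constructed stand-in for DER data, and the function names are hypothetical.

```python
import hashlib

# Constructed stand-in for DER-encoded certificate bytes (not a real certificate).
SAMPLE_DER = b"constructed-sample-certificate-bytes-not-a-real-cert"

# Digest length in bytes -> algorithm name, used to recognise legacy fingerprints.
_ALGO_BY_LENGTH = {20: "sha1", 32: "sha256"}


def fingerprint(der_bytes: bytes, algorithm: str = "sha256") -> str:
    """Return the colon-separated, upper-case hex digest of the certificate bytes.

    This is the conventional fingerprint presentation; SHA-256 is the default so
    new call sites do not pick up SHA-1 by accident.
    """
    digest = hashlib.new(algorithm, der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def detect_algorithm(stored_fp: str):
    """Infer which digest produced a stored fingerprint from its byte length.

    Returns None for lengths that are neither SHA-1 (20 bytes) nor SHA-256 (32 bytes),
    so callers can flag records they cannot interpret instead of guessing.
    """
    hex_part = stored_fp.replace(":", "")
    if len(hex_part) % 2:
        return None
    return _ALGO_BY_LENGTH.get(len(hex_part) // 2)


def migrate_record(stored_fp: str, der_bytes: bytes) -> str:
    """Re-verify a stored fingerprint against its certificate, then return the SHA-256 form.

    The legacy value is checked with the algorithm that produced it so that a corrupted
    or mismatched record is caught during migration rather than silently rewritten.
    """
    algorithm = detect_algorithm(stored_fp)
    if algorithm is None:
        raise ValueError("unrecognised fingerprint length: %r" % stored_fp)
    if fingerprint(der_bytes, algorithm) != stored_fp:
        raise ValueError("stored fingerprint does not match certificate")
    return fingerprint(der_bytes, "sha256")


def migrate_all(records, certificates):
    """Migrate a {record_id: fingerprint} table given {record_id: der_bytes}.

    Returns (migrated, failed): migrated maps ids to SHA-256 fingerprints, failed maps
    ids to the error message, so the operator can review problem rows separately.
    """
    migrated, failed = {}, {}
    for record_id, stored_fp in records.items():
        try:
            migrated[record_id] = migrate_record(stored_fp, certificates[record_id])
        except (ValueError, KeyError) as exc:
            failed[record_id] = str(exc)
    return migrated, failed


if __name__ == "__main__":
    legacy = fingerprint(SAMPLE_DER, "sha1")
    print("legacy SHA-1 :", legacy)
    print("new SHA-256  :", migrate_record(legacy, SAMPLE_DER))
```

Records whose stored value does not re-verify end up in the `failed` map rather than being overwritten, which is the behaviour an operator wants from a one-shot schema migration.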