cloudstack-users mailing list archives

From Gabriel Beims Bräscher <gabr...@autonomiccs.com.br>
Subject Re: SSLv2Hello is disabled error
Date Sat, 22 Oct 2016 06:24:38 GMT
Hi there,

Hope my feedback will be somewhat helpful ;)

Just to put it in context, this exception is an SSLException thrown at 
the com.cloud.utils.nio.Link.doHandshakeUnwrap(SocketChannel, SSLEngine, 
ByteBuffer, ByteBuffer, int) method [1]; thus, the exception occurs only 
at the unwrap phase. Also, SSLv2Hello is disabled by default since Java 
7 [2] (disabled for sending; it is accepted only when receiving).

Due to known security issues [3], [4], ACS has disabled SSLv2 and SSLv3 
in its system VMs at least since 4.6.0. Files such as 
"/etc/apache2/mods-available/ssl.conf" and "/etc/httpd/conf/httpd.conf" 
have been configured to disable them [5], [6].

I am not sure yet of the cause of this exception. It might be something 
related to the process of upgrading from 4.2 (when SSLv2 was enabled); 
e.g. system VMs could stay with SSLv2 enabled in their configurations.

Just out of curiosity: besides those log messages, did you notice anything 
wrong in your environment?

Cheers,
Gabriel.

[2] https://github.com/apache/cloudstack/blob/87ef8137534fa798101f65c6691fcf71513ac978/utils/src/main/java/com/cloud/utils/nio/Link.java
[1] https://convincingbits.wordpress.com/2016/02/17/ssl-tls-with-java-7-and-the-death-of-sslv2hello/
[3] https://drownattack.com/
[4] https://access.redhat.com/articles/1232123
[5] https://github.com/apache/cloudstack/blob/87ef8137534fa798101f65c6691fcf71513ac978/systemvm/scripts/config_ssl.sh
[6] https://github.com/apache/cloudstack/blob/87ef8137534fa798101f65c6691fcf71513ac978/tools/appliance/definitions/systemvmtemplate/configure_systemvm_services.sh

On 21/10/2016 01:53, Cloud List wrote:
> Dear all,
>
> I have an ACS 4.9 test environment after upgrading from 4.2, using Ubuntu OS
> and KVM hypervisor.
>
> I am seeing the below error messages on the management server logs after
> upgrading to ACS 4.9.0, is it normal?
>
> ===
> 2016-10-21 11:50:27,579 ERROR [c.c.u.n.Link]
> (AgentManager-SSLHandshakeHandler-1:null) (logid:) SSL error occurred while
> processing unwrap data: SSLv2Hello is disabled
> 2016-10-21 11:50:27,603 ERROR [c.c.u.n.Link]
> (AgentManager-SSLHandshakeHandler-1:null) (logid:) SSL error occurred while
> processing unwrap data: SSLv2Hello is disabled
> 2016-10-21 11:50:32,621 ERROR [c.c.u.n.Link]
> (AgentManager-SSLHandshakeHandler-1:null) (logid:) SSL error occurred while
> processing unwrap data: SSLv2Hello is disabled
> 2016-10-21 11:50:32,642 ERROR [c.c.u.n.Link]
> (AgentManager-SSLHandshakeHandler-1:null) (logid:) SSL error occurred while
> processing unwrap data: SSLv2Hello is disabled
> ===
>
> It seems to be some Java error complaining about SSLv2Hello which is
> supposed to be disabled (based on what I've read) so not too sure if I can
> safely ignore the above messages?
>
> Any advice is appreciated.
>
> Thank you.
>
> -ip-
>
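
"SSLv2Hello" is a ClientHello wrapped in the SSLv2 record format, which some older clients send even when they go on to offer TLS. The Python sketch below is an added example, not part of the thread or of CloudStack's code: it classifies the first bytes a peer sent so the sender of such a hello can be identified in a capture. The function names, sample bytes and addresses are constructed for illustration.

```python
import struct

# (major, minor) bytes on the wire -> protocol name
VERSIONS = {(0, 2): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1.0",
            (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def classify_first_bytes(data: bytes) -> dict:
    """Classify the first bytes a client sent to a TLS listener."""
    if len(data) < 6:
        return {"format": "too-short"}
    # SSLv2 record (2-byte header form): high bit set, 15-bit length,
    # then msg-type 1 (CLIENT-HELLO) and the highest version offered.
    if data[0] & 0x80 and data[2] == 0x01:
        length = struct.unpack(">H", data[:2])[0] & 0x7FFF
        offers = VERSIONS.get((data[3], data[4]), "unknown")
        return {"format": "SSLv2Hello", "record_len": length, "offers": offers}
    # SSLv3/TLS record: content type 22 (handshake), record version,
    # 2-byte length, then handshake type 1 (ClientHello).
    if data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        length = struct.unpack(">H", data[3:5])[0]
        version = VERSIONS.get((data[1], data[2]), "unknown")
        return {"format": "TLS record", "record_len": length,
                "record_version": version}
    return {"format": "not-a-client-hello"}


# Constructed samples: (source address, first six bytes of the connection).
SAMPLES = [
    ("192.0.2.10", bytes.fromhex("802e01030100")),  # v2-format hello, offers TLSv1.0
    ("192.0.2.11", bytes.fromhex("16030100c801")),  # ordinary TLS ClientHello
    ("192.0.2.12", b"GET / "),                      # plaintext sent to the TLS port
]


def sslv2hello_peers(samples):
    """Return the sources whose first bytes are an SSLv2-format hello."""
    return sorted({src for src, data in samples
                   if classify_first_bytes(data)["format"] == "SSLv2Hello"})


if __name__ == "__main__":
    for src, data in SAMPLES:
        print(src, classify_first_bytes(data))
    print("SSLv2Hello senders:", sslv2hello_peers(SAMPLES))
```
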

