Bug 1578057
| Summary: | Security sweep is showing weak ciphers RC4 and 3DES are enabled on VDSM port 54321. | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Virtualization Manager | Reporter: | Frank DeLorey <fdelorey> |
| Component: | vdsm | Assignee: | Martin Perina <mperina> |
| Status: | CLOSED ERRATA | QA Contact: | Petr Matyáš <pmatyas> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 4.1.11 | CC: | dfediuck, fdelorey, lleistne, lsurette, mgoldboi, michal.skrivanek, mperina, srevivo, ycui |
| Target Milestone: | ovirt-4.3.1 | | |
| Target Release: | 4.3.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-05-08 12:36:02 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | Infra | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1451297, 1671074 | | |
| Bug Blocks: | | | |
Description
Frank DeLorey
2018-05-14 17:49:31 UTC
Frank, did you try to limit VDSM to TLS 1.2?

No we did not as this customer only required TLSv1.0 to be disabled, they want to keep the use of TLSv1.1 and TLSv1.2.

Frank

(In reply to Frank DeLorey from comment #2)
> No we did not as this customer only required TLSv1.0 to be disabled, they
> want to keep the use of TLSv1.1 and TLSv1.2.
>
> Frank

Why would the customer care what Engine<->VDSM is using for communication? Are you sure we are talking about the same thing?

Let's try - see https://bugzilla.redhat.com/show_bug.cgi?id=1451297#c10 (and follow-up comments there!)

OK I commented in the other BZ.

Should this have a z-stream milestone?

Removed the .z flag, since dropping these ciphers cannot be done in a minor release.

We have enabled only higher key-length ciphers and disabled anonymous ciphers as a part of BZ1671074, so now RC4 and 3DES ciphers are no longer available and only strong ciphers are available, which can be validated using the command below (nmap 7+ is required to show the result below):

```
# nmap -sV --script ssl-enum-ciphers -p 54321 <HOSTNAME>
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: A
```

So moving bug to MODIFIED to align with BZ1671074 status.
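The nmap scan in the comment above is how the fix was validated by eye. As an added example (not code from VDSM, oVirt, or anyone on this bug), here is a small Python checker that parses `ssl-enum-ciphers` output and flags the suites a security sweep objects to, so the same check can be scripted across every host rather than read off a terminal. The two sample scan outputs are constructed for the example: `AFTER` is abridged from the post-fix scan posted in the bug, and `BEFORE` is what a host still offering RC4 and 3DES, and TLSv1.0, would look like. The `scan()` helper runs the bug's exact nmap command and assumes nmap 7+ is on the PATH; the weak-suite patterns and reasons are the example's own choices.

```python
"""Flag weak TLS suites in `nmap --script ssl-enum-ciphers` output.

Added example for this bug, not code from VDSM or oVirt: reports what a
security sweep objects to (RC4, 3DES, single DES, NULL, anonymous,
export-grade and MD5-MAC suites, and any SSLv2/SSLv3/TLSv1.0 section).
"""
import re
import subprocess

# Regexes over IANA suite names (TLS_<kx>_WITH_<cipher>_<mac>), with the reason.
WEAK_PATTERNS = [
    (re.compile(r"_RC4_"), "RC4 stream cipher (prohibited by RFC 7465)"),
    (re.compile(r"_3DES_"), "3DES, 64-bit block cipher (Sweet32)"),
    (re.compile(r"_DES_"), "single DES, 56-bit key"),
    (re.compile(r"_NULL_"), "NULL encryption or MAC"),
    (re.compile(r"_anon_"), "anonymous key exchange, no server authentication"),
    (re.compile(r"_EXPORT"), "export-grade key length"),
    (re.compile(r"_MD5$"), "MD5 MAC"),
]
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0"}
PROTO_RE = re.compile(r"^((?:SSL|TLS)v\d(?:\.\d)?):$")


def parse_enum_ciphers(text):
    """Return {protocol: [suite names]}; only suites inside a protocol's
    'ciphers:' block count, so the 'NULL' under 'compressors:' is not one."""
    suites, proto, section = {}, None, None
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").strip()  # nmap prefixes script lines with "| " or "|_ "
        m = PROTO_RE.match(line)
        if m:
            proto, section = m.group(1), None
            suites.setdefault(proto, [])
        elif line.endswith(":"):
            section = line[:-1]
        elif proto and section == "ciphers" and line.startswith("TLS_"):
            suites[proto].append(line.split()[0])
    return suites


def audit(text):
    """Return [(protocol, suite or None, reason)]; empty means the port is clean."""
    findings = []
    for proto, ciphers in parse_enum_ciphers(text).items():
        if proto in WEAK_PROTOCOLS:
            findings.append((proto, None, "legacy protocol version offered"))
        for suite in ciphers:
            for pattern, reason in WEAK_PATTERNS:
                if pattern.search(suite):
                    findings.append((proto, suite, reason))
                    break
    return findings


def scan(host, port=54321):
    """Run the bug's nmap command against a live host (needs nmap 7+ on PATH)."""
    cmd = ["nmap", "-sV", "--script", "ssl-enum-ciphers", "-p", str(port), host]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


# Constructed sample: a VDSM port still offering RC4 and 3DES, and TLSv1.0.
BEFORE = """\
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|     compressors:
|       NULL
|_  least strength: C
"""

# Constructed sample, abridged from the post-fix scan in the bug (TLSv1.2 only).
AFTER = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|_  least strength: A
"""

if __name__ == "__main__":
    for label, output in (("before", BEFORE), ("after", AFTER)):
        findings = audit(output)
        status = f"{len(findings)} weak" if findings else "clean"
        print(f"{label}: {status}")
        for proto, suite, reason in findings:
            print(f"  {proto:8} {suite or '-':40} {reason}")
```

Against `BEFORE` the checker reports five items (the TLSv1.0 section itself plus RC4 and 3DES under each protocol); against `AFTER` it reports nothing, which is the state the comment above is asserting. To check a fleet, feed `scan(host)` to `audit()` and fail the job on a non-empty list.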
INFO: Bug status wasn't changed from MODIFIED to ON_QA due to the following reason:

[No relevant external trackers attached]

For more info please contact: rhv-devops

Verified on vdsm-4.30.9-1.el7ev.x86_64

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:1077