Bug 1764946
Summary: | ovirt-provider-ovn accepts anonymous TLS cipher suites (security) | |
---|---|---|---
Product: | [oVirt] ovirt-provider-ovn | Reporter: | Ralf Spenneberg <ralf>
Component: | provider | Assignee: | Miguel Duarte Barroso <mduarted>
Status: | CLOSED CURRENTRELEASE | QA Contact: | msheena
Severity: | unspecified | Docs Contact: |
Priority: | unspecified | |
Version: | 1.2.22 | CC: | bugs, danken, dholler, dmoppert, mduarted, mperina, rbarry, royoung
Target Milestone: | ovirt-4.3.8 | Flags: | mperina: ovirt-4.3?
Target Release: | 1.2.29 | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | ovirt-provider-ovn-1.2.29-1 | Doc Type: | If docs needed, set a value
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2020-01-27 12:56:04 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | Network | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Attachments: | | |

Description
Ralf Spenneberg
2019-10-24 05:34:41 UTC
Ralf, can you please provide more detailed instructions to enable us to check if this is still a problem in 4.4?

Hi,

you can use the tool testssl.sh from https://github.com/drwetter/testssl.sh

Clone the repo and invoke the tool with:

./testssl.sh ovirt-engine.xxx.xx:35357

The output will contain a line:

Anonymous NULL Ciphers (no authentication) offered (NOT ok)

A few other problems are reported as well:
- Unsecure client side renegotiation
- CBC usage

Kind regards,
Ralf

Created attachment 1635289
update ssl ciphers configuration file

This attachment should be used to disallow anonymous ciphers.
It should be moved to /etc/ovirt-provider-ovn/conf.d/01-no-anonymous-ciphers.conf on the ovirt-engine node.
This file should be removed upon the ovirt-4.3.8 release, where the ovirt-provider-ovn cipher list will be updated, making it FIPS compliant.

Verified using [1] as offered in comment #2.

============================================

Verified on version
===================
ovirt-engine-4.3.8.2-0.1.master.el7.noarch
ovirt-provider-ovn-1.2.29-1.el7ev.noarch

Test tool output
================
Testing cipher categories

NULL ciphers (no encryption) not offered (OK)
Anonymous NULL Ciphers (no authentication) not offered (OK)
Export ciphers (w/o ADH+NULL) not offered (OK)
LOW: 64 Bit + DES, RC[2,4] (w/o export) not offered (OK)
Triple DES Ciphers / IDEA not offered
Obsolete: SEED + 128+256 Bit CBC cipher offered
Strong encryption (AEAD ciphers) offered (OK)

[1] - https://github.com/drwetter/testssl.sh

This bugzilla is included in oVirt 4.3.8 release, published on January 27th 2020.

Since the problem described in this bug report should be resolved in oVirt 4.3.8 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.
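
As an added example (not part of the bug thread and not ovirt-provider-ovn code), the Python below turns the testssl.sh cipher-category rows quoted in the comments above into a repeatable check that can be re-run after an upgrade or a configuration change. It assumes one category per line in the layout those comments show; the function name `audit` and the bucket names are hypothetical.

```python
import re

# One row of the "Testing cipher categories" section of testssl.sh output,
# e.g. "Anonymous NULL Ciphers (no authentication) offered (NOT ok)".
# The verdict in parentheses is optional: some rows print none.
ROW = re.compile(
    r"^\s*(?P<category>.+?)\s+(?P<state>not offered|offered)"
    r"(?:\s+\((?P<verdict>OK|NOT ok)\))?\s*$"
)

def audit(report):
    """Sort cipher-category rows into fail / review / pass buckets."""
    buckets = {"fail": [], "review": [], "pass": []}
    for line in report.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headings, blank lines, unrelated output
        if m["verdict"] == "NOT ok":
            buckets["fail"].append(m["category"])
        elif m["state"] == "offered" and m["verdict"] is None:
            # Offered but not rated by the tool: needs a human decision.
            buckets["review"].append(m["category"])
        else:
            buckets["pass"].append(m["category"])
    return buckets

# Row quoted in the reporter's comment on this page.
BEFORE = "Anonymous NULL Ciphers (no authentication) offered (NOT ok)"

# Rows quoted in the verification comment (ovirt-provider-ovn-1.2.29-1).
AFTER = """\
Testing cipher categories
NULL ciphers (no encryption) not offered (OK)
Anonymous NULL Ciphers (no authentication) not offered (OK)
Export ciphers (w/o ADH+NULL) not offered (OK)
LOW: 64 Bit + DES, RC[2,4] (w/o export) not offered (OK)
Triple DES Ciphers / IDEA not offered
Obsolete: SEED + 128+256 Bit CBC cipher offered
Strong encryption (AEAD ciphers) offered (OK)
"""

if __name__ == "__main__":
    for label, text in (("before fix", BEFORE), ("after fix", AFTER)):
        result = audit(text)
        print(label, "fail:", result["fail"], "review:", result["review"])
```

A non-empty `fail` bucket is the condition to block a release on; the `review` bucket surfaces categories such as the CBC row that the tool lists as offered without rating them.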