+++ This bug was initially created as a clone of Bug #1155328 +++

+++ This bug should be used to get the change in release-3.6. +++

This is related to the so-called POODLE attack.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566

To summarize, POODLE involves a downgrade from TLS to SSLv3, combined with CBC cipher modes. Users can avoid the downgrade by using an SSL library that supports TLS_FALLBACK_SCSV, as recent versions of OpenSSL do. For users unable to pursue that strategy, disabling CBC cipher modes is a potential workaround.

gluster volume set SOMEVOLUME ssl.cipherlist $something

Unfortunately, calculating $something is not trivial. The "openssl ciphers" command does not have a built-in "CBC" group to exclude, nor does it support wildcards. Therefore, it is necessary to create a list of cipher modes that meet other criteria (e.g. "HIGH:!SSLv2") and manually delete "CBC" entries to create a new list.

For users unwilling to calculate their own cipher lists, the default cipher list in the GlusterFS TLS code should be changed to exclude CBC modes in addition to other (current) restrictions ensuring optimal security. In the very rare case that this might cause a communication failure due to lack of compatible cipher modes between servers and clients (which would require a very unlikely combination of GlusterFS and OpenSSL versions), we should also document how to calculate and apply their own cipher list without making themselves vulnerable to POODLE.
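The cipher-list calculation described above, as an added example that is not part of the bug report or of the GlusterFS code base (and not the ssl-authz.t script the commit message mentions). It assumes a POSIX shell and, for the live helper only, an "openssl" binary; the sample inputs are constructed to mimic "openssl ciphers" and "openssl ciphers -v" output. It also goes one step beyond the text: because most CBC suites in OpenSSL's naming scheme do not carry "CBC" in their name (AES256-SHA is a CBC suite), a second filter keeps only suites whose Enc= field in the verbose listing is an AEAD construction, which is what "no CBC" means in practice for the HIGH group.

```shell
#!/bin/sh
# Added example, not GlusterFS project code. Builds a CBC-free cipher list
# suitable for: gluster volume set SOMEVOLUME ssl.cipherlist "$LIST"

# Step the bug describes: take a colon-separated cipher list on stdin and
# drop every entry whose name contains "CBC".
strip_cbc_names() {
    tr ':' '\n' | grep -v 'CBC' | grep -v '^$' | tr '\n' ':' | sed 's/:$//'
}

# Stricter filter over "openssl ciphers -v" output on stdin: keep only suites
# whose Enc= field is AEAD (GCM, CCM or CHACHA20). In that listing a CBC suite
# shows up as e.g. "Enc=AES(256)" with no mode, so name matching alone misses it.
aead_only_from_verbose() {
    awk '$0 ~ /Enc=(AESGCM|AESCCM|CHACHA20)/ { print $1 }' \
        | tr '\n' ':' | sed 's/:$//'
}

# Live helper (needs openssl): start from the page's "HIGH:!SSLv2" criteria,
# or a list passed as $1, and keep only the AEAD suites.
cbc_free_cipherlist() {
    openssl ciphers -v "${1:-HIGH:!SSLv2}" | aead_only_from_verbose
}

# Constructed sample: an "openssl ciphers" style list. Note that AES256-SHA is
# a CBC suite even though "CBC" does not appear in its name.
sample_cipher_list() {
    printf '%s' 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-PSK-AES256-CBC-SHA384:AES256-SHA'
}

# Constructed sample: "openssl ciphers -v" style lines (whitespace approximate).
sample_verbose_output() {
    printf '%s\n' \
        'ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD' \
        'ECDHE-RSA-AES256-SHA384     TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256)    Mac=SHA384' \
        'AES256-SHA                  SSLv3   Kx=RSA  Au=RSA Enc=AES(256)    Mac=SHA1' \
        'ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD'
}

demo() {
    echo "name filter (misses AES256-SHA): $(sample_cipher_list | strip_cbc_names)"
    echo "AEAD-only filter:                $(sample_verbose_output | aead_only_from_verbose)"
}
```

With a real OpenSSL present, `gluster volume set SOMEVOLUME ssl.cipherlist "$(cbc_free_cipherlist)"` applies the result; run `openssl ciphers -v "$(cbc_free_cipherlist)"` first on both a server and a client host to confirm the intersection is non-empty before changing the volume option.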
--- Additional comment from Anand Avati on 2014-10-22 00:17:59 CEST ---

REVIEW: http://review.gluster.org/8962 (socket: disallow CBC cipher modes) posted (#1) for review on master by Jeff Darcy (jdarcy)

--- Additional comment from Anand Avati on 2014-10-27 12:40:59 CET ---

COMMIT: http://review.gluster.org/8962 committed in master by Vijay Bellur (vbellur)

------ commit 378a0a19d95e552220d71b13be685f4772c576cd
Author: Jeff Darcy <jdarcy>
Date:   Tue Oct 21 16:54:48 2014 -0400

    socket: disallow CBC cipher modes

    This is related to CVE-2014-3566 a.k.a. POODLE.

    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566

    POODLE is specific to CBC cipher modes in SSLv3. Because there is no way
    to prevent SSLv3 fallback on a system with an unpatched version of
    OpenSSL, users of such systems can only be protected by disallowing CBC
    modes. The default cipher-mode specification in our code has been changed
    accordingly. Users can still set their own cipher modes if they wish. To
    support them, the ssl-authz.t test script provides an example of how to
    combine the CBC exclusion with other criteria in a script.

    Change-Id: Ib1fa547082fbb7de9df94ffd182b1800d6e354e5
    BUG: 1155328
    Signed-off-by: Jeff Darcy <jdarcy>
    Reviewed-on: http://review.gluster.org/8962
    Tested-by: Gluster Build System <jenkins.com>
    Reviewed-by: Kaleb KEITHLEY <kkeithle>
    Reviewed-by: Vijay Bellur <vbellur>
REVIEW: http://review.gluster.org/8987 (socket: disallow CBC cipher modes) posted (#1) for review on release-3.6 by Vijay Bellur (vbellur)
COMMIT: http://review.gluster.org/8987 committed in release-3.6 by Vijay Bellur (vbellur)

------ commit ab017cabfb547f423fd0d9702865edcb91b58c53
Author: Jeff Darcy <jdarcy>
Date:   Tue Oct 21 16:54:48 2014 -0400

    socket: disallow CBC cipher modes

    This is related to CVE-2014-3566 a.k.a. POODLE.

    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566

    POODLE is specific to CBC cipher modes in SSLv3. Because there is no way
    to prevent SSLv3 fallback on a system with an unpatched version of
    OpenSSL, users of such systems can only be protected by disallowing CBC
    modes. The default cipher-mode specification in our code has been changed
    accordingly. Users can still set their own cipher modes if they wish. To
    support them, the ssl-authz.t test script provides an example of how to
    combine the CBC exclusion with other criteria in a script.

    Change-Id: Ib1fa547082fbb7de9df94ffd182b1800d6e354e5
    BUG: 1157659
    Signed-off-by: Jeff Darcy <jdarcy>
    Reviewed-on: http://review.gluster.org/8962
    Tested-by: Gluster Build System <jenkins.com>
    Reviewed-by: Kaleb KEITHLEY <kkeithle>
    Reviewed-by: Vijay Bellur <vbellur>
    Reviewed-on: http://review.gluster.org/8987
    Reviewed-by: Niels de Vos <ndevos>
    Tested-by: Niels de Vos <ndevos>
This bug is getting closed because a release has been made available that should address the reported issue. In case the problem is still not fixed with glusterfs-3.6.1, please reopen this bug report.

glusterfs-3.6.1 has been announced [1], packages for several distributions should become available in the near future. Keep an eye on the Gluster Users mailinglist [2] and the update infrastructure for your distribution.

[1] http://supercolony.gluster.org/pipermail/gluster-users/2014-November/019410.html
[2] http://supercolony.gluster.org/mailman/listinfo/gluster-users