Description of problem:
The ovirt-provider-ovn service running on port 35357 is accepting anonymous cipher suites:
TLS_ECDH_anon_WITH_AES_128_CBC_SHA
TLS_ECDH_anon_WITH_AES_256_CBC_SHA

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Start ovirt-provider-ovn
2. Scan using any vulnerability scanner or ssl scanner
3.

Actual results:
Anonymous cipher suites are accepted

Expected results:
Anonymous cipher suites should be excluded.

Additional info:
Ralf, can you please provide more detailed instructions to enable us checking if this is still a problem in 4.4?
Hi,

you can use the tool testssl.sh from https://github.com/drwetter/testssl.sh

Clone the repo and invoke the tool with:
./testssl.sh ovirt-engine.xxx.xx:35357

The output will contain a line:
Anonymous NULL Ciphers (no authentication)  offered (NOT ok)

A few other problems are reported as well:
- Insecure client side renegotiation
- CBC usage

Kind regards,
Ralf
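The probe below is an added example for this thread, not code from the bug report, from ovirt-provider-ovn or from testssl.sh. It does the two things step 2 of the reproduction and Ralf's scan output describe: classify the suite names a scanner lists (anonymous, NULL encryption, export, CBC), and actively test whether a host:port accepts an anonymous (aNULL) suite, which is the check to repeat after dropping the conf.d override. The host name in main() is a placeholder, SCAN_SAMPLE is a constructed list and not real output from the affected host, and the CBC tag is only derived from IANA-style names that spell out the mode. One caveat worth knowing when you write such a probe yourself: TLS 1.3 suites are configured separately from the OpenSSL cipher list and are never anonymous, so the probe caps the handshake at TLS 1.2; otherwise a 1.3-capable server would negotiate TLS_AES_* and the probe would wrongly report acceptance.

```python
"""Probe a TLS endpoint for anonymous cipher suites and classify scanner output.

Hypothetical helper written for this bug thread; not part of ovirt-provider-ovn
or testssl.sh.  The host and port in main() are placeholders.
"""
import re
import socket
import ssl
from typing import Dict, List, Optional, Set

# Patterns over IANA names (TLS_..._WITH_...) and OpenSSL names (ADH-, AECDH-).
_ANON = re.compile(r"_anon_|^A(?:EC)?DH-")
_NULL_ENC = re.compile(r"_WITH_NULL_|^NULL-|-NULL-")
_EXPORT = re.compile(r"_EXPORT|^EXP-")
_CBC = re.compile(r"_CBC_")  # only IANA names spell out the block mode

# Constructed sample of what a scanner might list for an endpoint like the one
# in this report; not real output from the affected host.
SCAN_SAMPLE = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
    "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_AES_128_GCM_SHA256",
]


def classify_suite(name: str) -> Set[str]:
    """Return the weaknesses a single suite name exhibits (empty set if none).

    'anonymous' means no server authentication at all: an on-path attacker can
    impersonate the server, which is the problem this report is about.
    """
    tags = set()
    if _ANON.search(name):
        tags.add("anonymous")
    if _NULL_ENC.search(name):
        tags.add("null-encryption")
    if _EXPORT.search(name):
        tags.add("export")
    if _CBC.search(name):
        tags.add("cbc")
    return tags


def anonymous_suites(offered: List[str]) -> List[str]:
    """Suites from a scan result that offer no authentication, sorted."""
    return sorted(s for s in offered if "anonymous" in classify_suite(s))


def summarize(offered: List[str]) -> Dict[str, List[str]]:
    """Group offered suites by weakness tag, like a scanner's cipher categories."""
    out: Dict[str, List[str]] = {}
    for s in offered:
        for tag in classify_suite(s):
            out.setdefault(tag, []).append(s)
    return {tag: sorted(v) for tag, v in sorted(out.items())}


def accepts_anonymous(host: str, port: int, timeout: float = 5.0) -> Optional[str]:
    """Offer only aNULL suites over TLS <= 1.2 and return the negotiated suite
    name if the server accepts one, or None if it refuses (the expected, fixed
    behaviour).  Connection errors other than a TLS refusal propagate as
    OSError so they are not mistaken for a secure result."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Anonymous suites carry no certificate, so there is nothing to verify.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # TLS 1.3 suites are configured separately and are never anonymous; capping
    # at 1.2 stops a 1.3-capable server from making the probe look accepted.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL >= 1.1 refuses to offer aNULL above security level 0.
    ctx.set_ciphers("aNULL:@SECLEVEL=0")
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0]  # e.g. "AECDH-AES128-SHA" when vulnerable
    except (ssl.SSLError, ConnectionResetError):
        return None  # handshake refused: no anonymous suite accepted


if __name__ == "__main__":
    print(summarize(SCAN_SAMPLE))
    # Placeholder target; replace with the real engine host.
    print(accepts_anonymous("ovirt-engine.example", 35357))
```

Run it against the engine before and after applying the conf.d override (or after upgrading to 4.3.8): accepts_anonymous() should print a suite name before and None afterwards. The classifier tags CBC suites as well, which is why a "not offered" for anonymous ciphers can still leave the "Obsolete: ... CBC cipher offered" line in a scan.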
Created attachment 1635289
update ssl ciphers configuration file

This attachment should be used to disallow anonymous ciphers. It should be moved to /etc/ovirt-provider-ovn/conf.d/01-no-anonymous-ciphers.conf on the ovirt-engine node.

This file should be removed upon the ovirt-4.3.8 release, where the ovirt-provider-ovn cipher list will be updated, making it FIPS compliant.
Verified using [1] as offered in comment #2.
============================================

Verified on version
===================
ovirt-engine-4.3.8.2-0.1.master.el7.noarch
ovirt-provider-ovn-1.2.29-1.el7ev.noarch

Test tool output
================
 Testing cipher categories
 NULL ciphers (no encryption)                  not offered (OK)
 Anonymous NULL Ciphers (no authentication)    not offered (OK)
 Export ciphers (w/o ADH+NULL)                 not offered (OK)
 LOW: 64 Bit + DES, RC[2,4] (w/o export)       not offered (OK)
 Triple DES Ciphers / IDEA                     not offered
 Obsolete: SEED + 128+256 Bit CBC cipher       offered
 Strong encryption (AEAD ciphers)              offered (OK)

[1] - https://github.com/drwetter/testssl.sh
This bugzilla is included in oVirt 4.3.8 release, published on January 27th 2020. Since the problem described in this bug report should be resolved in oVirt 4.3.8 release, it has been closed with a resolution of CURRENT RELEASE. If the solution does not work for you, please open a new bug report.