Posted to commits@cloudstack.apache.org by GitBox <gi...@apache.org> on 2021/02/12 17:30:12 UTC

[GitHub] [cloudstack] Mahir92 opened a new issue #4689: Update to enable TLS >=1.2 as default secure protocols

Mahir92 opened a new issue #4689:
URL: https://github.com/apache/cloudstack/issues/4689


   in file https://github.com/apache/cloudstack/blob/0f3f2a09370a18301db28ec3d28efe746b6437c9/plugins/network-elements/bigswitch/src/main/java/com/cloud/network/bigswitch/TrustingProtocolSocketFactory.java, line 71, the SSL protocol is used in statement:  SSLContext sc = SSLContext.getInstance("SSL");
   
   Impact: 
   
   An SSL DDoS attack targets the SSL handshake protocol either by sending worthless data to the SSL server which will result in connection issues for legitimate users or by abusing the SSL handshake protocol itself.
   
   Suggestions:
   
   Upgrade the implementation to “TLS”, and configure the https.protocols JVM option to include TLSv1.2.
   
   Useful links:
   
   https://blogs.oracle.com/java-platform-group/diagnosing-tls,-ssl,-and-https
   
   https://www.appmarq.com/public/tqi,1039002,CWE-319-Avoid-using-Deprecated-SSL-protocols-to-secure-connection
   
   Please share with us your opinions/comments if there is any:
   
   Is the bug report helpful?


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
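As an added example (not code from CloudStack or its TrustingProtocolSocketFactory class), the flagged getInstance("SSL") pattern is shown beside a hardened version that pins the enabled protocols on each socket to TLS 1.2 or newer, plus a small audit helper. The https.protocols property the issue mentions only governs HttpsURLConnection, so a raw SSLSocket created from a socket factory needs the explicit setEnabledProtocols call; class and method names here are assumptions.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;

// Added example, not CloudStack code: contrasts the flagged SSLContext.getInstance("SSL")
// call with a socket whose enabled protocols are restricted to TLS 1.2 or newer.
public class TlsProtocolHardening {

    // Protocol names that should never be negotiated.
    static final List<String> LEGACY = Arrays.asList("SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1");

    // The pattern the issue flags: context requested by the generic "SSL" name and the
    // socket left with whatever protocol set the JDK enables by default.
    static SSLContext legacyContext() throws Exception {
        SSLContext sc = SSLContext.getInstance("SSL");
        sc.init(null, null, null);          // default key/trust managers
        return sc;
    }

    // Hardened: request a TLS context, then pin the protocols on every socket it creates.
    static SSLContext tlsContext() throws Exception {
        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, null, null);
        return sc;
    }

    // Enable only TLS 1.3/1.2 (whichever the runtime supports); fail loudly rather than
    // silently fall back to an older version when neither is available.
    static SSLSocket restrictToModernTls(SSLSocket socket) {
        List<String> supported = Arrays.asList(socket.getSupportedProtocols());
        List<String> wanted = new ArrayList<>();
        for (String p : Arrays.asList("TLSv1.3", "TLSv1.2")) {
            if (supported.contains(p)) wanted.add(p);
        }
        if (wanted.isEmpty()) throw new IllegalStateException("runtime offers no TLS >= 1.2");
        socket.setEnabledProtocols(wanted.toArray(new String[0]));
        return socket;
    }

    // Audit helper: true when the socket would still negotiate a deprecated version.
    static boolean allowsLegacyProtocol(SSLSocket socket) {
        for (String p : socket.getEnabledProtocols()) {
            if (LEGACY.contains(p)) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        SSLSocket before = (SSLSocket) legacyContext().getSocketFactory().createSocket();
        SSLSocket after = restrictToModernTls((SSLSocket) tlsContext().getSocketFactory().createSocket());
        System.out.println("legacy: " + Arrays.toString(before.getEnabledProtocols()) + " deprecated=" + allowsLegacyProtocol(before));
        System.out.println("hardened: " + Arrays.toString(after.getEnabledProtocols()) + " deprecated=" + allowsLegacyProtocol(after));
    }
}
```

Whether the legacy branch reports a deprecated version depends on the JDK's jdk.tls.disabledAlgorithms setting, which is exactly why the hardened branch does not rely on it.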



[GitHub] [cloudstack] rhtyd closed issue #4689: Update to enable TLS >=1.2 as default secure protocols

Posted by GitBox <gi...@apache.org>.
rhtyd closed issue #4689:
URL: https://github.com/apache/cloudstack/issues/4689


   





[GitHub] [cloudstack] Mahir92 commented on issue #4689: Update to enable TLS >=1.2 as default secure protocols

Posted by GitBox <gi...@apache.org>.
Mahir92 commented on issue #4689:
URL: https://github.com/apache/cloudstack/issues/4689#issuecomment-782739744


   hi @DaanHoogland , thanks for giving your feedback. It was really helpful. We will see if we can provide an exploit of the vulnerability.
   
   Thanks again.





[GitHub] [cloudstack] rhtyd commented on issue #4689: Update to enable TLS >=1.2 as default secure protocols

Posted by GitBox <gi...@apache.org>.
rhtyd commented on issue #4689:
URL: https://github.com/apache/cloudstack/issues/4689#issuecomment-791905760


   Thanks @Mahir92, but the specific class/plugin in question may not be used/updated; for those reasons and the lack of a testing environment we would not make that update (some legacy systems don't support newer TLS versions). I'll close on this remark, unless you disagree or can help with a fix and testing it.





[GitHub] [cloudstack] DaanHoogland commented on issue #4689: Update to enable TLS >=1.2 as default secure protocols

Posted by GitBox <gi...@apache.org>.
DaanHoogland commented on issue #4689:
URL: https://github.com/apache/cloudstack/issues/4689#issuecomment-779047250


   
   > Please share with us your opinions/comments if there is any:
   > 
   > Is the bug report helpful?
   
   @Mahir92, I'm guessing you came to this with static analysis. It could be made more helpful by providing an exploit. There is close to no-one taking the trouble to analyse your findings without them. The issue makes sense btw; it's just that it is not inviting to the community to go and chase something that may not be exposed ever, even if in principle you are pointing out a valid issue. As this stands it will not be planned by anybody to work on (unless you intend to).

