Patched 4.3.1 SystemVMs (was Re: git commit: updated refs/heads/master to 88acc9b)

[Rohit Yadav <ro...@shapeblue.com>]

Hi again,

> On 04-Nov-2014, at 6:01 am, Santhosh Edukulla <sa...@citrix.com> wrote:
>
> Apart from SSLv3, we may want to disable TLS1.0, TLS1.1, as they have similar vulnerabilities.

If we don’t support TLS v1.0, it will break console proxy on IE etc. Further, what vulnerabilities do TLS v1.0 and v1.1 have?

Here’s the tool to check POODLE vulnerability on your servers: http://packages.shapeblue.com/tools/poodle-checker.sh (taken from RedHat)

Patched systemvm template for 4.3.1 that fixes for ShellShock and POODLE:
http://packages.shapeblue.com/systemvmtemplate/4.3/4.3.1

Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +91 88 262 30892 | rohit.yadav@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab

Find out more about ShapeBlue and our range of CloudStack related services

IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>

This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.

Re: Patched 4.3.1 SystemVMs (was Re: git commit: updated refs/heads/master to 88acc9b)

[Rohit Yadav <ro...@shapeblue.com>]

> On 04-Nov-2014, at 2:52 pm, Santhosh Edukulla <sa...@citrix.com> wrote:
>
> As well, we may want to just revert the previous changes done to httpd.conf to keep the configuration of ciphers consistent across files.

Sure that was a mistake.

Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +91 88 262 30892 | rohit.yadav@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab



Find out more about ShapeBlue and our range of CloudStack related services

IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>

This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.

Re: Patched 4.3.1 SystemVMs (was Re: git commit: updated refs/heads/master to 88acc9b)

[Rohit Yadav <ro...@shapeblue.com>]

Santhosh,

Please go ahead with any better fix you think would work on any/all of the affected (release) branches.

> On 10-Nov-2014, at 9:53 pm, Santhosh Edukulla <sa...@citrix.com> wrote:
>
> Rohit,
>
> 1. Regarding the below note, you can decided on that, but removing or not is not related to this fix though.
>
> 2. Check the below link for other areas in code that need to be fixed as part of poodle issue fix.
>
> http://security.coverity.com/blog.html
>
> Regards,
> Santhosh
> ________________________________________
> From: Rohit Yadav [rohit.yadav@shapeblue.com]
> Sent: Tuesday, November 04, 2014 10:44 AM
> To: dev@cloudstack.apache.org
> Subject: Re: Patched 4.3.1 SystemVMs (was Re: git commit: updated refs/heads/master to 88acc9b)
>
> IMO - Let’s remove httpd.conf, it’s not used anywhere; if people want they can add it later down the lane.
>
>> On 04-Nov-2014, at 8:43 pm, Santhosh Edukulla <sa...@citrix.com> wrote:
>>
>> Rohit,
>>
>> The recent fix can solve the issue, but instead if we can use apache2.conf for these directives and remove them from http2.conf and ssl.conf, it makes usage at one place and avoids usage at different places.
>>
>> As well, if some body downs the lane includes httpd.conf under apache2.conf, then these references can lead to confusion.
>>
>> Santhosh
>> ________________________________________
>> From: Rohit Yadav [rohit.yadav@shapeblue.com]
>> Sent: Tuesday, November 04, 2014 4:28 AM
>> To: dev@cloudstack.apache.org
>> Subject: Re: Patched 4.3.1 SystemVMs (was Re: git commit: updated refs/heads/master to 88acc9b)
>>
>> - user-ML
>>
>>> On 04-Nov-2014, at 2:52 pm, Santhosh Edukulla <sa...@citrix.com> wrote:
>>>
>>> There we mentioned to support only TLS1...etc through + logic
>>
>> I checked again, where and how is httpd.conf used?
>>
>> I think this file that is no longer used. I think very old systemvms were build using a base (CentOS?) linux which used the old buildsystemvm.sh script, the build scripts that we use now (that uses VirtualBox+vagrant/veewee) is the one that I made using Debian as the base distro two years ago and in that we install apache2.conf. So, if there is any file needed there it should be a fixed version of apache2.conf and not httpd.conf
>>
>> Regards,
>> Rohit Yadav
>> Software Architect, ShapeBlue
>> M. +91 88 262 30892 | rohit.yadav@shapeblue.com
>> Blog: bhaisaab.org | Twitter: @_bhaisaab
>>
>>
>>
>> Find out more about ShapeBlue and our range of CloudStack related services
>>
>> IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
>> CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
>> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
>> CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
>> CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>
>>
>> This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.
>
> Regards,
> Rohit Yadav
> Software Architect, ShapeBlue
> M. +91 88 262 30892 | rohit.yadav@shapeblue.com
> Blog: bhaisaab.org | Twitter: @_bhaisaab
>
>
>
> Find out more about ShapeBlue and our range of CloudStack related services
>
> IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
> CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
> CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
> CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>
>
> This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.

Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +91 88 262 30892 | rohit.yadav@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab



Find out more about ShapeBlue and our range of CloudStack related services

IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>

This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.

RE: Patched 4.3.1 SystemVMs (was Re: git commit: updated refs/heads/master to 88acc9b)

[Santhosh Edukulla <sa...@citrix.com>]

Rohit,

1. Regarding the below note, you can decided on that, but removing or not is not related to this fix though.

2. Check the below link for other areas in code that need to be fixed as part of poodle issue fix.

http://security.coverity.com/blog.html

Regards,
Santhosh
________________________________________
From: Rohit Yadav [rohit.yadav@shapeblue.com]
Sent: Tuesday, November 04, 2014 10:44 AM
To: dev@cloudstack.apache.org
Subject: Re: Patched 4.3.1 SystemVMs (was Re: git commit: updated refs/heads/master to 88acc9b)

IMO - Let’s remove httpd.conf, it’s not used anywhere; if people want they can add it later down the lane.

> On 04-Nov-2014, at 8:43 pm, Santhosh Edukulla <sa...@citrix.com> wrote:
>
> Rohit,
>
> The recent fix can solve the issue, but instead if we can use apache2.conf for these directives and remove them from http2.conf and ssl.conf, it makes usage at one place and avoids usage at different places.
>
> As well, if some body downs the lane includes httpd.conf under apache2.conf, then these references can lead to confusion.
>
> Santhosh
> ________________________________________
> From: Rohit Yadav [rohit.yadav@shapeblue.com]
> Sent: Tuesday, November 04, 2014 4:28 AM
> To: dev@cloudstack.apache.org
> Subject: Re: Patched 4.3.1 SystemVMs (was Re: git commit: updated refs/heads/master to 88acc9b)
>
> - user-ML
>
>> On 04-Nov-2014, at 2:52 pm, Santhosh Edukulla <sa...@citrix.com> wrote:
>>
>> There we mentioned to support only TLS1...etc through + logic
>
> I checked again, where and how is httpd.conf used?
>
> I think this file that is no longer used. I think very old systemvms were build using a base (CentOS?) linux which used the old buildsystemvm.sh script, the build scripts that we use now (that uses VirtualBox+vagrant/veewee) is the one that I made using Debian as the base distro two years ago and in that we install apache2.conf. So, if there is any file needed there it should be a fixed version of apache2.conf and not httpd.conf
>
> Regards,
> Rohit Yadav
> Software Architect, ShapeBlue
> M. +91 88 262 30892 | rohit.yadav@shapeblue.com
> Blog: bhaisaab.org | Twitter: @_bhaisaab
>
>
>
> Find out more about ShapeBlue and our range of CloudStack related services
>
> IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
> CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
> CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
> CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>
>
> This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.

Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +91 88 262 30892 | rohit.yadav@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab



Find out more about ShapeBlue and our range of CloudStack related services

IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>

This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.

Re: Patched 4.3.1 SystemVMs (was Re: git commit: updated refs/heads/master to 88acc9b)

[Rohit Yadav <ro...@shapeblue.com>]

IMO - Let’s remove httpd.conf, it’s not used anywhere; if people want they can add it later down the lane.

> On 04-Nov-2014, at 8:43 pm, Santhosh Edukulla <sa...@citrix.com> wrote:
>
> Rohit,
>
> The recent fix can solve the issue, but instead if we can use apache2.conf for these directives and remove them from http2.conf and ssl.conf, it makes usage at one place and avoids usage at different places.
>
> As well, if some body downs the lane includes httpd.conf under apache2.conf, then these references can lead to confusion.
>
> Santhosh
> ________________________________________
> From: Rohit Yadav [rohit.yadav@shapeblue.com]
> Sent: Tuesday, November 04, 2014 4:28 AM
> To: dev@cloudstack.apache.org
> Subject: Re: Patched 4.3.1 SystemVMs (was Re: git commit: updated refs/heads/master to 88acc9b)
>
> - user-ML
>
>> On 04-Nov-2014, at 2:52 pm, Santhosh Edukulla <sa...@citrix.com> wrote:
>>
>> There we mentioned to support only TLS1...etc through + logic
>
> I checked again, where and how is httpd.conf used?
>
> I think this file that is no longer used. I think very old systemvms were build using a base (CentOS?) linux which used the old buildsystemvm.sh script, the build scripts that we use now (that uses VirtualBox+vagrant/veewee) is the one that I made using Debian as the base distro two years ago and in that we install apache2.conf. So, if there is any file needed there it should be a fixed version of apache2.conf and not httpd.conf
>
> Regards,
> Rohit Yadav
> Software Architect, ShapeBlue
> M. +91 88 262 30892 | rohit.yadav@shapeblue.com
> Blog: bhaisaab.org | Twitter: @_bhaisaab
>
>
>
> Find out more about ShapeBlue and our range of CloudStack related services
>
> IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
> CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
> CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
> CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>
>
> This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.

Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +91 88 262 30892 | rohit.yadav@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab



Find out more about ShapeBlue and our range of CloudStack related services

IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>

This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.

RE: Patched 4.3.1 SystemVMs (was Re: git commit: updated refs/heads/master to 88acc9b)

[Santhosh Edukulla <sa...@citrix.com>]

Rohit,

The recent fix can solve the issue, but instead if we can use apache2.conf for these directives and remove them from http2.conf and ssl.conf, it makes usage at one place and avoids usage at different places.

As well, if some body downs the lane includes httpd.conf under apache2.conf, then these references can lead to confusion.

Santhosh
________________________________________
From: Rohit Yadav [rohit.yadav@shapeblue.com]
Sent: Tuesday, November 04, 2014 4:28 AM
To: dev@cloudstack.apache.org
Subject: Re: Patched 4.3.1 SystemVMs (was Re: git commit: updated refs/heads/master to 88acc9b)

- user-ML

> On 04-Nov-2014, at 2:52 pm, Santhosh Edukulla <sa...@citrix.com> wrote:
>
> There we mentioned to support only TLS1...etc through + logic

I checked again, where and how is httpd.conf used?

I think this file that is no longer used. I think very old systemvms were build using a base (CentOS?) linux which used the old buildsystemvm.sh script, the build scripts that we use now (that uses VirtualBox+vagrant/veewee) is the one that I made using Debian as the base distro two years ago and in that we install apache2.conf. So, if there is any file needed there it should be a fixed version of apache2.conf and not httpd.conf

Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +91 88 262 30892 | rohit.yadav@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab



Find out more about ShapeBlue and our range of CloudStack related services

IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>

This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.

Re: Patched 4.3.1 SystemVMs (was Re: git commit: updated refs/heads/master to 88acc9b)

[Rohit Yadav <ro...@shapeblue.com>]

- user-ML

> On 04-Nov-2014, at 2:52 pm, Santhosh Edukulla <sa...@citrix.com> wrote:
>
> There we mentioned to support only TLS1...etc through + logic

I checked again, where and how is httpd.conf used?

I think this file that is no longer used. I think very old systemvms were build using a base (CentOS?) linux which used the old buildsystemvm.sh script, the build scripts that we use now (that uses VirtualBox+vagrant/veewee) is the one that I made using Debian as the base distro two years ago and in that we install apache2.conf. So, if there is any file needed there it should be a fixed version of apache2.conf and not httpd.conf

Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +91 88 262 30892 | rohit.yadav@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab



Find out more about ShapeBlue and our range of CloudStack related services

IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>

This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.

Re: Patched 4.3.1 SystemVMs (was Re: git commit: updated refs/heads/master to 88acc9b)

[Rohit Yadav <ro...@shapeblue.com>]

> On 04-Nov-2014, at 2:52 pm, Santhosh Edukulla <sa...@citrix.com> wrote:
>
> As well, we may want to just revert the previous changes done to httpd.conf to keep the configuration of ciphers consistent across files.

Sure that was a mistake.

Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +91 88 262 30892 | rohit.yadav@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab



Find out more about ShapeBlue and our range of CloudStack related services

IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>

This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.

RE: Patched 4.3.1 SystemVMs (was Re: git commit: updated refs/heads/master to 88acc9b)

[Santhosh Edukulla <sa...@citrix.com>]

Rohit,

As well, we may want to just revert the previous changes done to httpd.conf to keep the configuration of ciphers consistent across files.

There we mentioned to support only TLS1...etc through + logic

Here, we are excluding few protocols from all. 

Regards
Santhosh
________________________________________
From: Rohit Yadav [rohit.yadav@shapeblue.com]
Sent: Tuesday, November 04, 2014 4:16 AM
To: dev@cloudstack.apache.org
Cc: users@cloudstack.apache.org
Subject: Re: Patched 4.3.1 SystemVMs (was Re: git commit: updated refs/heads/master to 88acc9b)

Hi Hari,

> On 04-Nov-2014, at 2:21 pm, Harikrishna Patnala <ha...@citrix.com> wrote:
>
> Regarding the configurations in httpd.conf, they don't apply to apache server running in our system vms.
>
> We need to put the configuration in “/etc/apache2/mods-enabled/ssl.conf”, if you see apache2.conf it includes ssl.conf “Include mods-enabled/*.conf" not httpd.conf.
>
> I tried using namp, it worked if we put the configuration in ssl.conf.

Yes, I figured that this morning and have fixed it for 4.3. Doing it for master/4.5 now.

Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +91 88 262 30892 | rohit.yadav@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab



Find out more about ShapeBlue and our range of CloudStack related services

IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>

This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.

RE: Patched 4.3.1 SystemVMs (was Re: git commit: updated refs/heads/master to 88acc9b)

[Santhosh Edukulla <sa...@citrix.com>]

Rohit,

As well, we may want to just revert the previous changes done to httpd.conf to keep the configuration of ciphers consistent across files.

There we mentioned to support only TLS1...etc through + logic

Here, we are excluding few protocols from all. 

Regards
Santhosh
________________________________________
From: Rohit Yadav [rohit.yadav@shapeblue.com]
Sent: Tuesday, November 04, 2014 4:16 AM
To: dev@cloudstack.apache.org
Cc: users@cloudstack.apache.org
Subject: Re: Patched 4.3.1 SystemVMs (was Re: git commit: updated refs/heads/master to 88acc9b)

Hi Hari,

> On 04-Nov-2014, at 2:21 pm, Harikrishna Patnala <ha...@citrix.com> wrote:
>
> Regarding the configurations in httpd.conf, they don't apply to apache server running in our system vms.
>
> We need to put the configuration in “/etc/apache2/mods-enabled/ssl.conf”, if you see apache2.conf it includes ssl.conf “Include mods-enabled/*.conf" not httpd.conf.
>
> I tried using namp, it worked if we put the configuration in ssl.conf.

Yes, I figured that this morning and have fixed it for 4.3. Doing it for master/4.5 now.

Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +91 88 262 30892 | rohit.yadav@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab



Find out more about ShapeBlue and our range of CloudStack related services

IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>

This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.

Re: Patched 4.3.1 SystemVMs (was Re: git commit: updated refs/heads/master to 88acc9b)

[Rohit Yadav <ro...@shapeblue.com>]

Hi Hari,

> On 04-Nov-2014, at 2:21 pm, Harikrishna Patnala <ha...@citrix.com> wrote:
>
> Regarding the configurations in httpd.conf, they don't apply to apache server running in our system vms.
>
> We need to put the configuration in “/etc/apache2/mods-enabled/ssl.conf”, if you see apache2.conf it includes ssl.conf “Include mods-enabled/*.conf" not httpd.conf.
>
> I tried using namp, it worked if we put the configuration in ssl.conf.

Yes, I figured that this morning and have fixed it for 4.3. Doing it for master/4.5 now.

Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +91 88 262 30892 | rohit.yadav@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab



Find out more about ShapeBlue and our range of CloudStack related services

IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>

This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.

Re: Patched 4.3.1 SystemVMs (was Re: git commit: updated refs/heads/master to 88acc9b)

[Rohit Yadav <ro...@shapeblue.com>]

Hi Hari,

> On 04-Nov-2014, at 2:21 pm, Harikrishna Patnala <ha...@citrix.com> wrote:
>
> Regarding the configurations in httpd.conf, they don't apply to apache server running in our system vms.
>
> We need to put the configuration in “/etc/apache2/mods-enabled/ssl.conf”, if you see apache2.conf it includes ssl.conf “Include mods-enabled/*.conf" not httpd.conf.
>
> I tried using namp, it worked if we put the configuration in ssl.conf.

Yes, I figured that this morning and have fixed it for 4.3. Doing it for master/4.5 now.

Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +91 88 262 30892 | rohit.yadav@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab



Find out more about ShapeBlue and our range of CloudStack related services

IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>

This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.

Re: Patched 4.3.1 SystemVMs (was Re: git commit: updated refs/heads/master to 88acc9b)

[Harikrishna Patnala <ha...@citrix.com>]

Regarding the configurations in httpd.conf, they don't apply to apache server running in our system vms.

We need to put the configuration in “/etc/apache2/mods-enabled/ssl.conf”, if you see apache2.conf it includes ssl.conf “Include mods-enabled/*.conf" not httpd.conf.

I tried using namp, it worked if we put the configuration in ssl.conf.

-Harikrishna

On 04-Nov-2014, at 1:49 pm, Santhosh Edukulla <sa...@citrix.com>> wrote:

1. The article is just a reference, but if we use a known security scanner the combination of ssl protocol and cipher suites used identifies these vulnerabilities on a given machine with available TLS lower versions, check for some thing like beast attack.

2. The conf file changes done will not countermeasure the sytemplate vuln issue i believe, we may still wanted to confirm that its indeed the httpd.conf which needs to be changed for apache2 as well for the particular template fix.

Regards.
Santhosh
________________________________________
From: Rohit Yadav [rohit.yadav@shapeblue.com<ma...@shapeblue.com>]
Sent: Tuesday, November 04, 2014 2:42 AM
To: dev@cloudstack.apache.org<ma...@cloudstack.apache.org>
Cc: users@cloudstack.apache.org<ma...@cloudstack.apache.org>
Subject: Re: Patched 4.3.1 SystemVMs (was Re: git commit: updated refs/heads/master to 88acc9b)

On 04-Nov-2014, at 1:02 pm, Santhosh Edukulla <sa...@citrix.com>> wrote:

2. TLSv1.2 is the latest to be used and suggested default, ssl protocol and the ciphers we use leads to vulnerability, the settings for these as well should be available in similar config file. In our code, search for TLS leads to usage at places, and assumption is that it should negotiate the protocol version from configured and available latest version to least, so if TLSv1.2 is configured on server and client supports it, then it should work.

http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118518-technote-esa-00.html

Not sure how this applies for us, we use newer openssl version in systemvm templates. This is for some Cisco appliance not related to Debian/openssl.

Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +91 88 262 30892 | rohit.yadav@shapeblue.com<ma...@shapeblue.com>
Blog: bhaisaab.org<http://bhaisaab.org> | Twitter: @_bhaisaab

Find out more about ShapeBlue and our range of CloudStack related services

IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>

This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.

Re: Patched 4.3.1 SystemVMs (was Re: git commit: updated refs/heads/master to 88acc9b)

[Harikrishna Patnala <ha...@citrix.com>]

Regarding the configurations in httpd.conf, they don't apply to apache server running in our system vms.

We need to put the configuration in “/etc/apache2/mods-enabled/ssl.conf”, if you see apache2.conf it includes ssl.conf “Include mods-enabled/*.conf" not httpd.conf.

I tried using namp, it worked if we put the configuration in ssl.conf.

-Harikrishna

On 04-Nov-2014, at 1:49 pm, Santhosh Edukulla <sa...@citrix.com>> wrote:

1. The article is just a reference, but if we use a known security scanner the combination of ssl protocol and cipher suites used identifies these vulnerabilities on a given machine with available TLS lower versions, check for some thing like beast attack.

2. The conf file changes done will not countermeasure the sytemplate vuln issue i believe, we may still wanted to confirm that its indeed the httpd.conf which needs to be changed for apache2 as well for the particular template fix.

Regards.
Santhosh
________________________________________
From: Rohit Yadav [rohit.yadav@shapeblue.com<ma...@shapeblue.com>]
Sent: Tuesday, November 04, 2014 2:42 AM
To: dev@cloudstack.apache.org<ma...@cloudstack.apache.org>
Cc: users@cloudstack.apache.org<ma...@cloudstack.apache.org>
Subject: Re: Patched 4.3.1 SystemVMs (was Re: git commit: updated refs/heads/master to 88acc9b)

On 04-Nov-2014, at 1:02 pm, Santhosh Edukulla <sa...@citrix.com>> wrote:

2. TLSv1.2 is the latest to be used and suggested default, ssl protocol and the ciphers we use leads to vulnerability, the settings for these as well should be available in similar config file. In our code, search for TLS leads to usage at places, and assumption is that it should negotiate the protocol version from configured and available latest version to least, so if TLSv1.2 is configured on server and client supports it, then it should work.

http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118518-technote-esa-00.html

Not sure how this applies for us, we use newer openssl version in systemvm templates. This is for some Cisco appliance not related to Debian/openssl.

Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +91 88 262 30892 | rohit.yadav@shapeblue.com<ma...@shapeblue.com>
Blog: bhaisaab.org<http://bhaisaab.org> | Twitter: @_bhaisaab

Find out more about ShapeBlue and our range of CloudStack related services

IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>

This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.

Re: Patched 4.3.1 SystemVMs (was Re: git commit: updated refs/heads/master to 88acc9b)

[Rohit Yadav <ro...@shapeblue.com>]

Hi,

> On 04-Nov-2014, at 1:49 pm, Santhosh Edukulla <sa...@citrix.com> wrote:
>
> 2. The conf file changes done will not countermeasure the sytemplate vuln issue i believe, we may still wanted to confirm that its indeed the httpd.conf which needs to be changed for apache2 as well for the particular template fix.

AFAIK, on SSVM apache2 runs to serve templates/iso/volumes which users download and it uses 443/https and uses a custom SSL certificate if uploaded. If SSL is not enabled then it does not apply.

In case of CPVM, the Java based agent uses an in-memory SSL keystore (that mgmt server sends it when it starts) and it implements its own Java based webservice that serves the console proxy over 443/https, again if SSL is enabled and a SSL certificate was uploaded.

In both cases, if SSL is not enabled (global settings) for SSVM/CPVM these SSL based attacks don’t apply. Other than these components, it’s the ACS mgmt server (tomcat) or the reverse-proxy/LB in front of it that needs to be fixed either in the server.xml file or in respective reverse-proxy (such as nginx) or the LB (netscaler etc). I’m only aware of these components prone to SSL attacks. If there are other areas, we should find and fix them.

Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +91 88 262 30892 | rohit.yadav@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab



Find out more about ShapeBlue and our range of CloudStack related services

IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>

This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.

Re: Patched 4.3.1 SystemVMs (was Re: git commit: updated refs/heads/master to 88acc9b)

[Rohit Yadav <ro...@shapeblue.com>]

Hi,

> On 04-Nov-2014, at 1:49 pm, Santhosh Edukulla <sa...@citrix.com> wrote:
>
> 2. The conf file changes done will not countermeasure the sytemplate vuln issue i believe, we may still wanted to confirm that its indeed the httpd.conf which needs to be changed for apache2 as well for the particular template fix.

AFAIK, on SSVM apache2 runs to serve templates/iso/volumes which users download and it uses 443/https and uses a custom SSL certificate if uploaded. If SSL is not enabled then it does not apply.

In case of CPVM, the Java based agent uses an in-memory SSL keystore (that mgmt server sends it when it starts) and it implements its own Java based webservice that serves the console proxy over 443/https, again if SSL is enabled and a SSL certificate was uploaded.

In both cases, if SSL is not enabled (global settings) for SSVM/CPVM these SSL based attacks don’t apply. Other than these components, it’s the ACS mgmt server (tomcat) or the reverse-proxy/LB in front of it that needs to be fixed either in the server.xml file or in respective reverse-proxy (such as nginx) or the LB (netscaler etc). I’m only aware of these components prone to SSL attacks. If there are other areas, we should find and fix them.

Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +91 88 262 30892 | rohit.yadav@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab



Find out more about ShapeBlue and our range of CloudStack related services

IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>

This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.

RE: Patched 4.3.1 SystemVMs (was Re: git commit: updated refs/heads/master to 88acc9b)

[Santhosh Edukulla <sa...@citrix.com>]

1. The article is just a reference, but if we use a known security scanner the combination of ssl protocol and cipher suites used identifies these vulnerabilities on a given machine with available TLS lower versions, check for some thing like beast attack.

2. The conf file changes done will not countermeasure the sytemplate vuln issue i believe, we may still wanted to confirm that its indeed the httpd.conf which needs to be changed for apache2 as well for the particular template fix.

Regards.
Santhosh
________________________________________
From: Rohit Yadav [rohit.yadav@shapeblue.com]
Sent: Tuesday, November 04, 2014 2:42 AM
To: dev@cloudstack.apache.org
Cc: users@cloudstack.apache.org
Subject: Re: Patched 4.3.1 SystemVMs (was Re: git commit: updated refs/heads/master to 88acc9b)

> On 04-Nov-2014, at 1:02 pm, Santhosh Edukulla <sa...@citrix.com> wrote:
>
> 2. TLSv1.2 is the latest to be used and suggested default, ssl protocol and the ciphers we use leads to vulnerability, the settings for these as well should be available in similar config file. In our code, search for TLS leads to usage at places, and assumption is that it should negotiate the protocol version from configured and available latest version to least, so if TLSv1.2 is configured on server and client supports it, then it should work.
>
> http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118518-technote-esa-00.html

Not sure how this applies for us, we use newer openssl version in systemvm templates. This is for some Cisco appliance not related to Debian/openssl.

Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +91 88 262 30892 | rohit.yadav@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab

Find out more about ShapeBlue and our range of CloudStack related services

IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>

This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.

RE: Patched 4.3.1 SystemVMs (was Re: git commit: updated refs/heads/master to 88acc9b)

[Santhosh Edukulla <sa...@citrix.com>]

1. The article is just a reference, but if we use a known security scanner the combination of ssl protocol and cipher suites used identifies these vulnerabilities on a given machine with available TLS lower versions, check for some thing like beast attack.

2. The conf file changes done will not countermeasure the sytemplate vuln issue i believe, we may still wanted to confirm that its indeed the httpd.conf which needs to be changed for apache2 as well for the particular template fix.

Regards.
Santhosh
________________________________________
From: Rohit Yadav [rohit.yadav@shapeblue.com]
Sent: Tuesday, November 04, 2014 2:42 AM
To: dev@cloudstack.apache.org
Cc: users@cloudstack.apache.org
Subject: Re: Patched 4.3.1 SystemVMs (was Re: git commit: updated refs/heads/master to 88acc9b)

> On 04-Nov-2014, at 1:02 pm, Santhosh Edukulla <sa...@citrix.com> wrote:
>
> 2. TLSv1.2 is the latest to be used and suggested default, ssl protocol and the ciphers we use leads to vulnerability, the settings for these as well should be available in similar config file. In our code, search for TLS leads to usage at places, and assumption is that it should negotiate the protocol version from configured and available latest version to least, so if TLSv1.2 is configured on server and client supports it, then it should work.
>
> http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118518-technote-esa-00.html

Not sure how this applies for us, we use newer openssl version in systemvm templates. This is for some Cisco appliance not related to Debian/openssl.

Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +91 88 262 30892 | rohit.yadav@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab

Find out more about ShapeBlue and our range of CloudStack related services

IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>

This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.

Re: Patched 4.3.1 SystemVMs (was Re: git commit: updated refs/heads/master to 88acc9b)

[Rohit Yadav <ro...@shapeblue.com>]

> On 04-Nov-2014, at 1:02 pm, Santhosh Edukulla <sa...@citrix.com> wrote:
>
> 2. TLSv1.2 is the latest to be used and suggested default, ssl protocol and the ciphers we use leads to vulnerability, the settings for these as well should be available in similar config file. In our code, search for TLS leads to usage at places, and assumption is that it should negotiate the protocol version from configured and available latest version to least, so if TLSv1.2 is configured on server and client supports it, then it should work.
>
> http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118518-technote-esa-00.html

Not sure how this applies for us, we use newer openssl version in systemvm templates. This is for some Cisco appliance not related to Debian/openssl.

Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +91 88 262 30892 | rohit.yadav@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab

Find out more about ShapeBlue and our range of CloudStack related services

IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>

This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.

Re: Patched 4.3.1 SystemVMs (was Re: git commit: updated refs/heads/master to 88acc9b)

[Rohit Yadav <ro...@shapeblue.com>]

> On 04-Nov-2014, at 1:02 pm, Santhosh Edukulla <sa...@citrix.com> wrote:
>
> 2. TLSv1.2 is the latest to be used and suggested default, ssl protocol and the ciphers we use leads to vulnerability, the settings for these as well should be available in similar config file. In our code, search for TLS leads to usage at places, and assumption is that it should negotiate the protocol version from configured and available latest version to least, so if TLSv1.2 is configured on server and client supports it, then it should work.
>
> http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118518-technote-esa-00.html

Not sure how this applies for us, we use newer openssl version in systemvm templates. This is for some Cisco appliance not related to Debian/openssl.

Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +91 88 262 30892 | rohit.yadav@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab

Find out more about ShapeBlue and our range of CloudStack related services

IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>

This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.

RE: Patched 4.3.1 SystemVMs (was Re: git commit: updated refs/heads/master to 88acc9b)

[Santhosh Edukulla <sa...@citrix.com>]

Hi Rohit,

1. does changing in httpd.conf reflects the setting for apache2?  Use the nmap script as suggested below to identify ssl versions on installed system vm template. Check the suggested change works or not.

http://security.stackexchange.com/questions/70733/how-do-i-use-openssl-s-client-to-test-for-absence-of-sslv3-support

2. TLSv1.2 is the latest to be used and suggested default, ssl protocol and the ciphers we use leads to vulnerability, the settings for these as well should be available in similar config file. In our code, search for TLS leads to usage at places, and assumption is that it should negotiate the protocol version from configured and available latest version to least, so if TLSv1.2 is configured on server and client supports it, then it should work. 

http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118518-technote-esa-00.html

Regards,
Santhosh
________________________________________
From: Rohit Yadav [rohit.yadav@shapeblue.com]
Sent: Tuesday, November 04, 2014 2:04 AM
To: dev@cloudstack.apache.org
Cc: users@cloudstack.apache.org
Subject: Patched 4.3.1 SystemVMs (was Re: git commit: updated refs/heads/master to 88acc9b)

Hi again,

> On 04-Nov-2014, at 6:01 am, Santhosh Edukulla <sa...@citrix.com> wrote:
>
> Apart from SSLv3, we may want to disable TLS1.0, TLS1.1, as they have similar vulnerabilities.

If we don’t support TLS v1.0, it will break console proxy on IE etc. Further, what vulnerabilities do TLS v1.0 and v1.1 have?

Here’s the tool to check POODLE vulnerability on your servers: http://packages.shapeblue.com/tools/poodle-checker.sh (taken from RedHat)

Patched systemvm template for 4.3.1 that fixes for ShellShock and POODLE:
http://packages.shapeblue.com/systemvmtemplate/4.3/4.3.1

Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +91 88 262 30892 | rohit.yadav@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab

Find out more about ShapeBlue and our range of CloudStack related services

IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>

This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.

RE: Patched 4.3.1 SystemVMs (was Re: git commit: updated refs/heads/master to 88acc9b)

[Santhosh Edukulla <sa...@citrix.com>]

Hi Rohit,

1. does changing in httpd.conf reflects the setting for apache2?  Use the nmap script as suggested below to identify ssl versions on installed system vm template. Check the suggested change works or not.

http://security.stackexchange.com/questions/70733/how-do-i-use-openssl-s-client-to-test-for-absence-of-sslv3-support

2. TLSv1.2 is the latest to be used and suggested default, ssl protocol and the ciphers we use leads to vulnerability, the settings for these as well should be available in similar config file. In our code, search for TLS leads to usage at places, and assumption is that it should negotiate the protocol version from configured and available latest version to least, so if TLSv1.2 is configured on server and client supports it, then it should work. 

http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118518-technote-esa-00.html

Regards,
Santhosh
________________________________________
From: Rohit Yadav [rohit.yadav@shapeblue.com]
Sent: Tuesday, November 04, 2014 2:04 AM
To: dev@cloudstack.apache.org
Cc: users@cloudstack.apache.org
Subject: Patched 4.3.1 SystemVMs (was Re: git commit: updated refs/heads/master to 88acc9b)

Hi again,

> On 04-Nov-2014, at 6:01 am, Santhosh Edukulla <sa...@citrix.com> wrote:
>
> Apart from SSLv3, we may want to disable TLS1.0, TLS1.1, as they have similar vulnerabilities.

If we don’t support TLS v1.0, it will break console proxy on IE etc. Further, what vulnerabilities do TLS v1.0 and v1.1 have?

Here’s the tool to check POODLE vulnerability on your servers: http://packages.shapeblue.com/tools/poodle-checker.sh (taken from RedHat)

Patched systemvm template for 4.3.1 that fixes for ShellShock and POODLE:
http://packages.shapeblue.com/systemvmtemplate/4.3/4.3.1

Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +91 88 262 30892 | rohit.yadav@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab

Find out more about ShapeBlue and our range of CloudStack related services

IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>

This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.