Posted to users@cloudstack.apache.org by Vivek Kumar <vi...@indiqus.com.INVALID> on 2024/04/29 09:57:15 UTC

SSL Medium Strength Cipher Suites Supported | port 8250 on Management servers

Hello Folks,

Our security team has highlighted that services running on port 8250 support the use of SSL ciphers that offer medium strength encryption. Nessus regards medium strength as any encryption that uses key lengths of at least 64 bits and less than 112 bits.

It is considerably easier to circumvent medium strength encryption if the attacker is on the same physical network.


Our security team has recommended reconfiguring the affected application, if possible, to avoid the use of medium strength ciphers. So should we do something about it or not?




Vivek Kumar
Sr. Manager - Cloud & DevOps
TechOps | Indiqus Technologies

vivek.kumar@indiqus.com <ma...@indiqus.com>
	www.indiqus.com <https://www.indiqus.com/>





-- 
This message is intended only for the use of the individual or entity to 
which it is addressed and may contain confidential and/or privileged 
information. If you are not the intended recipient, please delete the 
original message and any copy of it from your computer system. You are 
hereby notified that any dissemination, distribution or copying of this 
communication is strictly prohibited unless proper authorization has been 
obtained for such action. If you have received this communication in error, 
please notify the sender immediately. Although IndiQus attempts to sweep 
e-mail and attachments for viruses, it does not guarantee that both are 
virus-free and accepts no liability for any damage sustained as a result of 
viruses.

Re: SSL Medium Strength Cipher Suites Supported | port 8250 on Management servers

Posted by Rohit Yadav <ro...@shapeblue.com>.
Hi Vivek,

I think you can tune the following global settings to regenerate CloudStack's root-ca certificates with the chosen cipher/algorithm and key size (depending on whether the ACS version has the CA framework):

ca.framework.cert.signature.algorithm
ca.framework.cert.keysize

(for an already deployed CloudStack env, after changing this you may need to delete the old root-ca keypair for this to regenerate new server certificates and CA certificate, by removing the configurations found by: `select * from configuration where name like 'ca.plugin.root%' and category='Hidden'\G;`; and then restarting management servers one by one).

Alternatively, you can also test and disable the cipher algorithms that you don't want via /etc/cloudstack/management/java.security.ciphers. And of course, you want to test and validate these in a test environment before applying them in production (and take DB backups just in case).


Regards.
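As an added example for this thread (not code from the thread or from the CloudStack project): a small Python audit script that probes a server port with each pre-TLS 1.3 suite the local OpenSSL build can offer, records which ones the server actually negotiates, and buckets the accepted suites using the 64-to-112-bit band quoted in the original report. The hostname under `__main__` is a placeholder and `SAMPLE_SCAN_ENTRIES` is constructed data. Note that OpenSSL reports 3DES suites as 112 bits, so they fall just outside that numeric band; if the scanner report lists them, pass their names via `extra_medium_names` so they are flagged as well. Running this against a test management server before and after editing java.security.ciphers or regenerating the root CA confirms whether the change actually removed the suites.

```python
"""
Audit which TLS cipher suites a server port accepts and bucket them by key
strength, using the definition quoted in the thread: medium strength means a
key length of at least 64 bits and less than 112 bits.

Added example; not CloudStack project code. Host/port under __main__ are
placeholders, SAMPLE_SCAN_ENTRIES is constructed data.
"""
import socket
import ssl

MEDIUM_MIN_BITS = 64   # inclusive, per the scanner definition in the report
MEDIUM_MAX_BITS = 112  # exclusive

# Constructed entries shaped like ssl.SSLContext.get_ciphers() output,
# reduced to the two keys the classifier needs. Not real scan output.
SAMPLE_SCAN_ENTRIES = [
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "strength_bits": 256},
    {"name": "DES-CBC3-SHA", "strength_bits": 112},
    {"name": "EXP-RC4-MD5", "strength_bits": 40},
    {"name": "CONSTRUCTED-80BIT-SUITE", "strength_bits": 80},
]


def classify(strength_bits, name="", extra_medium_names=frozenset()):
    """Bucket one suite as 'weak' (< 64 bits), 'medium' (64..111 bits, or a
    name the scanner report listed explicitly), or 'strong' (>= 112 bits)."""
    if name in extra_medium_names:
        return "medium"
    if strength_bits < MEDIUM_MIN_BITS:
        return "weak"
    if strength_bits < MEDIUM_MAX_BITS:
        return "medium"
    return "strong"


def summarize(cipher_entries, extra_medium_names=frozenset()):
    """Group suite names by bucket, preserving input order within a bucket."""
    buckets = {"weak": [], "medium": [], "strong": []}
    for entry in cipher_entries:
        bucket = classify(entry["strength_bits"], entry["name"], extra_medium_names)
        buckets[bucket].append(entry["name"])
    return buckets


def _set_ciphers_for_audit(ctx, cipher_string):
    """Offer legacy suites too: @SECLEVEL=0 lifts OpenSSL's client-side
    security level so suites like 3DES can even be proposed. Falls back to
    the plain string on builds that do not understand @SECLEVEL."""
    try:
        ctx.set_ciphers(cipher_string + ":@SECLEVEL=0")
    except ssl.SSLError:
        ctx.set_ciphers(cipher_string)


def candidate_suites():
    """Every pre-TLS 1.3 suite the local OpenSSL can offer. TLS 1.3 suites are
    excluded because set_ciphers() cannot restrict them one at a time."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    _set_ciphers_for_audit(ctx, "ALL:COMPLEMENTOFALL")
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def server_accepts(host, port, cipher_name, timeout=5.0):
    """One TLS 1.2-or-lower handshake offering only `cipher_name`.
    Returns True only when the server negotiates exactly that suite."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    # This audit is about cipher negotiation, not identity: port 8250 serves
    # a certificate from CloudStack's own internal CA, so certificate
    # verification is skipped here rather than failing before a suite is chosen.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        _set_ciphers_for_audit(ctx, cipher_name)
    except ssl.SSLError:
        return False  # local OpenSSL refuses to offer this suite at all
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0] == cipher_name
    except (ssl.SSLError, OSError):
        return False


def audit(host, port, extra_medium_names=frozenset()):
    """Probe every candidate suite and return the bucketed accepted suites."""
    accepted = [c for c in candidate_suites() if server_accepts(host, port, c["name"])]
    return summarize(accepted, extra_medium_names)


if __name__ == "__main__":
    # Placeholder target: point this at a management server in a test environment.
    report = audit("mgmt-server.example.invalid", 8250,
                   extra_medium_names={"DES-CBC3-SHA", "ECDHE-RSA-DES-CBC3-SHA"})
    for bucket in ("weak", "medium", "strong"):
        print(f"{bucket}: {', '.join(report[bucket]) or '(none)'}")
```

Everything that lands in the "medium" or "weak" buckets is what the report is complaining about; after the java.security.ciphers change (or a root-CA regeneration with the new key size) the same run should leave those two buckets empty.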


