Posted to commits@cloudstack.apache.org by GitBox <gi...@apache.org> on 2022/08/01 02:08:38 UTC

[GitHub] [cloudstack] fermosan opened a new pull request, #6594: JDK Disabled Algorithms update

fermosan opened a new pull request, #6594:
URL: https://github.com/apache/cloudstack/pull/6594

   ### Description
   
   An update for JDK disabled algorithms to improve the security posture of the CloudStack Management Portal.
   The selection of the disabled algorithms is the current "standard", and it will break clients that are not supported anymore:
   
   - Internet Explorer 11
   - Safari 6
   - Safari 7
   - Safari 8
   
   
   ### Types of changes
   
   - [ ] Breaking change (fix or feature that would cause existing functionality to change)
   - [ ] New feature (non-breaking change which adds functionality)
   - [X] Bug fix (non-breaking change which fixes an issue)
   - [ ] Enhancement (improves an existing feature and functionality)
   - [ ] Cleanup (Code refactoring and cleanup, that may add test cases)
   
   ### Feature/Enhancement Scale or Bug Severity
   
   #### Feature/Enhancement Scale
   
   - [ ] Major
   - [X] Minor
   
   #### Bug Severity
   
   - [ ] BLOCKER
   - [ ] Critical
   - [ ] Major
   - [X] Minor
   - [ ] Trivial
   
   
   ### Screenshots (if appropriate):
   
   
   ### How Has This Been Tested?
   Our production environment (KVM, Ubuntu 20.04) has been running on these changes for some time now.
   
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [cloudstack] rohityadavcloud commented on pull request #6594: JDK Disabled Algorithms update

Posted by GitBox <gi...@apache.org>.
rohityadavcloud commented on PR #6594:
URL: https://github.com/apache/cloudstack/pull/6594#issuecomment-1217692002

   @blueorangutan test




[GitHub] [cloudstack] blueorangutan commented on pull request #6594: JDK Disabled Algorithms update

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #6594:
URL: https://github.com/apache/cloudstack/pull/6594#issuecomment-1206360910

   @rohityadavcloud a Jenkins job has been kicked to build packages. It will be bundled with  KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.




[GitHub] [cloudstack] blueorangutan commented on pull request #6594: JDK Disabled Algorithms update

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #6594:
URL: https://github.com/apache/cloudstack/pull/6594#issuecomment-1253232292

   <b>Trillian test result (tid-4938)</b>
   Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
   Total time taken: 42631 seconds
   Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr6594-t4938-kvm-centos7.zip
   Smoke tests completed. 102 look OK, 1 have errors, 0 did not run
   Only failed and skipped tests results shown below:
   
   
   Test | Result | Time (s) | Test File
   --- | --- | --- | ---
   test_08_upgrade_kubernetes_ha_cluster | `Failure` | 628.68 | test_kubernetes_clusters.py
   




[GitHub] [cloudstack] blueorangutan commented on pull request #6594: JDK Disabled Algorithms update

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #6594:
URL: https://github.com/apache/cloudstack/pull/6594#issuecomment-1252471661

   Packaging result: :heavy_check_mark: el7 :heavy_check_mark: el8 :heavy_check_mark: debian :heavy_check_mark: suse15. SL-JID 4224




[GitHub] [cloudstack] blueorangutan commented on pull request #6594: JDK Disabled Algorithms update

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #6594:
URL: https://github.com/apache/cloudstack/pull/6594#issuecomment-1206391677

   Packaging result: :heavy_check_mark: el7 :heavy_check_mark: el8 :heavy_check_mark: debian :heavy_check_mark: suse15. SL-JID 3919




[GitHub] [cloudstack] fermosan commented on a diff in pull request #6594: JDK Disabled Algorithms update

Posted by GitBox <gi...@apache.org>.
fermosan commented on code in PR #6594:
URL: https://github.com/apache/cloudstack/pull/6594#discussion_r939013386


##########
client/conf/java.security.ciphers.in:
##########
@@ -15,4 +15,21 @@
 # specific language governing permissions and limitations
 # under the License.
 
-jdk.tls.disabledAlgorithms=SSLv2Hello, SSLv3, DH keySize < 128, RSA keySize < 128, DES keySize < 128, SHA1 keySize < 128, MD5 keySize < 128, RC4
+jdk.tls.disabledAlgorithms=SSLv3,TLSv1.0, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 2048, EC keySize < 224, \
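Review bot: On the added line, `TLSv1.0` is not a JSSE protocol name; the JDK calls the TLS 1.0 protocol `TLSv1` (the name used by `SSLContext.getInstance` and by the JDK's own shipped `jdk.tls.disabledAlgorithms` value), and disabled-algorithm entries are matched by name, so as written this entry leaves TLS 1.0 enabled unless the running JDK's built-in default already disables it. Suggest `jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, ...`. The same line also drops `SSLv2Hello`, which the removed line disabled; if that is intentional it should be mentioned in the PR description, otherwise keep it in the list.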

Review Comment:
   I tested it only against KVM (Ubuntu 20.04). I could try to install one or two hypervisors and test it, but what is the point? All supported hypervisors must be tested to make sure the change is OK.
   
   Is it possible to use different definitions per type of service?
   For example, have one definition for the management server login portal and one for all the other backend communications. The big issue is the outside connections from users to the UI and/or APIs, not the hypervisor communication.
   



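As an added example (not code from this PR or from CloudStack), the following standalone Java program shows the two mechanisms the comment above is contrasting: `jdk.tls.disabledAlgorithms` is a JVM-wide security property, so one value governs every TLS endpoint the management server opens, hypervisor and agent connections included, whereas narrowing a single listener (a stricter protocol and suite list for the UI/API listener only) is done on that listener's `SSLParameters`. The policy string, the suite list and the class name are constructed for this example; it sets the property programmatically instead of through `java.security.ciphers.in` so that it runs on its own, uses the JSSE name `TLSv1` for TLS 1.0, and assumes a JDK 11 or newer with TLS 1.3 support.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;

/**
 * Added example, not CloudStack code: apply a jdk.tls.disabledAlgorithms
 * policy, report what the JVM actually leaves enabled, then tighten one
 * listener further with SSLParameters. Policy string and suite list are
 * constructed for this example.
 */
public class TlsPolicyCheck {

    // Constructed policy modelled on the PR's value plus the JDK's own default
    // entries; note "TLSv1", the JSSE name for TLS 1.0 ("TLSv1.0" matches nothing).
    static final String POLICY =
        "SSLv2Hello, SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, "
        + "DH keySize < 2048, EC keySize < 224, 3DES_EDE_CBC, anon, NULL";

    /** Must run before the first SSLContext is initialised in this JVM;
     *  the property is process-wide, not per connector or per service. */
    static void applyPolicy() {
        Security.setProperty("jdk.tls.disabledAlgorithms", POLICY);
    }

    /** Protocols a default SSLContext would negotiate under the policy. */
    static List<String> enabledProtocols() throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        return Arrays.asList(ctx.getDefaultSSLParameters().getProtocols());
    }

    /** Per-listener tightening: the UI/API listener is restricted to TLS 1.2+
     *  and a fixed suite list without touching the JVM-wide policy that the
     *  hypervisor and agent connections share. */
    static SSLParameters uiListenerParameters(SSLContext ctx) {
        SSLParameters p = ctx.getDefaultSSLParameters();
        p.setProtocols(new String[] {"TLSv1.3", "TLSv1.2"});
        p.setCipherSuites(new String[] {
            "TLS_AES_256_GCM_SHA384",
            "TLS_AES_128_GCM_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"});
        p.setUseCipherSuitesOrder(true); // server-side preference order wins
        return p;
    }

    public static void main(String[] args) throws Exception {
        applyPolicy();
        SSLContext ctx = SSLContext.getDefault();
        System.out.println("Supported by this JDK : "
            + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
        System.out.println("Enabled under policy  : " + enabledProtocols());

        // Bind an ephemeral port only to show where the per-listener
        // parameters are applied; no handshake happens, so no keystore is needed.
        try (SSLServerSocket srv = (SSLServerSocket)
                 ctx.getServerSocketFactory().createServerSocket(0)) {
            srv.setSSLParameters(uiListenerParameters(ctx));
            System.out.println("UI listener protocols : "
                + Arrays.toString(srv.getEnabledProtocols()));
        }
    }
}
```

Run it with `java TlsPolicyCheck.java` on JDK 11 or newer. The "Enabled under policy" line is the quickest check of whether an entry in the property actually matched, because a protocol that was disabled no longer appears there; comparing it with the "Supported by this JDK" line shows exactly what the policy removed.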


[GitHub] [cloudstack] blueorangutan commented on pull request #6594: JDK Disabled Algorithms update

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #6594:
URL: https://github.com/apache/cloudstack/pull/6594#issuecomment-1207152200

   <b>Trillian test result (tid-4628)</b>
   Environment: xenserver-71 (x2), Advanced Networking with Mgmt server 7
   Total time taken: 38695 seconds
   Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr6594-t4628-xenserver-71.zip
   Smoke tests completed. 100 look OK, 1 have errors
   Only failed tests results shown below:
   
   
   Test | Result | Time (s) | Test File
   --- | --- | --- | ---
   test_08_upgrade_kubernetes_ha_cluster | `Failure` | 629.19 | test_kubernetes_clusters.py
   




[GitHub] [cloudstack] blueorangutan commented on pull request #6594: JDK Disabled Algorithms update

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #6594:
URL: https://github.com/apache/cloudstack/pull/6594#issuecomment-1218458210

   <b>Trillian test result (tid-4716)</b>
   Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
   Total time taken: 40824 seconds
   Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr6594-t4716-kvm-centos7.zip
   Smoke tests completed. 100 look OK, 1 have errors
   Only failed tests results shown below:
   
   
   Test | Result | Time (s) | Test File
   --- | --- | --- | ---
   test_02_upgrade_kubernetes_cluster | `Failure` | 513.35 | test_kubernetes_clusters.py
   




[GitHub] [cloudstack] rohityadavcloud commented on pull request #6594: JDK Disabled Algorithms update

Posted by "rohityadavcloud (via GitHub)" <gi...@apache.org>.
rohityadavcloud commented on PR #6594:
URL: https://github.com/apache/cloudstack/pull/6594#issuecomment-1514259139

   @fermosan I think making these the default could cause concerns for some users; could you instead propose this as a documentation PR to https://github.com/apache/cloudstack-documentation




[GitHub] [cloudstack] blueorangutan commented on pull request #6594: JDK Disabled Algorithms update

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #6594:
URL: https://github.com/apache/cloudstack/pull/6594#issuecomment-1207158950

   <b>Trillian test result (tid-4630)</b>
   Environment: vmware-65u2 (x2), Advanced Networking with Mgmt server 7
   Total time taken: 41882 seconds
   Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr6594-t4630-vmware-65u2.zip
   Smoke tests completed. 101 look OK, 0 have errors
   Only failed tests results shown below:
   
   
   Test | Result | Time (s) | Test File
   --- | --- | --- | ---
   




[GitHub] [cloudstack] blueorangutan commented on pull request #6594: JDK Disabled Algorithms update

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #6594:
URL: https://github.com/apache/cloudstack/pull/6594#issuecomment-1252401249

   @DaanHoogland a Jenkins job has been kicked to build packages. It will be bundled with  KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.




[GitHub] [cloudstack] rohityadavcloud closed pull request #6594: JDK Disabled Algorithms update

Posted by "rohityadavcloud (via GitHub)" <gi...@apache.org>.
rohityadavcloud closed pull request #6594: JDK Disabled Algorithms update
URL: https://github.com/apache/cloudstack/pull/6594




[GitHub] [cloudstack] rohityadavcloud commented on pull request #6594: JDK Disabled Algorithms update

Posted by GitBox <gi...@apache.org>.
rohityadavcloud commented on PR #6594:
URL: https://github.com/apache/cloudstack/pull/6594#issuecomment-1206360378

   @blueorangutan package




[GitHub] [cloudstack] blueorangutan commented on pull request #6594: JDK Disabled Algorithms update

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #6594:
URL: https://github.com/apache/cloudstack/pull/6594#issuecomment-1206735044

   @rohityadavcloud a Trillian-Jenkins matrix job (centos7 mgmt + xs71, centos7 mgmt + vmware65, centos7 mgmt + kvmcentos7) has been kicked to run smoke tests




[GitHub] [cloudstack] blueorangutan commented on pull request #6594: JDK Disabled Algorithms update

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #6594:
URL: https://github.com/apache/cloudstack/pull/6594#issuecomment-1252682649

   @DaanHoogland a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests




[GitHub] [cloudstack] rohityadavcloud commented on a diff in pull request #6594: JDK Disabled Algorithms update

Posted by GitBox <gi...@apache.org>.
rohityadavcloud commented on code in PR #6594:
URL: https://github.com/apache/cloudstack/pull/6594#discussion_r938736857


##########
client/conf/java.security.ciphers.in:
##########
@@ -15,4 +15,21 @@
 # specific language governing permissions and limitations
 # under the License.
 
-jdk.tls.disabledAlgorithms=SSLv2Hello, SSLv3, DH keySize < 128, RSA keySize < 128, DES keySize < 128, SHA1 keySize < 128, MD5 keySize < 128, RC4
+jdk.tls.disabledAlgorithms=SSLv3,TLSv1.0, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 2048, EC keySize < 224, \
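Review bot: The value continues past the added line (trailing `\`, and the header shows the file growing from 4 to 21 lines), so the entries that decide cipher-suite behaviour are not in this excerpt and the whole value has to be read before judging what breaks. Of what is visible, `DH keySize < 2048` is stricter than the JDK's shipped default of `DH keySize < 1024`, and that is the entry that would reject any peer still negotiating 1024-bit finite-field DH, which is the hypervisor concern raised below; since the PR description only lists old browsers, a comment in `java.security.ciphers.in` (or the description) should state that the property is JVM-wide and also applies to hypervisor and agent connections. Style: `SSLv3,TLSv1.0` lacks the space after the comma that the rest of the list uses.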

Review Comment:
   Chances are this could break support for several older/supported hypervisors; can you share what you've tested with these changes @fermosan?





[GitHub] [cloudstack] DaanHoogland commented on pull request #6594: JDK Disabled Algorithms update

Posted by GitBox <gi...@apache.org>.
DaanHoogland commented on PR #6594:
URL: https://github.com/apache/cloudstack/pull/6594#issuecomment-1252682283

   @blueorangutan test




[GitHub] [cloudstack] DaanHoogland commented on pull request #6594: JDK Disabled Algorithms update

Posted by GitBox <gi...@apache.org>.
DaanHoogland commented on PR #6594:
URL: https://github.com/apache/cloudstack/pull/6594#issuecomment-1252400573

   @blueorangutan package




[GitHub] [cloudstack] blueorangutan commented on pull request #6594: JDK Disabled Algorithms update

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #6594:
URL: https://github.com/apache/cloudstack/pull/6594#issuecomment-1217693145

   @rohityadavcloud a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests




[GitHub] [cloudstack] codecov[bot] commented on pull request #6594: JDK Disabled Algorithms update

Posted by GitBox <gi...@apache.org>.
codecov[bot] commented on PR #6594:
URL: https://github.com/apache/cloudstack/pull/6594#issuecomment-1252332073

   # [Codecov](https://codecov.io/gh/apache/cloudstack/pull/6594?src=pr&el=h1&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) Report
   > Merging [#6594](https://codecov.io/gh/apache/cloudstack/pull/6594?src=pr&el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) (aa21b6f) into [main](https://codecov.io/gh/apache/cloudstack/commit/bbc126057674a6cda047c2ea941d09af5c0e14a6?el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) (bbc1260) will **increase** coverage by `0.00%`.
   > The diff coverage is `n/a`.
   
   ```diff
   @@            Coverage Diff            @@
   ##               main    #6594   +/-   ##
   =========================================
     Coverage     10.42%   10.42%           
   - Complexity     6701     6703    +2     
   =========================================
     Files          2458     2458           
     Lines        243246   243246           
     Branches      38067    38067           
   =========================================
   + Hits          25358    25362    +4     
   + Misses       214714   214709    -5     
   - Partials       3174     3175    +1     
   ```
   
   
   | [Impacted Files](https://codecov.io/gh/apache/cloudstack/pull/6594?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) | Coverage Δ | |
   |---|---|---|
   | [...dstack/network/contrail/model/ModelObjectBase.java](https://codecov.io/gh/apache/cloudstack/pull/6594/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-cGx1Z2lucy9uZXR3b3JrLWVsZW1lbnRzL2p1bmlwZXItY29udHJhaWwvc3JjL21haW4vamF2YS9vcmcvYXBhY2hlL2Nsb3Vkc3RhY2svbmV0d29yay9jb250cmFpbC9tb2RlbC9Nb2RlbE9iamVjdEJhc2UuamF2YQ==) | `28.84% <0.00%> (+7.69%)` | :arrow_up: |
   
   




[GitHub] [cloudstack] rohityadavcloud commented on pull request #6594: JDK Disabled Algorithms update

Posted by GitBox <gi...@apache.org>.
rohityadavcloud commented on PR #6594:
URL: https://github.com/apache/cloudstack/pull/6594#issuecomment-1206734060

   @blueorangutan test matrix 




[GitHub] [cloudstack] blueorangutan commented on pull request #6594: JDK Disabled Algorithms update

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #6594:
URL: https://github.com/apache/cloudstack/pull/6594#issuecomment-1206747386

   <b>Trillian Build Failed (tid-4629)</b>




[GitHub] [cloudstack] rohityadavcloud commented on pull request #6594: JDK Disabled Algorithms update

Posted by "rohityadavcloud (via GitHub)" <gi...@apache.org>.
rohityadavcloud commented on PR #6594:
URL: https://github.com/apache/cloudstack/pull/6594#issuecomment-1514264158

   Closing on the above remark; let's better describe this in our project docs. Thanks for the PR.

