You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@cloudstack.apache.org by Nux! <nu...@li.nux.ro> on 2015/03/09 19:23:17 UTC
Disable ciphers in Console VM's Java server #FREAK
Hello,
Can anyone advise how to disable SSLv2, SSLv3, TLSv1 and various ciphers in the Java process which serves CPVM:443 ?
The CPVM is currently affected by the FREAK issue, we'd like to fix that.
--
Sent from the Delta quadrant using Borg technology!
Nux!
www.nux.ro
Re: Disable ciphers in Console VM's Java server #FREAK
Posted by Nux! <nu...@li.nux.ro>.
Thanks Ilya,
I'll have a go at it.
--
Sent from the Delta quadrant using Borg technology!
Nux!
www.nux.ro
----- Original Message -----
> From: "ilya musayev" <il...@gmail.com>
> To: dev@cloudstack.apache.org
> Sent: Monday, 9 March, 2015 21:33:08
> Subject: Re: Disable ciphers in Console VM's Java server #FREAK
> OpenJDK 1.7 is a requirement for this to work.
>
> On 3/9/15 2:31 PM, ilya musayev wrote:
>> This might be relevant, ways to disable weak ciphers for port 8250,
>> i'm under impression same can be done for all java related processes.
>> This came from Citrix security team sometime in August, when we
>> reached and mentioned that 8250 exposes weak ciphers as per internal
>> audit.
>>
>> ------------
>>
>> Who Should apply this workaround?
>>
>> This workaround is to make SSL Ciphers stronger than 128 bits. This
>> workaround is for customers running Citrix CloudPlatform version 3.x
>> and above. Apply this workaround on all the CloudPlatform 3.x and
>> above Management Servers.
>>
>>
>> Package Name
>>
>> NA
>>
>> Issues Resolved In This Hotfix
>>
>> This workaround resolves the following issue:
>> CS-17504: Weak SSL ciphers supported by the management server
>>
>>
>> Installing the Hotfix
>>
>> Use the following steps to for the workaround. As with any software
>> update, please back up your data before applying this workaround.
>>
>> 1. Stop the Management Server:# service cloudstack-management stop.
>>
>> 2. First Backup and then Modify java.security file at following
>> location (You may have different location based on your Java version),
>> if you are unsure, do a “find / -name java.security” to get the exact
>> location): #
>>
>> cp
>> /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.51.x86_64/jre/lib/security/java.security
>> java.security.backup
>>
>> /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.51.x86_64/jre/lib/security/java.security
>>
>>
>> 3. Make following changes to java.security:#
>>
>> #Start of Edit
>>
>> #Following are the default settings, needs to be commented.
>> #jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
>>
>> #Following needs to be added
>> jdk.tls.disabledAlgorithms=DH keySize < 128, RSA keySize < 128, DES
>> keySize < 128, SHA1 keySize < 128, MD5 keySize < 128, RC4 keySize < 128
>>
>> # End of edit
>>
>> 4. Start the Management Server: # service cloudstack-management start.
>>
>>
>> Log in to the CloudPlatform UI as administrator, and check the status
>> of the hosts. All hosts should come to Up state (except those that you
>> know to be offline). You may need to wait 20 or 30 minutes, depending
>> on the number of hosts.
>>
>> Troubleshooting: If login fails, clear your browser cache and reload
>> the page.
>>
>>
>>
>>
>>
>> On 3/9/15 11:23 AM, Nux! wrote:
>>> Hello,
>>>
>>> Can anyone advise how to disable SSLv2, SSLv3, TLSv1 and various
>>> ciphers in the Java process which serves CPVM:443 ?
>>>
>>> The CPVM is currently affected by the FREAK issue, we'd like to fix
>>> that.
>>>
>>> --
>>> Sent from the Delta quadrant using Borg technology!
>>>
>>> Nux!
>>> www.nux.ro
Re: Disable ciphers in Console VM's Java server #FREAK
Posted by ilya musayev <il...@gmail.com>.
OpenJDK 1.7 is a requirement for this to work.
On 3/9/15 2:31 PM, ilya musayev wrote:
> This might be relevant, ways to disable weak ciphers for port 8250,
> i'm under impression same can be done for all java related processes.
> This came from Citrix security team sometime in August, when we
> reached and mentioned that 8250 exposes weak ciphers as per internal
> audit.
>
> ------------
>
> Who Should apply this workaround?
>
> This workaround is to make SSL Ciphers stronger than 128 bits. This
> workaround is for customers running Citrix CloudPlatform version 3.x
> and above. Apply this workaround on all the CloudPlatform 3.x and
> above Management Servers.
>
>
> Package Name
>
> NA
>
> Issues Resolved In This Hotfix
>
> This workaround resolves the following issue:
> CS-17504: Weak SSL ciphers supported by the management server
>
>
> Installing the Hotfix
>
> Use the following steps to for the workaround. As with any software
> update, please back up your data before applying this workaround.
>
> 1. Stop the Management Server:# service cloudstack-management stop.
>
> 2. First Backup and then Modify java.security file at following
> location (You may have different location based on your Java version),
> if you are unsure, do a “find / -name java.security” to get the exact
> location): #
>
> cp
> /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.51.x86_64/jre/lib/security/java.security
> java.security.backup
>
> /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.51.x86_64/jre/lib/security/java.security
>
>
> 3. Make following changes to java.security:#
>
> #Start of Edit
>
> #Following are the default settings, needs to be commented.
> #jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
>
> #Following needs to be added
> jdk.tls.disabledAlgorithms=DH keySize < 128, RSA keySize < 128, DES
> keySize < 128, SHA1 keySize < 128, MD5 keySize < 128, RC4 keySize < 128
>
> # End of edit
>
> 4. Start the Management Server: # service cloudstack-management start.
>
>
> Log in to the CloudPlatform UI as administrator, and check the status
> of the hosts. All hosts should come to Up state (except those that you
> know to be offline). You may need to wait 20 or 30 minutes, depending
> on the number of hosts.
>
> Troubleshooting: If login fails, clear your browser cache and reload
> the page.
>
>
>
>
>
> On 3/9/15 11:23 AM, Nux! wrote:
>> Hello,
>>
>> Can anyone advise how to disable SSLv2, SSLv3, TLSv1 and various
>> ciphers in the Java process which serves CPVM:443 ?
>>
>> The CPVM is currently affected by the FREAK issue, we'd like to fix
>> that.
>>
>> --
>> Sent from the Delta quadrant using Borg technology!
>>
>> Nux!
>> www.nux.ro
>
Re: Disable ciphers in Console VM's Java server #FREAK
Posted by ilya musayev <il...@gmail.com>.
This might be relevant, ways to disable weak ciphers for port 8250, i'm
under impression same can be done for all java related processes. This
came from Citrix security team sometime in August, when we reached and
mentioned that 8250 exposes weak ciphers as per internal audit.
------------
Who Should apply this workaround?
This workaround is to make SSL Ciphers stronger than 128 bits. This
workaround is for customers running Citrix CloudPlatform version 3.x and
above. Apply this workaround on all the CloudPlatform 3.x and above
Management Servers.
Package Name
NA
Issues Resolved In This Hotfix
This workaround resolves the following issue:
CS-17504: Weak SSL ciphers supported by the management server
Installing the Hotfix
Use the following steps to for the workaround. As with any software
update, please back up your data before applying this workaround.
1. Stop the Management Server:# service cloudstack-management stop.
2. First Backup and then Modify java.security file at following
location (You may have different location based on your Java version),
if you are unsure, do a “find / -name java.security” to get the exact
location): #
cp
/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.51.x86_64/jre/lib/security/java.security
java.security.backup
/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.51.x86_64/jre/lib/security/java.security
3. Make following changes to java.security:#
#Start of Edit
#Following are the default settings, needs to be commented.
#jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
#Following needs to be added
jdk.tls.disabledAlgorithms=DH keySize < 128, RSA keySize < 128, DES
keySize < 128, SHA1 keySize < 128, MD5 keySize < 128, RC4 keySize < 128
# End of edit
4. Start the Management Server: # service cloudstack-management start.
Log in to the CloudPlatform UI as administrator, and check the status of
the hosts. All hosts should come to Up state (except those that you know
to be offline). You may need to wait 20 or 30 minutes, depending on the
number of hosts.
Troubleshooting: If login fails, clear your browser cache and reload the
page.
On 3/9/15 11:23 AM, Nux! wrote:
> Hello,
>
> Can anyone advise how to disable SSLv2, SSLv3, TLSv1 and various ciphers in the Java process which serves CPVM:443 ?
>
> The CPVM is currently affected by the FREAK issue, we'd like to fix that.
>
> --
> Sent from the Delta quadrant using Borg technology!
>
> Nux!
> www.nux.ro