You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@cloudstack.apache.org by Rohit Yadav <ro...@shapeblue.com> on 2016/12/02 06:17:13 UTC
[DISCUSS] Bountycastle upgrade
All,
I've sent a PR that will upgrade bountycastle dependency to the latest version [1]. In terms of security, an upgrade is necessary though it would also require for users (who are upgrading to 4.9.1.0, 4.10.0.0 or later) to destroy old systemvms such as CPVM and SSVM so the agents that will be started in new system vms will use the same dependency jar (version/release) and use the same cipher suites as the mgmt server (i.e. there will be no SSL-based communication issue afterwards) as provided by bountycastle v1.55.
Thoughts, feedback?
[1] https://github.com/apache/cloudstack/pull/1799
Regards.
rohit.yadav@shapeblue.com
www.shapeblue.com
53 Chandos Place, Covent Garden, London WC2N 4HSUK
@shapeblue
Re: [DISCUSS] Bountycastle upgrade
Posted by Rohit Yadav <ro...@shapeblue.com>.
John,
I'll have a look at where/how the fingerprint method is used, if necessary I'll upgrade it to use SHA-256. Thanks for the pointers.
Regards.
________________________________
From: John Kinsella <jl...@gmail.com>
Sent: 02 December 2016 13:12:12
To: dev@cloudstack.apache.org
Subject: Re: [DISCUSS] Bountycastle upgrade
2 thoughts:
1) I know this is partially git’s fault on the diff, and i know this is a standard gripe from me, but for reviewers things are much easier if syntax/whitespace changes are separated out into a separate patch from logic/functionality.
2) One thing that caught my eye was the SHA-1 use on the fingerprint. That got me looking around the codebase, and I see SHA-1/SHA1 sprinkled around. It’s not considered secure anymore [1]. Some of the uses are just for naming, that’s fine. I don’t think any of the use I saw was OMGFIXNOW. But at some point might be nice to replace all that with SHA-256. Would require a data migration, though.
3) Awesome, run with it. :)
John
1: https://en.wikipedia.org/wiki/SHA-1#Cryptanalysis_and_validation
rohit.yadav@shapeblue.com
www.shapeblue.com
53 Chandos Place, Covent Garden, London WC2N 4HSUK
@shapeblue
> On Dec 1, 2016, at 10:17 PM, Rohit Yadav <ro...@shapeblue.com> wrote:
>
> All,
>
>
> I've sent a PR that will upgrade bountycastle dependency to the latest version [1]. In terms of security, an upgrade is necessary though it would also require for users (who are upgrading to 4.9.1.0, 4.10.0.0 or later) to destroy old systemvms such as CPVM and SSVM so the agents that will be started in new system vms will use the same dependency jar (version/release) and use the same cipher suites as the mgmt server (i.e. there will be no SSL-based communication issue afterwards) as provided by bountycastle v1.55.
>
>
> Thoughts, feedback?
>
>
> [1] https://github.com/apache/cloudstack/pull/1799
>
>
> Regards.
>
> rohit.yadav@shapeblue.com
> www.shapeblue.com<http://www.shapeblue.com>
> 53 Chandos Place, Covent Garden, London WC2N 4HSUK
> @shapeblue
>
>
>
Re: [DISCUSS] Bountycastle upgrade
Posted by John Kinsella <jl...@gmail.com>.
2 thoughts:
1) I know this is partially git’s fault on the diff, and i know this is a standard gripe from me, but for reviewers things are much easier if syntax/whitespace changes are separated out into a separate patch from logic/functionality.
2) One thing that caught my eye was the SHA-1 use on the fingerprint. That got me looking around the codebase, and I see SHA-1/SHA1 sprinkled around. It’s not considered secure anymore [1]. Some of the uses are just for naming, that’s fine. I don’t think any of the use I saw was OMGFIXNOW. But at some point might be nice to replace all that with SHA-256. Would require a data migration, though.
3) Awesome, run with it. :)
John
1: https://en.wikipedia.org/wiki/SHA-1#Cryptanalysis_and_validation
> On Dec 1, 2016, at 10:17 PM, Rohit Yadav <ro...@shapeblue.com> wrote:
>
> All,
>
>
> I've sent a PR that will upgrade bountycastle dependency to the latest version [1]. In terms of security, an upgrade is necessary though it would also require for users (who are upgrading to 4.9.1.0, 4.10.0.0 or later) to destroy old systemvms such as CPVM and SSVM so the agents that will be started in new system vms will use the same dependency jar (version/release) and use the same cipher suites as the mgmt server (i.e. there will be no SSL-based communication issue afterwards) as provided by bountycastle v1.55.
>
>
> Thoughts, feedback?
>
>
> [1] https://github.com/apache/cloudstack/pull/1799
>
>
> Regards.
>
> rohit.yadav@shapeblue.com
> www.shapeblue.com
> 53 Chandos Place, Covent Garden, London WC2N 4HSUK
> @shapeblue
>
>
>