(whoops - accidentally replied privately, bringing back to mailing list - hope Vadim's OK with that)

Realize the SSVM and VR provide "public" services - https is open on the console proxy, vpn services are open on the virtual router. And unfortunately yes, people usually only think about improving security after issues are found - that's why security geeks like me are around. :) I'll see if I can drop in libressl in the next week or two and see what happens....

John

> Begin forwarded message:
>
> From: Vadim <va...@ant.ee>
> Subject: Re: [DISCUSS] Move from OpenSSL to LibreSSL
> Date: February 4, 2016 at 11:43:07 PM PST
> To: John Kinsella <jlkin...@gmail.com>
>
> Thank you for the explanation, John.
>
> I am not involved in CS security assessment, but the existing architecture makes me feel safe, because SSVM and VR and any other system VM is accessible (by SSH) only from the hypervisor host due to the link-local address limitation. I don't know other ways, but it doesn't mean they do not exist.
>
> I do share your worries about OpenSSL library vulnerabilities, especially after "heartbleed", but replacing it everywhere seems to be a very hard task. I don't think you will have discussion in this list on the subject unless the next "heartbleed" happens.
>
> Vadim.
>
> On 2016-02-04 18:01, John Kinsella wrote:
>
>> Hey Vadim - I should have clarified, sorry...
>>
>> SSL libraries are used in several areas in an ACS installation:
>>
>> 1) On management server, for secure communication with management UI, APIs, etc.
>> 2) On system VMs - console proxies, secondary storage VMs, and possibly virtual routers (this is off the top of my head, need to confirm).
>>
>> On management servers, whoever's building the system can choose whatever they want - you are correct here. What I was originally referring to was the second bullet - these are usually pre-built VM images downloaded into a CloudStack environment. That build is generated by ACS code, which currently uses OpenSSL. That's where I'm asking should we consider using LibreSSL instead.
>>
>> John
>>
>>> On Feb 4, 2016, at 7:47 AM, Vadim <va...@ant.ee> wrote:
>>>
>>> John,
>>>
>>> Can the CS community decide that? From my point of view this is the OS distribution owner who does. OpenSSL is a system package and you probably can't skip it, unless you create your own Linux distribution.
>>>
>>> Vadim.
>>>
>>> On 2016-02-03 17:48, John Kinsella wrote:
>>>
>>>> Folks - another OpenSSL vulnerability was announced last week[1]. I believe our current SSVMs are running Wheezy, so they should be OK according to [2].
>>>>
>>>> This makes me ponder, though: Should we consider moving to LibreSSL[3] in the future? For those not familiar, it's a fork of OpenSSL with more emphasis on cleaning up the code and improving the security of the codebase.
>>>>
>>>> From what I've seen so far, it should be a "drop in" replacement for OpenSSL, but I haven't tested that theory out yet.
>>>>
>>>> I originally brought this up on security@, but it was quickly pointed out as it's not an actual vulnerability in ACS we should discuss in public, so here we are.
>>>>
>>>> Looking for thoughts, maybe somebody has experience moving from OpenSSL to LibreSSL in another project?
>>>>
>>>> John
>>>>
>>>> 1: https://www.openssl.org/news/secadv/20160128.txt
>>>> 2: https://security-tracker.debian.org/tracker/CVE-2016-0701
>>>> 3: http://www.libressl.org/
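As an added example that is not part of this thread or of the CloudStack code base: the discussion above turns on which TLS library a pre-built system VM image actually ships, so an operator assessing an OpenSSL advisory first needs an inventory of the image. The POSIX shell script below (written for this page, not by the thread's authors) records the library flavor and version reported by `openssl version`, the installed libssl package version, and which executables in a given directory link against libssl/libcrypto. It assumes a Debian-style image (the thread mentions Wheezy) with `openssl`, `ldd` and `dpkg-query` available; the `--scan` flag and the directory argument are choices made for this example.

```shell
#!/bin/sh
# Added example: inventory the TLS library shipped in a system VM image.
# Assumes a Debian-style image with openssl, ldd and dpkg-query present.

# Classify the first line of `openssl version` output into a short tag.
# LibreSSL's binary identifies itself as "LibreSSL x.y.z", OpenSSL as
# "OpenSSL x.y.zp <date>", so the leading word is enough to tell them apart.
tls_flavor() {
    case "$1" in
        LibreSSL*) echo libressl ;;
        OpenSSL*)  echo openssl ;;
        *)         echo unknown ;;
    esac
}

# Extract the bare version token (e.g. 1.0.1e) from `openssl version` output.
tls_version() {
    printf '%s\n' "$1" | awk '{print $2}'
}

# List the shared libssl/libcrypto objects a binary loads at runtime.
# Non-dynamic files and scripts make ldd complain; that noise is discarded.
linked_tls_libs() {
    ldd "$1" 2>/dev/null | awk '/libssl|libcrypto/ {print $1}' | sort -u
}

# Print every executable in a directory that depends on libssl/libcrypto,
# one line per binary, with the library names it pulls in.
scan_dir() {
    for bin in "$1"/*; do
        [ -x "$bin" ] || continue
        libs=$(linked_tls_libs "$bin")
        if [ -n "$libs" ]; then
            printf '%s: %s\n' "$bin" "$(printf '%s' "$libs" | tr '\n' ' ')"
        fi
    done
}

# Entry point for interactive use: sh tls_inventory.sh --scan /usr/sbin
if [ "${1:-}" = "--scan" ]; then
    v=$(openssl version 2>/dev/null | head -n 1)
    echo "flavor=$(tls_flavor "$v") version=$(tls_version "$v")"
    # Installed libssl package versions, which is what a distro advisory
    # such as the Debian tracker entry keys on.
    dpkg-query -W -f='${Package} ${Version}\n' 'libssl*' 2>/dev/null
    scan_dir "${2:-/usr/sbin}"
fi
```

Running it inside a console proxy, secondary storage VM or virtual router (or against a mounted template with a chroot) gives a defender the two facts needed to read an advisory: the exact library build present, and which public-facing daemons on that VM actually load it. After swapping the library in a rebuilt image, rerunning the scan confirms that the daemons now resolve to the replacement objects rather than to a leftover copy of the old ones.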