John,

I think you touched on a serious problem that should be considered by the security team to judge how this may influence the product development cycle and make a decision. Big players (like Google, https://www.imperialviolet.org/2015/10/17/boringssl.html) have already done this. To broaden the scope, I would suggest considering several candidates for this position: LibreSSL, BoringSSL (or more).

Vadim.

On 2016-02-05 19:25, John Kinsella wrote:

(whoops - accidentally replied privately, bringing back to mailing list - hope Vadim's OK with that)

Realize the SSVM and VR provide "public" services - https is open on the console proxy, vpn services are open on the virtual router.

And unfortunately yes, people usually only think about improving security after issues are found - that's why security geeks like me are around. :)

I'll see if I can drop in libressl in the next week or two and see what happens....

John

Begin forwarded message:
From: Vadim <va...@ant.ee>
Subject: RE: [DISCUSS] Move from OpenSSL to LibreSSL
Date: February 4, 2016 at 11:43:07 PM PST
To: John Kinsella <jlkin...@gmail.com>

Thank you for the explanation, John.

I am not involved in CS security assessment, but the existing architecture makes me feel safe, because the SSVM and VR and any other system VM is accessible (by SSH) only from the hypervisor host due to the link-local address limitation. I don't know other ways, but it doesn't mean they do not exist.

I do share your worries about OpenSSL library vulnerabilities, especially after "heartbleed", but replacing it everywhere seems to be a very hard task. I don't think you will have a discussion in this list on the subject unless the next "heartbleed" happens.

Vadim.

On 2016-02-04 18:01, John Kinsella wrote:
Hey Vadim - I should have clarified, sorry...

SSL libraries are used in several areas in an ACS installation:

1) On the management server, for secure communication with the management UI, APIs, etc.
2) On system VMs - console proxies, secondary storage VMs, and possibly virtual routers (this is off the top of my head, need to confirm).

On management servers, whoever's building the system can choose whatever they want - you are correct here. What I was originally referring to was the second bullet - these are usually pre-built VM images downloaded into a CloudStack environment. That build is generated by ACS code, which currently uses OpenSSL. That's where I'm asking should we consider using LibreSSL instead.

John

On Feb 4, 2016, at 7:47 AM, Vadim <va...@ant.ee> wrote:

John,

Can the CS community decide that? From my point of view it is the OS distribution owner who does. OpenSSL is a system package and you probably can't skip it, unless you create your own Linux distribution.

Vadim.

On 2016-02-03 17:48, John Kinsella wrote:

Folks - another OpenSSL vulnerability was announced last week[1]. I believe our current SSVMs are running Wheezy, so they should be OK according to [2]. This makes me ponder, though: should we consider moving to LibreSSL[3] in the future? For those not familiar, it's a fork of OpenSSL with more emphasis on cleaning up the code and improving the security of the codebase. From what I've seen so far, it should be a "drop-in" replacement for OpenSSL, but I haven't tested that theory out yet. I originally brought this up on security@, but it was quickly pointed out that, as it's not an actual vulnerability in ACS, we should discuss it in public, so here we are. Looking for thoughts; maybe somebody has experience moving from OpenSSL to LibreSSL in another project?
John
1: https://www.openssl.org/news/secadv/20160128.txt
2: https://security-tracker.debian.org/tracker/CVE-2016-0701
3: http://www.libressl.org/
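The message above reasons that the Wheezy-based SSVMs are "OK according to [2]" because of the OpenSSL version they ship. The script below is an added example, not code from this thread or from CloudStack: it parses the first line printed by `openssl version` and compares it with the range the cited advisory [1] lists for CVE-2016-0701 (OpenSSL 1.0.2 up to and including 1.0.2e, fixed in 1.0.2f; the 1.0.1 line that Wheezy ships is not affected). The range table and the sample version strings are constructed here and should be re-checked against the advisory text before being relied on; it also goes slightly beyond the thread by recognising a LibreSSL version string as a different library rather than forcing it into the OpenSSL range.

```python
"""Classify an `openssl version` line against the 2016-01-28 OpenSSL advisory.

Added example for this discussion, not CloudStack or OpenSSL project code.
The affected range is taken from the advisory cited as [1] in the thread
(CVE-2016-0701: OpenSSL 1.0.2 .. 1.0.2e inclusive, fixed in 1.0.2f) and is
an assumption to confirm against the advisory itself.
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]

# Inclusive affected ranges as (major, minor, fix, patch-letter index),
# where no letter is 0, "a" is 1, ..., "e" is 5, "f" is 6 (assumed table).
AFFECTED_RANGES = {
    "CVE-2016-0701": ((1, 0, 2, 0), (1, 0, 2, 5)),
}

# Matches "OpenSSL 1.0.1e 11 Feb 2013" or "LibreSSL 2.2.6"; the date is ignored.
_VERSION_RE = re.compile(r"^(OpenSSL|LibreSSL)\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_version(output: str) -> Tuple[Optional[str], Optional[Version]]:
    """Parse the first line of `openssl version`.

    Returns (library, version_tuple), or (None, None) when the line is not
    recognised. The patch letter becomes an index so tuples compare correctly.
    """
    match = _VERSION_RE.match(output.strip())
    if not match:
        return None, None
    lib, major, minor, fix, letter = match.groups()
    patch = ord(letter) - ord("a") + 1 if letter else 0
    return lib, (int(major), int(minor), int(fix), patch)


def is_affected(output: str, cve: str = "CVE-2016-0701") -> Optional[bool]:
    """True/False for an OpenSSL version line; None for LibreSSL or junk.

    LibreSSL uses its own version numbering, so an OpenSSL advisory range
    cannot be applied to it and the caller must consult LibreSSL's own notes.
    """
    lib, version = parse_version(output)
    if lib != "OpenSSL" or version is None:
        return None
    low, high = AFFECTED_RANGES[cve]
    return low <= version <= high


def check_local_openssl(cve: str = "CVE-2016-0701") -> Optional[bool]:
    """Run the local `openssl version` and classify it; None if no binary."""
    if shutil.which("openssl") is None:
        return None
    result = subprocess.run(
        ["openssl", "version"], capture_output=True, text=True, check=False
    )
    return is_affected(result.stdout, cve)


if __name__ == "__main__":
    # Constructed sample lines modelled on what `openssl version` prints.
    samples = [
        "OpenSSL 1.0.1e 11 Feb 2013",   # the Wheezy build the thread refers to
        "OpenSSL 1.0.2e 3 Dec 2015",    # inside the advisory's affected range
        "OpenSSL 1.0.2f 28 Jan 2016",   # the fixed release
        "LibreSSL 2.2.6",               # different library, not comparable
    ]
    for line in samples:
        print(f"{line!r}: affected={is_affected(line)}")
    print("this host:", check_local_openssl())
```

Run it on a system VM to get a verdict for that host; a `None` result means the binary was missing or is not OpenSSL, which is exactly the case a LibreSSL swap would produce and a reason to keep the version check library-aware.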
