The PEN test had picked up that a JBoss Enterprise Application was allowing TLS v1.0 and TLS v1.1- we have managed to disable this now but obviously we would need to build this in to a new System VM template to make the change persist a Console Proxy VM rebuild
Gary Dixon Senior Technical Consultant T: +44 161 537 4990 E: [email protected] W: www.quadris.co.uk The information contained in this e-mail from Quadris may be confidential and privileged for the private use of the named recipient. The contents of this e-mail may not necessarily represent the official views of Quadris. If you have received this information in error you must not copy, distribute or take any action or reliance on its contents. Please destroy any hard copies and delete this message. From: Kiran Chavala <[email protected]> Sent: Tuesday, March 7, 2023 12:59 PM To: [email protected] Subject: Re: Console Proxy VM TLS version and cipher suites Hi Gary AFAIK, I think cloudstack has disabled anything below TLS v1.2 from 4.11.0 release https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fapache%2Fcloudstack%2Fpull%2F2480&data=05%7C01%7CGary.Dixon%40quadris.co.uk%7C8bc43b9aac7341c924db08db1f0bee5d%7Cf1d6abf3d3b44894ae16db0fb93a96a2%7C0%7C0%7C638137908353696323%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=Ezd9nXe6wavgsWaZntbfm6s3fj%2FdaWRle%2BNQbZYcaKg%3D&reserved=0 https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fissues.apache.org%2Fjira%2Fbrowse%2FCLOUDSTACK-10319&data=05%7C01%7CGary.Dixon%40quadris.co.uk%7C8bc43b9aac7341c924db08db1f0bee5d%7Cf1d6abf3d3b44894ae16db0fb93a96a2%7C0%7C0%7C638137908353696323%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=5DMAQJ38va8zfrqiNml2l6xp8KNEiQWjFVc8DQDjePQ%3D&reserved=0 [https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fopengraph.githubassets.com%2F2b9813d128412ed49741e9c7523f4d3fb466d19b3c3b290539fb876ba1bcf0a9%2Fapache%2Fcloudstack%2Fpull%2F2480&data=05%7C01%7CGary.Dixon%40quadris.co.uk%7C8bc43b9aac7341c924db08db1f0bee5d%7Cf1d6abf3d3b44894ae16db0fb93a96a2%7C0%7C0%7C638137908353696323%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=9lCnFXXAzx6fkhd1mm4ICMFgA1wqQwXAr%2BM4gQfOgFw%3D&reserved=0]<https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fapache%2Fcloudstack%2Fpull%2F2480&data=05%7C01%7CGary.Dixon%40quadris.co.uk%7C8bc43b9aac7341c924db08db1f0bee5d%7Cf1d6abf3d3b44894ae16db0fb93a96a2%7C0%7C0%7C638137908353696323%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=Ezd9nXe6wavgsWaZntbfm6s3fj%2FdaWRle%2BNQbZYcaKg%3D&reserved=0> CLOUDSTACK-10319: Prefer TLSv1.2, deprecate TLSv1.0,1.1 by rohityadavcloud · Pull Request #2480 · apache/cloudstack<https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fapache%2Fcloudstack%2Fpull%2F2480&data=05%7C01%7CGary.Dixon%40quadris.co.uk%7C8bc43b9aac7341c924db08db1f0bee5d%7Cf1d6abf3d3b44894ae16db0fb93a96a2%7C0%7C0%7C638137908353696323%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=Ezd9nXe6wavgsWaZntbfm6s3fj%2FdaWRle%2BNQbZYcaKg%3D&reserved=0> This deprecates and remove TLS 1.0 and 1.1 from preferred list of protocols and keeps only TLSv1.2. @blueorangutan package github.com Regards Kiran ________________________________ From: Gary Dixon <[email protected]> Sent: 07 March 2023 17:35 To: [email protected] <[email protected]> Subject: Console Proxy VM TLS version and cipher suites Hi all Is there a way of limiting the console proxy to allow nothing below TLS v1.2, 1.3 and only allow strong cipher suites – we are failing a PEN test currently and need to strengthen the CPVM security ? TIA Gary Gary Dixon Senior Technical Consultant T: +44 161 537 4990 E: v<tel:+44%207989717661>ms@quadris‑support.com W: https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.quadris.co.uk%2F&data=05%7C01%7CGary.Dixon%40quadris.co.uk%7C8bc43b9aac7341c924db08db1f0bee5d%7Cf1d6abf3d3b44894ae16db0fb93a96a2%7C0%7C0%7C638137908353696323%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=ELMyfDyavuFHOtvcyf7PvqWUFkMwhmWHJPADH6nd%2FnE%3D&reserved=0 [cid:[email protected]] The information contained in this e-mail from Quadris may be confidential and privileged for the private use of the named recipient. The contents of this e-mail may not necessarily represent the official views of Quadris. If you have received this information in error you must not copy, distribute or take any action or reliance on its contents. Please destroy any hard copies and delete this message.
