Hi Si

We are on ACS 4.15.2 with KVM Hypervisor on Ubuntu 20.04 hosts.

We've added "TLSv1" and "TLSv1.1" in the /etc/java-11-openjdk/security/java.security file on the SystemVM, on the line starting with "jdk.tls.disabledAlgorithms".

The scan reported "TLS 1.0 and TLS 1.1 was enabled for https port 443 JBoss Enterprise Application Platform" before we made the change above. After the config change the scan no longer shows this.

This may well be locked down to TLS 1.2 and higher in later versions of CloudStack?

BR
Gary

Gary Dixon
Senior Technical Consultant
T: +44 161 537 4990
E: [email protected]
W: www.quadris.co.uk

The information contained in this e-mail from Quadris may be confidential and privileged for the private use of the named recipient. The contents of this e-mail may not necessarily represent the official views of Quadris. If you have received this information in error you must not copy, distribute or take any action or reliance on its contents. Please destroy any hard copies and delete this message.

-----Original Message-----
From: Simon Weller <[email protected]>
Sent: Wednesday, March 8, 2023 9:34 PM
To: [email protected]
Subject: Re: Console Proxy VM TLS version and cipher suites

Gary,

Can you provide more information as to which CloudStack version you're running and also where you made modifications? Was it to the Tomcat config?

As Kiran indicated, you should not see any old TLS versions offered in modern versions of CloudStack. So, if you are, we want to get to the bottom of it quickly.

-Si

On Wed, Mar 8, 2023 at 3:48 AM Gary Dixon <[email protected]> wrote:
>
> The PEN test had picked up that a JBoss Enterprise Application was allowing TLS v1.0 and TLS v1.1 - we have managed to disable this now, but obviously we would need to build this in to a new System VM template to make the change persist across a Console Proxy VM rebuild.
>
> Gary Dixon
> Senior Technical Consultant
> T: +44 161 537 4990
> W: http://www.quadris.co.uk
>
> From: Kiran Chavala <[email protected]>
> Sent: Tuesday, March 7, 2023 12:59 PM
> To: [email protected]
> Subject: Re: Console Proxy VM TLS version and cipher suites
>
> Hi Gary
>
> AFAIK, I think cloudstack has disabled anything below TLS v1.2 from the 4.11.0 release:
>
> https://github.com/apache/cloudstack/pull/2480
> https://issues.apache.org/jira/browse/CLOUDSTACK-10319
>
> CLOUDSTACK-10319: Prefer TLSv1.2, deprecate TLSv1.0,1.1 by rohityadavcloud · Pull Request #2480 · apache/cloudstack
> "This deprecates and removes TLS 1.0 and 1.1 from the preferred list of protocols and keeps only TLSv1.2."
>
> Regards
> Kiran
>
> ________________________________
> From: Gary Dixon <[email protected]>
> Sent: 07 March 2023 17:35
> To: [email protected] <[email protected]>
> Subject: Console Proxy VM TLS version and cipher suites
>
> Hi all
>
> Is there a way of limiting the console proxy to allow nothing below TLS v1.2, 1.3 and only allow strong cipher suites – we are failing a PEN test currently and need to strengthen the CPVM security?
>
> TIA
>
> Gary
>
> Gary Dixon
> Senior Technical Consultant
> T: +44 161 537 4990
> W: http://www.quadris.co.uk
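The fix Gary describes at the top of the thread edits jdk.tls.disabledAlgorithms in java.security on the SystemVM. The script below is an added example, not code from the thread or from CloudStack: it parses a java.security file the way java.util.Properties does (backslash line continuations, as the OpenJDK default uses for this key), reports which of SSLv3, TLSv1 and TLSv1.1 are not yet disabled, and appends the missing ones, so the same check can be run against a SystemVM template before and after a rebuild. The sample file content is constructed; the property names are the real java.security keys.

```python
import re

KEY = "jdk.tls.disabledAlgorithms"
LEGACY = ("SSLv3", "TLSv1", "TLSv1.1")  # versions a scanner must never see offered

# Constructed sample resembling the OpenJDK 11 default; not a real file.
SAMPLE_JAVA_SECURITY = """\
# java.security fragment (constructed sample)
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \\
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer
"""

def parse_properties(text):
    """Minimal Properties reader -> {key: (value, first_line_idx, last_line_idx)}."""
    props, logical, start = {}, None, 0
    for i, raw in enumerate(text.splitlines()):
        if logical is None:
            if not raw.strip() or raw.lstrip()[0] in "#!":
                continue  # blank or comment line
            logical, start = "", i
        raw = raw.lstrip()  # Properties drops indentation of continued lines
        if (len(raw) - len(raw.rstrip("\\"))) % 2 == 1:  # odd trailing '\' => continue
            logical += raw[:-1]
            continue
        m = re.match(r"([^=:\s]*)\s*[=:]?\s*(.*)", logical + raw)
        props[m.group(1)] = (m.group(2).rstrip(), start, i)
        logical = None
    return props

def missing_legacy_protocols(text):
    """Legacy protocol versions the file does NOT yet disable (empty == hardened)."""
    value = parse_properties(text).get(KEY, ("", 0, 0))[0]
    present = {e.strip() for e in value.split(",")}
    return [p for p in LEGACY if p not in present]

def harden(text):
    """Append missing legacy protocols to the key, collapsing its continued lines."""
    missing = missing_legacy_protocols(text)
    if not missing:
        return text
    lines, props = text.splitlines(), parse_properties(text)
    if KEY in props:
        value, start, end = props[KEY]
        lines[start:end + 1] = [f"{KEY}={value}, {', '.join(missing)}"]
    else:
        lines.append(f"{KEY}={', '.join(missing)}")
    return "\n".join(lines) + "\n"
```

On a SystemVM, feed the functions the contents of the file Gary names (/etc/java-11-openjdk/security/java.security) instead of the constructed sample; a non-empty result from missing_legacy_protocols means the template still needs the change.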
