Hi Gary,
I have checked the 4.16.1, 4.17.2 and 4.18.0 system VMs; it looks like `TLSv1,
TLSv1.1` have already been added to "jdk.tls.disabledAlgorithms".
root@s-1-VM:~# cat /etc/cloudstack-release
Cloudstack Release 4.16.1 Mon 31 Jan 2022 10:02:56 AM UTC
root@s-1-VM:~# grep ^jdk.tls.disabledAlgorithms /etc/java-11-openjdk/security/java.security -A3
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves
root@v-2-VM:~# cat /etc/cloudstack-release
Cloudstack Release 4.17.2 Fri 09 Dec 2022 12:51:18 PM UTC
root@v-2-VM:~# grep ^jdk.tls.disabledAlgorithms /etc/java-11-openjdk/security/java.security -A3
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves
root@v-11-VM:~# cat /etc/cloudstack-release
Cloudstack Release 4.18.0 Wed 28 Dec 2022 09:45:19 AM UTC
root@v-11-VM:~# grep ^jdk.tls.disabledAlgorithms /etc/java-11-openjdk/security/java.security -A3
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves
-Wei
On Thu, 9 Mar 2023 at 09:41, Gary Dixon <[email protected]> wrote:
> Hi Si
>
> We are on ACS 4.15.2 with KVM Hypervisor on Ubuntu 20.04 hosts
>
> we've added "TLSv1" and "TLSv1.1" in the
> /etc/java-11-openjdk/security/java.security file on the SystemVM, on the
> line starting with "jdk.tls.disabledAlgorithms".
>
> The scan reported TLS 1.0 and TLS 1.1 were enabled for "https port 443
> JBoss Enterprise Application Platform" before we made the change above.
> After the config change the scan no longer shows this.
>
> This may well be locked down to TLS 1.2 and higher in later versions of
> CloudStack ?
>
> BR
>
> Gary
>
>
>
> Gary Dixon
> Senior Technical Consultant
> T: +44 161 537 4990
> E: *v* <+44%207989717661>ms@quadris‑support.com
> W: www.quadris.co.uk
> The information contained in this e-mail from Quadris may be confidential
> and privileged for the private use of the named recipient. The contents of
> this e-mail may not necessarily represent the official views of Quadris.
> If you have received this information in error you must not copy,
> distribute or take any action or reliance on its contents. Please destroy
> any hard copies and delete this message.
> -----Original Message-----
> From: Simon Weller <[email protected]>
> Sent: Wednesday, March 8, 2023 9:34 PM
> To: [email protected]
> Subject: Re: Console Proxy VM TLS version and cipher suites
>
> Gary,
>
> Can you provide more information as to which CloudStack version you're
> running and also where you made modifications? Was it to the Tomcat config?
> As Kiran indicated, you should not see any old TLS versions offered in
> modern versions of CloudStack. So, if you are, we want to get to the bottom
> of it quickly.
>
> -Si
>
> On Wed, Mar 8, 2023 at 3:48 AM Gary Dixon <[email protected]> wrote:
>
> >
> > The PEN test had picked up that a JBoss Enterprise Application was
> > allowing TLS v1.0 and TLS v1.1 - we have managed to disable this now
> > but obviously we would need to build this in to a new System VM
> > template to make the change persist across a Console Proxy VM rebuild
> >
> > Gary
> >
> > Gary Dixon
> > Senior Technical Consultant
> > T: +44 161 537 4990
> > E: *v* <+44%207989717661>ms@quadris‑support.com
> > W: www.quadris.co.uk
> >
> > From: Kiran Chavala <[email protected]>
> > Sent: Tuesday, March 7, 2023 12:59 PM
> > To: [email protected]
> > Subject: Re: Console Proxy VM TLS version and cipher suites
> >
> > Hi Gary
> >
> > AFAIK, I think cloudstack has disabled anything below TLS v1.2 from
> > 4.11.0 release
> >
> > https://github.com/apache/cloudstack/pull/2480
> >
> > https://issues.apache.org/jira/browse/CLOUDSTACK-10319
> >
> > CLOUDSTACK-10319: Prefer TLSv1.2, deprecate TLSv1.0,1.1 by
> > rohityadavcloud · Pull Request #2480 · apache/cloudstack
> > <https://github.com/apache/cloudstack/pull/2480>
> > This deprecates and removes TLS 1.0 and 1.1 from the preferred list of
> > protocols and keeps only TLSv1.2. @blueorangutan package
> >
> >
> > Regards
> > Kiran
> > ________________________________
> > From: Gary Dixon <[email protected]>
> > Sent: 07 March 2023 17:35
> > To: [email protected] <[email protected]>
> > Subject: Console Proxy VM TLS version and cipher suites
> >
> > Hi all
> >
> > Is there a way of limiting the console proxy to allow nothing below
> > TLS v1.2, 1.3 and only allow strong cipher suites – we are failing a
> > PEN test currently and need to strengthen the CPVM security ?
> >
> > TIA
> >
> > Gary
> >
> > Gary Dixon
> > Senior Technical Consultant
> > T: +44 161 537 4990
> > E: v<tel:+44%207989717661>ms@quadris‑support.com
> > W: www.quadris.co.uk
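The thread settles the question two ways: by reading the jdk.tls.disabledAlgorithms line in java.security and by re-running the scanner. Below is an added example (my own code, not from this thread or from the CloudStack project) that does both: it parses the property the way the JDK reads it, including the backslash line continuations shown in Wei's output, reports which protocols below TLS 1.2 a policy still allows, and offers a live handshake probe pinned to one TLS version. The two sample policies are constructed for the example (the hardened one copies the value Wei posted), and the host, port and function names are illustrative assumptions.

```python
"""Check whether a java.security policy disables TLS below 1.2.

Added example, not CloudStack code. It parses the jdk.tls.disabledAlgorithms
property as the JDK reads it (comments skipped, backslash line continuations
joined), reports which legacy protocols are still allowed, and offers a live
handshake probe you can point at a console proxy VM.
"""
import re
import socket
import ssl

# Protocols a scanner will flag; TLSv1.2 is the minimum we want to see offered.
LEGACY_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1")

# Constructed sample: an older-style policy that does not list TLSv1/TLSv1.1.
WEAK_POLICY = """\
# Unrelated properties and comments must be ignored by the parser.
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \\
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
"""

# Constructed sample matching the value reported from the 4.16.1/4.17.2/4.18.0 system VMs.
HARDENED_POLICY = """\
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \\
    include jdk.disabled.namedCurves
"""


def _join_continuations(text):
    """Join lines that end in a backslash, as the properties format allows."""
    return re.sub(r"\\\r?\n[ \t]*", "", text)


def disabled_algorithms(policy_text, prop="jdk.tls.disabledAlgorithms"):
    """Return the set of entries listed for `prop` (empty set if the property is absent)."""
    for line in _join_continuations(policy_text).splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == prop:
            return {item.strip() for item in value.split(",") if item.strip()}
    return set()


def allowed_legacy_protocols(policy_text):
    """Legacy protocols NOT disabled by the policy; an empty tuple is the desired state."""
    disabled = disabled_algorithms(policy_text)
    return tuple(p for p in LEGACY_PROTOCOLS if p not in disabled)


def protocol_accepted(host, port, version, timeout=5.0):
    """Live check: does the server complete a handshake pinned to exactly `version`?

    `version` is an ssl.TLSVersion member, e.g. ssl.TLSVersion.TLSv1_1. Certificate
    checks are off because only protocol negotiation is under test. An OpenSSL that
    refuses TLS 1.0/1.1 locally also yields False, so cross-check such a result with
    `openssl s_client -tls1_1` before recording the server as compliant.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        # SECLEVEL=0 lets OpenSSL 3 even attempt TLS 1.0/1.1 for the probe.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError, ValueError):
        return False


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        still_allowed = allowed_legacy_protocols(policy)
        verdict = "OK" if not still_allowed else "FAIL: " + ", ".join(still_allowed)
        print(f"{name:9s} {verdict}")
    # Live probe against a console proxy (hostname is a placeholder), e.g.:
    #   protocol_accepted("cpvm.example.com", 443, ssl.TLSVersion.TLSv1_1)
```

To audit a real system VM, read /etc/java-11-openjdk/security/java.security into allowed_legacy_protocols(); an empty result is the state Wei shows for 4.16.1 and later. The policy check only tells you what the JVM will negotiate, so keep the live probe (or openssl s_client) as the confirmation the scanner actually sees on port 443, and remember that a rebuilt system VM comes from the template, so the fix has to live in the template, not in the running VM.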