Thanks Ilya, I'll have a go at it.
--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

----- Original Message -----
> From: "ilya musayev" <ilya.mailing.li...@gmail.com>
> To: dev@cloudstack.apache.org
> Sent: Monday, 9 March, 2015 21:33:08
> Subject: Re: Disable ciphers in Console VM's Java server #FREAK

> OpenJDK 1.7 is a requirement for this to work.
>
> On 3/9/15 2:31 PM, ilya musayev wrote:
>> This might be relevant, ways to disable weak ciphers for port 8250,
>> I'm under impression same can be done for all java related processes.
>> This came from Citrix security team sometime in August, when we
>> reached and mentioned that 8250 exposes weak ciphers as per internal
>> audit.
>>
>> ------------
>>
>> Who Should apply this workaround?
>>
>> This workaround is to make SSL Ciphers stronger than 128 bits. This
>> workaround is for customers running Citrix CloudPlatform version 3.x
>> and above. Apply this workaround on all the CloudPlatform 3.x and
>> above Management Servers.
>>
>>
>> Package Name
>>
>> NA
>>
>> Issues Resolved In This Hotfix
>>
>> This workaround resolves the following issue:
>> CS-17504: Weak SSL ciphers supported by the management server
>>
>>
>> Installing the Hotfix
>>
>> Use the following steps for the workaround. As with any software
>> update, please back up your data before applying this workaround.
>>
>> 1. Stop the Management Server:# service cloudstack-management stop.
>>
>> 2. First Backup and then Modify java.security file at following
>> location (You may have different location based on your Java version),
>> if you are unsure, do a “find / -name java.security” to get the exact
>> location): #
>>
>> cp
>> /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.51.x86_64/jre/lib/security/java.security
>> java.security.backup
>>
>> /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.51.x86_64/jre/lib/security/java.security
>>
>>
>> 3. Make following changes to java.security:#
>>
>> #Start of Edit
>>
>> #Following are the default settings, needs to be commented.
>> #jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
>>
>> #Following needs to be added
>> jdk.tls.disabledAlgorithms=DH keySize < 128, RSA keySize < 128, DES
>> keySize < 128, SHA1 keySize < 128, MD5 keySize < 128, RC4 keySize < 128
>>
>> # End of edit
>>
>> 4. Start the Management Server: # service cloudstack-management start.
>>
>>
>> Log in to the CloudPlatform UI as administrator, and check the status
>> of the hosts. All hosts should come to Up state (except those that you
>> know to be offline). You may need to wait 20 or 30 minutes, depending
>> on the number of hosts.
>>
>> Troubleshooting: If login fails, clear your browser cache and reload
>> the page.
>>
>>
>> On 3/9/15 11:23 AM, Nux! wrote:
>>> Hello,
>>>
>>> Can anyone advise how to disable SSLv2, SSLv3, TLSv1 and various
>>> ciphers in the Java process which serves CPVM:443 ?
>>>
>>> The CPVM is currently affected by the FREAK issue, we'd like to fix
>>> that.
>>>
>>> --
>>> Sent from the Delta quadrant using Borg technology!
>>>
>>> Nux!
>>> www.nux.ro
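
Added example, not part of the original thread and not CloudStack or Citrix code: a shell check that a java.security file really carries an active jdk.tls.disabledAlgorithms value naming every algorithm from step 3 of the quoted workaround. It also catches a value cut short because the line was pasted with a hard wrap and no trailing backslash, as the mail quoting above would produce. The function names, the OK/FAIL messages and the sample file are constructed for illustration.

```sh
# effective_prop FILE KEY: print the active value of KEY in a java.security
# file. Skips comment lines, joins backslash-continued lines, lets the last
# assignment win. Only the key=value form is handled.
effective_prop() {
  awk -v key="$2" '
    {
      line = $0; sub(/^[ \t]+/, "", line)
      if (!cont && (line == "" || line ~ /^[#!]/)) next
      buf = (cont ? buf : "") line
      if (buf ~ /\\$/) { sub(/\\$/, "", buf); cont = 1; next }
      cont = 0; i = index(buf, "=")
      if (i == 0) next
      k = substr(buf, 1, i - 1); v = substr(buf, i + 1)
      sub(/[ \t]+$/, "", k); sub(/^[ \t]+/, "", v)
      if (k == key) { val = v; found = 1 }
    }
    END { if (!found) exit 1; print val }
  ' "$1"
}

# check_workaround FILE: return 0 only if jdk.tls.disabledAlgorithms is active
# and names every algorithm listed in step 3 of the thread.
check_workaround() {
  cw_rc=0
  cw_tls=$(effective_prop "$1" jdk.tls.disabledAlgorithms) ||
    { echo "FAIL: jdk.tls.disabledAlgorithms missing or commented out"; return 1; }
  cw_names=$(printf '%s\n' "$cw_tls" | tr ',' '\n' | awk '{ print $1 }')
  for cw_alg in DH RSA DES SHA1 MD5 RC4; do
    printf '%s\n' "$cw_names" | grep -qx "$cw_alg" ||
      { echo "FAIL: $cw_alg not in jdk.tls.disabledAlgorithms"; cw_rc=1; }
  done
  [ "$cw_rc" -ne 0 ] || echo "OK: all listed algorithms are in the active value"
  return "$cw_rc"
}

# Constructed sample: the edit from step 3, with one continued line.
write_sample() {
  cat > "$1" <<'EOF'
#jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
jdk.tls.disabledAlgorithms=DH keySize < 128, RSA keySize < 128, DES \
    keySize < 128, SHA1 keySize < 128, MD5 keySize < 128, RC4 keySize < 128
EOF
}

# Check the file given as $1, or the constructed sample when run without one.
if [ $# -gt 0 ]; then check_workaround "$1"; else
  cw_tmp=$(mktemp) && write_sample "$cw_tmp" && check_workaround "$cw_tmp"
  rm -f "$cw_tmp"
fi
```

Run it with the path found by the `find / -name java.security` step as its argument; a non-zero exit status means the active value is missing or incomplete.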