Re: SSL Medium Strength Cipher Suites Supported | port 8250 on Management servers

2024-04-29 Thread Rohit Yadav
Hi Vivek,

I think you can tune the following global settings to regenerate CloudStack's 
root-CA certificates with the chosen cipher/algorithm and key size (depending on 
the ACS version, if it has the CA framework):

ca.framework.cert.signature.algorithm
ca.framework.cert.keysize

(For an already deployed CloudStack env, after changing this you may need to 
delete the old root-CA keypair for it to regenerate new server certificates and 
the CA certificate, by removing the configuration rows found by `select * from 
configuration where name like 'ca.plugin.root%' and category='Hidden'\G` and 
then restarting the management servers one by one.)

Alternatively, you can also test and disable the cipher algorithms you don't want 
via /etc/cloudstack/management/java.security.ciphers. And of course, you want to 
test and validate these in a test environment before applying them in production 
(and take DB backups just in case).


Regards.

 



From: Vivek Kumar 
Sent: Monday, April 29, 2024 15:27
To: CloudStack Users Mailing list 
Subject: SSL Medium Strength Cipher Suites Supported | port 8250 on Management servers

Hello Folks,

Our security team has highlighted that services running on port 8250 support 
the use of SSL ciphers that offer medium-strength encryption. Nessus regards 
medium strength as any encryption that uses key lengths of at least 64 bits and 
less than 112 bits.

It is considerably easier to circumvent medium strength encryption if the 
attacker is on the same physical network.


Our security team has recommended reconfiguring the affected application, if 
possible, to avoid the use of medium-strength ciphers, so should we do something 
about it or not?




Vivek Kumar
Sr. Manager - Cloud & DevOps
TechOps | Indiqus Technologies

vivek.ku...@indiqus.com
www.indiqus.com





--
This message is intended only for the use of the individual or entity to
which it is addressed and may contain confidential and/or privileged
information. If you are not the intended recipient, please delete the
original message and any copy of it from your computer system. You are
hereby notified that any dissemination, distribution or copying of this
communication is strictly prohibited unless proper authorization has been
obtained for such action. If you have received this communication in error,
please notify the sender immediately. Although IndiQus attempts to sweep
e-mail and attachments for viruses, it does not guarantee that both are
virus-free and accepts no liability for any damage sustained as a result of
viruses.
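To make the scanner's key-length rule concrete, here is an added example (my own code, not from this thread or from the CloudStack project) that parses the `openssl ciphers -v` listing format and buckets each suite by the definition Vivek quoted: medium strength is 64 <= bits < 112. The sample lines are constructed for the example, not captured from a management server. One special case is encoded: 3DES has a 168-bit nominal key but only 112 bits of effective strength, and Nessus reports it under its medium-strength finding (the SWEET32 plugin), so it is bucketed as medium rather than strong.

```python
import re
from typing import Optional

# Constructed sample in the layout of `openssl ciphers -v`
# (NAME PROTOCOL Kx=... Au=... Enc=ALG(bits) Mac=...); written for this
# example, not captured from a CloudStack management server.
SAMPLE_OPENSSL_CIPHERS = """\
TLS_AES_256_GCM_SHA384        TLSv1.3 Kx=any  Au=any Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256   TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-DES-CBC3-SHA        SSLv3   Kx=ECDH Au=RSA Enc=3DES(168)   Mac=SHA1
DES-CBC3-SHA                  SSLv3   Kx=RSA  Au=RSA Enc=3DES(168)   Mac=SHA1
DES-CBC-SHA                   SSLv3   Kx=RSA  Au=RSA Enc=DES(56)     Mac=SHA1
NULL-SHA256                   TLSv1.2 Kx=RSA  Au=RSA Enc=None        Mac=SHA256
"""

# One `openssl ciphers -v` line: name, protocol, then Kx=, Au=, Enc=, Mac= fields.
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=\S+\s+Au=\S+\s+Enc=(?P<enc>\S+)\s+Mac=\S+"
)
# The Enc= field is ALG(bits), or bare "None" for the null cipher.
ENC_RE = re.compile(r"^(?P<alg>[A-Za-z0-9]+)(?:\((?P<bits>\d+)\))?$")


def effective_key_bits(alg: str, nominal_bits: Optional[int]) -> int:
    """Effective key strength in bits for a bulk cipher."""
    if nominal_bits is None:      # Enc=None: no encryption at all
        return 0
    if alg.upper() == "3DES":     # 168 nominal bits; meet-in-the-middle leaves 112
        return 112
    return nominal_bits


def classify(alg: str, nominal_bits: Optional[int]) -> str:
    """Bucket a cipher using the thread's rule: medium = 64 <= bits < 112."""
    # Nessus lists 3DES under its medium-strength finding (SWEET32) even though
    # its effective strength is 112 bits, so mirror the scanner's verdict here.
    if alg.upper() == "3DES":
        return "medium"
    bits = effective_key_bits(alg, nominal_bits)
    if bits < 64:
        return "low"
    if bits < 112:
        return "medium"
    return "strong"


def parse_ciphers(text: str) -> list:
    """Parse `openssl ciphers -v` output into dicts with a strength bucket."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # skip blank or unrecognised lines
        enc = ENC_RE.match(m.group("enc"))
        if not enc:
            continue
        alg = enc.group("alg")
        bits = int(enc.group("bits")) if enc.group("bits") else None
        suites.append({
            "name": m.group("name"),
            "protocol": m.group("proto"),
            "alg": alg,
            "bits": bits,
            "strength": classify(alg, bits),
        })
    return suites


def medium_strength(text: str) -> list:
    """Names of the suites a Nessus-style check would flag as medium strength."""
    return [s["name"] for s in parse_ciphers(text) if s["strength"] == "medium"]


def summary(text: str) -> dict:
    """Count suites per strength bucket."""
    counts = {"low": 0, "medium": 0, "strong": 0}
    for s in parse_ciphers(text):
        counts[s["strength"]] += 1
    return counts


if __name__ == "__main__":
    for s in parse_ciphers(SAMPLE_OPENSSL_CIPHERS):
        print(f"{s['name']:30} {s['alg']}({s['bits']}) -> {s['strength']}")
    print("medium-strength suites:", medium_strength(SAMPLE_OPENSSL_CIPHERS))
    print("summary:", summary(SAMPLE_OPENSSL_CIPHERS))
```

Piping real output into `parse_ciphers` (for example `openssl ciphers -v 'ALL:COMPLEMENTOFALL'`) shows what the local OpenSSL build can offer, but what port 8250 actually negotiates is decided by the management server's JVM configuration (the java.security.ciphers file and the CA framework settings Rohit describes), so re-check the server itself after any change rather than relying on the local cipher list.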


SSL Medium Strength Cipher Suites Supported | port 8250 on Management servers

2024-04-29 Thread Vivek Kumar
Hello Folks,

Our security team has highlighted that services running on port 8250 support 
the use of SSL ciphers that offer medium-strength encryption. Nessus regards 
medium strength as any encryption that uses key lengths of at least 64 bits and 
less than 112 bits.

It is considerably easier to circumvent medium strength encryption if the 
attacker is on the same physical network.


Our security team has recommended reconfiguring the affected application, if 
possible, to avoid the use of medium-strength ciphers, so should we do something 
about it or not?




Vivek Kumar
Sr. Manager - Cloud & DevOps
TechOps | Indiqus Technologies

vivek.ku...@indiqus.com 
www.indiqus.com 




