If the version of openssl is new enough, the site values xcatsslciphers and xcatsslversion can be employed to tune what is and is not acceptable.
For xcatsslversion: Sets the version of the SSL protocol used to transmit data. 'SSLv23' uses a handshake compatible with SSL2.0, SSL3.0 and TLS1.x, while 'SSLv2', 'SSLv3', 'TLSv1', 'TLSv1_1' or 'TLSv1_2' restrict handshake and protocol to the specified version. All values are case-insensitive. Instead of 'TLSv1_1' and 'TLSv1_2' one can also use 'TLSv11' and 'TLSv12'. Support for 'TLSv1_1' and 'TLSv1_2' requires recent versions of Net::SSLeay and openssl. Independent of the handshake format you can limit the set of accepted SSL versions by adding !version separated by ':'. The default SSL_version is 'SSLv23:!SSLv3:!SSLv2', which means that the handshake format is compatible with SSL2.0 and higher, but that the successful handshake is limited to TLS1.0 and higher, that is no SSL2.0 or SSL3.0, because both of these versions have serious security issues and should not be used anymore. You can also use !TLSv1_1 and !TLSv1_2 to disable TLS versions 1.1 and 1.2 while still allowing TLS version 1.0. Setting the version instead to 'TLSv1' might break interaction with older clients, which need an SSL2.0 compatible handshake. On the other side some clients just close the connection when they receive a TLS version 1.1 request. In this case setting the version to 'SSLv23:!SSLv2:!SSLv3:!TLSv1_1:!TLSv1_2' might help.

For ciphers: If this option is set the cipher list for the connection will be set to the given value, e.g. something like 'ALL:!LOW:!EXP:!aNULL'. Look into the OpenSSL documentation (http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS) for more details. Unless you fail to contact your peer because of no shared ciphers it is recommended to leave this option at the default setting. The default setting prefers ciphers with forward secrecy, disables anonymous authentication and disables known insecure ciphers like MD5, DES etc. This gives a grade A result at the tests of SSL Labs.
To use the less secure OpenSSL builtin default (whatever this is) set SSL_cipher_list to ''.

From: Lissa Valletta [mailto:[email protected]]
Sent: Thursday, October 30, 2014 10:15 AM
To: xCAT Users Mailing list
Subject: Re: [xcat-user] Force xCAT to only use TLS

No, there is no way to just use TLS; we use openssl to generate our credentials and secure our daemon to daemon communication. Can you not just disable sslV3 on the MN and service nodes, if you have them?

Disable SSLv3 in the HTTPD config:
SSLProtocol All -SSLv2 -SSLv3

Lissa K. Valletta
8-3/B10
Poughkeepsie, NY 12601
(tie 293) 433-3102

From: Phil Langerholc <[email protected]>
To: xCAT User List <[email protected]>
Date: 10/30/2014 09:48 AM
Subject: [xcat-user] Force xCAT to only use TLS
________________________________

Hello,

Is there a way to force xCAT to only use TLS vs sslV3? We have a mandate to disable SSLV3 across the board due to POODLE and xCAT is being flagged.

--
---Phil
------------------------------------------------------------------------------
_______________________________________________
xCAT-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/xcat-user
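The version-string semantics quoted in the reply above (head token picks the starting set, each '!version' removes one, names are case-insensitive with 'TLSv11'/'TLSv12' aliases) are easy to misread, so here is an added example that is not code from the xCAT project or from anyone in this thread. It works out which protocol versions a given xcatsslversion value actually lets a handshake complete on, shows how the two site attributes would be set, and gives a probe for checking what xcatd negotiates afterwards. Assumptions not stated in the thread: the site object is named clustersite and xcatd listens on TCP 3001 (both xCAT defaults); the attribute names xcatsslversion and xcatsslciphers come from the reply itself.

```shell
#!/bin/sh
# Added example; not code from the xCAT project or from anyone in this thread.
# Assumed: the site attributes are named xcatsslversion and xcatsslciphers as
# the reply says; the site object is 'clustersite' and xcatd listens on TCP
# 3001 (both xCAT defaults, not stated in the thread).

# Normalise one version token: case-insensitive, 'TLSv11'/'TLSv12' aliases.
norm_version() {
    v=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
    case $v in
        TLSV11) v=TLSV1_1 ;;
        TLSV12) v=TLSV1_2 ;;
    esac
    printf '%s' "$v"
}

# Work out which protocol versions a string in the form described in the
# reply ('SSLv23:!SSLv3:!SSLv2', 'TLSv1_2', ...) lets a handshake finish on.
# The first token picks the starting set: 'SSLv23' means every version, any
# other name means only that one. Each following '!version' removes one.
ssl_versions_allowed() {
    spec=$1
    [ -n "$spec" ] || { echo "empty version string" >&2; return 1; }
    old_ifs=$IFS; IFS=:; set -- $spec; IFS=$old_ifs
    head=$(norm_version "$1"); shift
    case $head in
        SSLV23) allowed="SSLV2 SSLV3 TLSV1 TLSV1_1 TLSV1_2" ;;
        SSLV2|SSLV3|TLSV1|TLSV1_1|TLSV1_2) allowed=$head ;;
        *) echo "unknown version '$head'" >&2; return 1 ;;
    esac
    for tok in "$@"; do
        case $tok in
            '!'*) drop=$(norm_version "${tok#?}") ;;
            *) echo "expected !version after the first token, got '$tok'" >&2; return 1 ;;
        esac
        kept=""
        for v in $allowed; do
            [ "$v" = "$drop" ] || kept="$kept $v"
        done
        allowed=${kept# }
    done
    printf '%s\n' "$allowed"
}

# Apply on the management node (and on each service node), then restart xcatd
# so the daemon picks the values up. 'SSLv23:!SSLv2:!SSLv3' keeps the
# compatible hello but only lets TLS 1.0+ complete; use 'TLSv1_2' if every
# client supports it. The cipher string is the one quoted in the reply.
harden_xcatd_tls() {
    chdef -t site -o clustersite \
        xcatsslversion='SSLv23:!SSLv2:!SSLv3' \
        xcatsslciphers='ALL:!LOW:!EXP:!aNULL'
    service xcatd restart
}

# Check what a listener really negotiates. openssl s_client only prints the
# server certificate once the handshake has got that far, so its absence
# means the requested version was refused. An openssl built without SSLv3
# rejects -ssl3 outright, which answers the POODLE question just as well.
probe_tls_version() {
    host=$1; port=$2; flag=$3   # flag: -ssl3, -tls1, -tls1_1 or -tls1_2
    printf 'Q\n' | openssl s_client -connect "$host:$port" "$flag" 2>/dev/null \
        | grep -q 'BEGIN CERTIFICATE'
}
# Intended use after harden_xcatd_tls, against the management node:
#   probe_tls_version mn.example.com 3001 -ssl3   && echo "SSLv3 still accepted"
#   probe_tls_version mn.example.com 3001 -tls1_2 || echo "TLS 1.2 refused"

# The three strings discussed in the thread, resolved to the versions they allow.
for spec in 'SSLv23:!SSLv3:!SSLv2' 'TLSv1' 'SSLv23:!SSLv2:!SSLv3:!TLSv1_1:!TLSv1_2'; do
    printf '%-45s -> %s\n' "$spec" "$(ssl_versions_allowed "$spec")"
done
```

Run probe_tls_version against port 3001 (xcatd) and 443 (httpd) separately: the SSLProtocol line in the HTTPD config only covers the web server, while xcatsslversion only covers the daemon, so a scanner flagging POODLE has to be satisfied on both.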
