[Bugs] [Bug 1155630] New: GlusterFS allows insecure SSL modes
bugzilla at redhat.com
Wed Oct 22 13:48:05 UTC 2014
https://bugzilla.redhat.com/show_bug.cgi?id=1155630
Bug ID: 1155630
Summary: GlusterFS allows insecure SSL modes
Product: GlusterFS
Version: 3.4.5
Component: transport
Severity: urgent
Assignee: bugs at gluster.org
Reporter: kkeithle at redhat.com
CC: bugs at gluster.org, gluster-bugs at redhat.com, jdarcy at redhat.com
Depends On: 1155328
Blocks: 1117822 (glusterfs-3.6.0), 1125231 (glusterfs-3.5.3), 1125245 (glusterfs-3.4.6)
+++ This bug was initially created as a clone of Bug #1155328 +++
This is related to the so-called POODLE attack.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566
To summarize, POODLE involves a downgrade from TLS to SSLv3, combined with CBC
cipher modes. Users can avoid the downgrade by using an SSL library that
supports TLS_FALLBACK_SCSV, as recent versions of OpenSSL do. For users unable
to pursue that strategy, disabling CBC cipher modes is a potential workaround.
gluster volume set SOMEVOLUME ssl.cipherlist $something
Unfortunately, calculating $something is not trivial. The "openssl ciphers"
command does not have a built-in "CBC" group to exclude, nor does it support
wildcards. Therefore, it is necessary to create a list of cipher modes that
meet other criteria (e.g. "HIGH:!SSLv2") and manually delete "CBC" entries to
create a new list.
For users unwilling to calculate their own cipher lists, the default cipher
list in the GlusterFS TLS code should be changed to exclude CBC modes in
addition to other (current) restrictions ensuring optimal security. In the
very rare case that this might cause a communication failure due to lack of
compatible cipher modes between servers and clients (which would require a very
unlikely combination of GlusterFS and OpenSSL versions), we should also
document how such users can calculate and apply their own cipher list without
making themselves vulnerable to POODLE.
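The cipher-list calculation described in the report, as an added example that is not part of this bug report or of GlusterFS: OpenSSL's short suite names do not spell out the block mode (AES256-SHA is AES-CBC, while AES256-GCM-SHA384 is not), so grepping names for "CBC" misses most CBC suites; the filter below keys on the Enc= column of "openssl ciphers -v" and keeps only AEAD suites, which within HIGH is exactly the set left after deleting the CBC entries. It assumes a POSIX shell with awk; the sample lines are constructed, and SOMEVOLUME is the placeholder volume name from the report.

```shell
#!/bin/sh
# Read "openssl ciphers -v" lines on stdin and print a colon-separated
# cipher list containing only AEAD suites (GCM, CCM, CHACHA20-POLY1305).
# Within "HIGH", every non-AEAD suite OpenSSL lists (Enc=AES(...),
# Enc=3DES(...), Enc=Camellia(...)) is a CBC-mode suite, so this is the
# "manually delete CBC entries" step done mechanically.
drop_cbc_suites() {
    awk '
        {
            enc = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^Enc=/) enc = $i
            if (enc ~ /GCM|CCM|CHACHA20/) {
                if (names != "") names = names ":"
                names = names $1
            }
        }
        END { print names }
    '
}

# Constructed sample in "openssl ciphers -v" output format (not live
# openssl output): two GCM suites and three CBC suites.
SAMPLE_CIPHERS_V='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1'

# Filter the constructed sample; expected result is the two GCM suites.
filtered_sample() {
    printf '%s\n' "$SAMPLE_CIPHERS_V" | drop_cbc_suites
}

# Real use (assumes openssl in PATH and a volume named SOMEVOLUME):
#   list=$(openssl ciphers -v 'HIGH:!SSLv2' | drop_cbc_suites)
#   gluster volume set SOMEVOLUME ssl.cipherlist "$list"
filtered_sample
```

Run the real pipeline on both server and client OpenSSL versions before applying it, since the resulting list must intersect for the connection to succeed.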
--- Additional comment from Anand Avati on 2014-10-21 18:17:59 EDT ---
REVIEW: http://review.gluster.org/8962 (socket: disallow CBC cipher modes)
posted (#1) for review on master by Jeff Darcy (jdarcy at redhat.com)
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1117822
[Bug 1117822] Tracker bug for GlusterFS 3.6.0
https://bugzilla.redhat.com/show_bug.cgi?id=1125231
[Bug 1125231] GlusterFS 3.5.3 Tracker
https://bugzilla.redhat.com/show_bug.cgi?id=1125245
[Bug 1125245] GlusterFS 3.4.6 Tracker
https://bugzilla.redhat.com/show_bug.cgi?id=1155328
[Bug 1155328] GlusterFS allows insecure SSL modes