[Bugs] [Bug 1157661] New: GlusterFS allows insecure SSL modes
bugzilla at redhat.com
Mon Oct 27 12:45:51 UTC 2014
https://bugzilla.redhat.com/show_bug.cgi?id=1157661
Bug ID: 1157661
Summary: GlusterFS allows insecure SSL modes
Product: GlusterFS
Version: 3.5.2
Component: transport
Keywords: Patch, Triaged
Severity: urgent
Assignee: ndevos at redhat.com
Reporter: ndevos at redhat.com
CC: bugs at gluster.org, gluster-bugs at redhat.com, jdarcy at redhat.com
Depends On: 1155328
Blocks: 1125231 (glusterfs-3.5.3)
+++ This bug was initially created as a clone of Bug #1155328 +++
+++ Use this bug to get the fix included in release-3.5. +++
This is related to the so-called POODLE attack.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566
To summarize, POODLE involves a downgrade from TLS to SSLv3, combined with CBC
cipher modes. Users can avoid the downgrade by using an SSL library that
supports TLS_FALLBACK_SCSV, as recent versions of OpenSSL do. For users unable
to pursue that strategy, disabling CBC cipher modes is a potential workaround.
gluster volume set SOMEVOLUME ssl.cipherlist $something
Unfortunately, calculating $something is not trivial. The "openssl ciphers"
command does not have a built-in "CBC" group to exclude, nor does it support
wildcards. Therefore, it is necessary to create a list of cipher modes that
meet other criteria (e.g. "HIGH:!SSLv2") and manually delete "CBC" entries to
create a new list.
For users unwilling to calculate their own cipher lists, the default cipher
list in the GlusterFS TLS code should be changed to exclude CBC modes in
addition to other (current) restrictions ensuring optimal security. In the
very rare case that this might cause a communication failure due to lack of
compatible cipher modes between servers and clients (which would require a very
unlikely combination of GlusterFS and OpenSSL versions), we should also
document how users can calculate and apply their own cipher list without
making themselves vulnerable to POODLE.
--- Additional comment from Anand Avati on 2014-10-22 00:17:59 CEST ---
REVIEW: http://review.gluster.org/8962 (socket: disallow CBC cipher modes)
posted (#1) for review on master by Jeff Darcy (jdarcy at redhat.com)
--- Additional comment from Anand Avati on 2014-10-27 12:40:59 CET ---
COMMIT: http://review.gluster.org/8962 committed in master by Vijay Bellur
(vbellur at redhat.com)
------
commit 378a0a19d95e552220d71b13be685f4772c576cd
Author: Jeff Darcy <jdarcy at redhat.com>
Date: Tue Oct 21 16:54:48 2014 -0400
socket: disallow CBC cipher modes
This is related to CVE-2014-3566 a.k.a. POODLE.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566
POODLE is specific to CBC cipher modes in SSLv3. Because there is no
way to prevent SSLv3 fallback on a system with an unpatched version of
OpenSSL, users of such systems can only be protected by disallowing CBC
modes. The default cipher-mode specification in our code has been
changed accordingly. Users can still set their own cipher modes if they
wish. To support them, the ssl-authz.t test script provides an example
of how to combine the CBC exclusion with other criteria in a script.
Change-Id: Ib1fa547082fbb7de9df94ffd182b1800d6e354e5
BUG: 1155328
Signed-off-by: Jeff Darcy <jdarcy at redhat.com>
Reviewed-on: http://review.gluster.org/8962
Tested-by: Gluster Build System <jenkins at build.gluster.com>
Reviewed-by: Kaleb KEITHLEY <kkeithle at redhat.com>
Reviewed-by: Vijay Bellur <vbellur at redhat.com>
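The cipher-list calculation the bug report describes (take "openssl ciphers" output for criteria such as "HIGH:!SSLv2" and delete the CBC entries) and the combination of the CBC exclusion with other criteria that the commit message says ssl-authz.t demonstrates, worked through as an added example. This is not GlusterFS code and not the ssl-authz.t script. The sample "openssl ciphers -v" output is constructed for the example, VOLNAME is a placeholder volume name, and the example goes a step beyond a plain name match: most CBC suite names (AES128-SHA, for instance) do not contain the string "CBC", so suites are classified by the Enc and Mac columns of the verbose listing, treating any non-AEAD suite built on a block cipher as CBC.

```python
"""Compute a CBC-free value for `gluster volume set VOLNAME ssl.cipherlist`.

Added example, not GlusterFS project code. It parses the verbose output of
`openssl ciphers -v CRITERIA` and drops every suite that uses a CBC-mode
block cipher, which is the manual step the bug report asks users to do.
"""
import shutil
import subprocess

# Constructed sample resembling `openssl ciphers -v 'HIGH:!SSLv2'` output on a
# 2014-era OpenSSL. Made up for this example; not captured from a real system.
SAMPLE_OPENSSL_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
"""

# Block ciphers that OpenSSL runs in CBC mode whenever the suite is not AEAD.
CBC_BLOCK_CIPHERS = ("AES(", "Camellia(", "3DES(", "DES(", "SEED(", "IDEA(")


def parse_ciphers_v(text):
    """Parse `openssl ciphers -v` lines into (name, {field: value}) tuples."""
    suites = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue  # blank or unexpected line
        name, version = parts[0], parts[1]
        fields = {"Version": version}
        for token in parts[2:]:
            key, _, value = token.partition("=")
            if value:
                fields[key] = value
        suites.append((name, fields))
    return suites


def is_cbc_suite(name, fields):
    """A suite is CBC unless it is AEAD; the suite name alone is not reliable."""
    if "CBC" in name:                      # e.g. DES-CBC3-SHA says so explicitly
        return True
    if fields.get("Mac") == "AEAD":
        return False                       # GCM/CCM/ChaCha20-Poly1305: no CBC
    return fields.get("Enc", "").startswith(CBC_BLOCK_CIPHERS)


def cbc_free_cipherlist(text):
    """Return the colon-separated OpenSSL cipher list with CBC suites removed."""
    keep = [name for name, f in parse_ciphers_v(text) if not is_cbc_suite(name, f)]
    return ":".join(keep)


def cipherlist_from_openssl(criteria="HIGH:!SSLv2"):
    """Run the real `openssl ciphers -v` when available, else use the sample."""
    if shutil.which("openssl"):
        out = subprocess.run(["openssl", "ciphers", "-v", criteria],
                             capture_output=True, text=True, check=True).stdout
    else:
        out = SAMPLE_OPENSSL_V
    return cbc_free_cipherlist(out)


if __name__ == "__main__":
    # Print the command from the bug report; VOLNAME is a placeholder.
    print("gluster volume set VOLNAME ssl.cipherlist '%s'"
          % cipherlist_from_openssl())
```

On the constructed sample this leaves only the three GCM suites. The list depends on the OpenSSL build the brokers and clients actually link against, so it is worth recomputing after an OpenSSL upgrade and confirming that every client still shares at least one suite with the servers; users who take the fixed default from the commit above do not need to set ssl.cipherlist at all.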
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1125231
[Bug 1125231] GlusterFS 3.5.3 Tracker
https://bugzilla.redhat.com/show_bug.cgi?id=1155328
[Bug 1155328] GlusterFS allows insecure SSL modes