SSLv3 POODLE Attack CVE-2014-3566

Overview

xCAT does not package an OpenSSL RPM, nor does it statically link to the OpenSSL libraries.
Get the latest OpenSSL fix from your OS distributor; no code changes to xCAT are needed.

However, you can use the site table attributes xcatsslciphers and xcatsslversion to tune which protocol versions and ciphers are and are not acceptable.
For a detailed explanation and the value format, read the SSL_version and SSL_cipher_list sections in http://search.cpan.org/~sullr/IO-Socket-SSL-2.002/lib/IO/Socket/SSL.pod

How to Configure SSL Version Between xcatd and xcat Client

An SSL connection is used for communication between xcatd and the xCAT client. In xCAT 2.10 and higher, TLSv1 is the default version for the SSL connection between xcatd and the xCAT client. For lower versions, you have to set the SSL version manually.

The highest SSL version supported by rhels6.x and sles11.x is TLSv1, so the only value you can set is 'TLSv1':

chtab key=xcatsslversion site.value=TLSv1

The highest SSL version supported by rhels7.x, sles12.x and Ubuntu 14.x is TLSv1.2, so you can set one of 'TLSv1', 'TLSv1.1' or 'TLSv1.2' (the highest version, TLSv1.2, is recommended). Note that the spelling of the value differs between platforms:

[For rhels7.x and sles12.x]
chtab key=xcatsslversion site.value=TLSv12

[For Ubuntu 14.x]
chtab key=xcatsslversion site.value=TLSv1_2

[For AIX 7.1.3.x]
chtab key=xcatsslversion site.value=TLSv1_2

If you want to disable some insecure ciphers, set xcatsslciphers as follows (this only works when xcatsslversion is higher than TLSv1). The row is shown in tabdump format for the site table:

"xcatsslciphers","kDH:kEDH:kRSA:!SSLv3:!SSLv2:!aNULL:!eNULL:!MEDIUM:!LOW:!MD5:!EXPORT:!CAMELLIA:!ECDH",,

How to check the SSL version that xcatd can accept?

Run the following command to check whether TLSv1 is supported by xcatd (xcatd listens on port 3001):

openssl s_client -connect 127.0.0.1:3001 -tls1
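The single command above tests one version. As an added example (not a script from the xCAT project), the POSIX sh probe below runs openssl s_client once per protocol flag against xcatd and reports which versions the daemon accepts, so you can confirm SSLv3 is rejected after changing xcatsslversion. It assumes xcatd on 127.0.0.1:3001 as above; the s_client output fragments it self-checks against are constructed, not real captures.

```shell
#!/bin/sh
# Constructed s_client output fragments (not captured from a real xcatd),
# used only for the offline self-check of handshake_result.
SAMPLE_ACCEPTED='New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-SHA'
SAMPLE_REJECTED='New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000'

# handshake_result: read `openssl s_client` output on stdin and print
# "accepted <protocol>" when a cipher was negotiated, or "rejected" when the
# handshake failed (s_client then prints "New, (NONE), Cipher is (NONE)").
handshake_result() {
    out=$(cat)
    case "$out" in
        *"Cipher is (NONE)"*|"")
            echo "rejected" ;;
        *)
            proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
            echo "accepted ${proto:-unknown}" ;;
    esac
}

# probe_version: try one protocol flag against host:port. A modern OpenSSL
# client may be built without SSLv3, so "-ssl3" can fail on the client side;
# report that separately from a server rejection or an unreachable port.
probe_version() {
    host=$1; port=$2; flag=$3
    out=$(openssl s_client -connect "$host:$port" "$flag" </dev/null 2>&1)
    case "$out" in
        *"nknown option"*) echo "$flag: client-unsupported" ;;
        *"connect:errno"*) echo "$flag: unreachable" ;;
        *) echo "$flag: $(printf '%s\n' "$out" | handshake_result)" ;;
    esac
}

# probe_xcatd: walk the versions this page discusses, oldest first.
# Only "-ssl3: rejected" (or client-unsupported) means POODLE is closed off.
probe_xcatd() {
    host=${1:-127.0.0.1}; port=${2:-3001}
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        probe_version "$host" "$port" "$flag"
    done
}

# Run the live probe only when a host is given, e.g.: sh probe.sh 127.0.0.1 3001
if [ $# -gt 0 ]; then probe_xcatd "$@"; fi
```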
