# 2014_11_04_Poodle_Attack
Victor Hu edited this page 2016-01-06 08:27:53 -05:00

## Advisory CVE

- CVE-2014-3566: The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.

## Overview

xCAT does not package the OpenSSL RPM, nor does it statically link to the OpenSSL libraries. Please obtain the latest OpenSSL fixes from your Operating System distribution. No code changes to xCAT are required.

Use the xCAT site table attributes xcatsslciphers and xcatsslversion to tune the SSL configuration. For a detailed explanation and the accepted format of each value, read about SSL_version and SSL_cipher_list in the IO::Socket::SSL documentation: http://search.cpan.org/~sullr/IO-Socket-SSL-2.002/lib/IO/Socket/SSL.pod

## How to Configure SSL Version Between xcatd and xcat client

An SSL connection is used for communication between xcatd and the xcat client. In xCAT 2.10 and higher, TLSv1 is the default version for the SSL connection between xcatd and the xcat client. For lower versions, you have to set the SSL version manually.

The highest SSL version supported by RHEL 6.x and SLES 11.x is TLSv1. To set it:

    chtab key=xcatsslversion site.value=TLSv1

The highest SSL version supported by RHEL 7.x, SLES 12.x, and Ubuntu 14.x is TLSv1.2.
Valid versions are 'TLSv1', 'TLSv1.1', or 'TLSv1.2', and setting the highest is recommended. To set it:

[For RHEL 7.x and SLES 12.x]

    chtab key=xcatsslversion site.value=TLSv12

[For Ubuntu 14.x]

    chtab key=xcatsslversion site.value=TLSv1_2

[For AIX 7.1.3.x]

    chtab key=xcatsslversion site.value=TLSv1_2

To disable insecure ciphers, set xcatsslciphers to the following value. (This only takes effect when xcatsslversion is higher than TLSv1.)

    "xcatsslciphers","kDH:kEDH:kRSA:!SSLv3:!SSLv2:!aNULL:!eNULL:!MEDIUM:!LOW:!MD5:!EXPORT:!CAMELLIA:!ECDH",,

## Checking the SSL version that xcatd can accept

Run the following command to check whether TLSv1 is accepted by xcatd:

    openssl s_client -connect 127.0.0.1:3001 -tls1
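The single s_client check above only tells you whether one version is accepted. The script below is an added example (not part of the xCAT wiki or the xCAT code) that probes all four protocol versions, so you can confirm that SSLv3 is refused and that the live listener matches the xcatsslversion value in the site table, using the spellings this page uses. It assumes openssl is on PATH and xcatd listens on the given host and port (3001 by default); the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the xCAT wiki page: probe which SSL/TLS versions
# an xcatd listener accepts and compare with the site.xcatsslversion value.
# Assumptions: openssl is on PATH, xcatd listens on HOST:PORT (3001 by
# default), and this openssl build knows -ssl3, -tls1, -tls1_1, -tls1_2.

# Map a site.xcatsslversion value (spellings used on this page) to the
# s_client flag that speaks exactly that version; 1 for an unknown value.
sclient_flag_for() {
    case "$1" in
        TLSv1)          echo "-tls1" ;;
        TLSv11|TLSv1_1) echo "-tls1_1" ;;
        TLSv12|TLSv1_2) echo "-tls1_2" ;;
        *)              return 1 ;;
    esac
}

# Classify the combined stdout+stderr of one `openssl s_client` run: on
# success it prints "New, <proto>, Cipher is <name>", on a refused version
# "New, (NONE), Cipher is (NONE)". A refused TCP connection is reported
# separately so a stopped xcatd is not mistaken for a hardened one.
classify_handshake() {
    case "$1" in
        *"connect:errno"*|*"Connection refused"*) echo "unreachable" ;;
        *"nknown option"*|*"nrecognized flag"*)   echo "client-lacks-flag" ;;
        *"Cipher is (NONE)"*)                     echo "rejected" ;;
        *"Cipher is "*)                           echo "accepted" ;;
        *)                                        echo "unknown" ;;
    esac
}

# Try one protocol flag against HOST:PORT and classify the outcome.
probe_version() {
    out=$(openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1) || true
    classify_handshake "$out"
}

# Probe every version; the flag matching CONFIGURED (e.g. TLSv12) is marked
# so a mismatch between the site table and the live listener stands out.
# -ssl3 must always read "rejected" (that is the POODLE exposure).
probe_xcatd() {
    want=$(sclient_flag_for "${3:-}") || want=""
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        mark=""; [ "$flag" = "$want" ] && mark=" <- configured"
        printf '%-8s %s%s\n' "$flag" "$(probe_version "$1" "$2" "$flag")" "$mark"
    done
}
# Live run only when a host is given: sh probe.sh 127.0.0.1 3001 TLSv12
if [ -n "${1:-}" ]; then
    probe_xcatd "$1" "${2:-3001}" "${3:-}"
fi
```

With xcatsslversion set to TLSv12 (or TLSv1_2) the expected report is "rejected" for -ssl3, -tls1 and -tls1_1 and "accepted" for -tls1_2.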