<div dir="ltr"><div><div><div>Hello,<br><br></div>My RHEVM hypervisors (Red Hat Enterprise Virtualization Hypervisor release 7.2 (20160627.3.el7ev)) are failing corporate Nessus TCP/IP vulnerability scans spectacularly with the following.<br><br>1) "SSL Certificate Chain Contains RSA Keys Less Than 2048 bits": many ports in the 5900 range are presenting certificates signed by a key of 1024 bits. I can certainly see 1024-bit keys on the management server and the hypervisors:<br></div><br>management ovirt-engine]# openssl x509 -in ca.pem -noout -text | grep Public-Key<br> Public-Key: (1024 bit)<br><br>hypervisor admin]# openssl x509 -in /etc/pki/vdsm/certs/cacert.pem -noout -text | grep Public-Key<br> Public-Key: (1024 bit)<br><br><br></div><div>Can anyone point me at directions on how to regenerate the key(s) with 2048 bits, and all certificates, preferably without breaking anything?<br></div><div>The management server is running RHEL 6.8, rhevm-3.6.7.5.<br></div><div><br>2) "TLS Version 1.2 Protocol Detection": Port 54321 is failing because it doesn't support TLS v1.2 (and also because its certificate's key is less than 2048 bits). This port is used by "/usr/bin/python /usr/share/vdsm/vdsm".<br><br></div><div>Can I enable TLS v1.2 in vdsm? It doesn't have to accept TLSv1.2 exclusively, it just has to have v1.2 available (and NOT SSLv2 or 3).<br><br></div><div><br><br>If I firewall off these ports, I can't connect to VMs' consoles anymore, so hiding from the scanner isn't feasible for long. Please help point me in the right direction.<br><br></div>Thanks,<br><div><div><div>Chris<br clear="all"></div><div><br>-- <br><div data-smartmail="gmail_signature"><i><font size="1">The Starflyer is real!</font></i></div>
</div></div></div></div>
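Added here as a worked check, not part of Chris's mail or of RHEV/vdsm: a small POSIX shell helper that measures the two things the Nessus findings complain about, the RSA key size behind a PEM certificate (the same `openssl x509 ... | grep Public-Key` check as above, turned into a function) and whether a port completes a TLS 1.2-only handshake. It assumes only the `openssl` command-line tool. The certificates it inspects are constructed sample files generated into a temporary directory (one 1024-bit, one 2048-bit); on a real host you would point `cert_key_bits` at `/etc/pki/vdsm/certs/cacert.pem` or `ca.pem` and `tls12_supported` at the hypervisor's port 54321 instead.

```shell
#!/bin/sh
# Added example (not from the original mail or from vdsm): audit helpers for
# "RSA key < 2048 bits" and "TLS 1.2 not offered" findings. Requires openssl.
#
# cert_key_bits FILE        -> prints the public-key size of a PEM certificate
# cert_key_ok FILE          -> exit 0 if the key is >= 2048 bits, 1 otherwise
# tls12_supported HOST PORT -> exit 0 if a TLS 1.2-only handshake completes
#                              (network check; not exercised offline here)

cert_key_bits() {
    # Turns the "Public-Key: (1024 bit)" line into just "1024".
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

cert_key_ok() {
    bits=$(cert_key_bits "$1")
    if [ -n "$bits" ] && [ "$bits" -ge 2048 ]; then
        return 0
    fi
    return 1
}

tls12_supported() {
    # -tls1_2 forces a TLS 1.2-only ClientHello; a server that does not offer
    # TLS 1.2 fails the handshake and s_client exits non-zero. Certificate
    # verification is not the point here, only whether the version is offered.
    openssl s_client -connect "$1:$2" -tls1_2 </dev/null >/dev/null 2>&1
}

# Constructed sample data: two self-signed certificates, one with a weak
# 1024-bit key (like the one reported above) and one with 2048 bits.
make_sample_cert() {
    # $1 = RSA key size in bits, $2 = output certificate path
    openssl req -x509 -newkey "rsa:$1" -nodes -keyout "${2%.pem}.key" \
        -out "$2" -subj "/CN=sample" -days 1 >/dev/null 2>&1
}

SAMPLE_DIR=$(mktemp -d)
make_sample_cert 1024 "$SAMPLE_DIR/weak.pem"
make_sample_cert 2048 "$SAMPLE_DIR/ok.pem"

for cert in "$SAMPLE_DIR/weak.pem" "$SAMPLE_DIR/ok.pem"; do
    if cert_key_ok "$cert"; then
        echo "OK   $(cert_key_bits "$cert") bit  $cert"
    else
        echo "WEAK $(cert_key_bits "$cert") bit  $cert"
    fi
done
```

Running the same two functions over every certificate under `/etc/pki/vdsm` and against the live ports (for example `tls12_supported hypervisor 54321` alongside `-tls1`, `-ssl3` variants, where the build supports them) gives a quick before/after comparison once keys have been regenerated or vdsm's TLS settings changed, without waiting for the next scheduled Nessus run.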