Hello,

My RHEVM hypervisors (Red Hat Enterprise Virtualization Hypervisor release 7.2 (20160627.3.el7ev)) are failing corporate Nessus TCP/IP vulnerability scans spectacularly with the following.

1) "SSL Certificate Chain Contains RSA Keys Less Than 2048 bits": many ports in the 5900 range are presenting certificates signed by a key of 1024 bits.  I can certainly see 1024-bit keys on the management server and the hypervisors:

management ovirt-engine]# openssl x509 -in ca.pem -noout -text | grep Public-Key
                Public-Key: (1024 bit)

hypervisor admin]# openssl x509 -in /etc/pki/vdsm/certs/cacert.pem -noout -text | grep Public-Key
                Public-Key: (1024 bit)
Can anyone point me at directions on how to regenerate the key(s) with 2048 bits, and all certificates, preferably without breaking anything?
The management server is running RHEL 6.8, rhevm-3.6.7.5.

2) "TLS Version 1.2 Protocol Detection": Port 54321 is failing because it doesn't support TLS v1.2 (and also because its certificate's key is less than 2048 bits).  This port is used by "/usr/bin/python /usr/share/vdsm/vdsm".

Can I enable TLS v1.2 in vdsm? It doesn't have to accept TLSv1.2 exclusively, it just has to have v1.2 available (and NOT SSLv2 or 3).
If I firewall off these ports, I can't connect to VMs' consoles anymore, so hiding from the scanner isn't feasible for long. Please help point me in the right direction.

Thanks,
Chris

--
The Starflyer is real!
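As an added example (not part of Chris's post, and not RHEV/oVirt project code), the following POSIX shell helper turns the two manual checks in the post into a repeatable audit: it reads the RSA key size out of `openssl x509 -text` exactly as the post does, flags anything below 2048 bits, and probes a host:port for a given TLS version with `openssl s_client`. It assumes only the openssl CLI; the paths, host name and the self-signed test certificates it generates are constructed for illustration.

```shell
#!/bin/sh
# Added audit helper (not from the original post): report RSA key sizes of
# PEM certificates and probe a listener for the TLS versions it accepts.

# Print the RSA public-key size in bits of a PEM certificate, or nothing if
# the file cannot be parsed. Matches the "Public-Key: (1024 bit)" line that
# "openssl x509 -noout -text" prints.
rsa_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Succeed (exit 0) if the certificate's key has at least MIN bits
# (default 2048, the threshold the scanner finding uses), fail otherwise.
audit_cert() {
    b=$(rsa_key_bits "$1")
    min=${2:-2048}
    [ -n "$b" ] && [ "$b" -ge "$min" ]
}

# Report every certificate path given as an argument, one line each;
# exit status is non-zero if any certificate is weak or unreadable.
audit_certs() {
    rc=0
    for f in "$@"; do
        b=$(rsa_key_bits "$f")
        if audit_cert "$f"; then
            printf 'OK    %s (%s bit)\n' "$f" "$b"
        else
            printf 'WEAK  %s (%s bit, want >= 2048)\n' "$f" "${b:-unreadable}"
            rc=1
        fi
    done
    return "$rc"
}

# Succeed if HOST:PORT completes a handshake with the given protocol flag
# (one of tls1_2, tls1_1, tls1, ssl3). Network probe: a failure means either
# the peer refused that version or the local openssl was built without it.
tls_version_accepted() {
    printf '' | openssl s_client -connect "$1:$2" "-$3" >/dev/null 2>&1
}

# Print which protocol versions HOST:PORT accepts. A hardened vdsm port
# should show tls1_2 accepted and ssl3 refused.
probe_tls_versions() {
    for v in ssl3 tls1 tls1_1 tls1_2; do
        if tls_version_accepted "$1" "$2" "$v"; then
            printf '%s:%s %-7s accepted\n' "$1" "$2" "$v"
        else
            printf '%s:%s %-7s refused\n' "$1" "$2" "$v"
        fi
    done
}

# Generate a throwaway self-signed certificate with an RSA key of BITS bits
# at PATH (constructed test data only; the key lands in PATH.key).
make_test_cert() {
    openssl req -x509 -newkey "rsa:$1" -nodes -keyout "$2.key" -out "$2" \
        -subj "/CN=constructed-test" -days 1 >/dev/null 2>&1
}

# Stand-alone use: audit the certificate paths given on the command line, e.g.
#   ./audit.sh /etc/pki/vdsm/certs/cacert.pem   (path from the post)
# then probe the vdsm port on a host name of your own:
#   probe_tls_versions hypervisor.example.invalid 54321
if [ "$#" -gt 0 ]; then
    audit_certs "$@"
fi
```

Run it against the CA and per-service certificates on both the engine and each hypervisor before and after any re-keying, and keep the `probe_tls_versions` output for port 54321 as evidence for the scanner team: the scanner's two findings map directly onto a WEAK line and an `ssl3 accepted` or `tls1_2 refused` line.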