[ovirt-users] Short SSL key sizes, and TLS 1.2 on vdsm

Chris H saturos at gmail.com
Mon Aug 15 17:20:15 UTC 2016


Hello,

My RHEVM hypervisors (Red Hat Enterprise Virtualization Hypervisor release
7.2 (20160627.3.el7ev)) are failing corporate Nessus TCP/IP vulnerability
scans spectacularly with the following.

1) "SSL Certificate Chain Contains RSA Keys Less Than 2048 bits": many
ports in the 5900 range are presenting certificates signed by a key of 1024
bits.  I can certainly see 1024-bit keys on the management server and the
hypervisors:

management ovirt-engine]# openssl x509 -in ca.pem -noout -text | grep Public-Key
                Public-Key: (1024 bit)

hypervisor admin]# openssl x509 -in /etc/pki/vdsm/certs/cacert.pem -noout -text | grep Public-Key
                Public-Key: (1024 bit)


Can anyone point me at directions on how to regenerate the key(s) with 2048
bits, and all certificates, preferably without breaking anything?
The management server is running RHEL 6.8, rhevm-3.6.7.5.

2) "TLS Version 1.2 Protocol Detection": Port 54321 is failing because it
doesn't support TLS v1.2 (and also because its certificate's key is less
than 2048 bits).  This port is used by "/usr/bin/python
/usr/share/vdsm/vdsm".

Can I enable TLS v1.2 in vdsm? It doesn't have to accept TLSv1.2
exclusively, it just has to have v1.2 available (and NOT SSLv2 or 3).



If I firewall off these ports, I can't connect to VMs' consoles anymore, so
hiding from the scanner isn't feasible for long. Please help point me in
the right direction.

Thanks,
Chris

-- 
*The Starflyer is real!*
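As an added example (not code from the original post, nor from oVirt or vdsm), here is a small POSIX shell audit for the two scanner findings above: it reads the key size out of a PEM certificate the same way the `openssl x509` check in the post does, fails any certificate below 2048 bits, and probes a host:port for a single TLS version as the scanner would. It assumes `openssl` is on the PATH; the threshold, the sample certificate names and the probe target are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Requires openssl on the PATH.

# Print the public key size of a PEM certificate (e.g. 1024 for the CA in the post).
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Succeed only when the certificate's key is at least 2048 bits (assumed threshold).
cert_key_ok() {
    bits=$(cert_key_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge 2048 ]
}

# Probe whether host:port completes a handshake with exactly the given version.
# ver is one of tls1, tls1_1, tls1_2 (the openssl s_client option names).
tls_version_supported() {
    host=$1; port=$2; ver=$3
    case "$ver" in
        tls1)   label='TLSv1' ;;
        tls1_1) label='TLSv1.1' ;;
        tls1_2) label='TLSv1.2' ;;
        *)      echo "unknown version: $ver" >&2; return 2 ;;
    esac
    openssl s_client -connect "$host:$port" "-$ver" </dev/null 2>/dev/null \
        | grep -q "Protocol *: ${label}$"
}

# Print one line per certificate: WEAK or OK, the key size and the path.
audit_certs() {
    for f in "$@"; do
        bits=$(cert_key_bits "$f")
        if cert_key_ok "$f"; then echo "OK   $bits bits $f"; else echo "WEAK $bits bits $f"; fi
    done
}

# Constructed sample input: two throwaway self-signed certs in a temp dir, one with
# a 1024-bit key like the CA in the post and one with a 2048-bit key. Prints the dir.
make_sample_certs() {
    dir=$(mktemp -d)
    for bits in 1024 2048; do
        openssl req -x509 -newkey "rsa:$bits" -nodes -sha256 -days 1 \
            -subj "/CN=sample-$bits" -keyout "$dir/key-$bits.pem" \
            -out "$dir/cert-$bits.pem" >/dev/null 2>&1
    done
    echo "$dir"
}
```

On a real host the checks would be `audit_certs /etc/pki/vdsm/certs/*.pem` and `tls_version_supported hypervisor.example 54321 tls1_2`; the probe only reports whether the server negotiates that version.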

