Re: [CentOS] POODLE on CentOS
The following nmap invocation may also be helpful with testing:

    nmap --script ssl-enum-ciphers -p 443 hostname

Kahlil (Kal) Hodgson                    GPG: C9A02289
Head of Technology                      (m) +61 (0) 4 2573 0382
DealMax Pty Ltd
Suite 1416
401 Docklands Drive
Docklands VIC 3008
Australia

"All parts should go together without forcing. You must remember that the parts you are reassembling were disassembled by you. Therefore, if you can't get them together again, there must be a reason. By all means, do not use a hammer." -- IBM maintenance manual, 1925

On Fri, Oct 17, 2014 at 3:32 PM, Tharun Kumar Allu wrote:
> Modifying apache configuration to the following should take care of it.
> The SSLProtocol directive disables SSLv2 and SSLv3 and leaves the others on.
>
> SSLProtocol all -SSLv2 -SSLv3
> SSLHonorCipherOrder on
> SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384
> EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH
> EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
>
> On Thu, Oct 16, 2014 at 7:41 PM, James B. Byrne wrote:
>
>> According to the centos wiki:
>>
>> Validating Changes
>>
>> You can use Qualys SSL Labs to verify that your web server is no longer
>> vulnerable to POODLE or TLS_FALLBACK_SCSV once all action is complete. You
>> might also want to only use TLSv1.2 for httpd on CentOS-6.5 (or higher) and
>> CentOS-7, while using TLSv1 on CentOS-5.
>>
>> However, on my up-to-date stock CentOS-6.5 the httpd version is 2.2.15 and
>> attempts to use SSLProtocols greater than v1 yield this error:
>>
>> Syntax error on line 101 of /etc/httpd/conf.d/ssl.conf:
>> SSLProtocol: Illegal protocol 'TLSv1.1'
>>
>> I presume that the wiki is in error but I would like confirmation of that or
>> instructions on how to enable TLSv1.1 and 1.2 on CentOS-6.5.
>>
>> --
>> *** E-Mail is NOT a SECURE channel ***
>> James B. Byrne                mailto:byrn...@harte-lyne.ca
>> Harte & Lyne Limited          http://www.harte-lyne.ca
>> 9 Brockley Drive              vox: +1 905 561 1241
>> Hamilton, Ontario             fax: +1 905 561 0757
>> Canada  L8E 3C3
>
> --
> Tharun Kumar Allu

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] POODLE on CentOS
Modifying apache configuration to the following should take care of it. The SSLProtocol directive disables SSLv2 and SSLv3 and leaves the others on.

    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384
    EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH
    EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

On Thu, Oct 16, 2014 at 7:41 PM, James B. Byrne wrote:
> According to the centos wiki:
>
> Validating Changes
>
> You can use Qualys SSL Labs to verify that your web server is no longer
> vulnerable to POODLE or TLS_FALLBACK_SCSV once all action is complete. You
> might also want to only use TLSv1.2 for httpd on CentOS-6.5 (or higher) and
> CentOS-7, while using TLSv1 on CentOS-5.
>
> However, on my up-to-date stock CentOS-6.5 the httpd version is 2.2.15 and
> attempts to use SSLProtocols greater than v1 yield this error:
>
> Syntax error on line 101 of /etc/httpd/conf.d/ssl.conf:
> SSLProtocol: Illegal protocol 'TLSv1.1'
>
> I presume that the wiki is in error but I would like confirmation of that or
> instructions on how to enable TLSv1.1 and 1.2 on CentOS-6.5.
>
> --
> *** E-Mail is NOT a SECURE channel ***
> James B. Byrne                mailto:byrn...@harte-lyne.ca
> Harte & Lyne Limited          http://www.harte-lyne.ca
> 9 Brockley Drive              vox: +1 905 561 1241
> Hamilton, Ontario             fax: +1 905 561 0757
> Canada  L8E 3C3

--
Tharun Kumar Allu
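As an added illustration (not code from this thread or from the CentOS project), the following Python models how mod_ssl evaluates an SSLProtocol line, so a fragment like the one above can be checked for a still-negotiable SSLv3 before httpd is restarted. The two protocol sets and the sample fragment are assumptions; the 2.2.15 set reflects the "Illegal protocol 'TLSv1.1'" error reported in the quoted message.

```python
# Protocol keywords accepted by a given mod_ssl build (assumed sets).
# Stock httpd 2.2.15 on CentOS-6.5, as reported in this thread, rejects
# TLSv1.1/TLSv1.2 with "Illegal protocol"; later builds know all five.
PROTOCOLS_HTTPD_2_2_15 = frozenset({"SSLv2", "SSLv3", "TLSv1"})
PROTOCOLS_MODERN = frozenset({"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"})


def parse_ssl_protocol(directive, known=PROTOCOLS_MODERN):
    """Return the set of protocols an SSLProtocol line leaves enabled.

    Follows mod_ssl's word-by-word rules: '+X' adds, '-X' removes, a bare
    'X' replaces whatever was set so far, 'all' expands to every protocol
    the build knows, and names are case-insensitive. An unknown name raises
    with the message httpd prints at config check time.
    """
    words = directive.split()
    if not words or words[0].lower() != "sslprotocol":
        raise ValueError("not an SSLProtocol directive")
    canonical = {name.lower(): name for name in known}
    enabled = set()
    for word in words[1:]:
        action = ""
        if word[:1] in ("+", "-"):
            action, word = word[0], word[1:]
        if word.lower() == "all":
            this = set(known)
        elif word.lower() in canonical:
            this = {canonical[word.lower()]}
        else:
            raise ValueError("SSLProtocol: Illegal protocol '%s'" % word)
        if action == "-":
            enabled -= this
        elif action == "+":
            enabled |= this
        else:
            enabled = this          # bare keyword overrides earlier settings
    return enabled


def audit_ssl_conf(conf_text, known=PROTOCOLS_MODERN):
    """Summarise the POODLE-relevant settings of an ssl.conf fragment."""
    result = {"protocols": None, "sslv3_enabled": None, "honor_cipher_order": False}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        key = line.split()[0].lower()
        if key == "sslprotocol":
            result["protocols"] = parse_ssl_protocol(line, known)
            result["sslv3_enabled"] = "SSLv3" in result["protocols"]
        elif key == "sslhonorcipherorder":
            result["honor_cipher_order"] = line.split()[1].lower() == "on"
    return result


# Constructed sample fragment, matching the directives posted in the thread.
SAMPLE_CONF = "SSLProtocol all -SSLv2 -SSLv3\nSSLHonorCipherOrder on\n"
```

Run the same fragment against PROTOCOLS_HTTPD_2_2_15 to see why `all -SSLv2 -SSLv3` works on the stock 2.2.15 build (it leaves only TLSv1) while naming TLSv1.1 or TLSv1.2 explicitly fails there.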
[CentOS] POODLE on CentOS
According to the centos wiki:

    Validating Changes

    You can use Qualys SSL Labs to verify that your web server is no longer
    vulnerable to POODLE or TLS_FALLBACK_SCSV once all action is complete. You
    might also want to only use TLSv1.2 for httpd on CentOS-6.5 (or higher) and
    CentOS-7, while using TLSv1 on CentOS-5.

However, on my up-to-date stock CentOS-6.5 the httpd version is 2.2.15 and attempts to use SSLProtocols greater than v1 yield this error:

    Syntax error on line 101 of /etc/httpd/conf.d/ssl.conf:
    SSLProtocol: Illegal protocol 'TLSv1.1'

I presume that the wiki is in error but I would like confirmation of that or instructions on how to enable TLSv1.1 and 1.2 on CentOS-6.5.

--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
[CentOS] POODLE on CentOS
The following updates address POODLE on CentOS:

CentOS-5:
http://lists.centos.org/pipermail/centos-announce/2014-October/020696.html

CentOS-6.5:
http://lists.centos.org/pipermail/centos-announce/2014-October/020697.html

CentOS-7:
http://lists.centos.org/pipermail/centos-announce/2014-October/020695.html

Please note that the CentOS-6.5 updates are built from:

    openssl-1.0.1e-30.el6_5.2.src.rpm

This is the version that Red Hat released for RHEL 6.6 as openssl-1.0.1e-30.el6_6.2.src.rpm. Notice that the dist tag is different for our release. The reason is that we are currently working on CentOS-6.6 and it will not be released for several more days. Rather than wait on the POODLE issue, the CentOS team decided to build a version of this update for 6.5 (the current release, built from openssl-1.0.1e-30.el6_5.2.src.rpm) as well as a version based on openssl-1.0.1e-30.el6_6.2.src.rpm as a zeroday update for CentOS-6.6 when it is released.

You must also take action to disable SSLv3 as well as installing these updates to mitigate POODLE on CentOS-5, CentOS-6 and/or CentOS-7. Please see this link for details:

http://wiki.centos.org/Security/POODLE

Thanks,
Johnny Hughes

signature.asc
Description: OpenPGP digital signature
Re: [CentOS] Filesystem writes unexpectedly slow (CentOS 6.4)
On 14/10/14, 6:45, Peter Kjellström wrote:
> On Mon, 13 Oct 2014 20:15:11 -0500 Joakim Ziegler wrote:
> ...
>> So, if I use iozone -a to test write speeds on the raw device, I get
>> results in the 500-800MB/sec range, depending on write sizes, which is
>> about what I'd expect. However, when I have an ext4 filesystem on this
>> device, mounted with noatime and data=writeback, (the filesystem is
>> completely empty) and I test with dd, the results are less encouraging:
> ...
>> Now, I'm sure there can be many reasons for this, but I wonder where I
>> should start looking to debug this.
>
> First I'd suggest comparing apples to apples. That is try doing the dd
> test on the raw device and compare to dd on ext4.
>
> Then you may want to try changing io scheduler from the default cfq to
> deadline. This typically works better for many raid controllers but ymmv.
>
> Also testing with xfs instead of ext4 is probably worth it. xfs usually
> outperforms ext4 in streaming writes (like dd). Of course this raises the
> question of whether that dd is a useful metric for your actual load...
>
> xfs may in fact be needed (3T * 7 = 21 TB > ext4 max (if I remember
> correctly, refer to rh online data for rhel6 to make sure)).

Upgrading to 6.5 with its new kernel did not fix the problem. I will be doing some more testing.

The strange thing is, I have a near-identical machine also running CentOS 6.5, also with ext4 on the same controller (and another, newer Areca controller), and there it's extremely fast; on the fastest controller there, dd hits around 2GB/sec sustained over 200 GB of data on a 24-disk RAID6 (both systems have 96GB of RAM each).

And yes, I've formatted with a newer version of e2fsprogs than is included with the distro, to get 16TB+ support, although in the case of the device I'm currently testing, it actually has two partitions, so I wouldn't have needed to.

I'll do a bit more testing and come back with my results.

--
Joakim Ziegler - Supervisor de postproducción - Terminal
joa...@terminalmx.com - 044 55 2971 8514 - 5264 0864
Re: [CentOS] Loss of Ethernet adaptor
On Wed, Oct 15, 2014 at 8:41 AM, James B. Byrne wrote:
> This is a return to an issue I first raised back in June. We had a similar
> occurrence in September while I was away and so I am revisiting the entire
> matter.
>
> Steve Clark on 6 Jun 16:02 2014 wrote:
>> Hi,
>>
>> We ran into this problem also - the interface would disappear.
>> There is newer e1000e driver that fixes it or you could
>> add pcie_aspm=off to your kernel command line.
>>
>> HTH,
>> Steve
>
> I have run into other reports of similar occurrences and some of these refer
> to this bug report: https://bugzilla.redhat.com/show_bug.cgi?id=632650

I'm the one who did the submission. Some of my comments (which I thought were helpful) have been hidden by Red Hat.

> However, that report is closed as being a duplicate of:
> https://bugzilla.redhat.com/show_bug.cgi?id=562273
>
> Which is not available to viewing by the great unwashed.

I don't have access, either.

> The host is running CentOS-6.5 with all updates applied to date. My question
> is: Has this issue been addressed in the official e1000e module or not? if
> not then does the recommendation to "add pcie_aspm=off to your kernel command
> line" hold?

My suggestion for you is to give ELRepo's kmod-e1000e a try. It has the latest version from Intel (3.1.0.2) as opposed to the version in the EL kernels (2.3.2-k). There are known cases in which a later version resolved issues.

Akemi
[CentOS] CentOS-announce Digest, Vol 116, Issue 9
Send CentOS-announce mailing list submissions to centos-annou...@centos.org

To subscribe or unsubscribe via the World Wide Web, visit http://lists.centos.org/mailman/listinfo/centos-announce or, via email, send a message with subject or body 'help' to centos-announce-requ...@centos.org

You can reach the person managing the list at centos-announce-ow...@centos.org

When replying, please edit your Subject line so it is more specific than "Re: Contents of CentOS-announce digest..."

Today's Topics:

1. CESA-2014:1633 Important CentOS 5 java-1.7.0-openjdk Security Update (Johnny Hughes)
2. CESA-2014:1634 Important CentOS 5 java-1.6.0-openjdk Security Update (Johnny Hughes)
3. CEBA-2014:1639 CentOS 5 net-snmp BugFix Update (Johnny Hughes)
4. CESA-2014:1635 Critical CentOS 5 firefox Security Update (Johnny Hughes)
5. CEBA-2014:1642 CentOS 5 rsync BugFix Update (Johnny Hughes)
6. CESA-2014:1635 Critical CentOS 7 firefox Security Update (Johnny Hughes)
7. CESA-2014:1634 Important CentOS 7 java-1.6.0-openjdk Security Update (Johnny Hughes)
8. CESA-2014:1620 Important CentOS 7 java-1.7.0-openjdk Security Update (Johnny Hughes)
9. CEBA-2014:1644 CentOS 7 NetworkManager BugFix Update (Johnny Hughes)
10. CESA-2014:1647 Important CentOS 5 thunderbird Security Update (Johnny Hughes)

--
Message: 1
Date: Wed, 15 Oct 2014 11:42:17 +0000
From: Johnny Hughes
To: centos-annou...@centos.org
Subject: [CentOS-announce] CESA-2014:1633 Important CentOS 5 java-1.7.0-openjdk Security Update
Message-ID: <20141015114217.ga32...@chakra.karan.org>
Content-Type: text/plain; charset=us-ascii

CentOS Errata and Security Advisory 2014:1633 Important

Upstream details at: https://rhn.redhat.com/errata/RHSA-2014-1633.html

The following updated files have been uploaded and are currently syncing to the mirrors: ( sha256sum Filename )

--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #cen...@irc.freenode.net

--
Message: 2
Date: Wed, 15 Oct 2014 11:48:47 +0000
From: Johnny Hughes
To: centos-annou...@centos.org
Subject: [CentOS-announce] CESA-2014:1634 Important CentOS 5 java-1.6.0-openjdk Security Update
Message-ID: <20141015114847.ga32...@chakra.karan.org>
Content-Type: text/plain; charset=us-ascii

CentOS Errata and Security Advisory 2014:1634 Important

Upstream details at: https://rhn.redhat.com/errata/RHSA-2014-1634.html

The following updated files have been uploaded and are currently syncing to the mirrors: ( sha256sum Filename )
Re: [CentOS] CentOS 5.11 / Firefox 31 -- totally borked...
>> It looks like it has been reported
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1150082
>
> Good, at least its not my fault, this time :)

firefox-31.2.0-3.el5.centos is still broken, as is upstream's package. The bug report has already been updated.

What is also broken, again, is thunderbird calendaring, with the upgrade to thunderbird-31.2.0-2.el5.centos. I presume it's the same issue from tb24, http://lists.centos.org/pipermail/centos/2013-December/139325.html. No choice now but blocking this upgrade and going back to tb24, until an equivalent SRPM for lightning 3.3.1 becomes available.
Re: [CentOS] CentOS 6.4 kernel panic on boot after upgrading kernel to 2.6.32-431.29.2
On 15/10/14, 8:22, Lamar Owen wrote:
> First question: can you boot with the old kernel still (by default CentOS 6
> leaves a few old kernels around; I want to say the default is 3, but it
> might be 5, I don't recall, and I don't have a straight default C6 install
> to check against right at the moment)?
>
> Next question: did you also update the updated kernel-firmware package for
> the updated kernel?
>
> The first thing I would do is downgrade the kernel and make sure the system
> is working there; you then will need to very carefully check all your
> hardware components together that the kernel update should be ok. You
> mention GPU's; which drivers are you using there? Iterate over all hardware.
>
> Now, I'm going to sound like a broken record here. If you absolutely
> positively must stay at a point release for whatever reason (and there are
> valid reasons for this), then you don't need to be running CentOS; it is
> simply not supported. You either need to pay up for RHEL6 with EUS, or you
> need to install ScientificLinux 6 (built from the same sources that CentOS
> is built from, with a different rebranding); the SL team does support
> getting only critical updates but staying on a particular point release.

Upgrading to 6.5 did fix the problem, and did not (so far) seem to break my proprietary software. For reference, I had already updated the kernel-firmware package (that happened automatically), and I could still boot the old kernel, which was how I got around to upgrading to 6.5.

More than anything, it's a little annoying that this is such an easy mistake to make, and so hard (it seems) to debug. But well, I won't be making it again.

--
Joakim Ziegler - Supervisor de postproducción - Terminal
joa...@terminalmx.com - 044 55 2971 8514 - 5264 0864
Re: [CentOS] CentOS 6.4 kernel panic on boot after upgrading kernel to 2.6.32-431.29.2
On 15/10/14, 1:58, Greg Lindahl wrote:
> On Tue, Oct 14, 2014 at 06:56:23AM -0500, Johnny Hughes wrote:
>> The advice to do a full upgrade is the best (most secure) option ..
>> however, theoretically, the new kernel should boot and not cause issues
>> based on the other packages.
>
> OP said he had an InfiniBand card. For a long time it was the case that
> every kernel point release needed the corresponding IB userspace libraries.
>
> It's also worth noting that running with an unusual set of packages means
> you're running something that is not well-tested. Most enterprise users
> like to run with the herd, in the middle of the herd. Mooo. That basically
> means "yum -y update", nothing different.
>
> "Yum let me do it" and "this is wise" are two different things!

I can confirm that a full upgrade to 6.5 fixed the boot problem. I do think it's maybe a bit too easy to make this mistake, though.

--
Joakim Ziegler - Supervisor de postproducción - Terminal
joa...@terminalmx.com - 044 55 2971 8514 - 5264 0864