RE: Console Proxy VM TLS version and cipher suites

2023-03-09 Thread Gary Dixon
Hi Wei

Thanks for checking and good to know!



Gary Dixon
Senior Technical Consultant
T:  +44 161 537 4990
E:  v...@quadris-support.com
W: www.quadris.co.uk
The information contained in this e-mail from Quadris may be confidential and 
privileged for the private use of the named recipient.  The contents of this 
e-mail may not necessarily represent the official views of Quadris.  If you 
have received this information in error you must not copy, distribute or take 
any action or reliance on its contents.  Please destroy any hard copies and 
delete this message.

Re: Console Proxy VM TLS version and cipher suites

2023-03-09 Thread Wei ZHOU
Hi Gary,

I have checked the 4.16.1, 4.17.2 and 4.18.0 system VMs; it looks like `TLSv1,
TLSv1.1` have already been added to "jdk.tls.disabledAlgorithms".

root@s-1-VM:~# cat /etc/cloudstack-release
Cloudstack Release 4.16.1 Mon 31 Jan 2022 10:02:56 AM UTC

root@s-1-VM:~# grep ^jdk.tls.disabledAlgorithms /etc/java-11-openjdk/security/java.security -A3
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves

root@v-2-VM:~# cat /etc/cloudstack-release
Cloudstack Release 4.17.2 Fri 09 Dec 2022 12:51:18 PM UTC

root@v-2-VM:~# grep ^jdk.tls.disabledAlgorithms /etc/java-11-openjdk/security/java.security -A3
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves

root@v-11-VM:~# cat /etc/cloudstack-release
Cloudstack Release 4.18.0 Wed 28 Dec 2022 09:45:19 AM UTC

root@v-11-VM:~# grep ^jdk.tls.disabledAlgorithms /etc/java-11-openjdk/security/java.security -A3
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves

-Wei
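Added example (not code from the thread or from the CloudStack project): a small Python check of the kind an operator could run over each system VM's java.security to confirm that the `jdk.tls.disabledAlgorithms` line covers every protocol version below TLS 1.2, handling the backslash line continuations seen in the grep output above. Both java.security fragments are constructed samples; the "legacy" one is a hypothetical file lacking the TLSv1 entries, not the real 4.15.2 template content.

```python
"""Added example (not from the thread or CloudStack): check whether a JDK
java.security file disables every protocol version below TLS 1.2, handling
the backslash line continuations seen in the grep output above."""
import re
from typing import List, Optional

# Constructed sample resembling the 4.16.1+ output quoted in the thread.
JAVA_SECURITY_HARDENED = """\
# Comment lines and unrelated properties come first in the real file.
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \\
    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \\
    include jdk.disabled.namedCurves
jdk.tls.legacyAlgorithms=NULL, anon, RC4, DES, 3DES_EDE_CBC
"""

# Hypothetical file lacking the TLSv1/TLSv1.1 entries (constructed; not the
# actual content of the 4.15.2 system VM template).
JAVA_SECURITY_LEGACY = """\
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
"""

# Protocol versions a scanner flags; each must appear in the disabled list.
LEGACY_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1")


def logical_lines(text: str) -> List[str]:
    """Join physical lines ending in a backslash, as the Java properties
    loader does, dropping the leading whitespace of continuation lines."""
    out: List[str] = []
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]      # keeps the trailing ", " before the join
            continue
        out.append(line)
    if pending:
        out.append(pending)
    return out

def read_property(text: str, key: str) -> Optional[str]:
    """Value of a properties key (key=value or key: value), or None."""
    pattern = re.compile(r"\s*" + re.escape(key) + r"\s*[=:]\s*(.*)$")
    for line in logical_lines(text):
        if line.startswith(("#", "!")):   # properties comment lines
            continue
        m = pattern.match(line)
        if m:
            return m.group(1).strip()
    return None

def disabled_algorithms(text: str) -> List[str]:
    """Individual comma-separated entries of jdk.tls.disabledAlgorithms."""
    value = read_property(text, "jdk.tls.disabledAlgorithms") or ""
    return [e.strip() for e in value.split(",") if e.strip()]

def missing_legacy_protocols(text: str) -> List[str]:
    """Protocol versions below TLS 1.2 that are NOT yet disabled."""
    present = set(disabled_algorithms(text))
    return [p for p in LEGACY_PROTOCOLS if p not in present]

def hardened_value(text: str) -> str:
    """The disabledAlgorithms value with every legacy version added, keeping
    the existing entries in their original order."""
    rest = [e for e in disabled_algorithms(text) if e not in LEGACY_PROTOCOLS]
    return ", ".join(list(LEGACY_PROTOCOLS) + rest)

if __name__ == "__main__":
    for name, content in (("hardened", JAVA_SECURITY_HARDENED),
                          ("legacy", JAVA_SECURITY_LEGACY)):
        missing = missing_legacy_protocols(content)
        print(name, "OK" if not missing else "still enabled: " + ", ".join(missing))
```

Pointing `read_property` at the real file path from the thread (`/etc/java-11-openjdk/security/java.security`) gives the same check the grep above performs, without depending on line-wrapping.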


RE: Console Proxy VM TLS version and cipher suites

2023-03-09 Thread Gary Dixon
Hi Si

We are on ACS 4.15.2 with KVM Hypervisor on Ubuntu 20.04 hosts.

We've added "TLSv1" and "TLSv1.1" in the
/etc/java-11-openjdk/security/java.security file on the SystemVM, on the line
starting with "jdk.tls.disabledAlgorithms".

The scan reported TLS 1.0 and TLS 1.1 were enabled for "https port 443 JBoss
Enterprise Application Platform" before we made the change above. After the
config change the scan no longer shows this.

This may well be locked down to TLS 1.2 and higher in later versions of
CloudStack?

BR

Gary


Re: Console Proxy VM TLS version and cipher suites

2023-03-08 Thread Simon Weller
Gary,

Can you provide more information as to which CloudStack version you're
running and also where you made modifications? Was it to the Tomcat config?
As Kiran indicated, you should not see any old TLS versions offered in
modern versions of CloudStack. So, if you are, we want to get to the bottom
of it quickly.

-Si


RE: Console Proxy VM TLS version and cipher suites

2023-03-08 Thread Gary Dixon

The PEN test had picked up that a JBoss Enterprise Application was allowing TLS
v1.0 and TLS v1.1. We have managed to disable this now, but obviously we would
need to build this into a new System VM template to make the change persist
across a Console Proxy VM rebuild.


Re: Console Proxy VM TLS version and cipher suites

2023-03-07 Thread Kiran Chavala
Hi Gary

AFAIK, I think CloudStack has disabled anything below TLS v1.2 from the 4.11.0
release.

https://github.com/apache/cloudstack/pull/2480

https://issues.apache.org/jira/browse/CLOUDSTACK-10319

CLOUDSTACK-10319: Prefer TLSv1.2, deprecate TLSv1.0,1.1 by rohityadavcloud ·
Pull Request #2480 · apache/cloudstack
This deprecates and removes TLS 1.0 and 1.1 from the preferred list of
protocols and keeps only TLSv1.2.

Regards
Kiran

From: Gary Dixon 
Sent: 07 March 2023 17:35
To: users@cloudstack.apache.org 
Subject: Console Proxy VM TLS version and cipher suites

Hi all

Is there a way of limiting the console proxy to allow nothing below TLS v1.2,
1.3 and only allow strong cipher suites – we are failing a PEN test currently
and need to strengthen the CPVM security?

TIA

Gary
