Hi there,

Hope my feedback will be somewhat helpful ;)

Just to put it in context, this exception is an SSLException thrown at the com.cloud.utils.nio.Link.doHandshakeUnwrap(SocketChannel, SSLEngine, ByteBuffer, ByteBuffer, int) method [1]; thus, the exception occurs only at the unwrap phase. Also, SSLv2Hello is disabled by default since Java 7 [2] (disabled for sending, it accepts only when receiving).

Due to known security issues [3], [4], ACS has disabled SSLv2 and SSLv3 on its system VMs at least since 4.6.0. Files such as "/etc/apache2/mods-available/ssl.conf" and "/etc/httpd/conf/httpd.conf" have been configured to disable them [5], [6].

I am not sure yet of the cause of this exception. It might be something related to the process of upgrading from 4.2 (when SSLv2 was enabled); e.g. system VMs could still have SSLv2 enabled in their configurations.

Just out of curiosity: besides those log messages, did you notice anything wrong in your environment?

Cheers,
Gabriel.

[2] https://github.com/apache/cloudstack/blob/87ef8137534fa798101f65c6691fcf71513ac978/utils/src/main/java/com/cloud/utils/nio/Link.java
[1] https://convincingbits.wordpress.com/2016/02/17/ssl-tls-with-java-7-and-the-death-of-sslv2hello/
[3] https://drownattack.com/
[4] https://access.redhat.com/articles/1232123
[5] https://github.com/apache/cloudstack/blob/87ef8137534fa798101f65c6691fcf71513ac978/systemvm/scripts/config_ssl.sh
[6] https://github.com/apache/cloudstack/blob/87ef8137534fa798101f65c6691fcf71513ac978/tools/appliance/definitions/systemvmtemplate/configure_systemvm_services.sh

On 21/10/2016 01:53, Cloud List wrote:
Dear all,

I have an ACS 4.9 test environment after upgrading from 4.2, using Ubuntu OS
and KVM hypervisor.

I am seeing the error messages below in the management server logs after
upgrading to ACS 4.9.0, is it normal?

===
2016-10-21 11:50:27,579 ERROR [c.c.u.n.Link] (AgentManager-SSLHandshakeHandler-1:null) (logid:) SSL error occurred while processing unwrap data: SSLv2Hello is disabled
2016-10-21 11:50:27,603 ERROR [c.c.u.n.Link] (AgentManager-SSLHandshakeHandler-1:null) (logid:) SSL error occurred while processing unwrap data: SSLv2Hello is disabled
2016-10-21 11:50:32,621 ERROR [c.c.u.n.Link] (AgentManager-SSLHandshakeHandler-1:null) (logid:) SSL error occurred while processing unwrap data: SSLv2Hello is disabled
2016-10-21 11:50:32,642 ERROR [c.c.u.n.Link] (AgentManager-SSLHandshakeHandler-1:null) (logid:) SSL error occurred while processing unwrap data: SSLv2Hello is disabled
===

It seems to be some Java error complaining about SSLv2Hello which is
supposed to be disabled (based on what I've read) so not too sure if I can
safely ignore the above messages?

Any advice is appreciated.

Thank you.

-ip-
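
An added example, not part of either message and not CloudStack code: JSSE raises "SSLv2Hello is disabled" during unwrap when the first record a peer sends uses the SSLv2-compatible hello format and `SSLv2Hello` is not among the receiver's enabled protocols. The sketch below classifies the first bytes of a connection (for instance, taken from a packet capture on the management server's agent port) so the offending client can be identified; the function names and sample byte strings are assumptions constructed for illustration.

```python
import struct

# Hypothetical helper names; the sample byte strings are constructed here,
# not captured from a CloudStack agent.
VERSIONS = {(2, 0): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1",
            (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def classify_first_record(data: bytes) -> dict:
    """Classify the first bytes a peer sent on a TLS port."""
    if len(data) < 5:
        return {"format": "truncated"}
    # SSLv2-format record: 2-byte length with the high bit set, then
    # msg-type 1 (CLIENT-HELLO) and the highest version the client offers.
    if data[0] & 0x80 and data[2] == 0x01:
        length = struct.unpack(">H", data[:2])[0] & 0x7FFF
        return {"format": "SSLv2Hello", "length": length,
                "offers": VERSIONS.get((data[3], data[4]), "unknown")}
    # SSLv3/TLS record: type 22 (handshake), record version, 2-byte length,
    # then handshake type 1 (ClientHello), 3-byte length, client_version.
    if data[0] == 0x16 and data[1] == 0x03:
        length = struct.unpack(">H", data[3:5])[0]
        offers = "unknown"
        if len(data) >= 11 and data[5] == 0x01:
            offers = VERSIONS.get((data[9], data[10]), "unknown")
        return {"format": "TLS record", "length": length, "offers": offers}
    return {"format": "not TLS"}


def rejected_at_unwrap(data: bytes, enabled_protocols: set) -> bool:
    """Simplified model: a v2-format hello is refused unless the receiver
    lists the pseudo-protocol "SSLv2Hello" among its enabled protocols."""
    info = classify_first_record(data)
    return info["format"] == "SSLv2Hello" and "SSLv2Hello" not in enabled_protocols


def sample_v2_hello() -> bytes:
    # Constructed: one cipher spec, empty session id, 16-byte challenge.
    body = (bytes([0x01, 0x03, 0x01]) + struct.pack(">HHH", 3, 0, 16)
            + bytes([0x00, 0x00, 0x2F]) + bytes(16))
    return struct.pack(">H", 0x8000 | len(body)) + body


def sample_tls_hello() -> bytes:
    # Constructed: TLS 1.2 ClientHello with one cipher suite, no extensions.
    hello = bytes([0x03, 0x03]) + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    msg = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack(">H", len(msg)) + msg
```

A v2-format hello that offers TLSv1 or later usually points to an old client stack with SSLv2Hello compatibility still switched on, rather than to a peer that actually speaks SSLv2.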

