perfsonar-user - Re: [perfsonar-user] AW: Automatic yum update changed the ssl.conf file

Subject: perfSONAR User Q&A and Other Discussion

  • From: Michael Johnson <>
  • To: Alex Hsia <>
  • Cc: , "Garnizov, Ivan (RRZE)" <>, ,
  • Subject: Re: [perfsonar-user] AW: Automatic yum update changed the ssl.conf file
  • Date: Fri, 9 Nov 2018 10:10:41 -0500

Hi Alex/Doug/Darryl,

Thanks for the feedback; I've added this issue to the 4.2.0 release plan
(which should be released late this year/early next year). This is something
we've been meaning to address, but obviously have not had a chance to do so
yet.

Thanks,
Michael

On Fri, Nov 09, 2018 at 06:29:19AM -0700, Alex Hsia wrote:
I would like to add my support for a resolution to this issue. For Federal
Government users, we are getting scanned more often by external entities
and getting flagged for insecure TLS/SSL, weak ciphers and HSTS.

Alex Hsia ==============================================================
NOAA/OAR Phone: (303)497-6351
Mailstop R/ESRL GVoice: (303)536-5430
325 Broadway e-mail:

Boulder, CO 80305 PGP keyid: 8A482A90
========================================================================


On Fri, Nov 9, 2018 at 6:13 AM Doug Wussler <> wrote:

I believe this is the same issue I reported in December last year. For
that email discussion see:



https://lists.internet2.edu/sympa/arc/perfsonar-user/2017-12/msg00076.html



For the GitHub issue, see https://github.com/perfsonar/toolkit/issues/291



Bottom line: The SSL.CONF file distributed with PerfSonar needs to be
changed. The SSLProtocol and SSLCipherSuite settings need to be moved
outside the VirtualHost. That way, individual deployments can override the
default settings with customized configuration files. As the file is now
distributed, these settings are being placed inside the VirtualHost and thus
cannot be overridden by a customized config file.



Doug







*Doug Wussler*

Florida State University





*From:* <> on behalf of "Garnizov, Ivan" <>
*Date:* Friday, November 9, 2018 at 3:57 AM
*To:* Darryl K Wohlt <>, "" <>
*Subject:* [perfsonar-user] AW: Automatic yum update changed the ssl.conf file



Hello Darryl,



Could you please provide more information about your installation?

Is this a pS Toolkit, pS Testpoint or is this Central management
deployment, other?



Please keep in mind that the pS Toolkit is delivered as a full-featured
product to a lot of users with different skill levels and different use
cases. Still, to better understand your issue, we need to know at least what
is installed on your machine.



Regards,

Ivan Garnizov



*GEANT SA1T2: pS deployments GN Operations*

*GEANT SA2T3: pS development team*

*GEANT SA3T5: eduPERT team*



Anniversary year 2018 - IT in motion

The RRZE - the IT service provider of FAU

www.50-jahre.rrze.fau.de
<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.50-2Djahre.rrze.fau.de&d=DwMFAw&c=HPMtquzZjKY31rtkyGRFnQ&r=iWHlmRoKGsiAUGML4kxiTFSMVFjSJWPJZ-Qyls6lSv0&m=HMLjcXUw5xvbmaBhYJvPoC6SIRrwYrcSFBQRRNyqDpo&s=o-sStYE28RhcYYJCALe9M0p9GTdX-_rR6PL3kKi4XiM&e=>



*From:* [mailto:] *On behalf of* Darryl K Wohlt
*Sent:* Friday, 9 November 2018 00:32
*To:*
*Subject:* [perfsonar-user] Automatic yum update changed the ssl.conf file



I received an alert from our computer security group saying that my PS
instance “supports the use of TLS 1.0&1.1 and/or 3DES in one or more cipher
suites.” This is a big deal at our site.



When I upgraded this host in late October I made sure to update ssl.conf
to allow only TLSv1.2. After this alert I checked it again, and found it
was modified (replaced?) at the same time an automatic yum update
occurred. This has happened before.



Can we please not modify this file during updates?



Thanks



*Darryl K. Wohlt*

*Network Architect I*



CCD/NCS/Network Services

Fermi National Accelerator Laboratory

P.O. Box 500, MS 368

Batavia, Illinois 60510

USA



630 840 2901 office

630 945 5687 mobile

www.fnal.gov
<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.fnal.gov_&d=DwMFAw&c=HPMtquzZjKY31rtkyGRFnQ&r=iWHlmRoKGsiAUGML4kxiTFSMVFjSJWPJZ-Qyls6lSv0&m=HMLjcXUw5xvbmaBhYJvPoC6SIRrwYrcSFBQRRNyqDpo&s=MChkXMUhFILzNf1iouS2AkZ3uG2qUE47KUiaUxxRQ6I&e=>







--
Michael Johnson
GlobalNOC DevOps Engineer
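
The point raised in the thread above, as an added example that is not part of the original messages or of perfSONAR's code: a Python check that reports, for each VirtualHost in an Apache configuration, whether SSLProtocol or SSLCipherSuite is set inside the block (where, as Doug describes, a site-level override does not reach it) and whether the effective SSLProtocol still enables TLS 1.0/1.1. The sample configuration is constructed, the function names are hypothetical, and the SSLProtocol token handling is a simplification rather than Apache's own parser.

```python
import re
# Constructed sample, not perfSONAR's shipped ssl.conf: a site override at
# server level, then a VirtualHost that sets SSLProtocol itself.
SAMPLE = """\
SSLProtocol -all +TLSv1.2
<VirtualHost _default_:443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
"""
WATCHED = ("sslprotocol", "sslciphersuite")

def effective_settings(conf_text):
    """Map each VirtualHost to {directive: (value, scope)}; vhost scope wins."""
    server, vhosts, current = {}, {}, None
    for line in map(str.strip, conf_text.splitlines()):
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            current = opened.group(1).strip()
            vhosts[current] = {}
        elif re.match(r"</VirtualHost\s*>", line, re.I):
            current = None
        elif line and not line.startswith("#"):
            name, value = (line.split(None, 1) + [""])[:2]
            if name.lower() in WATCHED:
                scope = "vhost" if current else "server"
                (vhosts[current] if current else server)[name.lower()] = (value, scope)
    return {vh: {**server, **own} for vh, own in vhosts.items()}

def allows_legacy_tls(value):
    """Simplified token reading (an assumption, not Apache's own parser):
    'all' and bare or '+' tokens enable a protocol, '-' tokens disable it."""
    enabled = set()
    for tok in value.lower().split():
        if tok.lstrip("+") == "all":
            enabled |= {"tlsv1", "tlsv1.1", "tlsv1.2"}
        elif tok.startswith("-"):
            enabled = set() if tok == "-all" else enabled - {tok[1:]}
        else:
            enabled.add(tok.lstrip("+"))
    return bool(enabled & {"tlsv1", "tlsv1.1"})

def audit(conf_text):
    """Return sorted (vhost, finding) pairs for the effective settings."""
    out = []
    for vh, eff in effective_settings(conf_text).items():
        out += [(vh, f"{n} set inside VirtualHost") for n, (_, s) in eff.items() if s == "vhost"]
        if "sslprotocol" in eff and allows_legacy_tls(eff["sslprotocol"][0]):
            out.append((vh, "TLS 1.0/1.1 enabled"))
    return sorted(out)
```

`audit()` expects the configuration files concatenated into one string in the order Apache reads them; running it after each package update is one way to catch the kind of change Darryl reports.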
