perfSONAR User Q&A and Other Discussion

[Michael Johnson <>]

Hi Alex/Doug/Darryl,

Thanks for the feedback; I've added this issue to the 4.2.0 release plan 
(which should be released late this year/early next year). This is something 
we've been meaning to address, but obviously have not had a chance to do so 
yet.

Thanks,
Michael

On Fri, Nov 09, 2018 at 06:29:19AM -0700, Alex Hsia wrote:
> I would like to add my support for a resolution to this issue.  For Federal
> Government users, we are getting scanned more often by external entities
> and getting flagged for insecure TLS/SSL, weak ciphers and HSTS.
>
> Alex Hsia ==============================================================
> NOAA/OAR                                            Phone: (303)497-6351
> Mailstop R/ESRL                                    GVoice: (303)536-5430
> 325 Broadway                                  e-mail: 
>
> Boulder, CO  80305                                   PGP keyid: 8A482A90
> ========================================================================
>
>
> On Fri, Nov 9, 2018 at 6:13 AM Doug Wussler 
> <>
>  wrote:
>
> > I believe this is the same issue I reported in December last year.  For
> > that email discussion see:
> >
> >
> >
> > https://lists.internet2.edu/sympa/arc/perfsonar-user/2017-12/msg00076.html
> >
> >
> >
> > For the GitHub issue, see https://github.com/perfsonar/toolkit/issues/291
> >
> >
> >
> > Bottom line:  The SSL.CONF file distributed with PerfSonar needs to be
> > changed.  The SSLProtocol and SSLCipherSuite settings need to be moved
> > outside the VirtualHost.  That way, individual deployments can override the
> > default settings with customized configuration files.  As the file is now
> > distributed, these settings are being place inside the VirtualHost and thus
> > cannot be overridden by a customized config file.
> >
> >
> >
> > Doug
> >
> >
> >
> >
> >
> >
> >
> > *Doug Wussler*
> >
> > Florida State University
> >
> >
> >
> >
> >
> > *From: 
> > *<>
> >  on behalf of "Garnizov,
> > Ivan" 
> > <>
> > *Date: *Friday, November 9, 2018 at 3:57 AM
> > *To: *Darryl K Wohlt 
> > <>,
> >  
> > ""
> > <>
> > *Subject: *[perfsonar-user] AW: Automatic yum update changed the ssl.conf
> > file
> >
> >
> >
> > Hello Darryl,
> >
> >
> >
> > Could you please provide more information about your installation?
> >
> > Is this a pS Toolkit, pS Testpoint or is this Central management
> > deployment, other?
> >
> >
> >
> > Please keep in mind, that the pS Toolkit is delivered as a full featured
> > product to a lot of users with different skill levels and different use
> > cases. Still to better understand your issue we need to know at least what
> > is installed on your machine.
> >
> >
> >
> > Regards,
> >
> > Ivan Garnizov
> >
> >
> >
> > *GEANT SA1T2: pS deployments GN Operations*
> >
> > *GEANT SA2T3: pS development team*
> >
> > *GEANT SA3T5: eduPERT team*
> >
> >
> >
> > Jubiläumsjahr 2018 - IT in Bewegung
> >
> > Das RRZE - der IT-Dienstleister der FAU
> >
> > www.50-jahre.rrze.fau.de
> > <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.50-2Djahre.rrze.fau.de&d=DwMFAw&c=HPMtquzZjKY31rtkyGRFnQ&r=iWHlmRoKGsiAUGML4kxiTFSMVFjSJWPJZ-Qyls6lSv0&m=HMLjcXUw5xvbmaBhYJvPoC6SIRrwYrcSFBQRRNyqDpo&s=o-sStYE28RhcYYJCALe9M0p9GTdX-_rR6PL3kKi4XiM&e=>
> >
> >
> >
> > *Von:* 
> >
> >  [mailto:
> > ]
> >  *Im Auftrag von *Darryl K Wohlt
> > *Gesendet:* Freitag, 9. November 2018 00:32
> > *An:* 
> >
> > *Betreff:* [perfsonar-user] Automatic yum update changed the ssl.conf file
> >
> >
> >
> > I received an alert from our computer security group saying that my PS
> > instance “supports the use of TLS 1.0&1.1 and/or 3DES in one or more cipher
> > suites.”  This is a big deal at our site.
> >
> >
> >
> > When I upgraded this host in late October I made sure to update ssl.conf
> > to allow only TLSv1.2.  After this alert I checked it again, and found it
> > was modified (replaced?) at the same time an automatic yum update
> > occurred.  This has happened before.
> >
> >
> >
> > Can we please not modify this file during updates?
> >
> >
> >
> > Thanks
> >
> >
> >
> > *Darryl K. Wohlt*
> >
> > *Network Architect I*
> >
> >
> >
> > CCD/NCS/Network Services
> >
> > Fermi National Accelerator Laboratory
> >
> > P.O. Box 500, MS 368
> >
> > Batavia, Illinois 60510
> >
> > USA
> >
> >
> >
> > 630 840 2901 office
> >
> > 630 945 5687  mobile
> >
> > www.fnal.gov
> > <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.fnal.gov_&d=DwMFAw&c=HPMtquzZjKY31rtkyGRFnQ&r=iWHlmRoKGsiAUGML4kxiTFSMVFjSJWPJZ-Qyls6lSv0&m=HMLjcXUw5xvbmaBhYJvPoC6SIRrwYrcSFBQRRNyqDpo&s=MChkXMUhFILzNf1iouS2AkZ3uG2qUE47KUiaUxxRQ6I&e=>

> --
> To unsubscribe from this list: 
> https://lists.internet2.edu/sympa/signoff/perfsonar-user


--
Michael Johnson
GlobalNOC DevOps Engineer

Attachment: smime.p7s
Description: S/MIME cryptographic signature