perfSONAR User Q&A and Other Discussion

[Andrew Lake <>]

Hi,

Just a little background on this to add to what has already been said. By default on a Toolkit or another bundle with the perfsonar-toolkit-security package installed we follow the Mozilla “Intermediate compatibility” recommendations for CipherSuites as detailed here: https://wiki.mozilla.org/Security/Server_Side_TLS. This is a compromise between the most restrictive setting and the very open default settings you get when you install mod_ssl. These settings are changed by the script here on both fresh install and update: https://raw.githubusercontent.com/perfsonar/toolkit/master/scripts/configure_apache_security. We do this change on update because the recommendations change over time and we don’t want the average toolkit user to be stuck on whatever version they got first install. We also don’t ”leave alone if it has been changed” since we don’t want to get in the business of trying to figure out if it was made more or less restrictive or trying to figure out exactly who or what changed it. All of the above can obviously be revisited, but that is where it stands today.

That being said, we realize there are people that want more restrictive settings. The Toolkit is intended to be our most comprehensive bundle that takes control of a lot of the system settings. For people that want more control over settings like this, the best current solution is to run a different bundle such as perfsonar-core. One of the primary purposes of these bundles is to allow people to cherry-pick what system settings they want our packages to control. perfsonar-core does not touch the SSL configuration, firewall, sysctl, ntp or other various setting by default. One caveat is it also currently does not have the Toolkit GUI which can only be installed as part of the full toolkit since it makes various assumptions about how the system is setup. If all your tests come from a mesh currently, you may not have much need for the toolkit package anyways. 

If you don’t need the GUI and want to handle the SSL and firewall settings yourself, the following should turn your existing toolkit host into a “core” host with our extra bundles for managing the system minus the security package.

rpm -e perfsonar-toolkit perfsonar-toolkit-systemenv perfsonar-toolkit-security

You can’t just remove the “perfsonar-toolkit-security” as the other two packages create a dependency path that will restore it on update. Also note that you will now be responsible for keeping the firewall up-to-date yourself as well. I understand this is not a perfect solution if you need the GUI, but if you need an immediate solution, this might be your best bet. 

I think longer-term it might be beneficial to see how we can split-up the packages further so you can still get the GUI and the firewall settings. The perfSONAR project has a diverse set of requirements to serve and we are constantly trying to find ways to be more flexible for our users with specific requirements while giving sane defaults that protect users not as familiar with all the pieces. 

Thanks,

Andy

On November 9, 2018 at 8:30:04 AM, Alex Hsia () wrote:

I would like to add my support for a resolution to this issue.  For Federal Government users, we are getting scanned more often by external entities and getting flagged for insecure TLS/SSL, weak ciphers and HSTS.  

Alex Hsia ==============================================================
NOAA/OAR                                            Phone: (303)497-6351
Mailstop R/ESRL                                    GVoice: (303)536-5430
325 Broadway                                  e-mail:
Boulder, CO  80305                                   PGP keyid: 8A482A90
========================================================================

On Fri, Nov 9, 2018 at 6:13 AM Doug Wussler <> wrote:

I believe this is the same issue I reported in December last year.  For that email discussion see:

 

https://lists.internet2.edu/sympa/arc/perfsonar-user/2017-12/msg00076.html

 

For the GitHub issue, see https://github.com/perfsonar/toolkit/issues/291

 

Bottom line:  The SSL.CONF file distributed with PerfSonar needs to be changed.  The SSLProtocol and SSLCipherSuite settings need to be moved outside the VirtualHost.  That way, individual deployments can override the default settings with customized configuration files.  As the file is now distributed, these settings are being place inside the VirtualHost and thus cannot be overridden by a customized config file.

 

Doug

 

 

 

Doug Wussler

Florida State University

 

 

From: <> on behalf of "Garnizov, Ivan" <>
Date: Friday, November 9, 2018 at 3:57 AM
To: Darryl K Wohlt <>, "" <>
Subject: [perfsonar-user] AW: Automatic yum update changed the ssl.conf file

 

Hello Darryl,

 

Could you please provide more information about your installation?

Is this a pS Toolkit, pS Testpoint or is this Central management deployment, other?

 

Please keep in mind, that the pS Toolkit is delivered as a full featured product to a lot of users with different skill levels and different use cases. Still to better understand your issue we need to know at least what is installed on your machine.

 

Regards,

Ivan Garnizov

 

GEANT SA1T2: pS deployments GN Operations

GEANT SA2T3: pS development team

GEANT SA3T5: eduPERT team

 

Jubiläumsjahr 2018 - IT in Bewegung

Das RRZE - der IT-Dienstleister der FAU

www.50-jahre.rrze.fau.de

 

Von: [mailto:] Im Auftrag von Darryl K Wohlt
Gesendet: Freitag, 9. November 2018 00:32
An:
Betreff: [perfsonar-user] Automatic yum update changed the ssl.conf file

 

I received an alert from our computer security group saying that my PS instance “supports the use of TLS 1.0&1.1 and/or 3DES in one or more cipher suites.”  This is a big deal at our site.

 

When I upgraded this host in late October I made sure to update ssl.conf to allow only TLSv1.2.  After this alert I checked it again, and found it was modified (replaced?) at the same time an automatic yum update occurred.  This has happened before.

 

Can we please not modify this file during updates?

 

Thanks

 

Darryl K. Wohlt

Network Architect I

 

CCD/NCS/Network Services

Fermi National Accelerator Laboratory

P.O. Box 500, MS 368

Batavia, Illinois 60510

USA

 

630 840 2901 office

630 945 5687  mobile

www.fnal.gov

 

--
To unsubscribe from this list: https://lists.internet2.edu/sympa/signoff/perfsonar-user