perfSONAR User Q&A and Other Discussion

[Alex Hsia <>]

Thanks for the update.  For further information about the Federal initiative you can reference the following <https://https.cio.gov/technical-guidelines/>.

Alex Hsia ==============================================================
NOAA/OAR                                            Phone: (303)497-6351
Mailstop R/ESRL                                    GVoice: (303)536-5430
325 Broadway                                  e-mail:
Boulder, CO  80305                                   PGP keyid: 8A482A90
========================================================================

On Fri, Nov 9, 2018 at 8:10 AM Michael Johnson <> wrote:

Hi Alex/Doug/Darryl,

Thanks for the feedback; I've added this issue to the 4.2.0 release plan (which should be released late this year/early next year). This is something we've been meaning to address, but obviously have not had a chance to do so yet.

Thanks,
Michael

On Fri, Nov 09, 2018 at 06:29:19AM -0700, Alex Hsia wrote:
>I would like to add my support for a resolution to this issue.  For Federal
>Government users, we are getting scanned more often by external entities
>and getting flagged for insecure TLS/SSL, weak ciphers and HSTS.
>
>Alex Hsia ==============================================================
>NOAA/OAR                                            Phone: (303)497-6351
>Mailstop R/ESRL                                    GVoice: (303)536-5430
>325 Broadway                                  e-mail:
>Boulder, CO  80305                                   PGP keyid: 8A482A90
>========================================================================
>
>
>On Fri, Nov 9, 2018 at 6:13 AM Doug Wussler <> wrote:
>
>> I believe this is the same issue I reported in December last year.  For
>> that email discussion see:
>>
>>
>>
>> https://lists.internet2.edu/sympa/arc/perfsonar-user/2017-12/msg00076.html
>>
>>
>>
>> For the GitHub issue, see https://github.com/perfsonar/toolkit/issues/291
>>
>>
>>
>> Bottom line:  The SSL.CONF file distributed with PerfSonar needs to be
>> changed.  The SSLProtocol and SSLCipherSuite settings need to be moved
>> outside the VirtualHost.  That way, individual deployments can override the
>> default settings with customized configuration files.  As the file is now
>> distributed, these settings are being place inside the VirtualHost and thus
>> cannot be overridden by a customized config file.
>>
>>
>>
>> Doug
>>
>>
>>
>>
>>
>>
>>
>> *Doug Wussler*
>>
>> Florida State University
>>
>>
>>
>>
>>
>> *From: *<> on behalf of "Garnizov,
>> Ivan" <>
>> *Date: *Friday, November 9, 2018 at 3:57 AM
>> *To: *Darryl K Wohlt <>, ""
>> <>
>> *Subject: *[perfsonar-user] AW: Automatic yum update changed the ssl.conf
>> file
>>
>>
>>
>> Hello Darryl,
>>
>>
>>
>> Could you please provide more information about your installation?
>>
>> Is this a pS Toolkit, pS Testpoint or is this Central management
>> deployment, other?
>>
>>
>>
>> Please keep in mind, that the pS Toolkit is delivered as a full featured
>> product to a lot of users with different skill levels and different use
>> cases. Still to better understand your issue we need to know at least what
>> is installed on your machine.
>>
>>
>>
>> Regards,
>>
>> Ivan Garnizov
>>
>>
>>
>> *GEANT SA1T2: pS deployments GN Operations*
>>
>> *GEANT SA2T3: pS development team*
>>
>> *GEANT SA3T5: eduPERT team*
>>
>>
>>
>> Jubiläumsjahr 2018 - IT in Bewegung
>>
>> Das RRZE - der IT-Dienstleister der FAU
>>
>> www.50-jahre.rrze.fau.de
>> <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.50-2Djahre.rrze.fau.de&d=DwMFAw&c=HPMtquzZjKY31rtkyGRFnQ&r=iWHlmRoKGsiAUGML4kxiTFSMVFjSJWPJZ-Qyls6lSv0&m=HMLjcXUw5xvbmaBhYJvPoC6SIRrwYrcSFBQRRNyqDpo&s=o-sStYE28RhcYYJCALe9M0p9GTdX-_rR6PL3kKi4XiM&e=>
>>
>>
>>
>> *Von:* [mailto:
>> ] *Im Auftrag von *Darryl K Wohlt
>> *Gesendet:* Freitag, 9. November 2018 00:32
>> *An:*
>> *Betreff:* [perfsonar-user] Automatic yum update changed the ssl.conf file
>>
>>
>>
>> I received an alert from our computer security group saying that my PS
>> instance “supports the use of TLS 1.0&1.1 and/or 3DES in one or more cipher
>> suites.”  This is a big deal at our site.
>>
>>
>>
>> When I upgraded this host in late October I made sure to update ssl.conf
>> to allow only TLSv1.2.  After this alert I checked it again, and found it
>> was modified (replaced?) at the same time an automatic yum update
>> occurred.  This has happened before.
>>
>>
>>
>> Can we please not modify this file during updates?
>>
>>
>>
>> Thanks
>>
>>
>>
>> *Darryl K. Wohlt*
>>
>> *Network Architect I*
>>
>>
>>
>> CCD/NCS/Network Services
>>
>> Fermi National Accelerator Laboratory
>>
>> P.O. Box 500, MS 368
>>
>> Batavia, Illinois 60510
>>
>> USA
>>
>>
>>
>> 630 840 2901 office
>>
>> 630 945 5687  mobile
>>
>> www.fnal.gov
>> <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.fnal.gov_&d=DwMFAw&c=HPMtquzZjKY31rtkyGRFnQ&r=iWHlmRoKGsiAUGML4kxiTFSMVFjSJWPJZ-Qyls6lSv0&m=HMLjcXUw5xvbmaBhYJvPoC6SIRrwYrcSFBQRRNyqDpo&s=MChkXMUhFILzNf1iouS2AkZ3uG2qUE47KUiaUxxRQ6I&e=>
>>
>>
>>
>>
>>

>--
>To unsubscribe from this list: https://lists.internet2.edu/sympa/signoff/perfsonar-user


--
Michael Johnson
GlobalNOC DevOps Engineer