
perfsonar-user - Re: [perfsonar-user] AW: Automatic yum update changed the ssl.conf file

Subject: perfSONAR User Q&A and Other Discussion

  • From: Alex Hsia <>
  • To:
  • Cc: , "Garnizov, Ivan (RRZE)" <>, ,
  • Subject: Re: [perfsonar-user] AW: Automatic yum update changed the ssl.conf file
  • Date: Fri, 9 Nov 2018 09:41:33 -0700

Thanks for the update.  For further information about the Federal initiative you can reference the following <https://https.cio.gov/technical-guidelines/>.

Alex Hsia ==============================================================
NOAA/OAR                                            Phone: (303)497-6351
Mailstop R/ESRL                                    GVoice: (303)536-5430
325 Broadway                                  e-mail:
Boulder, CO  80305                                   PGP keyid: 8A482A90
========================================================================



On Fri, Nov 9, 2018 at 8:10 AM Michael Johnson <> wrote:
Hi Alex/Doug/Darryl,

Thanks for the feedback; I've added this issue to the 4.2.0 release plan (which should be released late this year/early next year). This is something we've been meaning to address, but obviously have not had a chance to do so yet.

Thanks,
Michael

On Fri, Nov 09, 2018 at 06:29:19AM -0700, Alex Hsia wrote:
>I would like to add my support for a resolution to this issue.  For Federal
>Government users, we are getting scanned more often by external entities
>and getting flagged for insecure TLS/SSL, weak ciphers and HSTS.
>
>Alex Hsia ==============================================================
>NOAA/OAR                                            Phone: (303)497-6351
>Mailstop R/ESRL                                    GVoice: (303)536-5430
>325 Broadway                                  e-mail:
>Boulder, CO  80305                                   PGP keyid: 8A482A90
>========================================================================
>
>
>On Fri, Nov 9, 2018 at 6:13 AM Doug Wussler <> wrote:
>
>> I believe this is the same issue I reported in December last year.  For
>> that email discussion see:
>>
>>
>>
>> https://lists.internet2.edu/sympa/arc/perfsonar-user/2017-12/msg00076.html
>>
>>
>>
>> For the GitHub issue, see https://github.com/perfsonar/toolkit/issues/291
>>
>>
>>
>> Bottom line:  The SSL.CONF file distributed with PerfSonar needs to be
>> changed.  The SSLProtocol and SSLCipherSuite settings need to be moved
>> outside the VirtualHost.  That way, individual deployments can override the
>> default settings with customized configuration files.  As the file is now
>> distributed, these settings are being placed inside the VirtualHost and thus
>> cannot be overridden by a customized config file.
>>
>>
>>
>> Doug
>>
>>
>>
>>
>>
>>
>>
>> *Doug Wussler*
>>
>> Florida State University
>>
>>
>>
>>
>>
>> *From: *<> on behalf of "Garnizov,
>> Ivan" <>
>> *Date: *Friday, November 9, 2018 at 3:57 AM
>> *To: *Darryl K Wohlt <>, ""
>> <>
>> *Subject: *[perfsonar-user] AW: Automatic yum update changed the ssl.conf
>> file
>>
>>
>>
>> Hello Darryl,
>>
>>
>>
>> Could you please provide more information about your installation?
>>
>> Is this a pS Toolkit, pS Testpoint or is this Central management
>> deployment, other?
>>
>>
>>
>> Please keep in mind, that the pS Toolkit is delivered as a full featured
>> product to a lot of users with different skill levels and different use
>> cases. Still to better understand your issue we need to know at least what
>> is installed on your machine.
>>
>>
>>
>> Regards,
>>
>> Ivan Garnizov
>>
>>
>>
>> *GEANT SA1T2: pS deployments GN Operations*
>>
>> *GEANT SA2T3: pS development team*
>>
>> *GEANT SA3T5: eduPERT team*
>>
>>
>>
>> Anniversary year 2018 - IT in motion
>>
>> RRZE - the IT service provider of FAU
>>
>> www.50-jahre.rrze.fau.de
>>
>>
>>
>> *From:* [mailto:
>> ] *On behalf of *Darryl K Wohlt
>> *Sent:* Friday, 9 November 2018 00:32
>> *To:*
>> *Subject:* [perfsonar-user] Automatic yum update changed the ssl.conf file
>>
>>
>>
>> I received an alert from our computer security group saying that my PS
>> instance “supports the use of TLS 1.0&1.1 and/or 3DES in one or more cipher
>> suites.”  This is a big deal at our site.
>>
>>
>>
>> When I upgraded this host in late October I made sure to update ssl.conf
>> to allow only TLSv1.2.  After this alert I checked it again, and found it
>> was modified (replaced?) at the same time an automatic yum update
>> occurred.  This has happened before.
>>
>>
>>
>> Can we please not modify this file during updates?
>>
>>
>>
>> Thanks
>>
>>
>>
>> *Darryl K. Wohlt*
>>
>> *Network Architect I*
>>
>>
>>
>> CCD/NCS/Network Services
>>
>> Fermi National Accelerator Laboratory
>>
>> P.O. Box 500, MS 368
>>
>> Batavia, Illinois 60510
>>
>> USA
>>
>>
>>
>> 630 840 2901 office
>>
>> 630 945 5687  mobile
>>
>> www.fnal.gov
>>
>>
>>
>>
>>



--
Michael Johnson
GlobalNOC DevOps Engineer
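
Added example, not part of the thread and not perfSONAR code: a small audit that reports where `SSLProtocol` and `SSLCipherSuite` sit in an Apache config (server scope or inside a `VirtualHost`, the placement Doug describes) and whether they still allow TLS 1.0/1.1 or fail to exclude 3DES, the items in Darryl's alert. The sample config is constructed, and the function names, protocol evaluation and 3DES check are simplifying assumptions.

```python
import re

ALL = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
CANON = {p.lower(): p for p in ALL}
LEGACY = {"TLSv1", "TLSv1.1"}  # protocol versions named in the scanner alert

# Constructed sample, not the ssl.conf that perfSONAR ships.
SAMPLE = """\
# site policy at server scope
Listen 443 https
SSLProtocol -all +TLSv1.2
SSLCipherSuite HIGH:!aNULL:!MD5:!3DES
<VirtualHost _default_:443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
</VirtualHost>
"""

def enabled_protocols(args):
    """Evaluate SSLProtocol tokens left to right.
    Assumption: a bare name is treated like '+name' (errs towards flagging)."""
    on = set()
    for tok in args.split():
        sign, name = ("-", tok[1:]) if tok.startswith("-") else ("+", tok.lstrip("+"))
        group = set(ALL) if name.lower() == "all" else {CANON.get(name.lower(), name)}
        on = on - group if sign == "-" else on | group
    return on

def audit(conf_text):
    """Return (line_no, scope, directive, problems) for each TLS directive."""
    findings, scope = [], "global"
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if re.match(r"<VirtualHost\b", line, re.I):
            scope = "VirtualHost"
        elif re.match(r"</VirtualHost>", line, re.I):
            scope = "global"
        m = re.match(r"(SSLProtocol|SSLCipherSuite)\s+(.+)", line, re.I)
        if not m:
            continue  # comments and unrelated directives
        name, args = m.group(1), m.group(2).strip('"')
        if name.lower() == "sslprotocol":
            problems = sorted(LEGACY & enabled_protocols(args))
        else:
            # Heuristic: looks only for an explicit !3DES, no OpenSSL expansion.
            problems = [] if "!3DES" in args.upper().split(":") else ["3DES not excluded"]
        findings.append((no, scope, name, problems))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Running it against the deployed ssl.conf after each package update shows whether the TLS directives were moved or reset.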



