perfsonar-user - Re: [perfsonar-user] AW: Automatic yum update changed the ssl.conf file

Subject: perfSONAR User Q&A and Other Discussion

  • From: Doug Wussler <>
  • To: Andrew Lake <>, Alex Hsia <>
  • Cc: "" <>, "" <>, "Garnizov, Ivan (RRZE)" <>
  • Subject: Re: [perfsonar-user] AW: Automatic yum update changed the ssl.conf file
  • Date: Fri, 9 Nov 2018 17:19:42 +0000

Thanks for explaining that.  I didn’t realize that was how it worked.

So, you’re saying that you currently replace SSL.CONF with every update.  You will change this so that an update does not touch SSL.CONF.  Your SSL* options will be global defaults set in an ancillary config file and this is the file that will get replaced with every update.

 

Yes, that definitely works.  Thank you.


Doug

 

 

From: Andrew Lake <>
Date: Friday, November 9, 2018 at 11:13 AM
To: Doug Wussler <>, Alex Hsia <>
Cc: "" <>, "" <>, "Garnizov, Ivan (RRZE)" <>
Subject: Re: [perfsonar-user] AW: Automatic yum update changed the ssl.conf file

 

Hi Doug,

 

Yes, I think you are correct we could shuffle things a bit differently to get this to work. Just to clarify, we don’t actually put the ssl.conf in place, mod_ssl creates the version that has those options in a VirtualHost, we just use sed to replace them wherever they are in the file. That being said I think below summarizes what you are suggesting which I think would work:

 

1. On install, update the ssl.conf installed by mod_ssl to exclude the options in question from the default VirtualHost defined by mod_ssl. After initial install, perfsonar never touches ssl.conf again.

 

2. Create a separate file controlled by a perfsonar package that globally sets the SSL* options we care about. This is the file that will get modified on perfsonar package update and should not be manually edited.

 

3. If someone wants to override our options, they can edit the VirtualHost in ssl.conf. Since it is inside the VirtualHost, those options will take precedence over the global options set by perfSONAR and we all live happily ever after. 

 

Does that sound correct? As Michael said in the note before mine, I think that is something we can tackle.

 

Thanks,

Andy

 

 

 

 

I had to give myself a refresher about who makes what change but to summarize what we could 
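Andy's three-step layout above, carried through on a constructed ssl.conf as an added example (this is not perfSONAR's configure_apache_security script, and the file names below are hypothetical stand-ins for what lives in /etc/httpd/conf.d/): step 1 strips SSLProtocol, SSLCipherSuite and SSLHonorCipherOrder out of the VirtualHost once, step 2 writes them into a package-owned file in server context, and step 3 shows that a directive a site puts back inside the VirtualHost outranks the global value. The last function resolves the effective value the way httpd does, VirtualHost context first, then server context.

```sh
#!/bin/sh
# Added example, not perfSONAR's configure_apache_security script: lays out the three-step
# plan on a constructed ssl.conf. All paths are hypothetical stand-ins for /etc/httpd/conf.d/.
set -eu

WORK=$(mktemp -d)
SSL_CONF="$WORK/ssl.conf"                   # stands in for mod_ssl's /etc/httpd/conf.d/ssl.conf
GLOBAL_CONF="$WORK/perfsonar-tls.conf"      # hypothetical package-owned file rewritten on update

# Constructed sample in the shape of the stock mod_ssl ssl.conf: the TLS options sit inside
# the one VirtualHost, which is exactly what a sed-based update clobbers.
cat > "$SSL_CONF" <<'EOF'
Listen 443 https
<VirtualHost _default_:443>
DocumentRoot "/var/www/html"
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
SSLHonorCipherOrder on
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
</VirtualHost>
EOF

# Step 1 (first install only): remove the three directives from the VirtualHost block.
# Lines outside <VirtualHost>...</VirtualHost> are left alone.
strip_vhost_tls_options() {
    awk '
        /^[[:space:]]*<VirtualHost/  { invh = 1 }
        /^[[:space:]]*<\/VirtualHost/ { invh = 0 }
        invh && /^[[:space:]]*(SSLProtocol|SSLCipherSuite|SSLHonorCipherOrder)[[:space:]]/ { next }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Step 2: the package-owned file carries the project defaults in server (global) context.
# Every package update may overwrite this file; it is not meant to be edited by hand.
write_global_tls_options() {
    # $1 = file, $2 = SSLProtocol value, $3 = SSLCipherSuite value
    printf 'SSLProtocol %s\nSSLCipherSuite %s\nSSLHonorCipherOrder on\n' "$2" "$3" > "$1"
}

# Step 3: a site that wants something stricter puts the directive inside the VirtualHost,
# where it outranks the global value and is never touched by the package again.
add_vhost_override() {
    # $1 = ssl.conf, $2 = directive line to insert right after "SSLEngine on"
    awk -v line="$2" '{ print } /^[[:space:]]*SSLEngine[[:space:]]+on/ { print line }' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Resolve what httpd will actually use for the VirtualHost: VirtualHost context wins,
# otherwise the server-context value from the global file applies.
effective_value() {
    # $1 = directive, $2 = ssl.conf, $3 = global conf
    vh_val=$(awk -v d="$1" '
        /^[[:space:]]*<VirtualHost/  { invh = 1 }
        /^[[:space:]]*<\/VirtualHost/ { invh = 0 }
        invh && $1 == d { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$2")
    if [ -n "$vh_val" ]; then
        printf '%s\n' "$vh_val"
    else
        awk -v d="$1" '$1 == d { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }' "$3"
    fi
}

strip_vhost_tls_options "$SSL_CONF"
write_global_tls_options "$GLOBAL_CONF" "all -SSLv3 -TLSv1 -TLSv1.1" \
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
printf 'after restructure: SSLProtocol = %s\n' "$(effective_value SSLProtocol "$SSL_CONF" "$GLOBAL_CONF")"
# -> all -SSLv3 -TLSv1 -TLSv1.1   (from the package-owned global file)

add_vhost_override "$SSL_CONF" "SSLProtocol -all +TLSv1.2"
printf 'with site override: SSLProtocol = %s\n' "$(effective_value SSLProtocol "$SSL_CONF" "$GLOBAL_CONF")"
# -> -all +TLSv1.2   (the VirtualHost copy wins and survives later updates of the global file)
```

Because VirtualHost context outranks server context, the name of the package-owned file (and therefore its position in the conf.d load order) does not matter for the override; it only matters if two server-context files set the same directive, where the later one wins. Run `apachectl configtest` before reloading after either step.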

 

On November 9, 2018 at 10:27:11 AM, Doug Wussler () wrote:

But Andy, please note that the Mozilla SSL Configuration Generator places “SSLProtocol”, “SSLCipherSuite”, and “SSLHonorCipherOrder” OUTSIDE of the VirtualHost section.  This allows those settings to be customized per VirtualHost without losing those settings after an update.  When you distribute your SSL.CONF file, you are placing those settings INSIDE the VirtualHost section, which I believe is the root of the problem.

 

Doug

 

 

 

From: Andrew Lake <>
Date: Friday, November 9, 2018 at 10:16 AM
To: Doug Wussler <>, Alex Hsia <>
Cc: "" <>, "Garnizov, Ivan (RRZE)" <>, "" <>
Subject: Re: [perfsonar-user] AW: Automatic yum update changed the ssl.conf file

 

Hi,

 

Just a little background on this to add to what has already been said. By default on a Toolkit or another bundle with the perfsonar-toolkit-security package installed we follow the Mozilla “Intermediate compatibility” recommendations for CipherSuites as detailed here: https://wiki.mozilla.org/Security/Server_Side_TLS. This is a compromise between the most restrictive setting and the very open default settings you get when you install mod_ssl. These settings are changed by the script here on both fresh install and update: https://raw.githubusercontent.com/perfsonar/toolkit/master/scripts/configure_apache_security. We do this change on update because the recommendations change over time and we don’t want the average toolkit user to be stuck on whatever version they got first install. We also don’t “leave alone if it has been changed” since we don’t want to get in the business of trying to figure out if it was made more or less restrictive or trying to figure out exactly who or what changed it. All of the above can obviously be revisited, but that is where it stands today.

 

That being said, we realize there are people that want more restrictive settings. The Toolkit is intended to be our most comprehensive bundle that takes control of a lot of the system settings. For people that want more control over settings like this, the best current solution is to run a different bundle such as perfsonar-core. One of the primary purposes of these bundles is to allow people to cherry-pick what system settings they want our packages to control. perfsonar-core does not touch the SSL configuration, firewall, sysctl, ntp or various other settings by default. One caveat is it also currently does not have the Toolkit GUI which can only be installed as part of the full toolkit since it makes various assumptions about how the system is set up. If all your tests come from a mesh currently, you may not have much need for the toolkit package anyway. 

 

If you don’t need the GUI and want to handle the SSL and firewall settings yourself, the following should turn your existing toolkit host into a “core” host with our extra bundles for managing the system minus the security package.

 

rpm -e perfsonar-toolkit perfsonar-toolkit-systemenv perfsonar-toolkit-security

 

You can’t just remove the “perfsonar-toolkit-security” as the other two packages create a dependency path that will restore it on update. Also note that you will now be responsible for keeping the firewall up-to-date yourself as well. I understand this is not a perfect solution if you need the GUI, but if you need an immediate solution, this might be your best bet. 

 

I think longer-term it might be beneficial to see how we can split-up the packages further so you can still get the GUI and the firewall settings. The perfSONAR project has a diverse set of requirements to serve and we are constantly trying to find ways to be more flexible for our users with specific requirements while giving sane defaults that protect users not as familiar with all the pieces. 

 

 

Thanks,

Andy
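The thing Darryl's security group scanned for (TLS 1.0/1.1 still negotiable, 3DES still in the cipher list) can be checked from the configuration itself, before and after an update rewrites it. The script below is an added example, not part of the toolkit or its configure_apache_security script: it expands an SSLProtocol value with mod_ssl's rules (`all`, bare or `+X` adds, `-X` removes) and applies a heuristic to the SSLCipherSuite string. Both sample inputs are constructed; the first is the stock mod_ssl default that the thread describes, the second a TLS 1.2-only policy. No host is contacted and openssl is not required.

```sh
#!/bin/sh
# Added example, not part of the perfSONAR toolkit: flags legacy protocols and 3DES from the
# SSLProtocol and SSLCipherSuite values of an httpd config. Sample values are constructed.
set -eu

# Expand an Apache SSLProtocol value into the versions it enables, one per line.
# mod_ssl rules: "all" is every supported version; "+X" or a bare "X" adds X; "-X" removes X.
# Names are matched case-insensitively, as mod_ssl does.
enabled_protocols() {
    # $1 = SSLProtocol value, e.g. "all -SSLv2 -SSLv3" or "-all +TLSv1.2"
    printf '%s\n' "$1" | awk '
    BEGIN {
        n = split("SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3", known, " ")
    }
    {
        for (i = 1; i <= NF; i++) {
            tok = $i; op = substr(tok, 1, 1)
            if (op == "+" || op == "-") name = tolower(substr(tok, 2)); else { op = "+"; name = tolower(tok) }
            if (name == "all") { for (k = 1; k <= n; k++) on[tolower(known[k])] = (op == "+") }
            else on[name] = (op == "+")
        }
        for (k = 1; k <= n; k++) if (on[tolower(known[k])]) print known[k]
    }'
}

# Heuristic (no OpenSSL needed): 3DES stays reachable through the HIGH/MEDIUM/ALL/DEFAULT
# aliases or an explicit 3DES / DES-CBC3 suite unless the string kills it with !3DES or !DES.
# Aliases expand differently across OpenSSL releases, so the authoritative check is:
#   openssl ciphers -v "<SSLCipherSuite value>" | grep 3DES
cipher_string_allows_3des() {
    # $1 = SSLCipherSuite value; exit 0 if 3DES suites appear to be enabled
    list=$(printf '%s\n' "$1" | tr ':' '\n')
    if printf '%s\n' "$list" | grep -q -E '^!(3DES|DES)$'; then
        return 1
    fi
    printf '%s\n' "$list" | grep -q -E '^\+?(HIGH|MEDIUM|ALL|DEFAULT|3DES|.*DES-CBC3.*)$'
}

# One finding per line; prints nothing when the policy is TLS 1.2+ without 3DES.
audit_tls_policy() {
    # $1 = SSLProtocol value, $2 = SSLCipherSuite value
    for p in $(enabled_protocols "$1"); do
        case "$p" in
            SSLv3|TLSv1|TLSv1.1) printf 'legacy protocol enabled: %s\n' "$p" ;;
        esac
    done
    if cipher_string_allows_3des "$2"; then
        printf '3DES suites reachable via: %s\n' "$2"
    fi
}

# Constructed input 1: the stock mod_ssl defaults an update can put back.
printf '== stock mod_ssl defaults ==\n'
audit_tls_policy "all -SSLv2 -SSLv3" "HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA"
# -> legacy protocol enabled: TLSv1
# -> legacy protocol enabled: TLSv1.1
# -> 3DES suites reachable via: HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA

# Constructed input 2: a TLS 1.2-only policy of the kind Darryl put in place by hand.
printf '== TLS 1.2 only ==\n'
audit_tls_policy "-all +TLSv1.2" "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:!3DES"
# -> (no output)
```

Feed it the values httpd will actually use: the directive inside the VirtualHost if there is one, otherwise the server-context value, since the two can disagree after an update rewrites only one of them. The protocol expansion is exact for mod_ssl's syntax; the cipher part is only a screen, because aliases such as HIGH and MEDIUM expand differently across OpenSSL versions, so confirm with `openssl ciphers -v` or an external scan before declaring a host clean.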

 

 

On November 9, 2018 at 8:30:04 AM, Alex Hsia () wrote:

I would like to add my support for a resolution to this issue.  For Federal Government users, we are getting scanned more often by external entities and getting flagged for insecure TLS/SSL, weak ciphers and HSTS.  


Alex Hsia ==============================================================
NOAA/OAR                                            Phone: (303)497-6351
Mailstop R/ESRL                                    GVoice: (303)536-5430
325 Broadway                                  e-mail:
Boulder, CO  80305                                   PGP keyid: 8A482A90
========================================================================

 

 

On Fri, Nov 9, 2018 at 6:13 AM Doug Wussler <> wrote:

I believe this is the same issue I reported in December last year.  For that email discussion see:

 

https://lists.internet2.edu/sympa/arc/perfsonar-user/2017-12/msg00076.html

 

For the GitHub issue, see https://github.com/perfsonar/toolkit/issues/291

 

Bottom line:  The SSL.CONF file distributed with PerfSonar needs to be changed.  The SSLProtocol and SSLCipherSuite settings need to be moved outside the VirtualHost.  That way, individual deployments can override the default settings with customized configuration files.  As the file is now distributed, these settings are being placed inside the VirtualHost and thus cannot be overridden by a customized config file.

 

Doug

 

 

 

Doug Wussler

Florida State University

 

 

From: <> on behalf of "Garnizov, Ivan" <>
Date: Friday, November 9, 2018 at 3:57 AM
To: Darryl K Wohlt <>, "" <>
Subject: [perfsonar-user] AW: Automatic yum update changed the ssl.conf file

 

Hello Darryl,

 

Could you please provide more information about your installation?

Is this a pS Toolkit, pS Testpoint or is this Central management deployment, other?

 

Please keep in mind that the pS Toolkit is delivered as a full-featured product to a lot of users with different skill levels and different use cases. Still, to better understand your issue we need to know at least what is installed on your machine.

 

Regards,

Ivan Garnizov

 

GEANT SA1T2: pS deployments GN Operations

GEANT SA2T3: pS development team

GEANT SA3T5: eduPERT team

 

Anniversary Year 2018 - IT in Motion

RRZE - the IT service provider of FAU

www.50-jahre.rrze.fau.de

 

From: [mailto:] on behalf of Darryl K Wohlt
Sent: Friday, 9 November 2018 00:32
To:
Subject: [perfsonar-user] Automatic yum update changed the ssl.conf file

 

I received an alert from our computer security group saying that my PS instance “supports the use of TLS 1.0&1.1 and/or 3DES in one or more cipher suites.”  This is a big deal at our site.

 

When I upgraded this host in late October I made sure to update ssl.conf to allow only TLSv1.2.  After this alert I checked it again, and found it was modified (replaced?) at the same time an automatic yum update occurred.  This has happened before.

 

Can we please not modify this file during updates?

 

Thanks

 

Darryl K. Wohlt

Network Architect I

 

CCD/NCS/Network Services

Fermi National Accelerator Laboratory

P.O. Box 500, MS 368

Batavia, Illinois 60510

USA

 

630 840 2901 office

630 945 5687  mobile

www.fnal.gov

 
