[libvirt-users] Disable weak ciphers in vnc_tls
Daniel P. Berrange
berrange at redhat.com
Wed Apr 29 08:24:44 UTC 2015
On Tue, Apr 28, 2015 at 01:16:52PM +0200, Matthias Fenner wrote:
> Dear libvirt team,
>
> we a currently in a pci-dss certification process and our security
> scanner found weak ciphers in the vlc_tls service on our centos6 box:
>
> When I scan using sslscan I can see that sslv3 and rc4 is accepted:
>
> inf0rmix at tardis:~$ sslscan myhost:16514 | grep Accepted
> Accepted SSLv3 256 bits DHE-RSA-AES256-SHA
> Accepted SSLv3 256 bits AES256-SHA
> Accepted SSLv3 128 bits DHE-RSA-AES128-SHA
> Accepted SSLv3 128 bits AES128-SHA
> Accepted SSLv3 128 bits RC4-SHA
> Accepted SSLv3 128 bits RC4-MD5
> Accepted SSLv3 112 bits EDH-RSA-DES-CBC3-SHA
> Accepted SSLv3 112 bits DES-CBC3-SHA
> Accepted TLSv1 256 bits DHE-RSA-AES256-SHA
> Accepted TLSv1 256 bits DHE-RSA-CAMELLIA256-SHA
> Accepted TLSv1 256 bits AES256-SHA
> Accepted TLSv1 256 bits CAMELLIA256-SHA
> Accepted TLSv1 128 bits DHE-RSA-AES128-SHA
> Accepted TLSv1 128 bits DHE-RSA-CAMELLIA128-SHA
> Accepted TLSv1 128 bits AES128-SHA
> Accepted TLSv1 128 bits CAMELLIA128-SHA
> Accepted TLSv1 128 bits RC4-SHA
> Accepted TLSv1 128 bits RC4-MD5
> Accepted TLSv1 112 bits EDH-RSA-DES-CBC3-SHA
> Accepted TLSv1 112 bits DES-CBC3-SHA
>
> how do we turn it off and only allow tlv>=1.1
There's no configuration option to achieve that at this time. QEMU
just calls gnutls_set_default_priority(), so relues on GNUTLS
defaults being sensible. Unfortunately GNUTLS defaults are not
currently configurable, but there is work to add a global config
file for GNUTLS that would allow this to be tweaked by the admin
in the future.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
More information about the libvirt-users
mailing list