ifmap-server breaks with openjdk-7-jre=7u79-2.5.6-0ubuntu1.14.04.1
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Juniper Openstack |
Fix Committed
|
Undecided
|
Unassigned | ||
Bug Description
We previously had trouble with ifmap-server, since Ubuntu disabled SSLv3 in Java:
https:/
This prevented clients from connecting to ifmap-server using SSLv3. Back then
we disabled SSLv3 in as suggested in the workaround Stefan Andres posted on
that bug.
Now we have more of the same and indentified yet another java security upgrade
(openjdk-7-jre 7u79-2.
getting errors in /var/log/
2015-07-31 14:22:14,440 [pool-6-thread-1] ERROR - ChannelThread: SSLHandshakeExc
2015-07-31 14:22:14,440 [pool-6-thread-1] ERROR - ChannelThread: Setting channel 127.0.0.1:58786:75 into state 'BROKEN'
We do not know what exactly is the problem, since openjdk-
fixes a whole bunch of security problems:
https:/
What we do know is that a downgrade to
openjdk-
stopgap measure, though. Remaining at this version is absolutely inaccetable.
It already means missing a lot of critical security upgrades for Java and it
will mean missing a lot more in the future.
As for fixing the problem: It would be best to expose SSL settings through
configuration files for all Opencontrail services, since cipher or digest
algorithms turn out to be broken from time to time. In that case it would be
nice if one could simply disable them through a configuration file (as opposed
to filing a bug).
We observed the Problem on Ubuntu 14.04 with the following contrail versions
(installed from our in-house packages available from https:/
Contrail 2.01 (list of packages in the attached file packages.txt)
Contrail 2.20 (list of packages in the attached file packages.txt)
i
| Johannes Grassler (jgr-launchpad) wrote | #1 |
| information type: | Private Security → Public Security |
| Changed in juniperopenstack: | |
| status: | New → Fix Committed |
