Juniper Openstack

SYMC: FREAK SSL vulnerability

  1. Series r2.0
  2. Bug #1477400
Bug #1477400 reported by Varun Lodaya
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Juniper Openstack
Status tracked in Trunk
R2.0
Fix Committed
Medium
Varun Lodaya
R2.1
Fix Committed
Medium
Varun Lodaya
R2.20
Fix Committed
Medium
Varun Lodaya
Juniper Openstack r2.22
Trunk
Fix Committed
Medium
Varun Lodaya
OpenContrail
New
Medium
Varun Lodaya

Bug Description

HAProxy by default supports all the openssl supported ciphers which includes which ciphers too. The usage of these ciphers could allow an attacker with sufficient time and resources to crack the encrypted connection. Once the attacker has broken the encryption, they would be able to eavesdrop on and/or modify any data sent over the connection.

Need to configure haproxy to support only strong ciphers.

Tags: haproxy lbaas
Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R2.1

Review in progress for https://review.opencontrail.org/12570
Submitter: Varun Lodaya (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R2.0

Review in progress for https://review.opencontrail.org/12591
Submitter: Varun Lodaya (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/12592
Submitter: Varun Lodaya (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R2.20

Review in progress for https://review.opencontrail.org/12593
Submitter: Varun Lodaya (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R2.0

Review in progress for https://review.opencontrail.org/12594
Submitter: Varun Lodaya (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R2.20

Review in progress for https://review.opencontrail.org/12593
Submitter: Varun Lodaya (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R2.1

Review in progress for https://review.opencontrail.org/12570
Submitter: Varun Lodaya (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/12592
Submitter: Varun Lodaya (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/12592
Committed: http://github.org/Juniper/contrail-controller/commit/488f753d5753a8f793378f5b6e1faecce0660631
Submitter: Zuul
Branch: master

commit 488f753d5753a8f793378f5b6e1faecce0660631
Author: Varun Lodaya <email address hidden>
Date: Thu Jul 23 14:09:03 2015 -0700

Fix for FREAK SSL vulnerability

This fix pushes selected set of secure ciphers into
haproxy config file

Change-Id: Idfc11ce0411024e7154d3b2c46a095fb4f80337d
Closes-Bug: #1477400

Nagabhushana R (bhushana)
Changed in opencontrail:
assignee: nobody → Varun Lodaya (varun-lodaya)
importance: Undecided → Medium
tags: added: lbaas
Nagabhushana R (bhushana)
tags: added: haproxy
Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/12594
Committed: http://github.org/Juniper/contrail-controller/commit/59937d44f788edefb11650d8f3b4a37d8e9066ca
Submitter: Zuul
Branch: R2.0

commit 59937d44f788edefb11650d8f3b4a37d8e9066ca
Author: Varun Lodaya <email address hidden>
Date: Thu Jul 23 14:00:22 2015 -0700

Fix for SSL Freak vulnerability

This fix pushes selected set of secure ciphers into
haproxy config file.

Change-Id: I3d93da64aa48c42b7150ca7846215b51df5274ba
Closes-Bug: #1477400

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/12570
Committed: http://github.org/Juniper/contrail-controller/commit/517551968f583143a66e900d9a9184efb1606f40
Submitter: Zuul
Branch: R2.1

commit 517551968f583143a66e900d9a9184efb1606f40
Author: Varun Lodaya <email address hidden>
Date: Wed Jul 22 22:57:57 2015 -0700

Fix to remediate FREAK SSL vulnerability

This fix pushes selected set of secure ciphers into
haproxy config file

Change-Id: Ic7154a961879e1bb56e4567159b8f5614116cc14
Closes-Bug: #1477400

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/12593
Committed: http://github.org/Juniper/contrail-controller/commit/722886b7faceb6e03545fb9ad1552ea0aac179d8
Submitter: Zuul
Branch: R2.20

commit 722886b7faceb6e03545fb9ad1552ea0aac179d8
Author: Varun Lodaya <email address hidden>
Date: Thu Jul 23 14:13:52 2015 -0700

Fix for FREAK SSL vulnerability

This fix pushes selected set of secure ciphers into
haproxy config file

Change-Id: I7aff0fab44484fb235ee0432dbee8dc13efc3a63
Closes-Bug: #1477400

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R2.22-dev

Review in progress for https://review.opencontrail.org/13871
Submitter: Rudra Rugge (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/13871
Committed: http://github.org/Juniper/contrail-controller/commit/245f6d85c7d28aedb5bb28f4b09b8c2a766b5c56
Submitter: Zuul
Branch: R2.22-dev

commit 245f6d85c7d28aedb5bb28f4b09b8c2a766b5c56
Author: Rudra Rugge <email address hidden>
Date: Thu May 14 13:41:45 2015 -0700

LBAAS haproxy process manager

Manage haproxy daemon for lbaas. Two options avaialable:
- Manage through supervisor. This will run on non-daemon mode
as the process cannot be managed by supervisord if it runs in
background. Process monitoring provided by supervisor.
- Start/stop the daemon as we do today. Need additional changes
to ensure monitoring/restarting of the process.

Additional commit needed to enable this code from vrouter_netns.

Change-Id: I05c13d7c96c86bee2fcddc73342ba28c6010c8e6
Partial-Bug: #1452928

Enable haproxy config translation

Enable haproxy config translation from json format
Also enable haproxy daemon handling by supervisord

Change-Id: If3489ea66430ec0ac50bb6198093a0689fa16219
Closes-Bug: #1452928

Conflicts:

 src/nodemgr/haproxy_stats.py

Generate mac from instance ip for service VMs

Generate the same mac-address for all interfaces sharing the same
IP. In addition a change to daemonize the haproxy process instead
of managing through supervisor.

Change-Id: I2394f29c4a11bffeee4b0184ce6cd6867b01e0e9
Closes-Bug: #1461882

Haproxy config generation fixes for HTTPS protocol

Change-Id: I140361ad4785be2a87d23a04181e73ca999e8e2b
Closes-bug: #1466318

Fix for poodle vulnerability; ChangeId: I9432d035eb59b1ff53cb5d33350cd5f8063e077c; Closes-Bug: #1475392

Change-Id: I390a77261bc0d3257108c06951c79f1d2c3dadaa

Fix for FREAK SSL vulnerability

This fix pushes selected set of secure ciphers into
haproxy config file

Change-Id: Idfc11ce0411024e7154d3b2c46a095fb4f80337d
Closes-Bug: #1477400

HAProxy Performance Tuning

HAProxy's default config is non-performant.
This fix updates following config in HAProxy:
1) Increase TCP client/server timeouts.
2) Increase ulimit globally per HAProxy process.
3) Increase maxconn globally per HAProxy process.

Change-Id: I28be29d5ab3dcb2a35fcbe9168300edf18b2c23c
Closes-Bug: #1477781

Allow custom configs with LBaaS

This fix takes care of haproxy parsing and
validation changes on vrouter agent. Removing
extra white spaces

Closes-Bug: #1475393
Change-Id: I822e27792f78168a178d555db5703fa1e73d0cc9

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R2.22-dev

Review in progress for https://review.opencontrail.org/13927
Submitter: Vinay Vithal Mahuli (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R2.20

Review in progress for https://review.opencontrail.org/14371
Submitter: Varun Lodaya (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Review in progress for https://review.opencontrail.org/14576
Submitter: Varun Lodaya (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged
Download full text (4.3 KiB)

Reviewed: https://review.opencontrail.org/14576
Committed: http://github.org/Juniper/contrail-controller/commit/888049f626fbd7d6ad349ffb2270bcc3886958f1
Submitter: Zuul
Branch: R2.20

commit 888049f626fbd7d6ad349ffb2270bcc3886958f1
Author: Rudra Rugge <email address hidden>
Date: Fri May 8 10:54:27 2015 -0700

Generate loadbalancer config in json format

Currently the agent generates loadbalancer configuration in
haproxy specific format. Going forward agent will generate
a generic json based loadbalancer config. This config will
be handled by driver specific configuration parser. Currently
only haproxy parsing is supported.

Closes-Bug: #1452928
Change-Id: I2d198aff0a569615ac5c331e4b6c582b93d9d3a3

Conflicts:
 src/vnsw/agent/oper/loadbalancer_haproxy.cc

LBAAS haproxy process manager

Manage haproxy daemon for lbaas. Two options avaialable:
- Manage through supervisor. This will run on non-daemon mode
as the process cannot be managed by supervisord if it runs in
background. Process monitoring provided by supervisor.
- Start/stop the daemon as we do today. Need additional changes
to ensure monitoring/restarting of the process.

Additional commit needed to enable this code from vrouter_netns.

Change-Id: I05c13d7c96c86bee2fcddc73342ba28c6010c8e6
Partial-Bug: #1452928

Enable haproxy config translation

Enable haproxy config translation from json format
Also enable haproxy daemon handling by supervisord

Change-Id: If3489ea66430ec0ac50bb6198093a0689fa16219
Closes-Bug: #1452928

Conflicts:

 src/nodemgr/haproxy_stats.py

Generate mac from instance ip for service VMs

Generate the same mac-address for all interfaces sharing the same
IP. In addition a change to daemonize the haproxy process instead
of managing through supervisor.

Change-Id: I2394f29c4a11bffeee4b0184ce6cd6867b01e0e9
Closes-Bug: #1461882

Haproxy config generation fixes for HTTPS protocol

Change-Id: I140361ad4785be2a87d23a04181e73ca999e8e2b
Closes-bug: #1466318

Fix for poodle vulnerability; ChangeId: I9432d035eb59b1ff53cb5d33350cd5f8063e077c; Closes-Bug: #1475392

Change-Id: I390a77261bc0d3257108c06951c79f1d2c3dadaa

Fix for FREAK SSL vulnerability

This fix pushes selected set of secure ciphers into
haproxy config file

Change-Id: Idfc11ce0411024e7154d3b2c46a095fb4f80337d
Closes-Bug: #1477400

HAProxy Performance Tuning

HAProxy's default config is non-performant.
This fix updates following config in HAProxy:
1) Increase TCP client/server timeouts.
2) Increase ulimit globally per HAProxy process.
3) Increase maxconn globally per HAProxy process.

Change-Id: I28be29d5ab3dcb2a35fcbe9168300edf18b2c23c
Closes-Bug: #1477781

Allow custom configs with LBaaS

This fix takes care of haproxy parsing and
validation changes on vrouter agent. Removing
extra white spaces

Closes-Bug: #1475393
Change-Id: I822e27792f78168a178d555db5703fa1e73d0cc9

Allow custom configs with LBaaS

This fix enables a new field "custom-attr" in loadbalancer_pool
properties in the schema.

Change-Id: I17eecc2fedea4d1d3889b7e114e99732ac2eecc9
Closes-Bug: #1475393

Allow custom configs with LBaaS

This fix commits the vrouter agent code to read
the custom_attributes from ifmap node and copy it
to config.json file...

Read more...

Varun Lodaya (varun-lodaya)
summary: - FREAK SSL vulnerability
+ SYMC: FREAK SSL vulnerability
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.