TLS/SSL Server Supports Anonymous Cipher Suites with no Key Authentication (Cobbler, TCP port 443)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Fuel for OpenStack | Fix Committed | Low | Sergii Rizvan |
7.0.x | Fix Released | Low | Sergii Rizvan |
8.0.x | Fix Released | Low | Sergii Rizvan |
Mitaka | Fix Released | Low | Sergii Rizvan |
Newton | Fix Committed | Low | Sergii Rizvan |
Bug Description
Detailed bug description:
The server is configured to support anonymous cipher suites with no key authentication. Because the server is never authenticated under these suites, they are highly vulnerable to man-in-the-middle attacks.
Steps to reproduce:
Negotiated with the following insecure cipher suites:
* TLS 1.0 ciphers:
  * TLS_ECDH_
  * TLS_ECDH_
  * TLS_ECDH_
* TLS 1.1 ciphers:
  * TLS_ECDH_
  * TLS_ECDH_
  * TLS_ECDH_
* TLS 1.2 ciphers:
  * TLS_ECDH_
  * TLS_ECDH_
  * TLS_ECDH_
Expected results:
The following recommended configuration provides a higher level of security. This configuration is compatible with Firefox 27, Chrome 22, IE 11, Opera 14 and Safari 7. SSLv2, SSLv3, and TLSv1 protocols are not recommended in this configuration. Instead, use TLSv1.1 and TLSv1.2 protocols.
Refer to your server vendor documentation to apply the recommended cipher configuration:
ECDHE-RSA-
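The check below is an added example, not code from the bug report or the Fuel project. It classifies cipher suite names (IANA `TLS_*_anon_*` and OpenSSL `ADH-`/`AECDH-` spellings) as anonymous, and gives an audit function a defender can run against their own Cobbler endpoint (hostname and port are assumptions) to confirm the finding before the fix and its absence after. It drops the local OpenSSL security level for the probe, since a default client would refuse to offer aNULL suites at all.

```python
import re
import socket
import ssl

# Anonymous (aNULL) suites do no server authentication, so any on-path party
# can impersonate the server. IANA names carry "_anon_" after the key exchange
# (TLS_DH_anon_*, TLS_ECDH_anon_*); OpenSSL spells them ADH-* / AECDH-*.
_ANON_IANA = re.compile(r"^TLS_(?:DH|ECDH)_anon_", re.IGNORECASE)
_ANON_OPENSSL = re.compile(r"^(?:ADH|AECDH)-", re.IGNORECASE)


def is_anonymous_suite(name: str) -> bool:
    """True if the cipher suite name denotes an unauthenticated key exchange."""
    name = name.strip()
    return bool(_ANON_IANA.match(name) or _ANON_OPENSSL.match(name))


def find_anonymous(offered):
    """Filter a scanner's list of negotiated suites down to the anonymous ones."""
    return [s for s in offered if is_anonymous_suite(s)]


def server_accepts_anonymous(host, port=443, timeout=5.0):
    """Offer the server only anonymous suites and report what it negotiates.

    Returns the suite name if the handshake completes (finding confirmed) or
    None if the server rejects every anonymous suite (finding fixed).
    host/port are the caller's own endpoint, e.g. the Cobbler host (assumed).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # anonymous suites present no certificate
    # Cap at TLS 1.2: TLS 1.3 suites are configured separately in OpenSSL and
    # would otherwise let an authenticated TLS 1.3 handshake succeed.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        # Security level >= 1 refuses aNULL, so lower it for this probe only.
        ctx.set_ciphers("aNULL:@SECLEVEL=0")
    except ssl.SSLError as exc:
        raise RuntimeError("local OpenSSL offers no anonymous suites") from exc
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
    except ssl.SSLError:
        return None  # handshake failure: no anonymous suite was accepted
```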
Changed in fuel:
  assignee: nobody → MOS Maintenance (mos-maintenance)
  summary:
    - TLS/SSL Server Supports Anonymous Cipher Suites with no Key Authentication (Cobbler)
    + TLS/SSL Server Supports Anonymous Cipher Suites with no Key Authentication (Cobbler, TCP port 443)
Changed in fuel:
  assignee: MOS Maintenance (mos-maintenance) → Sergii Rizvan (srizvan)
Changed in fuel:
  milestone: 8.0-mu-4 → 12.0
  tags: added: on-verification
Fix proposed to branch: master
Review: https://review.openstack.org/452144