SYMC: POODLE HTTPS vulnerability

Bug #1475392 reported by Varun Lodaya
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Juniper Openstack
Status tracked in Trunk
R2.20
Fix Committed
High
Varun Lodaya
Trunk
Fix Committed
High
Varun Lodaya
OpenContrail
New
High
Varun Lodaya

Bug Description

LBaaS HAProxy allows SSLv3 communication. In recent future, SSLv3 has been identified as vulnerable to POODLE attack. Here's link to more details on this:
https://www.openssl.org/~bodo/ssl-poodle.pdf

We need to disable SSLv3 from default HAProxy config.

Tags: lbaas
Changed in opencontrail:
assignee: nobody → Varun Lodaya (varun-lodaya)
Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/12449
Submitter: Varun Lodaya (<email address hidden>)

tags: added: lbaas
Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/12449
Committed: http://github.org/Juniper/contrail-controller/commit/b6b691b9959f638af7df3624166cd0f4acbf8339
Submitter: Zuul
Branch: master

commit b6b691b9959f638af7df3624166cd0f4acbf8339
Author: Varun Lodaya <email address hidden>
Date: Thu Jul 16 12:42:25 2015 -0700

Fix for poodle vulnerability; ChangeId: I9432d035eb59b1ff53cb5d33350cd5f8063e077c; Closes-Bug: #1475392

Change-Id: I390a77261bc0d3257108c06951c79f1d2c3dadaa

Changed in opencontrail:
importance: Undecided → High
Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R2.22-dev

Review in progress for https://review.opencontrail.org/13871
Submitter: Rudra Rugge (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/13871
Committed: http://github.org/Juniper/contrail-controller/commit/245f6d85c7d28aedb5bb28f4b09b8c2a766b5c56
Submitter: Zuul
Branch: R2.22-dev

commit 245f6d85c7d28aedb5bb28f4b09b8c2a766b5c56
Author: Rudra Rugge <email address hidden>
Date: Thu May 14 13:41:45 2015 -0700

LBAAS haproxy process manager

Manage haproxy daemon for lbaas. Two options avaialable:
- Manage through supervisor. This will run on non-daemon mode
as the process cannot be managed by supervisord if it runs in
background. Process monitoring provided by supervisor.
- Start/stop the daemon as we do today. Need additional changes
to ensure monitoring/restarting of the process.

Additional commit needed to enable this code from vrouter_netns.

Change-Id: I05c13d7c96c86bee2fcddc73342ba28c6010c8e6
Partial-Bug: #1452928

Enable haproxy config translation

Enable haproxy config translation from json format
Also enable haproxy daemon handling by supervisord

Change-Id: If3489ea66430ec0ac50bb6198093a0689fa16219
Closes-Bug: #1452928

Conflicts:

 src/nodemgr/haproxy_stats.py

Generate mac from instance ip for service VMs

Generate the same mac-address for all interfaces sharing the same
IP. In addition a change to daemonize the haproxy process instead
of managing through supervisor.

Change-Id: I2394f29c4a11bffeee4b0184ce6cd6867b01e0e9
Closes-Bug: #1461882

Haproxy config generation fixes for HTTPS protocol

Change-Id: I140361ad4785be2a87d23a04181e73ca999e8e2b
Closes-bug: #1466318

Fix for poodle vulnerability; ChangeId: I9432d035eb59b1ff53cb5d33350cd5f8063e077c; Closes-Bug: #1475392

Change-Id: I390a77261bc0d3257108c06951c79f1d2c3dadaa

Fix for FREAK SSL vulnerability

This fix pushes selected set of secure ciphers into
haproxy config file

Change-Id: Idfc11ce0411024e7154d3b2c46a095fb4f80337d
Closes-Bug: #1477400

HAProxy Performance Tuning

HAProxy's default config is non-performant.
This fix updates following config in HAProxy:
1) Increase TCP client/server timeouts.
2) Increase ulimit globally per HAProxy process.
3) Increase maxconn globally per HAProxy process.

Change-Id: I28be29d5ab3dcb2a35fcbe9168300edf18b2c23c
Closes-Bug: #1477781

Allow custom configs with LBaaS

This fix takes care of haproxy parsing and
validation changes on vrouter agent. Removing
extra white spaces

Closes-Bug: #1475393
Change-Id: I822e27792f78168a178d555db5703fa1e73d0cc9

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R2.20

Review in progress for https://review.opencontrail.org/14371
Submitter: Varun Lodaya (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Review in progress for https://review.opencontrail.org/14576
Submitter: Varun Lodaya (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged
Download full text (4.3 KiB)

Reviewed: https://review.opencontrail.org/14576
Committed: http://github.org/Juniper/contrail-controller/commit/888049f626fbd7d6ad349ffb2270bcc3886958f1
Submitter: Zuul
Branch: R2.20

commit 888049f626fbd7d6ad349ffb2270bcc3886958f1
Author: Rudra Rugge <email address hidden>
Date: Fri May 8 10:54:27 2015 -0700

Generate loadbalancer config in json format

Currently the agent generates loadbalancer configuration in
haproxy specific format. Going forward agent will generate
a generic json based loadbalancer config. This config will
be handled by driver specific configuration parser. Currently
only haproxy parsing is supported.

Closes-Bug: #1452928
Change-Id: I2d198aff0a569615ac5c331e4b6c582b93d9d3a3

Conflicts:
 src/vnsw/agent/oper/loadbalancer_haproxy.cc

LBAAS haproxy process manager

Manage haproxy daemon for lbaas. Two options avaialable:
- Manage through supervisor. This will run on non-daemon mode
as the process cannot be managed by supervisord if it runs in
background. Process monitoring provided by supervisor.
- Start/stop the daemon as we do today. Need additional changes
to ensure monitoring/restarting of the process.

Additional commit needed to enable this code from vrouter_netns.

Change-Id: I05c13d7c96c86bee2fcddc73342ba28c6010c8e6
Partial-Bug: #1452928

Enable haproxy config translation

Enable haproxy config translation from json format
Also enable haproxy daemon handling by supervisord

Change-Id: If3489ea66430ec0ac50bb6198093a0689fa16219
Closes-Bug: #1452928

Conflicts:

 src/nodemgr/haproxy_stats.py

Generate mac from instance ip for service VMs

Generate the same mac-address for all interfaces sharing the same
IP. In addition a change to daemonize the haproxy process instead
of managing through supervisor.

Change-Id: I2394f29c4a11bffeee4b0184ce6cd6867b01e0e9
Closes-Bug: #1461882

Haproxy config generation fixes for HTTPS protocol

Change-Id: I140361ad4785be2a87d23a04181e73ca999e8e2b
Closes-bug: #1466318

Fix for poodle vulnerability; ChangeId: I9432d035eb59b1ff53cb5d33350cd5f8063e077c; Closes-Bug: #1475392

Change-Id: I390a77261bc0d3257108c06951c79f1d2c3dadaa

Fix for FREAK SSL vulnerability

This fix pushes selected set of secure ciphers into
haproxy config file

Change-Id: Idfc11ce0411024e7154d3b2c46a095fb4f80337d
Closes-Bug: #1477400

HAProxy Performance Tuning

HAProxy's default config is non-performant.
This fix updates following config in HAProxy:
1) Increase TCP client/server timeouts.
2) Increase ulimit globally per HAProxy process.
3) Increase maxconn globally per HAProxy process.

Change-Id: I28be29d5ab3dcb2a35fcbe9168300edf18b2c23c
Closes-Bug: #1477781

Allow custom configs with LBaaS

This fix takes care of haproxy parsing and
validation changes on vrouter agent. Removing
extra white spaces

Closes-Bug: #1475393
Change-Id: I822e27792f78168a178d555db5703fa1e73d0cc9

Allow custom configs with LBaaS

This fix enables a new field "custom-attr" in loadbalancer_pool
properties in the schema.

Change-Id: I17eecc2fedea4d1d3889b7e114e99732ac2eecc9
Closes-Bug: #1475393

Allow custom configs with LBaaS

This fix commits the vrouter agent code to read
the custom_attributes from ifmap node and copy it
to config.json file...

Read more...

summary: - POODLE HTTPS vulnerability
+ SYMC: POODLE HTTPS vulnerability
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.