Dear libvirt team,

we are currently in a PCI-DSS certification process and our security scanner found weak ciphers in the vnc_tls service on our CentOS 6 box.

When I scan using sslscan I can see that SSLv3 and RC4 are accepted:

inf0rmix@tardis:~$ sslscan myhost:16514 | grep Accepted
Accepted SSLv3 256 bits DHE-RSA-AES256-SHA
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 128 bits DHE-RSA-AES128-SHA
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 128 bits RC4-SHA
Accepted SSLv3 128 bits RC4-MD5
Accepted SSLv3 112 bits EDH-RSA-DES-CBC3-SHA
Accepted SSLv3 112 bits DES-CBC3-SHA
Accepted TLSv1 256 bits DHE-RSA-AES256-SHA
Accepted TLSv1 256 bits DHE-RSA-CAMELLIA256-SHA
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 256 bits CAMELLIA256-SHA
Accepted TLSv1 128 bits DHE-RSA-AES128-SHA
Accepted TLSv1 128 bits DHE-RSA-CAMELLIA128-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 128 bits CAMELLIA128-SHA
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5
Accepted TLSv1 112 bits EDH-RSA-DES-CBC3-SHA
Accepted TLSv1 112 bits DES-CBC3-SHA

How do we turn it off and only allow TLS >= 1.1?

Kind regards,
Matthias Fenner
Daniel P. Berrange
2015-Apr-29 08:24 UTC
Re: [libvirt-users] Disable weak ciphers in vnc_tls
On Tue, Apr 28, 2015 at 01:16:52PM +0200, Matthias Fenner wrote:
> Dear libvirt team,
>
> we are currently in a PCI-DSS certification process and our security
> scanner found weak ciphers in the vnc_tls service on our CentOS 6 box:
>
> When I scan using sslscan I can see that SSLv3 and RC4 are accepted:
>
> inf0rmix@tardis:~$ sslscan myhost:16514 | grep Accepted
> Accepted SSLv3 256 bits DHE-RSA-AES256-SHA
> Accepted SSLv3 256 bits AES256-SHA
> Accepted SSLv3 128 bits DHE-RSA-AES128-SHA
> Accepted SSLv3 128 bits AES128-SHA
> Accepted SSLv3 128 bits RC4-SHA
> Accepted SSLv3 128 bits RC4-MD5
> Accepted SSLv3 112 bits EDH-RSA-DES-CBC3-SHA
> Accepted SSLv3 112 bits DES-CBC3-SHA
> Accepted TLSv1 256 bits DHE-RSA-AES256-SHA
> Accepted TLSv1 256 bits DHE-RSA-CAMELLIA256-SHA
> Accepted TLSv1 256 bits AES256-SHA
> Accepted TLSv1 256 bits CAMELLIA256-SHA
> Accepted TLSv1 128 bits DHE-RSA-AES128-SHA
> Accepted TLSv1 128 bits DHE-RSA-CAMELLIA128-SHA
> Accepted TLSv1 128 bits AES128-SHA
> Accepted TLSv1 128 bits CAMELLIA128-SHA
> Accepted TLSv1 128 bits RC4-SHA
> Accepted TLSv1 128 bits RC4-MD5
> Accepted TLSv1 112 bits EDH-RSA-DES-CBC3-SHA
> Accepted TLSv1 112 bits DES-CBC3-SHA
>
> How do we turn it off and only allow TLS >= 1.1?

There's no configuration option to achieve that at this time. QEMU just
calls gnutls_set_default_priority(), so relies on GNUTLS defaults being
sensible. Unfortunately GNUTLS defaults are not currently configurable,
but there is work to add a global config file for GNUTLS that would
allow this to be tweaked by the admin in the future.

Regards,
Daniel
-- 
|: http://berrange.com      -o-      http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
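Since the reply above says there is no server-side knob for this in the libvirt/QEMU version in question, what remains on the operator's side is to verify the endpoint against the policy the scanner enforces and to re-check it after any GnuTLS or QEMU update. The script below is an added example, not part of the thread and not libvirt or QEMU code: it parses sslscan "Accepted"/"Preferred" lines like the ones posted and reports every row that is below TLS 1.1 or uses RC4, 3DES or an MD5 MAC. The sample input is constructed from the lines in the thread, with one TLSv1.2 row added to show a passing entry; the version floor and the weak-cipher patterns are assumptions that encode the requirement stated in the question.

```python
"""Policy check over sslscan output (added example; the thresholds below are assumptions)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a subset of the sslscan rows from the thread plus one
# modern row, enough to exercise every rule below.
SAMPLE_SCAN = """\
Accepted  SSLv3    256 bits  DHE-RSA-AES256-SHA
Accepted  SSLv3    128 bits  RC4-SHA
Accepted  SSLv3    112 bits  DES-CBC3-SHA
Accepted  TLSv1    256 bits  DHE-RSA-AES256-SHA
Accepted  TLSv1    128 bits  RC4-MD5
Accepted  TLSv1    112 bits  EDH-RSA-DES-CBC3-SHA
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384
"""

# sslscan prints "<Accepted|Preferred> <proto> <bits> bits <cipher>".
LINE_RE = re.compile(r"^\s*(Accepted|Preferred)\s+(\S+)\s+(\d+)\s+bits\s+(\S+)\s*$")

# Policy (assumption): the thread asks for TLS >= 1.1 and no RC4; 3DES and
# MD5 MACs are added because a PCI scanner will flag them as well.
MIN_TLS = (1, 1)
WEAK_CIPHER_RULES = (
    ("RC4", "RC4 stream cipher"),
    ("DES-CBC3", "3DES (64-bit block cipher)"),
    ("MD5", "MD5-based MAC"),
)


@dataclass(frozen=True)
class Finding:
    protocol: str
    cipher: str
    reason: str


def parse_protocol(proto: str) -> tuple[int, int]:
    """Turn an sslscan protocol token into a comparable (major, minor) tuple.

    SSLv2/SSLv3 are encoded as (0, 2)/(0, 3) so they sort below every TLS version.
    """
    m = re.fullmatch(r"(SSL|TLS)v(\d+)(?:\.(\d+))?", proto)
    if not m:
        raise ValueError(f"unrecognised protocol token: {proto!r}")
    family, major, minor = m.group(1), int(m.group(2)), int(m.group(3) or 0)
    return (0, major) if family == "SSL" else (major, minor)


def parse_sslscan(text: str) -> list[tuple[str, int, str]]:
    """Extract (protocol, bits, cipher) from accepted/preferred cipher lines; other lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((m.group(2), int(m.group(3)), m.group(4)))
    return rows


def evaluate(rows: list[tuple[str, int, str]], min_tls: tuple[int, int] = MIN_TLS) -> list[Finding]:
    """Return one Finding per policy violation; a row can produce several (e.g. SSLv3 + RC4)."""
    findings: list[Finding] = []
    for proto, _bits, cipher in rows:
        if parse_protocol(proto) < min_tls:
            findings.append(Finding(proto, cipher, f"protocol below TLS {min_tls[0]}.{min_tls[1]}"))
        for needle, reason in WEAK_CIPHER_RULES:
            if needle in cipher:
                findings.append(Finding(proto, cipher, reason))
    return findings


def compliant(scan_text: str) -> bool:
    """True when no accepted protocol/cipher combination violates the policy."""
    return not evaluate(parse_sslscan(scan_text))


if __name__ == "__main__":
    for f in evaluate(parse_sslscan(SAMPLE_SCAN)):
        print(f"{f.protocol:8} {f.cipher:32} {f.reason}")
    print("compliant:", compliant(SAMPLE_SCAN))
```

Feed it the real output with `sslscan myhost:16514 | python3 check.py` style plumbing once you wrap `sys.stdin.read()` around `compliant()`; the value of keeping the policy as data is that the same check can be rerun unchanged after a GnuTLS upgrade to confirm the defaults actually moved.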