Re: Disable weak ciphers in vnc_tls


On Tue, Apr 28, 2015 at 01:16:52PM +0200, Matthias Fenner wrote:
> Dear libvirt team,
> 
> we are currently in a pci-dss certification process and our security
> scanner found weak ciphers in the vnc_tls service on our centos6 box:
> 
> When I scan using sslscan I can see that sslv3 and rc4 is accepted:
> 
> inf0rmix@tardis:~$ sslscan myhost:16514 | grep Accepted
>     Accepted  SSLv3  256 bits  DHE-RSA-AES256-SHA
>     Accepted  SSLv3  256 bits  AES256-SHA
>     Accepted  SSLv3  128 bits  DHE-RSA-AES128-SHA
>     Accepted  SSLv3  128 bits  AES128-SHA
>     Accepted  SSLv3  128 bits  RC4-SHA
>     Accepted  SSLv3  128 bits  RC4-MD5
>     Accepted  SSLv3  112 bits  EDH-RSA-DES-CBC3-SHA
>     Accepted  SSLv3  112 bits  DES-CBC3-SHA
>     Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
>     Accepted  TLSv1  256 bits  DHE-RSA-CAMELLIA256-SHA
>     Accepted  TLSv1  256 bits  AES256-SHA
>     Accepted  TLSv1  256 bits  CAMELLIA256-SHA
>     Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
>     Accepted  TLSv1  128 bits  DHE-RSA-CAMELLIA128-SHA
>     Accepted  TLSv1  128 bits  AES128-SHA
>     Accepted  TLSv1  128 bits  CAMELLIA128-SHA
>     Accepted  TLSv1  128 bits  RC4-SHA
>     Accepted  TLSv1  128 bits  RC4-MD5
>     Accepted  TLSv1  112 bits  EDH-RSA-DES-CBC3-SHA
>     Accepted  TLSv1  112 bits  DES-CBC3-SHA
> 
> How do we turn it off and only allow TLS >= 1.1?

There's no configuration option to achieve that at this time. QEMU
just calls gnutls_set_default_priority(), so relies on GNUTLS
defaults being sensible. Unfortunately GNUTLS defaults are not
currently configurable, but there is work to add a global config
file for GNUTLS that would allow this to be tweaked by the admin
in the future.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

_______________________________________________
libvirt-users mailing list
libvirt-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvirt-users
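Since the server side cannot be tightened as the thread explains, the useful check on the admin's side is to audit what the scanner reports. The script below is an added example, not code from the thread, from libvirt or from QEMU: it parses sslscan "Accepted"/"Preferred" lines of the form quoted above and lists every suite that a policy of "TLS 1.1 or newer, no RC4, DES/3DES, MD5, NULL or export suites, at least 128-bit keys" would reject. The policy thresholds, the suite-name patterns and the sample lines are assumptions constructed for the example (the sample is a subset of the output quoted in the original question).

```python
"""Audit sslscan output against a minimum TLS policy (constructed example)."""
import re
from typing import List, NamedTuple, Tuple

# Constructed sample: a subset of the sslscan lines quoted in the thread,
# plus one "Rejected" line to show that only accepted suites are evaluated.
SAMPLE_SSLSCAN_OUTPUT = """\
    Accepted  SSLv3  256 bits  DHE-RSA-AES256-SHA
    Accepted  SSLv3  128 bits  RC4-MD5
    Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
    Accepted  TLSv1  128 bits  RC4-SHA
    Accepted  TLSv1  112 bits  EDH-RSA-DES-CBC3-SHA
    Rejected  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
"""

# Ordering of protocol versions as sslscan prints them (assumed spellings).
PROTOCOL_RANK = {
    "SSLv2": 0, "SSLv3": 1, "TLSv1": 2, "TLSv1.0": 2,
    "TLSv1.1": 3, "TLSv1.2": 4, "TLSv1.3": 5,
}

# Assumed policy: the question asked for TLS >= 1.1, and the usual
# PCI-DSS findings are RC4, (3)DES, MD5 and export/NULL suites.
MIN_PROTOCOL = "TLSv1.1"
MIN_BITS = 128
WEAK_SUITE_PATTERNS = (
    re.compile(r"(^|-)RC4(-|$)"),
    re.compile(r"(^|-)DES(-|$)"),      # DES-CBC3-SHA (3DES) and single DES
    re.compile(r"-MD5$"),
    re.compile(r"(^|-)NULL(-|$)"),
    re.compile(r"(^|-)EXP(ORT)?\d*(-|$)"),
)

# sslscan line shape: "<Accepted|Preferred>  <proto>  <n> bits  <suite>"
LINE_RE = re.compile(r"^\s*(Accepted|Preferred)\s+(\S+)\s+(\d+)\s+bits\s+(\S+)")


class Finding(NamedTuple):
    protocol: str
    bits: int
    suite: str
    reasons: Tuple[str, ...]


def evaluate_suite(protocol: str, bits: int, suite: str,
                   min_protocol: str = MIN_PROTOCOL,
                   min_bits: int = MIN_BITS) -> List[str]:
    """Return the list of policy violations for one accepted suite (empty if clean)."""
    reasons = []
    if protocol not in PROTOCOL_RANK:
        reasons.append(f"unrecognised protocol {protocol}")
    elif PROTOCOL_RANK[protocol] < PROTOCOL_RANK[min_protocol]:
        reasons.append(f"protocol {protocol} below {min_protocol}")
    if bits < min_bits:
        reasons.append(f"{bits}-bit key below {min_bits}")
    if any(p.search(suite) for p in WEAK_SUITE_PATTERNS):
        reasons.append(f"weak primitive in {suite}")
    return reasons


def audit(output: str, **policy) -> List[Finding]:
    """Parse sslscan output and return every accepted suite that violates the policy."""
    findings = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banners, "Rejected" lines and anything else are ignored
        _, proto, bits, suite = m.groups()
        reasons = evaluate_suite(proto, int(bits), suite, **policy)
        if reasons:
            findings.append(Finding(proto, int(bits), suite, tuple(reasons)))
    return findings


if __name__ == "__main__":
    # Real use: sslscan myhost:16514 > scan.txt; python3 audit.py < scan.txt
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SSLSCAN_OUTPUT
    for f in audit(text):
        print(f"{f.protocol:8} {f.bits:3} bits {f.suite:28} {'; '.join(f.reasons)}")
```

With the sample above every accepted line is flagged: the SSLv3 and TLSv1 entries fail the version floor, the RC4 and 3DES suites additionally fail the primitive check, and the 112-bit 3DES suite also fails the key-size floor. Relaxing the policy to `min_protocol="SSLv3", min_bits=0` leaves only the RC4 and 3DES suites, which is the narrower "weak cipher" finding the original scanner raised.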



