XCP-ng
    OpenSSL vs XS-OpenSSL?

    Category: Development
    6 Posts, 3 Posters, 735 Views
    • throk

      I'm not sure of the best way to ask this, so I apologize for being verbose.

      I'm trying to remediate a finding in Nessus that reports SSL Compression DEFLATE being detected, which triggers a vulnerability saying it could be vulnerable to the CRIME attack. I'm not sure if this is a false positive or what, but I "feel" that the culprit may be openssl.

      In searching around I found the xs-openssl package on the XCP Koji thingy, which has openssl version 1.1.1c, and in the change logs there is an entry:

      * Tue Feb 19 2013 Tomas Mraz <tmraz@redhat.com> 1.0.1e-2
      - disable ZLIB loading by default (due to CRIME attack)

      However, from the terminal of my XCP-ng 8.2 server, running "openssl version" returns an older version: OpenSSL 1.0.2k-fips 26 Jan 2017

      In the Yum repo it shows both versions:
      [image: openssl vs xs-openssl in yum.png]

      On a whim I tried to install xs-openssl, but it errored out saying it conflicted with openssl.

      SOOOOO, is this as intended?
      Is XCP-NG using the openssl from xs-openssl, or is it using the older openssl that's located in /usr/bin/openssl?

      Does this make any sense?

      • olivierlambert (Vates 🪐 Co-Founder CEO)

        Hi throk

        I think stormi investigated that recently.

        • stormi (Vates 🪐 XCP-ng Team)

          Yes, the situation is not simple.

          The base openssl version is from the CentOS openssl RPM, currently at version 1.0.2k. Any piece of software on the server that needs openssl will use this, except blktap and stunnel (which is used to encapsulate traffic between hosts). Those two are built against xs-openssl and thus link against xs-openssl-libs.

          On Citrix Hypervisor, there exists a third version of openssl, because they use citrix-crypto-module, a closed-source openssl with FIPS support, for the certification of their product, instead of xs-openssl.

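As an added example that is not part of the thread (and not XCP-ng's or Vates' code), the small POSIX shell script below covers the two checks this discussion turns on: the Nessus DEFLATE/CRIME finding from the first post (does a TLS endpoint actually negotiate compression?) and stormi's point that only blktap and stunnel link against xs-openssl-libs (which libssl does a given binary resolve to?). The ldd and openssl s_client output embedded in it is constructed sample text, the library paths in it are placeholders rather than the real layout of either package, and the binary paths in the comments are illustrative.

```shell
#!/bin/sh
# Added example, not from the forum thread or from the XCP-ng project.
# Two defender-side checks that follow from the discussion:
#   which_libssl BINARY    -> which libssl/libcrypto objects a binary links
#                             against (via ldd), to tell whether it resolves to
#                             the CentOS openssl libraries or to xs-openssl-libs
#   tls_compression_state  -> whether a TLS endpoint negotiated compression,
#                             parsed from `openssl s_client` output on stdin
#
# Sample inputs below are constructed; library paths are placeholders.

# Print "soname=>path" for every libssl*/libcrypto* entry in ldd output on stdin.
libssl_links() {
  awk '$1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" { print $1 "=>" $3 }'
}

# Run ldd on a real binary and report its libssl/libcrypto links.
#   usage (illustrative path): which_libssl /usr/sbin/stunnel
which_libssl() {
  ldd "$1" 2>/dev/null | libssl_links
}

# Parse the handshake summary of `openssl s_client -connect host:port`.
# Prints "none" (no compression), "compressed" (the CRIME-relevant case), or
# "unknown" (no top-level "Compression:" line, e.g. the handshake failed).
# The pattern is anchored at column 1 because the indented "SSL-Session:"
# block carries its own Compression field in a different format.
tls_compression_state() {
  awk '
    /^Compression:/ {
      found = 1
      if ($2 == "NONE") print "none"; else print "compressed"
      exit
    }
    END { if (!found) print "unknown" }
  '
}

# ---- constructed samples (not captured from a real host) ----
# ldd-style output for a binary resolving to the CentOS 1.0.2k libraries.
SAMPLE_LDD_SYSTEM='    linux-vdso.so.1 =>  (0x00007ffc00000000)
    libssl.so.10 => /lib64/libssl.so.10 (0x00007f0000000000)
    libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f0000100000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000200000)'

# ldd-style output for a binary resolving to xs-openssl-libs; the directory is a
# placeholder, since the real install location of that package is not on the page.
SAMPLE_LDD_XS='    libssl.so.1.1 => /opt/xs-openssl-placeholder/libssl.so.1.1 (0x00007f0000000000)
    libcrypto.so.1.1 => /opt/xs-openssl-placeholder/libcrypto.so.1.1 (0x00007f0000100000)'

# s_client-style summaries: one without compression, one with zlib negotiated.
SAMPLE_SCLIENT_NONE='New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Compression: 0'

SAMPLE_SCLIENT_ZLIB='New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Compression: 1 (zlib compression)'

# Named wrappers over the samples so each result can be checked by name.
system_links() { printf '%s\n' "$SAMPLE_LDD_SYSTEM" | libssl_links; }
xs_links()     { printf '%s\n' "$SAMPLE_LDD_XS" | libssl_links; }
state_none()   { printf '%s\n' "$SAMPLE_SCLIENT_NONE" | tls_compression_state; }
state_zlib()   { printf '%s\n' "$SAMPLE_SCLIENT_ZLIB" | tls_compression_state; }

echo "system openssl binary links:"; system_links
echo "xs-openssl binary links:";     xs_links
echo "compression (sample without zlib): $(state_none)"
echo "compression (sample with zlib):    $(state_zlib)"
```

On a host, running which_libssl against the stunnel and openssl binaries shows directly which library each one resolves to, which is the quickest way to confirm stormi's split in practice. For the Nessus finding, feed the output of openssl s_client against the reported host and port into tls_compression_state; "none" means TLS-level compression was not negotiated on that handshake, which is the evidence a false-positive dispute needs.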
            • throk (replying to stormi)

              stormi Thank you for your response!

              BTW, I fell down a rabbit hole: the OpenSSL FIPS Provider 3.0 was submitted for testing in Oct of 2020. It's currently on the Implementation Under Test List. It would be very cool if XCP-ng were able to leverage that in the future, as I'm in the process of getting XCP-ng approved for a branch of the dep of def. If I can get that through, I'd like to get XOA approved as well.

              • olivierlambert (Vates 🪐 Co-Founder CEO)

                We should probably talk in private for some details throk 😉
                Also ping ch_s
