CloudStack management java.security.ciphers has no effect on JVM process

[yadvr]

The /etc/cloudstack/management/java.security.ciphers has no effect on the list of disabled TLS algorithms in the management server JVM process. For example, on port 8250 TLS1.0, 1.1 are still allowed/supported protocols. (Tested using openssl s_client -connect localhost:8250 -tls1)

However, workaround exists to configure jdk.tls.disabledAlgorithms in the global security file: $JRE_HOME/lib/security/java.security.

ISSUE TYPE

• Bug Report

COMPONENT NAME

Management Server

CLOUDSTACK VERSION

4.11

CONFIGURATION

[yadvr]

In 4.11, until we've a mechanism to enforce this through global settings or discovering any env flag, the fix is to configure this globally in the JRE's java.security file.

[yadvr]

@GabrielBrascher there is a fix for this on the way, I can work on that and send this by mid of next week. Unless you want to go ahead with 4.12.0.0-rc1, I would suggest to include the fix for this issue as it's security related.