Stackato 2.10.X-Security: Disable SSLv2 in Stackato

Posted by lorned on 2013-09-11 14:14
OS: All / Any | Product: Stackato | tags: 2.10.X patch router Security sslv2 stackato
Question: 

I've noticed stackato allows communication via SSLv2 and I have some concerns about how secure that is. Is there any way to disable SSLv2?

Answer: 

We're aware of security concerns related to SSLv2, as discussed in http://en.wikipedia.org/wiki/Secure_Sockets_Layer#Security. To this end we've created a patch for stackato that replaces a package used by our routers and disables SSLv2.

## 2.10.4
2.10.4 users can download this patch from http://get.stackato.com/patch/2.10/stackato-2.10.4-sslv2-disable.sh. This patch should be applied to (at least) all of the routers in the cluster. After uploading the patch to the affected nodes, install it via 'sh stackato-2.10.4-sslv2-disable.sh'.

After installing this patch, the router role will need to be restarted via 'kato restart router'. This will result in a brief interruption to router services, which will interrupt communication to your cluster for several seconds if your cluster has only one router.

*IMPORTANT NOTE* Edited on October 18, 2013: Due to a security fix in NodeJS, we've created a newer binary for this component. More information is at http://community.activestate.com/node/10409. Note that this patch no longer needs to be installed; the patch at that link provides this functionality as well as the security fix. If you have already installed this patch, please install the patch linked there as well, as it will overwrite the binary created here.

## 2.10.6
This patch can be installed via kato patch. Execute 'kato patch update' to download the most recent list of patches. After this is finished, execute 'kato patch install' to install all patches. This will restart the router role on any node running that role, which will result in an interruption of service for several seconds if your cluster has only one router.
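Whichever path you take (the 2.10.4 script or 'kato patch install' on 2.10.6), the patch only has effect on routers where it was applied and the router role was restarted, so the practical check is to offer SSLv2 to every router and confirm each one refuses it. The script below is an added example, not code from the original post or from Stackato/ActiveState; the router host names are assumptions. It wraps 'openssl s_client -ssl2' and, importantly, distinguishes a real refusal from a probe that never ran because the local OpenSSL was built without SSLv2, which would otherwise look like a pass:

```shell
#!/bin/sh
# Added example (not from the original post or from Stackato): verify that
# routers refuse SSLv2 after the patch and 'kato restart router'.
# Host names passed on the command line are assumptions for illustration.

# classify_sslv2_probe OUTPUT
# Interprets the combined stdout/stderr of 'openssl s_client -ssl2'.
# Prints one word and returns a matching status:
#   accepted     (1) handshake completed, the router still speaks SSLv2
#   rejected     (0) the router refused the SSLv2 handshake
#   inconclusive (2) nothing was tested: this openssl has no SSLv2 support
#                    (OpenSSL 1.1.0 and later, or 1.0.x built with no-ssl2)
classify_sslv2_probe() {
  out=$1
  case $out in
    *"nknown option"*ssl2*)      printf 'inconclusive\n'; return 2 ;;
    *"New, SSLv2, Cipher is "*)  printf 'accepted\n';     return 1 ;;
    *"Cipher is (NONE)"*|*"handshake failure"*|*"no peer certificate available"*)
                                 printf 'rejected\n';     return 0 ;;
    *)                           printf 'inconclusive\n'; return 2 ;;
  esac
}

# probe_router_sslv2 HOST [PORT]
# Live probe of one router. 'Q' on stdin makes s_client close the
# connection as soon as the handshake outcome is known.
probe_router_sslv2() {
  host=$1
  port=${2:-443}
  out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" -ssl2 2>&1)
  classify_sslv2_probe "$out"
}

# check_all_routers HOST...
# Returns 0 only if every router rejected SSLv2. An inconclusive probe
# counts as a failure: the check did not run, so nothing was proven.
check_all_routers() {
  failed=0
  for h in "$@"; do
    verdict=$(probe_router_sslv2 "$h") || true
    printf '%s: %s\n' "$h" "$verdict"
    [ "$verdict" = rejected ] || failed=1
  done
  return $failed
}

# Constructed s_client transcripts (not captured from a real Stackato
# router) covering the three outcomes the classifier distinguishes.
demo_classifier() {
  still_enabled='CONNECTED(00000003)
New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 2048 bit'
  patched='CONNECTED(00000003)
ssl handshake failure
no peer certificate available
New, (NONE), Cipher is (NONE)'
  no_ssl2_client='s_client: Unknown option: -ssl2'
  for t in "$still_enabled" "$patched" "$no_ssl2_client"; do
    classify_sslv2_probe "$t" || true
  done
}

# Usage: sh check-sslv2.sh router1.example.com router2.example.com
# With no arguments, run the classifier over the constructed transcripts.
if [ "$#" -gt 0 ]; then
  check_all_routers "$@"
else
  demo_classifier
fi
```

Run it against every node carrying the router role, not just one: a cluster with several routers is only as protected as its least-patched one. If every host reports 'inconclusive', the client side is the problem; use an OpenSSL 1.0.x build that still includes SSLv2 or a scanner such as 'nmap --script ssl-enum-ciphers' before concluding anything.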