Bug 1264479

Summary: [vmconsole] ovirt-vmconsole-list.py does not create secure ssl session
Product: [oVirt] ovirt-engine Reporter: Alon Bar-Lev <alonbl>
Component: VMConsoleAssignee: Francesco Romani <fromani>
Status: CLOSED CURRENTRELEASE QA Contact: Nikolai Sednev <nsednev>
Severity: low Docs Contact:
Priority: low    
Version: ---CC: bugs, fromani, gklein, iheim, lsurette, michal.skrivanek, rbalakri, sbonazzo, tjelinek, yeylon, ykaul
Target Milestone: ovirt-3.6.2Keywords: Triaged
Target Release: 3.6.2Flags: ylavi: ovirt-3.6.z?
ylavi: planning_ack?
tjelinek: devel_ack+
rule-engine: testing_ack+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-02-18 11:04:15 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Virt RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1223671    

Description Alon Bar-Lev 2015-09-18 14:47:07 UTC 
When communicating with engine we need to specify CA certificate we trust.

Currently script is using insecure method.

Also, if the server name is localhost we need to disable host name validation.

An example of how to perform url get is available here[1], in any implementation you choose the CA must be checked.

Configuration of script should add the following additional two parameters:

ENGINE_CA=$PKIDIR/apache-ca.pem
ENGINE_VERIFY_HOST=false if engine_host == 'localhost' else true

[1] https://gerrit.ovirt.org/#/c/45270/12/src/ovirt_hosted_engine_setup/util.py
Comment 1 Alon Bar-Lev 2015-09-18 14:58:00 UTC 
If you like you can also add:

ENGINE_VERIFY_CERTIFICATE=true/false

To enable/disable verification of certificate, default and settings should be true of course.
Comment 2 Sandro Bonazzola 2015-09-29 10:06:21 UTC 
3.6.0 RC is out, please mark this as blocker for 3.6.0 GA or postpone to a later release
Comment 3 Michal Skrivanek 2015-09-29 11:04:33 UTC 
in 3.6 we only support deployment on engine host hence securing the connection is not critical.
We do plan to support deployment on other host in the future
Comment 4 Francesco Romani 2015-09-29 12:33:31 UTC 
aligning target release to target milestone as per https://bugzilla.redhat.com/show_bug.cgi?id=1264479#c3
Comment 5 Red Hat Bugzilla Rules Engine 2015-10-19 10:51:00 UTC 
Target release should be placed once a package build is known to fix a issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for a oVirt release.
Comment 6 Yaniv Lavi 2015-10-29 12:35:06 UTC 
In oVirt testing is done on single release by default. Therefore I'm removing the 4.0 flag. If you think this bug must be tested in 4.0 as well, please re-add the flag. Please note we might not have testing resources to handle the 4.0 clone.
Comment 7 Nikolai Sednev 2015-11-23 15:27:35 UTC 
Hi Francesco,
Can you provide the exact reproduction steps for the QA please?
Comment 8 Francesco Romani 2015-11-25 10:15:22 UTC 
From the user's perspective this fix should be transparent, so to verify we could check that the helper is using SSL ports, and that it loads the right certificate. I think this has to be checked using system tools (e.g. strace, netstat...) can't think of a simpler way.
Comment 9 Sandro Bonazzola 2015-12-23 13:41:47 UTC 
oVirt 3.6.2 RC1 has been released for testing, moving to ON_QA