Bug 1412547

Summary: Allow negotiation of highest available TLS version for engine <-> VDSM communication
Product: [oVirt] ovirt-engine
Reporter: Martin Perina <mperina>
Component: Backend.Core
Assignee: Piotr Kliczewski <pkliczew>
Status: CLOSED CURRENTRELEASE
QA Contact: Jiri Belka <jbelka>
Severity: high
Docs Contact:
Priority: unspecified
Version: 4.0.0
CC: bugs, melewis
Target Milestone: ovirt-4.1.1
Keywords: ZStream
Target Release: 4.1.1
Flags: rule-engine: ovirt-4.1+
       rule-engine: planning_ack+
       mperina: devel_ack+
       pstehlik: testing_ack+
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Previously, when the Manager attempted to connect to VDSM it tried to negotiate the highest available version of TLS, but because of earlier issues the negotiation was capped at TLSv1.0 and no higher version was tried. The cap has now been removed, so TLSv1.1 and TLSv1.2 can be negotiated when they are available on the VDSM side. Removing the cap will allow TLSv1.0 to be dropped from future versions of VDSM.
Story Points: ---
Clone Of:
Clones: 1419540
Environment:
Last Closed: 2017-04-21 09:51:08 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1408847, 1414696, 1414923, 1419540

Description Martin Perina 2017-01-12 09:25:01 UTC
Description of problem:

At the moment we limit protocol negotiation to TLSv1.0 because of issues with m2crypto in the past. We were not able to reproduce those issues with the latest m2crypto on EL7, so we can remove this limit and allow the engine to negotiate the highest TLS version available on the VDSM side.


Comment 1 Martin Perina 2017-01-13 06:08:12 UTC
Retargeting to 4.1.1 to allow more extensive testing of the feature

Comment 3 Jiri Belka 2017-03-06 14:22:14 UTC
ok, ovirt-engine-4.1.1.3-0.1.el7.noarch

1. VdsmSSLProtocol = TLSv1.2 vs ssl_protocol = tlsv1
   > client tls 1.2, agreed tls 1.0

2. VdsmSSLProtocol = TLSv1.2 vs ssl_protocol = sslv23
   > client tls 1.2, agreed tls 1.2
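The two verification cases above, plus the pre-fix engine and the future "VDSM drops TLSv1.0" case the fix is meant to prepare for, as an added model of TLS version selection (example code, not part of the bug or of the oVirt/VDSM code base). The version ranges attributed to the engine's VdsmSSLProtocol and VDSM's ssl_protocol values are assumptions about Java's SSLContext and m2crypto on EL7, not values stated in the bug.

```python
# Added example, not oVirt/VDSM code: models how a TLS handshake picks the
# protocol version for the engine (client) and VDSM (server) settings
# exercised in Comment 3, and why the TLSv1.0 cap mattered.

TLS_ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2"]  # lowest to highest


def engine_offered(vdsm_ssl_protocol):
    """Engine side: VdsmSSLProtocol names the highest version the JSSE
    context offers; older versions down to TLSv1 stay enabled (assumed
    JSSE behaviour for SSLContext.getInstance(name))."""
    top = TLS_ORDER.index(vdsm_ssl_protocol)
    return TLS_ORDER[: top + 1]


def vdsm_accepted(ssl_protocol, dropped=()):
    """VDSM side: m2crypto's 'tlsv1' pins a single version, 'sslv23' accepts
    every version the library supports (assumed mapping). `dropped` models a
    future VDSM that no longer enables some versions."""
    if ssl_protocol == "tlsv1":
        accepted = ["TLSv1"]
    elif ssl_protocol == "sslv23":
        accepted = list(TLS_ORDER)
    else:
        raise ValueError("unsupported ssl_protocol %r" % ssl_protocol)
    return [v for v in accepted if v not in dropped]


def negotiate(client_offered, server_accepted):
    """The server selects the highest version both sides support; with no
    overlap the handshake fails and the engine cannot reach the host."""
    common = [v for v in TLS_ORDER if v in client_offered and v in server_accepted]
    return common[-1] if common else None


def agreed(vdsm_ssl_protocol, ssl_protocol, dropped=()):
    return negotiate(engine_offered(vdsm_ssl_protocol),
                     vdsm_accepted(ssl_protocol, dropped))


if __name__ == "__main__":
    cases = [
        ("TLSv1.2", "tlsv1", ()),           # Comment 3, case 1: agreed TLSv1
        ("TLSv1.2", "sslv23", ()),          # Comment 3, case 2: agreed TLSv1.2
        ("TLSv1", "sslv23", ()),            # engine before the fix: stuck on TLSv1
        ("TLSv1", "sslv23", ("TLSv1",)),    # before the fix, VDSM drops TLSv1: failure
        ("TLSv1.2", "sslv23", ("TLSv1",)),  # after the fix, VDSM drops TLSv1: TLSv1.2
    ]
    for engine, vdsm, dropped in cases:
        result = agreed(engine, vdsm, dropped) or "handshake failure"
        print("engine %-8s vdsm %-7s dropped %-11s -> %s" % (engine, vdsm, dropped, result))
```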