Bug 1473344
| Summary: | vdsm's ssl_excludes not working, can't connect to engine | ||
|---|---|---|---|
| Product: | [oVirt] vdsm | Reporter: | Jiri Belka <jbelka> |
| Component: | General | Assignee: | Piotr Kliczewski <pkliczew> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Jiri Belka <jbelka> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 4.19.23 | CC: | bugs, igoihman, lveyde, mperina, oourfali, pkliczew, pstehlik |
| Target Milestone: | ovirt-4.1.5 | Flags: | rule-engine: ovirt-4.1+, rule-engine: blocker+ |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | v4.19.26 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-08-23 08:03:05 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | Infra | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1412552 | ||
Description
Jiri Belka
2017-07-20 14:37:47 UTC
It is possible to use SSL_OP_NO_TLSv1 for m2crypto, but SSL_OP_NO_TLSv1_1 is not available for some of the versions, so a code change was required. Reducing severity as default configuration works.

It seems it's unable to exclude TLSv1.2 on m2crypto:

~~~
# grep ^ssl /etc/vdsm/vdsm.conf
ssl = true
ssl_protocol = sslv23
ssl_excludes = OP_NO_TLSv1_2
~~~
~~~
2017-08-07 14:49:37,277+0200 ERROR (MainThread) [vds] Exception raised (vdsm:154)
Traceback (most recent call last):
  File "/usr/share/vdsm/vdsm", line 152, in run
    serve_clients(log)
  File "/usr/share/vdsm/vdsm", line 101, in serve_clients
    cif = clientIF.getInstance(irs, log, scheduler)
  File "/usr/share/vdsm/clientIF.py", line 205, in getInstance
    cls._instance = clientIF(irs, log, scheduler)
  File "/usr/share/vdsm/clientIF.py", line 120, in __init__
    self._createAcceptor(host, port)
  File "/usr/share/vdsm/clientIF.py", line 209, in _createAcceptor
    sslctx = sslutils.create_ssl_context()
  File "/usr/lib/python2.7/site-packages/vdsm/m2cutils.py", line 322, in create_ssl_context
    excludes = protocol_name_to_int()
  File "/usr/lib/python2.7/site-packages/vdsm/m2cutils.py", line 341, in protocol_name_to_int
    excludes |= getattr(m2, protocol)
AttributeError: 'module' object has no attribute 'SSL_OP_NO_TLSv1_2'
~~~

Putting tlsv1 and tlsv1.2 into excludes makes vdsm start correctly.
Target release should be placed once a package build is known to fix an issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for an oVirt release.

I discovered this:

~~~
ssl_protocol = sslv23
ssl_excludes = OP_NO_TLSv1_1,OP_NO_TLSv1_2
~~~

and this causes TLSv1.1 to be used while communicating with engine. Thus it seems it is not OK as it should be TLSv1, shouldn't it? I also tried this:
4.1 vdsm EL 7.4 (sslv23) -> engine (VdsmSSLProtocol=TLSv1.1)
+ ssl_excludes = OP_NO_TLSv1_1 causes to be TLSv1.1
Isn't there a typo in this diff (comment inline)?
~~~
--- a/lib/vdsm/m2cutils.py
+++ b/lib/vdsm/m2cutils.py
@@ -38,11 +38,15 @@ except ImportError as e:
raise compat.Unsupported(str(e))
CLIENT_PROTOCOL = "sslv23"
-SSL_OP_NO_TLSv1_1 = 268435456
^^^^^^^^^
DEFAULT_ACCEPT_TIMEOUT = 5
SOCKET_DEFAULT_TIMEOUT = socket._GLOBAL_DEFAULT_TIMEOUT
+missing_protocols = {
+ 'SSL_OP_NO_TLSv1_1': 0x1000000,
^^^^^^^^^ = 16777216
+ 'SSL_OP_NO_TLSv1_2': 0x8000000
+}
+
# M2Crypto.threading needs initialization.
# See https://bugzilla.redhat.com/482420
threading.init()
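~~~

Review bot: in the new `missing_protocols` table, `'SSL_OP_NO_TLSv1_1': 0x1000000` is one zero short: 0x1000000 is 16777216, whereas the constant this hunk removes, `SSL_OP_NO_TLSv1_1 = 268435456`, is 0x10000000, which is OpenSSL's SSL_OP_NO_TLSv1_1 bit. 0x1000000 is OpenSSL 1.0.x's SSL_OP_NO_SSLv2 bit, so `ssl_excludes = OP_NO_TLSv1_1` would OR in the wrong option, raise nothing at startup, and still let TLSv1.1 be negotiated. Write the value as `0x10000000` (or keep the decimal 268435456 that was already there), and add a comment naming the OpenSSL header these bits are copied from so the next reader can check them.

~~~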
@@ -334,9 +338,9 @@ def protocol_name_to_int():
for no_protocol in config.get('vars', 'ssl_excludes').split(','):
if no_protocol != '':
protocol = 'SSL_' + no_protocol.strip()
- if protocol == 'SSL_OP_NO_TLSv1_1':
+ if protocol in missing_protocols:
# missing from m2crypto
- excludes |= SSL_OP_NO_TLSv1_1
+ excludes |= missing_protocols[protocol]
else:
excludes |= getattr(m2, protocol)
~~~
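Review bot: the membership test `if protocol in missing_protocols:` makes the hardcoded fallback win even on an M2Crypto build that does export `SSL_OP_NO_TLSv1_1` / `SSL_OP_NO_TLSv1_2`, and the `# missing from m2crypto` comment is then no longer accurate. Prefer the library's own value and use the table only when the attribute is genuinely absent, e.g. `value = getattr(m2, protocol, missing_protocols.get(protocol))`, and raise a clear error when `value` is None so that a misspelled `ssl_excludes` entry still fails loudly at startup instead of with the bare AttributeError shown in the description.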
You're correct Jiri, a zero is indeed missing in 'SSL_OP_NO_TLSv1_1'.

ok, vdsm-4.19.28-1.el7ev.x86_64

4.1 vdsm (sslv23/m2c) -> engine => TLSv1.2
- ssl_excludes = OP_NO_TLSv1_1 / engine (VdsmSSLProtocol=TLSv1.1) => TLSv1.0
- ssl_excludes = OP_NO_TLSv1_1 / engine (default) => TLSv1.2
- ssl_excludes = OP_NO_TLSv1_2 => TLSv1.1
- ssl_excludes = OP_NO_TLSv1 => TLSv1.2
- ssl_excludes = OP_NO_TLSv1,OP_NO_TLSv1_2 => TLSv1.1
- ssl_excludes = OP_NO_TLSv1_1,OP_NO_TLSv1_2 => TLSv1.0

4.1 vdsm (sslv23/ssl) -> engine => TLSv1.2
- ssl_excludes = OP_NO_TLSv1_1 / engine (VdsmSSLProtocol=TLSv1.1) => TLSv1.0
- ssl_excludes = OP_NO_TLSv1_1 / engine (default) => TLSv1.2
- ssl_excludes = OP_NO_TLSv1_2 => TLSv1.1
- ssl_excludes = OP_NO_TLSv1 => TLSv1.2
- ssl_excludes = OP_NO_TLSv1,OP_NO_TLSv1_2 => TLSv1.1
- ssl_excludes = OP_NO_TLSv1_1,OP_NO_TLSv1_2 => TLSv1.0
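The following is an added example written for this thread; it is not vdsm's code, although `protocol_name_to_int` follows the shape of the function of that name in lib/vdsm/m2cutils.py. It shows why the one-zero-short literal in the diff produced the TLSv1.1 symptom reported above without any error, and it reproduces the verification table at the end of the thread. `OldM2` and `NewM2` are constructed stand-ins for M2Crypto's `m2` module with and without the TLSv1_1/TLSv1_2 names; the `OPENSSL_OP_NO` values are OpenSSL 1.0.x's SSL_OP_NO_* bits; and `negotiated_version` is a simplified model of how an sslv23 endpoint picks the highest non-excluded version, not a real handshake.

```python
# Added example for this bug thread, not vdsm's code.  Names below other than
# protocol_name_to_int are assumptions made for the example.

# OpenSSL 1.0.x SSL_OP_NO_* option bits (ssl.h).  M2Crypto's m2 module
# re-exports these when built against a new enough OpenSSL; the TLSv1_1 and
# TLSv1_2 names are the ones that older builds lack.
OPENSSL_OP_NO = {
    "SSL_OP_NO_SSLv2": 0x01000000,
    "SSL_OP_NO_SSLv3": 0x02000000,
    "SSL_OP_NO_TLSv1": 0x04000000,
    "SSL_OP_NO_TLSv1_2": 0x08000000,
    "SSL_OP_NO_TLSv1_1": 0x10000000,  # 268435456, the constant the diff removed
}

# The fallback table as the reviewed diff first wrote it (one zero short for
# TLSv1_1) and as corrected after the review comment.
MISSING_PROTOCOLS_BUGGY = {"SSL_OP_NO_TLSv1_1": 0x1000000, "SSL_OP_NO_TLSv1_2": 0x8000000}
MISSING_PROTOCOLS_FIXED = {"SSL_OP_NO_TLSv1_1": 0x10000000, "SSL_OP_NO_TLSv1_2": 0x8000000}


class OldM2(object):
    """Constructed stand-in for M2Crypto's m2 module on a build that predates
    the TLSv1_1/TLSv1_2 constants: only the older names exist."""
    SSL_OP_NO_SSLv2 = OPENSSL_OP_NO["SSL_OP_NO_SSLv2"]
    SSL_OP_NO_SSLv3 = OPENSSL_OP_NO["SSL_OP_NO_SSLv3"]
    SSL_OP_NO_TLSv1 = OPENSSL_OP_NO["SSL_OP_NO_TLSv1"]


class NewM2(OldM2):
    """Constructed stand-in for an m2 module that exports all five names."""
    SSL_OP_NO_TLSv1_1 = OPENSSL_OP_NO["SSL_OP_NO_TLSv1_1"]
    SSL_OP_NO_TLSv1_2 = OPENSSL_OP_NO["SSL_OP_NO_TLSv1_2"]


def protocol_name_to_int(ssl_excludes, m2, fallback):
    """Turn an ssl_excludes value such as "OP_NO_TLSv1_1,OP_NO_TLSv1_2" into the
    OR-ed SSL_OP_NO_* bitmask.  The library's own constant is used when it
    exists and the hardcoded fallback only when the attribute is missing; an
    unknown name raises ValueError at startup instead of a bare AttributeError."""
    excludes = 0
    for no_protocol in ssl_excludes.split(","):
        name = no_protocol.strip()
        if not name:
            continue
        protocol = "SSL_" + name
        value = getattr(m2, protocol, fallback.get(protocol))
        if value is None:
            raise ValueError("unknown ssl_excludes entry: %r" % name)
        excludes |= value
    return excludes


# Versions an sslv23 endpoint tries, highest first, and the bit excluding each.
VERSIONS = ["TLSv1.2", "TLSv1.1", "TLSv1.0"]
VERSION_BIT = {
    "TLSv1.2": OPENSSL_OP_NO["SSL_OP_NO_TLSv1_2"],
    "TLSv1.1": OPENSSL_OP_NO["SSL_OP_NO_TLSv1_1"],
    "TLSv1.0": OPENSSL_OP_NO["SSL_OP_NO_TLSv1"],
}


def negotiated_version(vdsm_excludes, engine_max="TLSv1.2"):
    """Simplified model of the handshake outcome, not a real TLS exchange: the
    engine offers every version up to engine_max (VdsmSSLProtocol=TLSv1.1 in
    the thread means engine_max="TLSv1.1") and vdsm accepts the highest one its
    excludes bitmask does not disable.  Returns None when nothing is left."""
    for version in VERSIONS[VERSIONS.index(engine_max):]:
        if not vdsm_excludes & VERSION_BIT[version]:
            return version
    return None


def stdlib_agrees():
    """Cross-check the hardcoded TLSv1_1/TLSv1_2 bits against Python's own ssl
    module, which exposes the same OpenSSL option flags.  Returns True when the
    ssl module is unavailable, since nothing can be checked then."""
    try:
        import ssl
    except ImportError:
        return True
    return (int(ssl.OP_NO_TLSv1_1) == OPENSSL_OP_NO["SSL_OP_NO_TLSv1_1"]
            and int(ssl.OP_NO_TLSv1_2) == OPENSSL_OP_NO["SSL_OP_NO_TLSv1_2"])


if __name__ == "__main__":
    old_m2 = OldM2()
    for label, table in (("buggy", MISSING_PROTOCOLS_BUGGY), ("fixed", MISSING_PROTOCOLS_FIXED)):
        mask = protocol_name_to_int("OP_NO_TLSv1_1", old_m2, table)
        print("%s table: excludes=0x%08x, engine TLSv1.1 -> %s, engine default -> %s" % (
            label, mask, negotiated_version(mask, "TLSv1.1"), negotiated_version(mask)))
```

With the buggy table, `OP_NO_TLSv1_1` resolves to 0x01000000, which is OpenSSL 1.0.x's SSL_OP_NO_SSLv2 bit, so against an engine pinned to TLSv1.1 the model still lands on TLSv1.1, exactly the symptom reported; with the corrected table the same configuration yields TLSv1.0, and the remaining rows of the verification list fall out the same way. The `getattr` default also means a newer M2Crypto's own constant takes precedence over the hardcoded one.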