Bug 1563271

Summary: [RFE][engine] Need to add entries to allow customers to set TLS version and TLS-ciphers for Spice VMs.
Product: Red Hat Enterprise Virtualization Manager
Reporter: Frank DeLorey <fdelorey>
Component: ovirt-engine
Assignee: Tomasz Barański <tbaransk>
Status: CLOSED ERRATA
QA Contact: Liran Rotenberg <lrotenbe>
Severity: urgent
Docs Contact:
Priority: high
Version: 4.2.0
CC: cfergeau, lsurette, mavital, michal.skrivanek, mkalinin, mtessun, Rhev-m-bugs, srevivo, trichard
Target Milestone: ovirt-4.3.0
Keywords: FutureFeature
Target Release: ---
Flags: mavital: testing_plan_complete-
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
An Ansible role, `ovirt-host-deploy-spice-encryption`, has been added to change the cipher string for SPICE consoles. The default cipher string satisfies FIPS requirements ('TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL'). The role can be customized with the Ansible variable `host_deploy_spice_cipher_string`.
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-05-08 12:37:22 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Virt RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1562032, 1562212, 1562213, 1563499, 1563585    
Bug Blocks: 1520566    

Description Frank DeLorey 2018-04-03 13:35:07 UTC
Description of problem:

Currently there is no way for customers to select/de-select which TLS versions and TLS-ciphers they wish to allow or disallow.


Version-Release number of selected component (if applicable):

RHV 4.2.X


Additional info:

This is related to work being done in the following BZs:

https://bugzilla.redhat.com/show_bug.cgi?id=1562212

https://bugzilla.redhat.com/show_bug.cgi?id=1562213

https://bugzilla.redhat.com/show_bug.cgi?id=1562214

Comment 7 Michal Skrivanek 2018-05-11 08:32:32 UTC
May or may not require a host redeploy - pending design decision on libvirt side.
Since this setting makes sense as a system-wide policy it's likely going to be a vdc_option

Comment 9 Yaniv Lavi 2018-07-16 11:40:51 UTC
Should this be on a z stream milestone?
If not, can you remove the flag?

Comment 10 Michal Skrivanek 2018-08-08 11:41:20 UTC
removing zstream request after review with mgoldboi

Comment 12 Michal Skrivanek 2018-08-28 09:35:12 UTC
we plan to make "secure" the default, and supply ansible role to push other (weak) config if required for b/w compatibility e.g. with ancient Windows

Comment 13 Michal Skrivanek 2018-10-03 11:32:35 UTC
we also provide ansible role to customize the ciphers list

Comment 14 Liran Rotenberg 2018-11-04 08:05:32 UTC
Verified on:
ovirt-engine-4.3.0-0.0.master.20181026202125.git65125e2.el7.noarch

Steps:
1. Create a yaml file in /usr/share/ovirt-engine/playbooks.
- name: oVirt - setup weaker SPICE encryption for old clients
  hosts: <HOST>
  vars:
    host_deploy_spice_cipher_string: 'DEFAULT:-RC4:-3DES:-DES'
  roles:
    - ovirt-host-deploy-spice-encryption

2. Set the host and ssh-key to use in /etc/ansible/hosts
[change_tls]
<HOST> ansible_ssh_private_key_file=<PATH_TO_SSH_KEY>

3. In the host, see the current (default) tls in /etc/pki/tls/spice.cnf
CipherString = kECDHE+FIPS:kDHE+FIPS:kRSA+FIPS:!eNULL:!aNULL

4. Run in the engine:
# ansible-playbook -l <HOST> <YAML_PATH>

5. Check again the tls in the host:
# less /etc/pki/tls/spice.cnf
CipherString = DEFAULT:-RC4:-3DES:-DES

And there is a backup file for the old cipher - spice.cnf.<DATE>.
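The verification above checks the resulting CipherString by eye. As an added example (not from the bug, the oVirt role or the reporter), the following Python script reads the CipherString from a constructed spice.cnf sample, asks the local OpenSSL which suites that string actually selects, flags legacy ones, and separates `!` exclusions (which a later rule cannot re-enable) from `-` removals like those in the playbook above. The file layout beyond the CipherString line is an assumption.

```python
import re
import ssl

# Constructed sample of /etc/pki/tls/spice.cnf after the playbook ran; only the
# CipherString line is taken from the bug, the comment line is an assumption.
SAMPLE_SPICE_CNF = """\
# SPICE TLS settings written by ovirt-host-deploy-spice-encryption
CipherString = DEFAULT:-RC4:-3DES:-DES
"""

# Substrings of OpenSSL suite names that mark legacy or broken algorithms.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP", "RC2")


def read_cipher_string(cnf_text):
    """Return the CipherString value from spice.cnf text, or None if absent."""
    for line in cnf_text.splitlines():
        m = re.match(r"\s*CipherString\s*=\s*(\S+)", line)
        if m:
            return m.group(1)
    return None


def expand_cipher_string(cipher_string):
    """Ask the local OpenSSL which suites this cipher string actually selects."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


def weak_suites(cipher_string):
    """Selected suites that match a weak marker (an empty list is the goal)."""
    return sorted(n for n in expand_cipher_string(cipher_string)
                  if any(m in n for m in WEAK_MARKERS))


def permanently_excluded(cipher_string):
    """Keywords removed with '!'; unlike '-', no later rule can re-add them."""
    return {rule[1:] for rule in cipher_string.split(":") if rule.startswith("!")}


def audit(cnf_text):
    """Summarise a spice.cnf: its string, the weak suites and hard exclusions."""
    cs = read_cipher_string(cnf_text)
    if cs is None:
        return {"cipher_string": None, "weak": [], "hard_excluded": set()}
    return {"cipher_string": cs, "weak": weak_suites(cs),
            "hard_excluded": permanently_excluded(cs)}


if __name__ == "__main__":
    print(audit(SAMPLE_SPICE_CNF))
```

Running it against the real file (`audit(open("/etc/pki/tls/spice.cnf").read())`) on the host shows which suites the deployed string enables under that host's OpenSSL, which is what the SPICE server will offer.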

Comment 16 errata-xmlrpc 2019-05-08 12:37:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:1085