Bug 1576037

Summary: Avocent KVM viewer doesn't work with IcedTea plugin
Product: [Fedora] Fedora Reporter: bpk678
Component: icedtea-webAssignee: jiri vanek <jvanek>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 28CC: dbhole, jvanek, omajid, remasch
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-06-14 13:26:38 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Java console output none

Description bpk678 2018-05-08 16:03:38 UTC 
Created attachment 1433290 [details]
Java console output

Description of problem:
Avocent KVM viewer does not work with IcedTea plugin on F28.  Connection Failed message is received.


Version-Release number of selected component (if applicable):
java-1.8.0-openjdk-1.8.0.171-4.b10.fc28.x86_64
icedtea-web-1.7.1-5.fc28.noarch
java-1.8.0-openjdk-headless-1.8.0.171-4.b10.fc28.x86_64

How reproducible:
all the time


Steps to Reproduce:
1. log into KVM
2. attempt to launch KVM viewer
3. receive connection failed message

Actual results:
no KVM functionality works


Expected results:
KVM console window would appear and give console access to device


Additional info:
see attached output
Comment 1 Afox 2018-05-08 21:15:10 UTC 
I can confirm this.
Comment 2 Afox 2018-05-16 11:11:38 UTC 
for me the problem exists when trying to run the idrac 6 virtual console.
Comment 3 bpk678 2018-05-17 00:36:01 UTC 
i am using HP IMPI remote access cards for the Microserver N54L.  i just updated the firmware to latest version, 1.4 (from 1.3) and the issue still occurs.
Comment 4 Afox 2018-05-18 13:17:58 UTC 
I just checked on Fedora 27 and it is working there with Icedtea-web 1.7.1-5.fc27.
Comment 5 jiri vanek 2018-05-18 13:50:29 UTC 
Wait. You are saying it is working in f27 and not in f28?

Seeing:
connecting http://vpn-ipmi.bpk2.com:80/software/avctKVMIOLinux.jar
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
     at sun.security.ssl.InputRecord.handleUnknownRecord(InputRecord.java:710)
     at sun.security.ssl.InputRecord.read(InputRecord.java:527)

And notifying f27x28 few nits:

was jdk used in f27 also u171?
were the system crypto policies  same? (update-crypto-policies --show)
Maybe used  crypto policies changed between f27 and f28?
try update-crypto-policies --set LEGACY for check.
Maybe ITW have issue swith enforcing of https - try to put deployment.https.noenforce=true  into  ~/.config/icedtea-web/deployment.properties


Sorry for little ehelp., this is quite hard to reproduce as both idrac and  impi and avocado are proprietary and you need something to observe (btw, clue how to debug this locally will be appreciated). Also I recall dell (idrac)  have ITW in supported platforms.
Comment 6 Afox 2018-05-18 14:21:01 UTC 
For me setting the crypto-policies to LEGACY worked :-)
Comment 7 bpk678 2018-05-18 22:28:33 UTC 
i was using F24 or F26 previously and performed an inplace upgrade via dnf system-upgrade to F28.  after the upgrade to F28 it stopped working.

i have a practice of keeping very up-to-date while using a "supported" version of fedora (run dnf upgrade every few days), so i likely used most of the available versions of java/icedtea while on F24 or F26.

[brendan@desktop ~]$ update-crypto-policies --show
DEFAULT

setting update-crypto-policies to LEGACY "fixes" the problem.

i am willing to attend a teamviewer or hangout session and share my screen for diagnostics.
Comment 8 jiri vanek 2018-05-22 15:19:58 UTC 
Unluckily not much diagnostic needed.
Unless somebody in this thread disagree,  I', for closing this bug as "not a bug"

Your servers are using some cryptographic settings
Your client is using some cryptographic settings

Until now, there was intersection, so they could communicate.
F28 removed insecure and legacy algorithms, so now the intersection is empty.

By update-crypto-policies -- set LEGACY you enable this intersection again.

The correct fix would be to adjust the servers to current century and newest security.