Bug 1582527

Summary: Enable only strong ciphers from engine to VDSM communication for hosts in cluster level >= 4.2
Product: [oVirt] ovirt-engine Reporter: Martin Perina <mperina>
Component: Host-DeployAssignee: Martin Perina <mperina>
Status: CLOSED CURRENTRELEASE QA Contact: Jiri Belka <jbelka>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 4.2.0CC: bugs, lsvaty, lveyde
Target Milestone: ovirt-4.2.4Flags: rule-engine: ovirt-4.2+
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ovirt-engine-4.2.4.2 Doc Type: Release Note
Doc Text:
This change enables only string ciphers for communication between engine and hosts for clusters with cluster level >= 4.2. Following steps need to performed to apply the change: 1. Newly added hosts - The change is applied automatically when host is added to engine to clusters with cluster level >= 4.2 - When adding new host to cluster with cluster level 3.6, 4.0 or 4.1 the change is not applied and hosts support all ciphers enabled by underlying libraries 2. Existing hosts - to apply the change to existing hosts in cluster level 4.2 please follow steps described in [How to apply change] section 3. Moving hosts between clusters - when host is moved to 4.2 cluster the change is not applied automatically. To apply please follow steps described in [How to apply change] section How to apply change To enable only strong ciphers for a host in cluster with cluster levels >= 4.2 following steps need to be applied: 1. Move host to Maintenance using option Maintenance in Management menu inside Hosts view 2. Reinstall the host using option Reinstall in Installation menu inside Hosts view 3. Activate the host after successful reinstallation using Activate option in Management menu inside Hosts view
 Story Points: ---
Clone Of: Environment:
Last Closed: 2018-06-26 08:35:29 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Infra RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1584669    
Bug Blocks:    

Description Martin Perina 2018-05-25 13:42:57 UTC 
When adding or reinstalling host to a cluster >= 4.2, set

  ssl_ciphers=HIGH

in vdsm to enable only strong encryption ciphers for engine to VDSM communication.
Comment 1 Jiri Belka 2018-06-11 14:29:00 UTC 
ok, vdsm-4.20.30-1.el7ev.x86_64

ovirt-engine-4.2.4.2-0.1.el7_3.noarch
ovirt-host-deploy-1.7.4-1.el7ev.noarch

install, host-deploy:

under 4.2/4.1 cluster:

# cat /etc/vdsm/vdsm.conf
[vars]
ssl_excludes = OP_NO_TLSv1,OP_NO_TLSv1_1
ssl = true
ssl_ciphers = HIGH

[addresses]
management_port = 54321
Comment 2 Sandro Bonazzola 2018-06-26 08:35:29 UTC 
This bugzilla is included in oVirt 4.2.4 release, published on June 26th 2018.

Since the problem described in this bug report should be
resolved in oVirt 4.2.4 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.