Bug 1585008

Summary: Add option to configure cipher list available for encrypted connections
Product: Red Hat Enterprise Virtualization Manager Reporter: Martin Perina <mperina>
Component: vdsm Assignee: Piotr Kliczewski <pkliczew>
Status: CLOSED ERRATA QA Contact: Petr Matyáš <pmatyas>
Severity: high Docs Contact:
Priority: unspecified    
Version: 4.2.0 CC: dfodor, emarcus, lsurette, lsvaty, mgoldboi, mperina, pstehlik, rdlugyhe, srevivo, ycui
Target Milestone: ovirt-4.3.0 Keywords: ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
The current release adds a new 'ssl_ciphers' option to VDSM, which enables you to configure available ciphers for encrypted connections (for example, between the Manager and VDSM, or between VDSM and VDSM). The values this option uses conform to the OpenSSL standard. For more information, see https://access.redhat.com/articles/4056301
Story Points: ---
Clone Of:
: 1585022 1641455 Environment:
Last Closed: 2019-05-08 12:36:02 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Infra RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1585022, 1640357, 1641455    

Description Martin Perina 2018-06-01 06:41:09 UTC
Description of problem:

Add ssl_ciphers option to be able to configure available ciphers for encrypted connections. Values of this option conform to OpenSSL standards: https://www.openssl.org/docs/man1.0.2/apps/ciphers.html

Comment 2 Petr Matyáš 2019-01-17 09:42:08 UTC
Verified on vdsm-4.30.4-1.el7ev.x86_64

Only ciphers with key lengths larger than 128 bits work now by default; this can be changed in vdsm.conf.

Comment 3 Eli Marcus 2019-02-12 17:05:53 UTC
Copied approved Doc_text from cloned downstream - https://bugzilla.redhat.com/show_bug.cgi?id=1585022

"This release adds a new 'ssl_ciphers' option to VDSM, which allows you to configure available ciphers for encrypted connections (for example, the Manager to VDSM, or VDSM to VDSM). The values of this option conform to the OpenSSL standard.
To set this option:

1. Move the host to Maintenance in the Manager.

2. Create a new /etc/vdsm/vdsm.conf.d/99-custom-ciphers.conf file with the following content:

[vars]
ssl_ciphers = <VALUE>

where <VALUE> is one of the values described in the CIPHER STRINGS section in https://www.openssl.org/docs/man1.0.2/apps/ciphers.html.

3. Restart VDSM.

4. Activate the host in the Manager."
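
A pre-flight check for the <VALUE> chosen in step 2, as an added example that is not part of this bug report or of VDSM: it expands the cipher string with the local OpenSSL library through Python's ssl module and lists any selected suite below a strength threshold. The sample value HIGH:!aNULL, the helper names and the 128-bit threshold are assumptions of this example.

```python
import configparser
import ssl

# Constructed drop-in content in the format from step 2; the value is a sample.
SAMPLE_CONF = "[vars]\nssl_ciphers = HIGH:!aNULL\n"
MIN_BITS = 128  # review threshold assumed for this example, not a VDSM constant


def read_ssl_ciphers(conf_text):
    """Return the ssl_ciphers value from vdsm.conf-style text, or None if unset."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    return parser.get("vars", "ssl_ciphers", fallback=None)


def weak_ciphers(selected, min_bits=MIN_BITS):
    """Names of cipher suites whose effective strength is below min_bits.

    TLS 1.3 suites are skipped: an OpenSSL cipher string does not control them,
    so they appear in every expansion regardless of the configured value.
    """
    return [c["name"] for c in selected
            if c["protocol"] != "TLSv1.3" and c["strength_bits"] < min_bits]


def audit(cipher_string, min_bits=MIN_BITS):
    """Expand cipher_string with the local OpenSSL and report weak entries.

    Returns (usable, weak). usable is False when the string selects no cipher,
    which would leave nothing to negotiate for TLS 1.2 and earlier.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return False, []
    return True, weak_ciphers(ctx.get_ciphers(), min_bits)


if __name__ == "__main__":
    value = read_ssl_ciphers(SAMPLE_CONF)
    usable, weak = audit(value)
    print(f"ssl_ciphers = {value!r}: usable={usable}, below {MIN_BITS} bits: {weak}")
```

The expansion reflects the OpenSSL build of the machine the check runs on, so run it on the host whose vdsm.conf.d drop-in is being prepared.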

Comment 5 errata-xmlrpc 2019-05-08 12:36:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:1077