Bug 1659155

Summary: NoVNC with E2E encryption fails with Unsupported security types: 19
Product: [oVirt] ovirt-engine Reporter: Liran Rotenberg <lrotenbe>
Component: WebSocket Proxy Assignee: Tomasz Barański <tbaransk>
WebSocket Proxy sub component: General QA Contact: Liran Rotenberg <lrotenbe>
Status: CLOSED CURRENTRELEASE Docs Contact:
Severity: urgent    
Priority: high CC: gshereme, lrotenbe, michal.skrivanek, nicolas, rbarry, tjelinek
Version: 4.3.0 Flags: rule-engine: ovirt-4.3+
Target Milestone: ovirt-4.3.0   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-02-13 07:43:01 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Virt RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Liran Rotenberg 2018-12-13 17:23:42 UTC
Description of problem:
When end-to-end encryption is enabled for VNC, triggering the NoVNC console results in: "Unsupported security types: 19".

Version-Release number of selected component (if applicable):
ovirt-engine-4.3.0-0.4.master.20181207184726.git7928cae.el7.noarch
novnc-0.5.1-2.el7.noarch

How reproducible:
100%

Steps to Reproduce:
(Note: Steps 1-2 are needed only if the VNC encryption isn't set)
1. Set the cluster with VNC encryption (Cluster -> Enable VNC Encryption)
2. Reinstall the host to apply the changes
3. Verify the host with VNC encryption:
# cat /etc/libvirt/qemu.conf | grep "vnc_tls = 1"
Watch that it's not commented.
4. Run VM with VNC console
5. Check that the VM is running with VNC encryption:
# ps -ef | grep qemu
You should see:
tls,x509 in it.
6. Start NoVNC console to the VM.

Actual results:
Console doesn't open; got the error: "Unsupported security types: 19".

Expected results:
Console opens as usual.

Additional info:
This is a regression caused by BZ: 1597085
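
The number in the error message is an RFB security type; in the public RFB security-type registry, 19 is VeNCrypt, the TLS/x509 wrapper. The sketch below is an added example, not part of the bug report or of noVNC/oVirt code: it parses the server's security-type message and shows how negotiation fails when the only offered type is 19. The sample messages and the client's supported set {1, 2} are constructed assumptions.

```python
import struct

# Names from the public RFB security-type registry (subset).
SECURITY_TYPES = {1: "None", 2: "VNC Authentication", 16: "Tight",
                  18: "TLS", 19: "VeNCrypt", 20: "SASL"}


def parse_security_types(msg):
    """Parse the RFB 3.7/3.8 server security message: count byte, then one byte per type.

    A count of 0 means the server refused the connection and sent a
    4-byte big-endian length plus a reason string instead.
    """
    if not msg:
        raise ValueError("empty security message")
    count = msg[0]
    if count == 0:
        if len(msg) < 5:
            raise ValueError("truncated failure reason")
        (length,) = struct.unpack(">I", msg[1:5])
        raise ConnectionError("server refused: " + msg[5:5 + length].decode("latin-1"))
    types = msg[1:1 + count]
    if len(types) != count:
        raise ValueError("truncated security-type list")
    return list(types)


def negotiate(offered, supported):
    """Return the first offered type the client supports, else fail like the console did."""
    for sec_type in offered:
        if sec_type in supported:
            return sec_type
    raise RuntimeError("Unsupported security types: " + ",".join(map(str, offered)))


def describe(offered):
    """Map type numbers to registry names for logging."""
    return [SECURITY_TYPES.get(t, "unknown(%d)" % t) for t in offered]


# Constructed sample messages, not captured traffic.
PLAIN_SERVER = bytes([2, 1, 2])   # offers None and VNC Authentication
TLS_SERVER = bytes([1, 19])       # offers VeNCrypt only, matching the reported error
CLIENT_SUPPORTED = {1, 2}         # assumed capability set of the client

if __name__ == "__main__":
    for name, msg in (("plain", PLAIN_SERVER), ("tls", TLS_SERVER)):
        offered = parse_security_types(msg)
        try:
            print(name, describe(offered), "->", negotiate(offered, CLIENT_SUPPORTED))
        except RuntimeError as exc:
            print(name, describe(offered), "->", exc)
```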

Comment 1 Michal Skrivanek 2018-12-14 06:31:36 UTC
python-websockify version?

Comment 2 Tomasz Barański 2018-12-14 08:11:37 UTC
Initial investigation points to the engine rather than the Python-based proxy.

Comment 3 Liran Rotenberg 2018-12-14 16:18:27 UTC
(In reply to Michal Skrivanek from comment #1)
> python-websockify version?

python-websockify-0.8.0-3.el7.noarch

Comment 4 Liran Rotenberg 2019-01-22 11:42:41 UTC
Verified on:
ovirt-engine-4.3.0-0.8.master.20190120162615.git5926f20.el7.noarch
novnc-0.5.1-2.el7.noarch
python-websockify-0.8.0-3.el7.noarch
Firefox 59.0.2 (64-bit)

Steps:
(Note: Steps 1-2 are needed only if the VNC encryption isn't set)
1. Set the cluster with VNC encryption (Cluster -> Enable VNC Encryption)
2. Reinstall the host to apply the changes
3. Verify the host with VNC encryption:
# cat /etc/libvirt/qemu.conf | grep "vnc_tls = 1"
Watch that it's not commented.
4. Run VM with VNC console
5. Check that the VM is running with VNC encryption:
# ps -ef | grep qemu
You should see:
tls,x509 in it.
6. Start NoVNC console to the VM.

Result:
Checked with Firefox, NoVNC console is working.
Tested by changing the configuration in about:config (security.tls.version.min and security.tls.version.max); only TLS 1.0 didn't work.
SSL 3.0, TLS 1.1, TLS 1.2 worked as expected in NoVNC.

Comment 5 Sandro Bonazzola 2019-02-13 07:43:01 UTC
This bugzilla is included in oVirt 4.3.0 release, published on February 4th 2019.

Since the problem described in this bug report should be
resolved in oVirt 4.3.0 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.