Bug 1671074

Summary: [RFE] Disable anonymous ciphers for engine <-> VDSM communication
Product: [oVirt] ovirt-engine
Reporter: Martin Perina <mperina>
Component: Backend.Core
Assignee: Martin Perina <mperina>
Status: CLOSED CURRENTRELEASE
QA Contact: Petr Matyáš <pmatyas>
Severity: medium
Docs Contact:
Priority: medium
Version: 4.3.0
CC: bugs, emarcus, lleistne, mgoldboi, michal.skrivanek, mperina, rbarry
Target Milestone: ovirt-4.3.1
Keywords: FutureFeature
Target Release: ---
Flags: rule-engine: ovirt-4.3+, mgoldboi: planning_ack+, mperina: devel_ack+, lleistne: testing_ack+
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ovirt-engine-4.3.1.1
Doc Type: Enhancement
Doc Text:
In this release, the available SSL ciphers used in communication between the Red Hat Virtualization Manager and VDSM have been limited, and now exclude weak or anonymous ciphers.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-03-01 10:17:55 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1578057

Description Martin Perina 2019-01-30 17:07:59 UTC
Description of problem:

As a part of BZ1577594 we have started to enable ciphers with key length higher than 128 bits (see [1]) by using "ssl_ciphers=HIGH" in engine <-> VDSM communication for hosts in 4.2 clusters and above. Unfortunately this setting still allowed anonymous ciphers, which are not considered safe, so security sweep raised that as an issue:


# nmap -sV --script ssl-enum-ciphers -p 54321 <HOSTNAME>
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDH_anon_WITH_AES_128_CBC_SHA - F
|       TLS_ECDH_anon_WITH_AES_256_CBC_SHA - F
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: client
|_  least strength: F


In order to raise cipher strength we need to disable those anonymous ciphers by setting "ssl_ciphers=HIGH:!aNULL", which allows the safest ciphers:

# nmap -sV --script ssl-enum-ciphers -p 54321 <HOSTNAME>
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: client
|_  least strength: A


[1] https://www.openssl.org/docs/manmaster/man1/ciphers.html#CIPHER_LIST_FORMAT
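
The check described in the report, as an added example (not code from the bug, oVirt or VDSM): a standard-library Python script that expands an OpenSSL cipher string in the syntax of [1] the way a service's "ssl_ciphers" setting hands it to OpenSSL, lists the suites that offer no peer authentication (OpenSSL's aNULL class: ADH-*/AECDH-*, shown by nmap as *_anon_*), and separately greps an nmap ssl-enum-ciphers report for the same class. The sample scan text is an abbreviated copy of the report's first scan, embedded so the script runs offline; the function names and the "auth-null"/"auth-none" spelling are assumptions of this example.

```python
"""Flag anonymous (unauthenticated) TLS suites in a cipher string and in an
nmap ssl-enum-ciphers report.  Added illustration for this bug; not oVirt or
VDSM code.  Standard library only: ssl.SSLContext.set_ciphers() expands an
OpenSSL cipher string, get_ciphers() exposes each suite's authentication."""
import re
import ssl
from typing import Dict, List, Tuple

# An anonymous suite gives the engine no proof it is talking to the real
# VDSM host, so an on-path attacker can impersonate either side even though
# the bulk cipher is "HIGH".  OpenSSL reports such suites with a NULL auth
# NID; the long name spelling is assumed here, so match on the name too.
ANON_AUTH = {"auth-null", "auth-none"}
ANON_NAME = re.compile(r"^(ADH|AECDH)-|_anon_", re.IGNORECASE)


def is_anonymous(name: str, auth: str = "") -> bool:
    """True if the suite offers no peer authentication."""
    return auth in ANON_AUTH or bool(ANON_NAME.search(name))


def expand_cipher_string(cipher_string: str) -> List[Dict]:
    """Expand an OpenSSL cipher string into the suites it would enable."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)   # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def anonymous_suites(cipher_string: str) -> List[str]:
    """Names of the anonymous suites a cipher string enables (empty = good)."""
    return [c["name"] for c in expand_cipher_string(cipher_string)
            if is_anonymous(c["name"], c.get("auth") or "")]


# nmap ssl-enum-ciphers lines look like:
#   |       TLS_ECDH_anon_WITH_AES_128_CBC_SHA - F
#   |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
NMAP_LINE = re.compile(
    r"^\|\s+(TLS_[A-Za-z0-9_]+)(?:\s+\([^)]*\))?\s+-\s+([A-F])\s*$")


def anonymous_from_scan(scan_output: str) -> List[Tuple[str, str]]:
    """(suite, nmap grade) for every anonymous suite in a scan report."""
    found = []
    for line in scan_output.splitlines():
        m = NMAP_LINE.match(line.strip())
        if m and is_anonymous(m.group(1)):
            found.append((m.group(1), m.group(2)))
    return found


# Constructed sample: abbreviated from the "ssl_ciphers=HIGH" scan in the report.
SCAN_WITH_HIGH = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDH_anon_WITH_AES_128_CBC_SHA - F
|       TLS_ECDH_anon_WITH_AES_256_CBC_SHA - F
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|_  least strength: F
"""

if __name__ == "__main__":
    for spec in ("HIGH", "HIGH:!aNULL"):
        print(f"{spec:12s} -> {len(expand_cipher_string(spec))} suites, "
              f"anonymous: {anonymous_suites(spec) or 'none'}")
    print("scan findings:", anonymous_from_scan(SCAN_WITH_HIGH))
```

Whether plain "HIGH" actually enables ADH/AECDH suites depends on the OpenSSL build and security level of the host you run this on (the report's VDSM host did enable them); "HIGH:!aNULL" removes the whole class regardless, which is why the fix uses the negation rather than relying on the distribution's defaults. Re-running the nmap command from the report against port 54321 after the change is the end-to-end confirmation.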

Comment 1 Michal Skrivanek 2019-02-01 13:05:37 UTC
relevant for other communication channels we have? e.g. consoles?

Comment 2 Martin Perina 2019-02-06 11:46:10 UTC
(In reply to Michal Skrivanek from comment #1)
> relevant for other communication channels we have? e.g. consoles?

I've suggested the same for websocket-proxy in https://gerrit.ovirt.org/92775. I will also try to take a look at imageio_proxy.

Comment 5 Petr Matyáš 2019-02-22 13:06:27 UTC
Verified on ovirt-engine-4.3.1.1-0.1.el7.noarch

Comment 7 Sandro Bonazzola 2019-03-01 10:17:55 UTC
This bugzilla is included in the oVirt 4.3.1 release, published on February 28th 2019.

Since the problem described in this bug report should be resolved in the oVirt 4.3.1 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.