Bug 1740516

Summary: [OSP17] NO VNC proxy allows weak encryption protocols and ciphers (SSL V3, TLS<1.2, CBC, RC4, 3DES)
Product: Red Hat OpenStack
Reporter: Francois Duthilleul <fduthill>
Component: openstack-nova
Assignee: melanie witt <mwitt>
Status: CLOSED ERRATA
QA Contact: James Parker <jparker>
Severity: high
Docs Contact:
Priority: medium
Version: 13.0 (Queens)
CC: alifshit, cylopez, dasmith, dcaspin, dmendiza, egallen, eglynn, fduthill, ggrasza, hrybacki, igallagh, jhakimra, jparker, kchamart, lbragsta, lyarwood, mariel, mschuppe, mwitt, nkinder, sbauza, scohen, sgordon, stephenfin, vromanso
Target Milestone: Alpha
Keywords: FutureFeature, Triaged
Target Release: 17.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: openstack-nova-20.1.0-0.20200312134520.e20e731.el8ost
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1805070 1897698
Environment:
Last Closed: 2022-09-21 12:07:58 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version: Ussuri
Embargoed:
Bug Depends On:
Bug Blocks: 1806704, 1897698

Comment 2 Nathan Kinder 2019-08-30 17:47:32 UTC
*** Bug 1740520 has been marked as a duplicate of this bug. ***

Comment 3 Nathan Kinder 2019-08-30 17:50:42 UTC
*** Bug 1740523 has been marked as a duplicate of this bug. ***

Comment 4 Nathan Kinder 2019-08-30 17:51:16 UTC
*** Bug 1740527 has been marked as a duplicate of this bug. ***

Comment 10 melanie witt 2019-09-06 16:31:08 UTC
Note that the nova patch cannot be backported upstream in its current form because of the hard dependency on websockify 0.9.0. I've noted on the patch an option for a potential backport, but it's a bit wonky and I'm not sure whether this bug would be considered severe enough to warrant doing it. If anyone could weigh in, I would appreciate it.

Comment 11 Nathan Kinder 2019-09-06 18:19:11 UTC
I have added an initial WIP patch for the T-H-T portion of this issue here:

  https://review.opendev.org/680752

Comment 20 Cyril Lopez 2020-01-13 08:48:03 UTC
Hello Melanie,

It looks like there is a -1 on the patch.

Could you have a look, please?

Thanks,
Cyril

Comment 23 Artom Lifshitz 2020-02-19 16:31:02 UTC
As this has not merged in upstream train, re-targeting to 17 to reflect the fact that it will (hopefully) land in upstream ussuri.

Comment 24 melanie witt 2020-02-24 19:29:54 UTC
The nova patch has merged: https://review.opendev.org/679502

I moved the puppet-nova and openstack-tripleo-heat-templates gerrit links to their respective rhbzs:

https://bugzilla.redhat.com/show_bug.cgi?id=1806704

https://bugzilla.redhat.com/show_bug.cgi?id=1805070

Comment 44 errata-xmlrpc 2022-09-21 12:07:58 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 17.0 (Wallaby)), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:6543