Bug 1821930
| Field | Value |
|---|---|
| Summary | Enable only TLSv1.2+ protocol for SPICE on EL7 hosts |
| Product | Red Hat Enterprise Virtualization Manager |
| Component | ovirt-engine |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Version | 4.3.8 |
| Target Milestone | ovirt-4.4.0 |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | ovirt-engine-4.4.0_beta4 |
| Doc Type | Enhancement |
| Doc Text | With this enhancement, RHEL 7-based hosts have SPICE encryption enabled during host deployment. Only TLSv1.2 and newer protocols are enabled. Available ciphers are limited as described in BZ1563271. RHEL 8-based hosts do not have SPICE encryption enabled. Instead, they rely on defined RHEL crypto policies (similar to VDSM BZ1179273). |
| Story Points | --- |
| Clone Of | |
| Clones | 1842522 |
| Last Closed | 2020-08-04 13:22:22 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | Infra |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 1842522 |
| Reporter | amashah |
| Assignee | amashah |
| QA Contact | Petr Kubica <pkubica> |
| Docs Contact | |
| CC | dblechte, mkalinin, mperina, msobczyk, mtessun, pelauter, rdlugyhe |
| Keywords | ZStream |
| Environment | |
Description
amashah
2020-04-07 20:51:51 UTC
Submitting patch for review https://gerrit.ovirt.org/#/c/108295/

This RFE is only for EL7 hosts, where we need to set ciphers and limit SSL/TLS version. On EL8 we will completely rely on current crypto policy.

Verified in 4.4.0-0.33.master.el8ev

```
# openssl s_client -connect <host>:5902 -tls1_1
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1587976407
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
```

https://gerrit.ovirt.org/#/c/108295/ can be backported without any modification in RHV 4.3. This is where it was originally tested, with RHEL 7 hosts.

The playbook already exists on RHV-M 4.3 to set Ciphers; this patch just adds the ability to specify TLS/SSL Protocols also (for RHEL 7, as RHEL 8 hosts do not need this). RHEL 8 hosts can make use of the system-wide crypto policy and don't need to rely on spice.cnf to disable specific Protocols/Ciphers per application.

On RHV-M 4.3 the playbook is located here: /usr/share/ovirt-engine/playbooks/roles/ovirt-host-deploy-spice-encryption/

One could just add these two lines to the files:

```
# tail -n1 /usr/share/ovirt-engine/playbooks/roles/ovirt-host-deploy-spice-encryption/defaults/main.yml
host_deploy_spice_protocol: 'ALL,-SSLv2,-SSLv3,-TLSv1,-TLSv1.1'

# tail -n1 /usr/share/ovirt-engine/playbooks/roles/ovirt-host-deploy-spice-encryption/tasks/main.yml
Protocol = {{ host_deploy_spice_protocol }}
```

The playbook writes these configurations to /etc/pki/tls/spice.cnf on hosts, which tells spice not to use these Protocols (again, only needed for RHEL 7 hosts).
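As an added example (not code from this bug report or from ovirt-engine), the following script turns the check above into a repeatable verification for an EL7 host: it evaluates the `Protocol = ...` value written to spice.cnf to get the set of versions that should remain enabled, then runs the same `openssl s_client` probe once per version against a host and classifies each transcript the way the `-tls1_1` output above reads (`Cipher is (NONE)` and a handshake that read 0 bytes means the version was refused). The rejected transcript is the one from the report; the accepted TLSv1.2 transcript, the host argument, port 5902 as the default, and the handling of a bare protocol name in the directive are assumptions.

```shell
#!/bin/sh
# Added example, not code from the bug report or from ovirt-engine.
# Verifies that a host's spice.cnf Protocol line took effect by forcing each
# TLS version with openssl s_client, as the report does for -tls1_1.

KNOWN_PROTOS="SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"

# s_client flag that forces a single protocol version (the flag only exists
# when the client's OpenSSL was built with that version).
proto_flag() {
    case "$1" in
        SSLv3)   echo "-ssl3" ;;
        TLSv1)   echo "-tls1" ;;
        TLSv1.1) echo "-tls1_1" ;;
        TLSv1.2) echo "-tls1_2" ;;
        TLSv1.3) echo "-tls1_3" ;;
        *)       return 1 ;;
    esac
}

# Remove $2 from the space-separated list $1.
list_without() {
    for v in $1; do
        [ "$v" = "$2" ] || printf '%s ' "$v"
    done
}

# Evaluate a spice.cnf "Protocol = ..." value in the form the report uses:
# ALL, then -NAME to disable, +NAME to re-enable. A bare NAME is taken to
# reset the list to that single version (assumption about the config syntax).
# Prints the versions left enabled, one per line.
protocols_enabled_by() {
    enabled=""
    for item in $(printf '%s' "$1" | tr ',' ' '); do
        case "$item" in
            ALL) enabled="$KNOWN_PROTOS" ;;
            -*)  enabled=$(list_without "$enabled" "${item#-}") ;;
            +*)  enabled="$enabled ${item#+}" ;;
            *)   enabled="$item" ;;
        esac
    done
    for v in $enabled; do echo "$v"; done
}

# Classify an s_client transcript read from stdin. A refused version looks
# like the report's -tls1_1 run: "Cipher is (NONE)" and 0 bytes read, even
# though the SSL-Session block still names the requested protocol.
classify_handshake() {
    out=$(cat)
    case "$out" in
        *'Cipher is (NONE)'*|*'handshake has read 0 bytes'*) echo rejected ;;
        *'Cipher is '*)                                        echo accepted ;;
        *)                                                     echo unknown ;;
    esac
}

# Probe HOST:PORT with every known version and print "VERSION verdict" lines.
# On a hardened EL7 host only TLSv1.2 (and TLSv1.3, where the client's
# OpenSSL offers it) should come back as accepted.
probe_spice_port() {
    for p in $KNOWN_PROTOS; do
        flag=$(proto_flag "$p") || continue
        verdict=$(openssl s_client -connect "$1:$2" "$flag" </dev/null 2>&1 | classify_handshake)
        printf '%-8s %s\n' "$p" "$verdict"
    done
}

# Transcript from the report (TLSv1.1 refused by the hardened host), trimmed.
TLS11_REJECTED='CONNECTED(00003)
write:errno=104
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000'

# Constructed transcript of a successful TLSv1.2 handshake (cipher is illustrative).
TLS12_ACCEPTED='CONNECTED(00000003)
---
SSL handshake has read 1523 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'

# Usage: sh spice_tls_check.sh <host> [port]   (port defaults to 5902, an assumption)
if [ -n "${1:-}" ]; then
    echo "Expected from the report's directive:"
    protocols_enabled_by 'ALL,-SSLv2,-SSLv3,-TLSv1,-TLSv1.1' | sed 's/^/  /'
    echo "Observed on $1:${2:-5902}:"
    probe_spice_port "$1" "${2:-5902}" | sed 's/^/  /'
fi
```

Run it from a machine that can reach the host; each version that still comes back `accepted` but is absent from the expected list means the spice.cnf change has not taken effect for that service. A row printing `unknown` usually means the client's OpenSSL does not know the flag (for example `-ssl3` on a build without SSLv3), not that the server accepted it.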
This bug covers allowing setting of spice TLSv1.2 protocol for EL7 and EL8 hosts only from RHV Manager 4.4. So I've cloned this bug into BZ1842522 to also enable setting of TLSv1.2 for EL7 hosts from RHV Manager 4.3.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Important: RHV Manager (ovirt-engine) 4.4 security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:3247