Bug 1829189
| Summary: | engine-setup httpd ssl configuration conflicts with Red Hat Insights | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Virtualization Manager | Reporter: | Roman Hodain <rhodain> |
| Component: | ovirt-engine | Assignee: | Eli Mesika <emesika> |
| Status: | CLOSED ERRATA | QA Contact: | Petr Matyáš <pmatyas> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 4.3.9 | CC: | mperina, pelauter |
| Target Milestone: | ovirt-4.4.1 | | |
| Target Release: | 4.4.1 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ovirt-engine-4.4.1.5 | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-08-04 13:22:48 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | Infra | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
$ git tag --contains 7591ed6153294ea3daa3df178f36431edf3b786a
ovirt-engine-4.4.1.5

Verified on ovirt-engine-4.4.1.8-0.7.el8ev.noarch

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Important: RHV Manager (ovirt-engine) 4.4 security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:3247
Description of problem:

engine-setup configures the httpd ssl configuration (/etc/httpd/conf.d/ssl.conf) and enables all protocols except SSLv3 and TLSv1.

SSLProtocol all -SSLv3 -TLSv1

The Red Hat insights suggest using only TLSv1.2. The following configurations are suggested:

SSLProtocol -all +TLSv1.2

or

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

Version-Release number of selected component (if applicable):

rhv 4.3.9

How reproducible:

100%

Steps to Reproduce:

1. grep SSLProtocol /etc/httpd/conf.d/ssl.conf
2. Modify the configuration of SSLProtocol
3. engine-setup
4. grep SSLProtocol /etc/httpd/conf.d/ssl.conf

Actual results:

The SSLProtocols are set to

SSLProtocol all -SSLv3 -TLSv1

Expected results:

The following is set

SSLProtocol -all +TLSv1.2

or

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

Additional info:

https://webkit.org/blog/8462/deprecation-of-legacy-tls-1-0-and-1-1-versions/

Insights rule: Decreased security: httpd using deprecated TLSv1.1 protocol
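
The grep in the reproduction steps shows the directive text but not which protocols it leaves enabled. The following check is an added example, not part of the bug report or of ovirt-engine: it evaluates an SSLProtocol value token by token and reports deprecated protocols that remain on. The function names are hypothetical, and the expansion of "all" (the `ALL` tuple) is an assumption that depends on the httpd/OpenSSL build.

```python
import re

# Assumption: what "all" expands to on the httpd/OpenSSL build being checked.
ALL = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def effective_protocols(value, all_protocols=ALL):
    """Evaluate an SSLProtocol argument left to right:
    +X adds, -X removes, a bare X replaces what was set so far."""
    canon = {p.lower(): p for p in all_protocols}
    enabled = set()
    for token in value.split():
        action = token[0] if token[0] in "+-" else ""
        name = token.lstrip("+-").lower()
        if name == "all":
            group = set(all_protocols)
        elif name in canon:
            group = {canon[name]}
        elif action == "-":
            continue  # removing a name not in all_protocols (e.g. -SSLv2) is a no-op here
        else:
            raise ValueError(f"unsupported protocol in SSLProtocol: {token}")
        if action == "+":
            enabled |= group
        elif action == "-":
            enabled -= group
        else:
            enabled = set(group)
    return enabled

def audit(conf_text, all_protocols=ALL):
    """Return (line_no, value, deprecated protocols still enabled) per SSLProtocol line."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = re.match(r"\s*SSLProtocol\s+(.+?)\s*$", line, re.IGNORECASE)
        if m:  # commented-out directives start with '#' and do not match
            weak = sorted(effective_protocols(m.group(1), all_protocols) & DEPRECATED)
            findings.append((no, m.group(1), weak))
    return findings

# Constructed sample: the three SSLProtocol values quoted in the bug description.
SAMPLE = """\
# commented out: SSLProtocol all
SSLProtocol all -SSLv3 -TLSv1
SSLProtocol -all +TLSv1.2
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
"""

if __name__ == "__main__":
    for no, value, weak in audit(SAMPLE):
        print(f"line {no}: {value!r} -> {'FAIL ' + ', '.join(weak) if weak else 'ok'}")
```

Running `audit()` on the contents of /etc/httpd/conf.d/ssl.conf before and after engine-setup shows whether the run put TLSv1.1 back.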