Bug 1842522
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | Enable only TLSv1.2+ protocol for SPICE on EL7 hosts [RHV clone - 4.3.11] | | |
| Product | Red Hat Enterprise Virtualization Manager | Reporter | RHV bug bot <rhv-bugzilla-bot> |
| Component | ovirt-engine | Assignee | amashah |
| Status | CLOSED ERRATA | QA Contact | Petr Kubica <pkubica> |
| Severity | high | Docs Contact | |
| Priority | high | | |
| Version | 4.3.8 | CC | amashah, dblechte, mkalinin, mperina, msobczyk, mtessun, pelauter, pkubica, rdlugyhe |
| Target Milestone | ovirt-4.3.11 | Keywords | ZStream |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Enhancement |
| Story Points | --- | | |
| Clone Of | 1821930 | Environment | |
| Last Closed | 2020-09-30 10:07:13 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | Infra | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1821930 | | |
| Bug Blocks | | | |

Doc Text:

With this enhancement, while deploying RHEL 7-based hosts, you can configure SPICE encryption so that:

- Only TLSv1.2 and newer protocols are enabled
- Available ciphers are limited as described in BZ1563271

To apply this enhancement to existing hosts, an administrator puts each host into Maintenance mode, performs a Reinstall, and activates each host. For details, search for "Reinstalling Hosts" in the documentation.
Description
RHV bug bot
2020-06-01 13:04:31 UTC
Submitting patch for review https://gerrit.ovirt.org/#/c/108295/

(Originally by Amar Shah)

This RFE is only for EL7 hosts, where we need to set ciphers and limit SSL/TLS version. On EL8 we will completely rely on current crypto policy.

(Originally by Martin Perina)

Verified in 4.4.0-0.33.master.el8ev

```
# openssl s_client -connect <host>:5902 -tls1_1
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1587976407
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
```

(Originally by Petr Kubica)

https://gerrit.ovirt.org/#/c/108295/ can be backported without any modification in RHV 4.3. This is where it was originally tested, with RHEL 7 hosts. The playbook already exists on RHV-M 4.3 to set Ciphers, this patch just adds ability to specify TLS/SSL Protocols also (for RHEL 7, as RHEL 8 hosts do not need this). RHEL 8 hosts can make use of the system-wide crypto policy and don't need to rely on spice.cnf to disable specific Protocols/Ciphers per application.

On RHV-M 4.3 the playbook is located here: /usr/share/ovirt-engine/playbooks/roles/ovirt-host-deploy-spice-encryption/

One could just add these two lines to the files:

```
# tail -n1 /usr/share/ovirt-engine/playbooks/roles/ovirt-host-deploy-spice-encryption/defaults/main.yml
host_deploy_spice_protocol: 'ALL,-SSLv2,-SSLv3,-TLSv1,-TLSv1.1'

# tail -n1 /usr/share/ovirt-engine/playbooks/roles/ovirt-host-deploy-spice-encryption/tasks/main.yml
Protocol = {{ host_deploy_spice_protocol }}
```

The playbook writes these configurations to /etc/pki/tls/spice.cnf on hosts, which tells spice not to use these Protocols (again, only needed for RHEL 7 hosts).

(Originally by Amar Shah)

tls1_1 is still enabled on HE VM, all other VMs have tls1_1 disabled

```
# openssl s_client -connect host:5901 -tls1_1
CONNECTED(00000003)
depth=1 C = US, O = domain.com, CN = common_name.53578
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/O=domain.com/CN=common_name.domain.com
   i:/C=US/O=domain.com/CN=engine.domain.com.53578
 1 s:/C=US/O=domain.com/CN=engine.domain.com.53578
   i:/C=US/O=domain.com/CN=engine.domain.com.53578
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFFTCCA/2gAwIBAgICEC0wDQYJKoZIhvcNAQELBQAwazELMAkGA1UEBhMCVVMx
JDAiBgNVBAoMG3JoZXYubGFiLmVuZy5icnEucmVkaGF0LmNvbTE2MDQGA1UEAwwt
... output omitted ...
```

(In reply to Petr Kubica from comment #12)
> tls1_1 is still enabled on HE VM, all other VMs have tls1_1 disabled

The changes won't take effect until VM is powered off and back on (this applies to any VM, HE included). For HE you could do (on host where HE is running):

```
# hosted-engine --set-maintenance --mode=global
# hosted-engine --vm-shutdown
# hosted-engine --vm-status   (just to check to confirm it's down, or `virsh -r list`)
# hosted-engine --vm-start
```

Then TLS 1.1 should be disabled. Alternatively, migrating HE to another HE host and back should also do the trick.

Hi, tried to reproduce the problem to verify your comment but it's no longer reproducible. Tried 4.3 and 4.4 again and in both versions TLS 1.1 seems to be disabled also on HE VMs. If I hit this issue again, I will try to discover what I did differently and report another bug, but now it seems to be working properly.

Verified in 4.3.11.3-0.1.el7

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Red Hat Virtualization Engine security, bug fix 4.3.11), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4112
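As an added example (not code from this bug or from the ovirt-host-deploy-spice-encryption role), the following Python resolves the `Protocol` directive the role writes to /etc/pki/tls/spice.cnf into the versions a host would still negotiate, and classifies an `openssl s_client -tls1_1` transcript like the two quoted in the comments as refused or accepted. It assumes the protocol names known to OpenSSL 1.0.2 on EL7, and the transcripts are constructed with placeholder names.

```python
# Added example; not code from this bug or the ovirt-host-deploy-spice-encryption role.
# Assumption: the protocol versions OpenSSL 1.0.2 on an EL7 host knows about.
EL7_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")


def enabled_protocols(spec, available=EL7_PROTOCOLS):
    """Expand e.g. 'ALL,-SSLv2,-SSLv3,-TLSv1,-TLSv1.1' left to right into the
    versions a server using that Protocol directive would still negotiate.
    All start enabled (SSL_CONF default); '-X' disables, '+X'/'X'/'ALL' enable."""
    enabled = set(available)
    for token in (t.strip() for t in spec.split(",") if t.strip()):
        if token == "ALL":
            enabled = set(available)
        elif token.startswith("-"):
            enabled.discard(token[1:])
        else:
            enabled.add(token.lstrip("+"))
    return enabled


def only_tls12_plus(spec, available=EL7_PROTOCOLS):
    """True when the directive leaves nothing older than TLSv1.2 enabled."""
    legacy = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
    enabled = enabled_protocols(spec, available)
    return bool(enabled) and not (enabled & legacy)


def handshake_accepted(transcript):
    """Classify s_client output: a refused version shows a zero-byte handshake
    and 'Cipher is (NONE)'; an accepted one prints the server certificate."""
    refused = ("Cipher is (NONE)" in transcript
               or "SSL handshake has read 0 bytes" in transcript)
    return not refused and "Server certificate" in transcript


# Constructed transcripts modelled on the two s_client runs quoted in this bug.
REFUSED_TLS11 = """CONNECTED(00000003)
write:errno=104
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
"""
ACCEPTED_TLS11 = """CONNECTED(00000003)
depth=1 C = US, O = example.test, CN = engine.example.test
---
Server certificate
-----BEGIN CERTIFICATE-----
(certificate body omitted)
"""
```

Feeding `only_tls12_plus` the value a host's spice.cnf actually carries, and `handshake_accepted` the output of a `-tls1_1` probe against its SPICE port, gives the two checks the verification in this bug performed by hand.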