Bug 1973768

Summary: [4.7.z] 4.5 -> 4.6 upgrade failed with ovn pod error: SSL_connect: error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small
Product: OpenShift Container Platform
Reporter: Jaime Caamaño Ruiz <jcaamano>
Component: Networking
Assignee: Jaime Caamaño Ruiz <jcaamano>
Networking sub component: ovn-kubernetes
QA Contact: Anurag saxena <anusaxen>
Status: CLOSED CURRENTRELEASE
Docs Contact:
Severity: high
Priority: low
CC: aconstan, asood, astoycos, jluhrsen, kewang, mifiedle, wking, zzhao
Version: 4.6
Keywords: Regression
Target Milestone: ---
Target Release: 4.7.z
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: During 4.5 to 4.6 upgrade, stricter security requirements of openssl versions included in 4.6 ovn-kubernetes components prevented the upgrade from completing successfully. Specifically, the use of 1024 bit based DH params was disallowed on those openssl versions.
Consequence: Upgrade of ovn-kubernetes and thus the cluster-network-operator does not progress to complete status and the upgrade is stuck.
Fix: Soften the openssl security requirements to allow the use of 1024 bit based DH params in ovn-kubernetes components.
Result: The use of 1024 bit based DH params with openssl no longer prevents the 4.5 to 4.6 upgrade from completing.
Story Points: ---
Clone Of: 1961528
Environment:
Last Closed: 2021-06-24 14:35:13 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1973763
Bug Blocks: 1973770

Comment 1 Jaime Caamaño Ruiz 2021-06-18 16:55:18 UTC
This is a noop for 4.7 as the issue only affects upgrades from 4.5 to 4.6, the fix is only required in 4.6 and not needed in any other release.

Comment 4 Mike Fiedler 2021-06-24 12:33:16 UTC
If there is nothing for QE to test, please move the bz directly to CLOSED.

Comment 5 W. Trevor King 2021-08-18 22:17:58 UTC
Only one bug in the series needs UpgradeBlocker, so I'm removing it here.  If folks think this series deserves blocking edges, please follow up after [1].

[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1961528#c28