Bug 1999698

Summary: ssl.conf modifications of engine-setup do not conform to best practices (according to red hat insights)
Product: Red Hat Enterprise Virtualization Manager
Reporter: Klaas Demter <klaas>
Component: ovirt-engine
Assignee: Yedidyah Bar David <didi>
Status: CLOSED ERRATA
QA Contact: Nikolai Sednev <nsednev>
Severity: medium
Priority: medium
Version: 4.4.7
CC: didi, lsurette, mavital, mperina
Target Milestone: ovirt-4.5.0
Keywords: NeedsTestCase, TestCaseNeeded, Triaged, ZStream
Target Release: 4.5.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ovirt-engine-4.5.0
Doc Type: Enhancement
Doc Text:
In previous versions, engine-setup configured apache httpd's SSLProtocol configuration option to be `-all +TLSv1.2`. In RHEL 8, this isn't needed, because this option is managed by crypto-policies. With this version, engine-setup does not set this option, and removes it if it's already set, letting it be managed by crypto-policies.
Story Points: ---
Last Closed: 2022-05-26 16:23:07 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: Integration
Cloudforms Team: ---
Bug Depends On: 2069658

Description Klaas Demter 2021-08-31 15:22:10 UTC
Description of problem:
I've added my RHV Manager 4.4.7 to Insights. Insights complains about RHV Manager setting the SSL config manually instead of using system defaults:

Advisor message:
"
Detected issues
The system is using crypto-policies, but they are overridden in the configuration of the Apache HTTP server.

Steps to resolve
Red Hat recommends that you complete the following steps:
    change the options SSLProtocol, SSLCipherSuite and SSLProxyCipherSuite in /etc/httpd/conf.d/ssl.conf.
        Remove any SSLProtocol lines.
        Change the values of SSLCipherSuite or SSLProxyCipherSuite accordingly:

         SSLCipherSuite PROFILE=SYSTEM
         SSLProxyCipherSuite PROFILE=SYSTEM

    restart the httpd service:

      # systemctl restart httpd.service


"

It seems this is because engine setup adds
https://github.com/oVirt/ovirt-engine/blob/a65cf0eae8858ab2278c3f537dc427e3ff20eba7/packaging/setup/ovirt_engine_setup/engine_common/constants.py#L195
to ssl.conf (Line in config is "SSLProtocol -all +TLSv1.2")

I think this can be seen as a follow up to https://bugzilla.redhat.com/show_bug.cgi?id=1829189



Version-Release number of selected component (if applicable):
ovirt-engine-4.4.7.7-0.1.el8ev.noarch

How reproducible:
Install Manager and add system to insights


Steps to Reproduce:
1. Install Manager
2. Add to insights
3. Wait for insights to show advisor results

Actual results:
Deviation from best practices


Expected results:
No advisor recommendations

Comment 1 RHEL Program Management 2021-08-31 15:43:22 UTC
The documentation text flag should only be set after 'doc text' field is provided. Please provide the documentation text and set the flag to '?' again.

Comment 3 Yedidyah Bar David 2021-09-01 09:15:47 UTC
SSLProtocol was changed for bug 1388456. Martin - can we decide, going forward, to basically revert that, and rely on system defaults?

This probably means:
1. On new setups, do not add/change SSLProtocol anymore
2. On upgrades: If SSLProtocol has our current default value '-all +TLSv1.2': remove the line, else: not sure, perhaps prompt the user whether to remove it anyway (and default to True?), or just warn.

Comment 5 Martin Perina 2022-02-17 14:38:34 UTC
BZ1388456 was created because RHEL 7 didn't have support for crypto policies, so RHV itself needed to make the configuration as safe as possible. But in RHV 4.4, which is based on RHEL 8, we have made a lot of effort to rely on crypto policies; this part was just missed. So I think we can remove the offending line and rely on the crypto policies defaults.

Comment 6 Yedidyah Bar David 2022-03-03 07:01:54 UTC
QE: Reproduction/verification flows:

1. New setup: ssl.conf should not include SSLProtocol.

2. Upgrade from a previous version (say, 4.4.10). ssl.conf should not include SSLProtocol uncommented - should include the previous value commented.

Comment 7 Klaas Demter 2022-03-03 07:32:35 UTC
The link was wrong, it included https://github.com twice, I'm trying to fix it :)

Comment 8 Yedidyah Bar David 2022-03-03 08:10:30 UTC
Thanks. Not sure what happened. I am still not very used to github (moved from gerrit recently) - perhaps I did something wrong.

Comment 12 Yedidyah Bar David 2022-04-05 06:04:57 UTC
Sorry:

(In reply to Yedidyah Bar David from comment #6)
> QE: Reproduction/verification flows:
> 
> 1. New setup: ssl.conf should not include SSLProtocol.

I meant: "ssl.conf should not include SSLProtocol _uncommented_".

Its default content (prior to running engine-setup) is from the package mod_ssl, unrelated to oVirt/RHV. This might include it commented, which is ok, or might not include it at all, which is ok too. If it includes it uncommented, it should probably be considered a bug in mod_ssl.

When writing the above (comment 6) I somehow thought it did not include it at all, but was apparently wrong.

In either case, after 'engine-setup' it should not include it uncommented, regardless of the value it had before that. Please test this as well - e.g.:

1. Install mod_ssl
2. Edit the file to have e.g. (uncommented):
SSLProtocol all -SSLv3
3. Install and run engine-setup

Comment 13 Nikolai Sednev 2022-04-05 10:07:18 UTC
Flow 1 is positively fixed and works as expected:
nsednev-he-6 ~]# cat /etc/httpd/conf.d/ssl.conf | grep SSLProtocol
#SSLProtocol all -SSLv3
Tested on ovirt-engine-setup-4.5.0.1-605.90f87fe14688.14.el8ev.noarch.

Comment 14 Nikolai Sednev 2022-04-06 13:31:38 UTC
For flow 2 I deployed ovirt-engine-setup-4.4.10.8-548.g6b5767a.2.el8ev.noarch and then upgraded it to ovirt-engine-setup-4.5.0.1-605.90f87fe14688.14.el8ev.noarch.
On 4.4.10 I see:
nsednev-he-7 ~]# cat /etc/httpd/conf.d/ssl.conf | grep SSLProtocol
#SSLProtocol all -SSLv3
SSLProtocol -all +TLSv1.2

On 4.5.0.1 I see:
nsednev-he-7 ~]# cat /etc/httpd/conf.d/ssl.conf | grep SSLProtocol
#SSLProtocol all -SSLv3
# SSLProtocol -all +TLSv1.2

Flow 2 is positively fixed and works as expected.

The whole flow was tested using HE infrastructure, which indeed has been upgraded too.

Moving to verified.

Components used in 4.4.10.8:
ovirt-engine-setup-4.4.10.8-548.g6b5767a.2.el8ev.noarch
ovirt-ansible-collection-2.0.0-0.4.BETA.el8ev.noarch
ansible-2.9.27-1.el8ae.noarch
ovirt-hosted-engine-ha-2.4.10-1.el8ev.noarch
ovirt-hosted-engine-setup-2.5.4-2.el8ev.noarch
Red Hat Enterprise Linux release 8.5 (Ootpa)
Linux 4.18.0-348.21.1.el8_5.x86_64 #1 SMP Tue Mar 22 10:35:22 EDT 2022 x86_64 x86_64 x86_64 GNU/Linux


Components used in 4.5.0.1:
ovirt-ansible-collection-2.0.0-0.9.BETA.el8ev.noarch
ansible-core-2.12.2-3.1.el8.x86_64
ovirt-engine-setup-4.5.0.1-607.fad80f26da78.25.el8ev.noarch
ovirt-hosted-engine-setup-2.6.3-1.el8ev.noarch
ovirt-hosted-engine-ha-2.5.0-1.el8ev.noarch
Linux 4.18.0-372.5.1.el8.x86_64 #1 SMP Mon Mar 28 11:03:39 EDT 2022 x86_64 x86_64 x86_64 GNU/Linux
Red Hat Enterprise Linux release 8.6 Beta (Ootpa)
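
The two checks QE ran by hand above (the Insights advisor's "crypto-policies overridden in httpd" rule from the description, and the "no uncommented SSLProtocol after engine-setup" expectation from comments 6, 12 and 14) can be scripted. The following is an added example, not oVirt's or engine-setup's own code; it assumes the comment-out format `# SSLProtocol ...` seen in the 4.5.0.1 output of comment 14 and uses a constructed ssl.conf fragment as input.

```python
import re

# Constructed sample modelled on the 4.4.10 output in comment 14:
# mod_ssl's commented default, engine-setup's old override, and
# cipher suites already delegated to the system policy.
SSL_CONF_44 = """\
# SSL Protocol support:
#SSLProtocol all -SSLv3
SSLProtocol -all +TLSv1.2
SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM
"""

# Uncommented directive at line start; Apache directive names are case-insensitive.
_DIRECTIVE = re.compile(
    r"^\s*(SSLProtocol|SSLCipherSuite|SSLProxyCipherSuite)\s+(.+?)\s*$", re.IGNORECASE
)


def crypto_policy_overrides(conf_text):
    """Return (lineno, directive, value) for every uncommented directive that
    overrides the system-wide crypto-policies, mirroring the advisor rule quoted
    in the description: any SSLProtocol line, or a cipher suite other than
    PROFILE=SYSTEM."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = _DIRECTIVE.match(line)
        if not m:
            continue  # comment, blank line or unrelated directive
        directive, value = m.group(1), m.group(2)
        if directive.lower() == "sslprotocol" or value.upper() != "PROFILE=SYSTEM":
            findings.append((lineno, directive, value))
    return findings


def comment_out_sslprotocol(conf_text):
    """Neutralise every uncommented SSLProtocol line while keeping the old value
    visible as a comment, which is what comment 14 shows engine-setup 4.5 doing
    on upgrade. Lines that are already comments are left untouched."""
    out = []
    for line in conf_text.splitlines():
        if re.match(r"^\s*SSLProtocol\b", line, re.IGNORECASE):
            out.append("# " + line.strip())  # assumed format, per comment 14
        else:
            out.append(line)
    return "\n".join(out) + "\n"
```

Running `crypto_policy_overrides` on the 4.4.10 sample reports only the `SSLProtocol -all +TLSv1.2` line; after `comment_out_sslprotocol` it reports nothing, and the commented mod_ssl default survives unchanged.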

Comment 19 errata-xmlrpc 2022-05-26 16:23:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: RHV Manager (ovirt-engine) [ovirt-4.5.0] security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:4711

Comment 20 Red Hat Bugzilla 2023-09-15 01:35:50 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 365 days