Bug 893979

Summary: Add support for SSLv3 when Apache is not used as proxy
Product: Red Hat Enterprise Virtualization Manager
Reporter: Juan Hernández <juan.hernandez>
Component: ovirt-engine-setup
Assignee: Juan Hernández <juan.hernandez>
Status: CLOSED CURRENTRELEASE
QA Contact: Pavel Stehlik <pstehlik>
Severity: unspecified
Docs Contact:
Priority: high
Version: 3.1.0
CC: bazulay, dyasny, iheim, italkohe, jlabocki, mgoldboi, pablo.iranzo, Rhev-m-bugs, sgrinber, vvaldez, ykaul
Target Milestone: ---
Keywords: ZStream
Target Release: 3.2.0
Hardware: Unspecified
OS: Unspecified
Whiteboard: integration
Fixed In Version: si-4
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 907532
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 907532

Description Juan Hernández 2013-01-10 12:49:17 UTC
Description of problem:

When we run without Apache as proxy we don't support SSLv3, only TLSv1.


Version-Release number of selected component (if applicable):

ovirt-engine-3.2

How reproducible:

Always.

Steps to Reproduce:

1. Perform the installation and select not to override the Apache configuration when asked. This will enable the HTTPS connector in the application server (by default in port 8701) and will configure it to use TLSv1 only.

2. Try to connect to the application server using SSLv3:

# openssl s_client -ssl3 -connect f17.example.com:8701
CONNECTED(00000003)
139937368467296:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:

Actual results:

The connection fails because the server doesn't support the requested SSLv3 protocol.

Expected results:

The connection should succeed.

Additional info:

To work around this issue the /usr/share/ovirt-engine/service/engine-service.xml.in file can be modified, replacing the value of the "protocol" attribute inside the "ssl" tag with "SSLv3,TLSv1" (its current value is "TLSv1") and then restarting the engine.

Comment 1 james labocki 2013-01-11 15:31:36 UTC
For reference.

Before:

        <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
          <ssl name="ssl" password="mypass" certificate-key-file="/etc/pki/ovirt-engine/.keystore" key-alias="engine" protocol="TLSv1" verify-client="false"/>
        </connector>

After:

        <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
          <ssl name="ssl" password="mypass" certificate-key-file="/etc/pki/ovirt-engine/.keystore" key-alias="engine" protocol="SSLv3,TLSv1" verify-client="false"/>
        </connector>
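
The change above edits a single attribute in a template that the engine regenerates its connector configuration from. The following is an added example, not code from this bug or from ovirt-engine: it audits and rewrites that attribute in a JBoss connector configuration, using a sample input constructed from the snippet in comment 1. The DEPRECATED set and the RFC 7568 reference are my assumption about current guidance, not something this bug discusses.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the "Before" snippet in comment 1.
SAMPLE_BEFORE = (
    '<connector name="https" protocol="HTTP/1.1" scheme="https" '
    'socket-binding="https" secure="true">\n'
    '  <ssl name="ssl" password="mypass" '
    'certificate-key-file="/etc/pki/ovirt-engine/.keystore" '
    'key-alias="engine" protocol="TLSv1" verify-client="false"/>\n'
    '</connector>'
)

# Assumption (not from the bug): protocols that current guidance keeps
# off (SSLv3 is deprecated by RFC 7568), so the audit flags them.
DEPRECATED = {"SSLv2", "SSLv3"}

# The protocol="..." attribute of an <ssl ...> tag (optionally namespace-
# prefixed); a regex edit keeps the rest of the template byte-for-byte.
_SSL_PROTOCOL_RE = re.compile(r'(<(?:\w+:)?ssl\b[^>]*?\bprotocol=")([^"]*)(")')

def _local(tag):
    """Strip an ElementTree namespace: '{urn:...}ssl' -> 'ssl'."""
    return tag.rsplit("}", 1)[-1]

def enabled_protocols(xml_text):
    """Protocols listed on the <ssl> element(s), in file order."""
    found = []
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) == "ssl" and "protocol" in elem.attrib:
            found += [p.strip() for p in elem.attrib["protocol"].split(",") if p.strip()]
    return found

def deprecated_protocols(xml_text):
    """Configured protocols that the audit considers deprecated."""
    return sorted(set(enabled_protocols(xml_text)) & DEPRECATED)

def set_protocols(xml_text, protocols):
    """Rewrite the <ssl> protocol attribute; raise if no such attribute."""
    new_text, count = _SSL_PROTOCOL_RE.subn(
        lambda m: m.group(1) + ",".join(protocols) + m.group(3), xml_text)
    if count == 0:
        raise ValueError('no <ssl ... protocol="..."> attribute found')
    return new_text

if __name__ == "__main__":
    after = set_protocols(SAMPLE_BEFORE, ["SSLv3", "TLSv1"])
    print(enabled_protocols(SAMPLE_BEFORE), enabled_protocols(after), deprecated_protocols(after))
```

The regex edit, rather than re-serialising the parsed tree, is what keeps namespace prefixes, indentation and the connector's own protocol="HTTP/1.1" attribute untouched in the template.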

Comment 6 Itamar Heim 2013-01-27 12:28:16 UTC
The fix here is for 3.1.z/3.2.0 to not break until we move to 3.3.

Comment 11 Vinny Valdez 2013-03-26 19:35:20 UTC
In addition to the change noted, after a RHEV 3.0 to 3.1 upgrade the following process must be followed: https://access.redhat.com/knowledge/solutions/291993

Otherwise autodiscovery and SmartState Analysis from ManageIQ EVM will fail against RHEV VMs.

Comment 13 Itamar Heim 2013-06-11 08:29:29 UTC
3.2 has been released

Comment 14 Itamar Heim 2013-06-11 08:29:32 UTC
3.2 has been released

Comment 15 Itamar Heim 2013-06-11 08:32:04 UTC
3.2 has been released