Bug 983630
Summary: | [vdsm] engine address does not appear in vdsm.log when SSL connection problem occurs | ||
---|---|---|---|
Product: | Red Hat Enterprise Virtualization Manager | Reporter: | Elad <ebenahar> |
Component: | vdsm | Assignee: | Juan Hernández <juan.hernandez> |
Status: | CLOSED ERRATA | QA Contact: | Artyom <alukiano> |
Severity: | medium | Docs Contact: | |
Priority: | unspecified | ||
Version: | 3.2.0 | CC: | acathrow, bazulay, danken, ebenahar, iheim, jkt, juan.hernandez, lpeer, pstehlik, yeylon |
Target Milestone: | --- | Keywords: | Reopened |
Target Release: | 3.3.0 | ||
Hardware: | x86_64 | ||
OS: | Unspecified | ||
Whiteboard: | infra | ||
Fixed In Version: | is16 | Doc Type: | Bug Fix |
Doc Text: |
The client IP address used to be logged when SSL errors occurred, but this stopped working with the introduction of cached SSL sessions. This update modifies the SSLServerSocket class that was introduced to implement cached SSL sessions. Now when an SSL error is detected while attempting a connection, the IP address is added to the message of the exception and logged.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2014-01-21 16:27:58 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | Infra | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Elad
2013-07-11 15:05:45 UTC
Elad, can you tell me how are you generating that "sslv3 alert certificate unknown" message? I can't reproduce it. I can reproduce other SSL alerts, but not this one, and all the ones that I reproduce are caught later, after the accept method, and thus are processed correctly. Anyhow, I think that we may need to modify the accept method of SSLServerSocket to something like this: def accept(self): # First we need to call the accept method of the raw # socket and build a new SSL connection object with the # results: client, address = self.connection.socket.accept() client = SSL.Connection(self.context, client) client.addr = address # Now perform the SSL setup and log errors including the # address of the remote client: try: client.setup_ssl() client.set_accept_state() except: logging.error('client %s', address, exc_info=True) raise # Finally wrap the connection so that it mimics a # socket as the XMLRPC server expects: client = SSLSocket(client) return client, address (In reply to Juan Hernández from comment #1) > Elad, can you tell me how are you generating that "sslv3 alert certificate > unknown" message? I can't reproduce it. I can reproduce other SSL alerts, > but not this one, and all the ones that I reproduce are caught later, after > the accept method, and thus are processed correctly. > > Anyhow, I think that we may need to modify the accept method of > SSLServerSocket to something like this: > > def accept(self): > # First we need to call the accept method of the raw > # socket and build a new SSL connection object with the > # results: > client, address = self.connection.socket.accept() > client = SSL.Connection(self.context, client) > client.addr = address > > # Now perform the SSL setup and log errors including the > # address of the remote client: > try: > client.setup_ssl() > client.set_accept_state() > except: > logging.error('client %s', address, exc_info=True) > raise > > # Finally wrap the connection so that it mimics a > # socket as the XMLRPC server expects: > client = SSLSocket(client) > > return client, address It happens when we have 2 engines that are connected by ssl to the same host according to comment #2 this is not a bug Moving to CLOSE NOTABUG (In reply to Barak from comment #3) > according to comment #2 this is not a bug > Moving to CLOSE NOTABUG IMO, having the relevant engine address is necessary in that error. I'd like to solve this recent regression: if there's a DoS attack on a vdsm (malevolent or unintentional), we'd like to log the IP of the attacker. Verified on is18 In the end of error message appear message SSLError: sslv3 alert certificate unknown, client 10.35.161.82 This bug is currently attached to errata RHBA-2013:15291. If this change is not to be documented in the text for this errata please either remove it from the errata, set the requires_doc_text flag to minus (-), or leave a "Doc Text" value of "--no tech note required" if you do not have permission to alter the flag. Otherwise to aid in the development of relevant and accurate release documentation, please fill out the "Doc Text" field above with these four (4) pieces of information: * Cause: What actions or circumstances cause this bug to present. * Consequence: What happens when the bug presents. * Fix: What was done to fix the bug. * Result: What now happens when the actions or circumstances above occur. (NB: this is not the same as 'the bug doesn't present anymore') Once filled out, please set the "Doc Type" field to the appropriate value for the type of change made and submit your edits to the bug. For further details on the Cause, Consequence, Fix, Result format please refer to: https://bugzilla.redhat.com/page.cgi?id=fields.html#cf_release_notes Thanks in advance. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2014-0040.html |