Bug 990539
| Summary: | iLO2: Unable to login when password contains " | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Marek Grac <mgrac> |
| Component: | fence-agents | Assignee: | Marek Grac <mgrac> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Cluster QE <mspqa-list> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 7.0 | CC: | acathrow, cluster-maint, eedri, fdinitto, gogo.ray, jharriga, jruemker, lmiksik, mbanas, mgrac, mjuricek, obasan |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | fence-agents-4.0.2-16.el7 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | 990537 | Environment: | |
| Last Closed: | 2014-06-13 09:38:47 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 990537 | ||
| Bug Blocks: | 782468, 1067873 | ||
|
Description
Marek Grac
2013-07-31 12:18:57 UTC
*) Non-encryption is not a solution because there is (or was) telnet based interface for ilo2 but it did not work correctly. If I remeber it, problem was that we had to issue power off but ilo always sent it as attempt to graceful shutdown. @John Harrigan: *) There is no problem with ilo3/ilo4/... because they support IPMI and that is the only supported way from us. We can switch to gnutls-cli and remove nss_wrapper completely. With current version, there is no problem with communication with iLO2 (tested with RIBCL 1.22);
The required patch just change the executable and we will lose support for ilo2 & force ipv6 - what is not a problem as hw does not support it anyway.
diff --git a/fence/agents/lib/fencing.py.py b/fence/agents/lib/fencing.py.py
index fd21c69..d87618c 100644
--- a/fence/agents/lib/fencing.py.py
+++ b/fence/agents/lib/fencing.py.py
@@ -28,7 +28,7 @@ EC_INVALID_PRIVILEGES = 11
TELNET_PATH = "/usr/bin/telnet"
SSH_PATH = "/usr/bin/ssh"
-SSL_PATH = "@LIBEXECDIR@/fence_nss_wrapper"
+SSL_PATH = "/usr/bin/gnutls-cli"
SUDO_PATH = "/usr/bin/sudo"
all_opt = {
@@ -960,7 +960,7 @@ def fence_login(options, re_login_string = "(login\s*: )|(Login Name: )|(userna
re_pass = re.compile("(password)|(pass phrase)", re.IGNORECASE)
if options.has_key("--ssl"):
- command = '%s %s %s %s' % (SSL_PATH, force_ipvx, options["--ip"], options["--ipport"])
+ command = '%s --insecure --crlf -p %s %s' % (SSL_PATH, options["--ipport"], options["--ip"])
try:
conn = fspawn(options, command)
except pexpect.ExceptionPexpect, ex:
(In reply to Marek Grac from comment #14) > We can switch to gnutls-cli and remove nss_wrapper completely. With current > version, there is no problem with communication with iLO2 (tested with RIBCL > 1.22); > > The required patch just change the executable and we will lose support for > ilo2 & force ipv6 - what is not a problem as hw does not support it anyway. > > > > > diff --git a/fence/agents/lib/fencing.py.py b/fence/agents/lib/fencing.py.py > index fd21c69..d87618c 100644 > --- a/fence/agents/lib/fencing.py.py > +++ b/fence/agents/lib/fencing.py.py > @@ -28,7 +28,7 @@ EC_INVALID_PRIVILEGES = 11 > > TELNET_PATH = "/usr/bin/telnet" > SSH_PATH = "/usr/bin/ssh" > -SSL_PATH = "@LIBEXECDIR@/fence_nss_wrapper" > +SSL_PATH = "/usr/bin/gnutls-cli" Makes sense to me. Can we consider dropping fence_nss_wrapper completely in favour of gnutls-cli? @Fabio: yes, we can completely drop fence_nss_wrapper then btw: of course in final version the path won't be hard-coded :) Problem is fixed in upstream: https://git.fedorahosted.org/cgit/fence-agents.git/commit/?id=52ed50a1bd4b4bfe632bd560de27195fcea65802 nss-wrapper was completely removed in favor of gnutls-cli Unit test: fence_ilo -o status ... fence_ilo -o reboot ... Patch in upstream: https://git.fedorahosted.org/cgit/fence-agents.git/commit/?id=52ed50a1bd4b4bfe632bd560de27195fcea65802 *** Bug 875055 has been marked as a duplicate of this bug. *** Unit test result related to incorrect build:
[root@rhel7-node1 ~]# grep SSL_PATH /usr/share/fence/fencing.py |head -n1
SSL_PATH = "/usr/bin/gnutls-cli"
Unit test result related to the broken Requires:
[root@rhel7-node1 download]# rpm -U fence-agents-all-4.0.2-16.el7.x86_64.rpm fence-agents-ilo2-4.0.2-16.el7.x86_64.rpm
error: Failed dependencies:
gnutls-utils is needed by fence-agents-ilo2-4.0.2-16.el7.x86_64
[root@rhel7-node1 download]# yum install gnutls-utils
[root@rhel7-node1 download]# rpm -U fence-agents-all-4.0.2-16.el7.x86_64.rpm fence-agents-ilo2-4.0.2-16.el7.x86_64.rpm
[root@rhel7-node1 download]#
Unit test results related to the gnutls connection to the device. Please note that a new option is required.
The problem:
gnutls > 3.x sets default negotiation protocol to TLS1.x
the device used for testing, while it claims TLS support, only works with SSL3.0
This can be verified either using RHEL6 gnutls-2.x or downgrading RHEL7 gnutls to 2.12.21-2.el7.x86_64.rpm (it will require some mocking around for libtasm.1.so.3 missing)
Default connection using gnutls-2.x on RHEL7:
[root@rhel7-node1 ~]# gnutls-cli --insecure hp-dl585g2-01-ilo.rhts.eng.bos.redhat.com
Resolving 'hp-dl585g2-01-ilo.rhts.eng.bos.redhat.com'...
Connecting to '10.16.64.205:443'...
- Ephemeral Diffie-Hellman parameters
- Using prime: 1024 bits
- Secret key: 1022 bits
- Peer's public key: 1023 bits
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
- subject `C=US,ST=Texas,L=Houston,O=Hewlett-Packard Company,OU=ISS,CN=hp-dl585g2-01-ilo', issuer `C=US,ST=Texas,L=Houston,O=Hewlett-Packard Company,OU=ISS,CN=hp-dl585g2-01-ilo', RSA key 1024 bits, signed using RSA-MD5 (broken!), activated `2002-12-05 20:25:26 UTC', expires `2022-12-05 20:25:26 UTC', SHA-1 fingerprint `73bb4663808c363c08ea088a9e04845b40655d6d'
- The hostname in the certificate does NOT match 'hp-dl585g2-01-ilo.rhts.eng.bos.redhat.com'
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: SSL3.0
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed
- Simple Client Mode:
Default connection using gnutls-3.x on RHEL7:
[root@rhel7-node1 ~]# gnutls-cli --insecure hp-dl585g2-01-ilo.rhts.eng.bos.redhat.com
Processed 149 CA certificate(s).
Resolving 'hp-dl585g2-01-ilo.rhts.eng.bos.redhat.com'...
Connecting to '10.16.64.205:443'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
- subject `C=US,ST=Texas,L=Houston,O=Hewlett-Packard Company,OU=ISS,CN=hp-dl585g2-01-ilo', issuer `C=US,ST=Texas,L=Houston,O=Hewlett-Packard Company,OU=ISS,CN=hp-dl585g2-01-ilo', RSA key 1024 bits, signed using RSA-MD5 (broken!), activated `2002-12-05 20:25:26 UTC', expires `2022-12-05 20:25:26 UTC', SHA-1 fingerprint `73bb4663808c363c08ea088a9e04845b40655d6d'
Public Key Id:
7ee167b84da6cf478dc2a2860a83bc647652bdd5
Public key's random art:
+--[ RSA 1024]----+
| |
| |
| |
| . . |
| . . .SE.. o |
|... o. ..oo o .|
|.*o. . ...+.=o |
|+ +o . o. X . |
| . .. . o.+. |
+-----------------+
- Status: The certificate is NOT trusted. The certificate issuer is unknown. The name in the certificate does not match the expected.
*** Verifying server certificate failed...
*** Fatal error: A TLS fatal alert has been received.
*** Received alert [20]: Bad record MAC
*** Handshake has failed
GnuTLS error: A TLS fatal alert has been received.
Forcing SSL3.0 connection on gnutls-3.x on RHEL7:
[root@rhel7-node1 ~]# gnutls-cli --priority "NORMAL:-VERS-TLS1.2:-VERS-TLS1.1:-VERS-TLS1.0:+VERS-SSL3.0" --insecure hp-dl585g2-01-ilo.rhts.eng.bos.redhat.com
Processed 149 CA certificate(s).
Resolving 'hp-dl585g2-01-ilo.rhts.eng.bos.redhat.com'...
Connecting to '10.16.64.205:443'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
- subject `C=US,ST=Texas,L=Houston,O=Hewlett-Packard Company,OU=ISS,CN=hp-dl585g2-01-ilo', issuer `C=US,ST=Texas,L=Houston,O=Hewlett-Packard Company,OU=ISS,CN=hp-dl585g2-01-ilo', RSA key 1024 bits, signed using RSA-MD5 (broken!), activated `2002-12-05 20:25:26 UTC', expires `2022-12-05 20:25:26 UTC', SHA-1 fingerprint `73bb4663808c363c08ea088a9e04845b40655d6d'
Public Key Id:
7ee167b84da6cf478dc2a2860a83bc647652bdd5
Public key's random art:
+--[ RSA 1024]----+
| |
| |
| |
| . . |
| . . .SE.. o |
|... o. ..oo o .|
|.*o. . ...+.=o |
|+ +o . o. X . |
| . .. . o.+. |
+-----------------+
- Status: The certificate is NOT trusted. The certificate issuer is unknown. The name in the certificate does not match the expected.
*** Verifying server certificate failed...
- Description: (SSL3.0-PKIX)-(RSA)-(AES-128-CBC)-(SHA1)
- Session ID: D1:23:75:82:B0:93:E4:5B:A5:18:8E:90:CA:4E:D3:1A:34:69:5A:17:97:8C:72:E6:8A:86:0C:BB:8B:E1:E4:13
- Version: SSL3.0
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed
- Simple Client Mode:
======================
Since TLS should always be preferred by default, we add a new config option
specific to those agents that support --ssl (cisco_ucs, ilo, ilo2, rhevm, vmware_soap) "--notls" or "-t".
Pre-patch:
[root@rhel7-node1 ~]# fence_ilo -a hp-dl585g2-01-ilo.rhts.eng.bos.redhat.com -l tester -p testtest -o status
Unable to connect/login to fencing device
Post patch:
[root@rhel7-node1 ~]# fence_ilo -a hp-dl585g2-01-ilo.rhts.eng.bos.redhat.com -l tester -p testtest -o status -t
Status: ON
Since the device does not belong to us, I am currently unable to verify actions other than status or if the original problem with password containing " will work.
*** Bug 1067855 has been marked as a duplicate of this bug. *** *** Bug 1068940 has been marked as a duplicate of this bug. *** This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request. |