Bug 1154536 - [3.0.z] OpenJDK update that disables SSLv3 breaks RHSC functionality to manage storage nodes
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat Storage
Component: rhsc
Version: rhgs-3.0
Hardware: All
OS: Linux
high
urgent
Target Milestone: ---
: RHGS 3.0.3
Assignee: Shubhendu Tripathi
QA Contact: Shruti Sampat
URL:
Whiteboard: Infra
Depends On: 1154184
Blocks: 1185617
Reported: 2014-10-20 06:30 UTC by RamaKasturi
Modified: 2019-10-10 09:26 UTC (History)

Fixed In Version: rhsc-3.0.3-1.21.el6rhs.src.rpm
Doc Type: Bug Fix
Doc Text:
Previously, the Red Hat Storage Console displayed the status of the Red Hat Storage nodes as non-operational as the console was not able to communicate with the nodes. This happened because the SSLv3 protocol is not supported by the latest JDK version java-1.7.0-openjdk-1.7.0.75-2.5.4.0.el6_6.x86_64. With this fix, the Red Hat Storage Console uses the TLSv1 protocol to communicate with the Red Hat Storage nodes.
Clone Of: 1154184
: 1154578 1185617 (view as bug list)
Environment:
Last Closed: 2015-02-12 10:17:08 UTC
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:0168 0 normal SHIPPED_LIVE Red Hat Storage Console 3.0 bug fix async update 2015-02-12 15:16:20 UTC

Description RamaKasturi 2014-10-20 06:30:25 UTC
+++ This bug was initially created as a clone of Bug #1154184 +++

RHEV should not use SSLv3 encryption. It should use TLS instead.
SSL is an old encryption type and TLS is much newer.

Also, SSL is vulnerable, as per CVE-2014-3566:
https://access.redhat.com/articles/1232123

Comment 6 RamaKasturi 2015-01-24 08:42:26 UTC
Further investigation has shown that it is an OpenJDK update that disables SSL 3.0 by default which breaks Console.

Comment 11 Shalaka 2015-02-02 08:11:41 UTC
Added doc text as discussed. Could you confirm if this is fine?

Comment 12 Shubhendu Tripathi 2015-02-02 08:13:57 UTC
doc-text looks fine

Comment 13 Shalaka 2015-02-02 09:02:45 UTC
Hi Kasturi,

Could you confirm if the jdk package name mentioned in the doc text is correct?

Comment 14 RamaKasturi 2015-02-02 09:06:41 UTC
Yes. The OpenJDK version mentioned in the doc text is correct.

Comment 15 Shruti Sampat 2015-02-02 12:29:43 UTC
Verified as fixed in rhsc-3.0.3-1.21.el6rhs.

OpenJDK version installed - java-1.7.0-openjdk-1.7.0.75-2.5.4.0.el6_6.x86_64

Tested by upgrading RHSC from rhsc-3.0.3-1.20.el6rhs to rhsc-3.0.3-1.21.el6rhs. Nodes that were non-responsive are now UP. Added a new host to the engine, and imported existing cluster. Found to be working without any issues. 

Option 'VdsmSSLProtocol' in engine database is set to TLSv1 -

engine=# select option_name,option_value from vdc_options where option_name = 'VdsmSSLProtocol';
   option_name   | option_value 
-----------------+--------------
 VdsmSSLProtocol | TLSv1
(1 row)
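
A companion to the database check in Comment 15, added here as an example and not part of the bug report or of RHSC: it reports whether a protocol name such as the `VdsmSSLProtocol` value is implemented by the running JVM and not listed in the `jdk.tls.disabledAlgorithms` security property. The class name `ProtocolPolicyCheck` and the default protocol list are assumptions.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Added example (hypothetical class name): checks protocol names against this JVM.
public class ProtocolPolicyCheck {

    // True when the exact protocol name is an entry of jdk.tls.disabledAlgorithms.
    static boolean disabledByPolicy(String protocol) {
        String policy = Security.getProperty("jdk.tls.disabledAlgorithms");
        if (policy == null) {
            return false;                      // property absent: nothing disabled
        }
        for (String entry : policy.split(",")) {
            if (entry.trim().equalsIgnoreCase(protocol)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Names to test; the defaults are the two protocols named in this bug.
        String[] wanted = args.length > 0 ? args : new String[] { "SSLv3", "TLSv1" };

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);            // JVM default key and trust material
        SSLEngine engine = ctx.createSSLEngine();
        List<String> supported = Arrays.asList(engine.getSupportedProtocols());

        System.out.println("java.version       = " + System.getProperty("java.version"));
        System.out.println("enabled by default = "
                + Arrays.toString(engine.getEnabledProtocols()));

        boolean allUsable = true;
        for (String p : wanted) {
            boolean isSupported = supported.contains(p);
            boolean isDisabled = disabledByPolicy(p);
            boolean ok = isSupported && !isDisabled;
            System.out.printf("%-8s supported=%b disabledByPolicy=%b -> %s%n",
                    p, isSupported, isDisabled, ok ? "usable" : "NOT usable");
            allUsable &= ok;
        }
        System.exit(allUsable ? 0 : 1);        // non-zero exit lets a script gate on it
    }
}
```

Run it with the same `java` binary the console service uses, passing the configured protocol name as an argument; the security property is read from that JVM's own configuration.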

Comment 18 errata-xmlrpc 2015-02-12 10:17:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0168.html

