Bug 1264479 - [vmconsole] ovirt-vmconsole-list.py does not create secure ssl session
Status: CLOSED CURRENTRELEASE
Product: ovirt-engine
Classification: oVirt
Component: VMConsole
Priority: low
Severity: low
Target Milestone: ovirt-3.6.2
Target Release: 3.6.2
Assigned To: Francesco Romani
QA Contact: Nikolai Sednev
Keywords: Triaged
Blocks: 1223671
Reported: 2015-09-18 10:47 EDT by Alon Bar-Lev
Modified: 2016-02-18 06:04 EST

Doc Type: Bug Fix
Last Closed: 2016-02-18 06:04:15 EST
Type: Bug
oVirt Team: Virt
ylavi: ovirt-3.6.z?
ylavi: planning_ack?
tjelinek: devel_ack+
rule-engine: testing_ack+
External Trackers
Tracker ID | Priority | Status | Summary | Last Updated
oVirt gerrit 46373 | master | MERGED | setup: sercon: validate certs connecting to engine | Never
oVirt gerrit 48835 | ovirt-engine-3.6 | MERGED | setup: sercon: validate certs connecting to engine | 2015-12-17 07:54 EST
Description Alon Bar-Lev 2015-09-18 10:47:07 EDT
When communicating with the engine we need to specify the CA certificate we trust.

Currently the script is using an insecure method.

Also, if the server name is localhost we need to disable host name validation.

An example of how to perform a URL GET is available here [1]; in any implementation you choose, the CA must be checked.

The configuration of the script should add the following two parameters:

ENGINE_CA=$PKIDIR/apache-ca.pem
ENGINE_VERIFY_HOST=false if engine_host == 'localhost' else true

[1] https://gerrit.ovirt.org/#/c/45270/12/src/ovirt_hosted_engine_setup/util.py
Comment 1 Alon Bar-Lev 2015-09-18 10:58:00 EDT
If you like, you can also add:

ENGINE_VERIFY_CERTIFICATE=true/false

to enable/disable verification of the certificate; the default and the settings should be true, of course.
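The description and Comment 1 above propose three configuration keys (ENGINE_CA, ENGINE_VERIFY_HOST, ENGINE_VERIFY_CERTIFICATE) and the rule that host name validation is skipped only when the engine host is localhost. The following is an added example, not ovirt-vmconsole's own code and not the util.py referenced in [1], showing how a Python helper can turn those keys into a TLS client context that trusts only the engine CA and refuses to fall back to an unverified connection. The KEY=value config format, the ENGINE_HOST/ENGINE_PORT keys, the sample config and the CA path in it are constructed assumptions.

```python
"""Added illustration of the configuration keys proposed in this bug:
build a TLS client context for the engine connection that validates the
server certificate against ENGINE_CA and skips host name validation only
when configured to (defaulting to skip it for localhost).  Not the real
ovirt-vmconsole-list.py; the config format and ENGINE_HOST are assumed."""
import ssl
import urllib.request

# Constructed sample config using the keys from the bug; the CA path is a
# placeholder, not a real oVirt PKI file.
SAMPLE_CONFIG = """\
ENGINE_HOST=localhost
ENGINE_PORT=443
ENGINE_CA=/example/pki/apache-ca.pem
ENGINE_VERIFY_CERTIFICATE=true
"""


def parse_config(text):
    """Parse KEY=value lines (assumed format); blanks and '#' comments are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#') or '=' not in line:
            continue
        key, _, value = line.partition('=')
        conf[key.strip()] = value.strip()
    return conf


def as_bool(value):
    """Accept the usual spellings of a boolean config value."""
    return value.strip().lower() in ('true', 'yes', '1')


def derive_tls_settings(conf):
    """Return (host, verify_cert, verify_host) using the defaults from the bug:
    certificate verification defaults to true, and host name verification
    defaults to false only when the engine host is localhost."""
    host = conf.get('ENGINE_HOST', 'localhost')
    verify_cert = as_bool(conf.get('ENGINE_VERIFY_CERTIFICATE', 'true'))
    default_verify_host = 'false' if host == 'localhost' else 'true'
    verify_host = as_bool(conf.get('ENGINE_VERIFY_HOST', default_verify_host))
    return host, verify_cert, verify_host


def build_ssl_context(ca_file, verify_cert=True, verify_host=True):
    """Build an SSLContext that trusts only ca_file.

    PROTOCOL_TLS_CLIENT already sets CERT_REQUIRED and check_hostname=True;
    they are relaxed only when the configuration explicitly says so.  A
    missing CA file raises FileNotFoundError rather than silently producing
    an unverified connection, which is the failure mode this bug is about."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if not verify_cert:
        # check_hostname must be cleared before verify_mode; ssl enforces the order.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    ctx.check_hostname = verify_host
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=ca_file)
    return ctx


def engine_get(conf, path):
    """Perform the HTTPS GET against the engine with the verified context."""
    host, verify_cert, verify_host = derive_tls_settings(conf)
    ctx = build_ssl_context(conf['ENGINE_CA'], verify_cert, verify_host)
    url = 'https://%s:%s%s' % (host, conf.get('ENGINE_PORT', '443'), path)
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return resp.read()


if __name__ == '__main__':
    settings = derive_tls_settings(parse_config(SAMPLE_CONFIG))
    print('host=%s verify_cert=%s verify_host=%s' % settings)
```

Two points are worth noting for whoever implements or verifies this: disabling host name validation for localhost still leaves the certificate chain check in place, so a connection to a host presenting a certificate not signed by ENGINE_CA fails even on the engine host; and because the CA file is loaded eagerly, a misconfigured ENGINE_CA path surfaces as an error at startup instead of as a connection that silently skipped verification.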
Comment 2 Sandro Bonazzola 2015-09-29 06:06:21 EDT
3.6.0 RC is out; please mark this as a blocker for 3.6.0 GA or postpone it to a later release.
Comment 3 Michal Skrivanek 2015-09-29 07:04:33 EDT
In 3.6 we only support deployment on the engine host, hence securing the connection is not critical.
We do plan to support deployment on other hosts in the future.
Comment 4 Francesco Romani 2015-09-29 08:33:31 EDT
Aligning target release to target milestone as per https://bugzilla.redhat.com/show_bug.cgi?id=1264479#c3
Comment 5 Red Hat Bugzilla Rules Engine 2015-10-19 06:51:00 EDT
Target release should be set once a package build is known to fix an issue. Since this bug is not modified, the target version has been reset. Please use the target milestone to plan a fix for an oVirt release.
Comment 6 Yaniv Lavi (Dary) 2015-10-29 08:35:06 EDT
In oVirt testing is done on single release by default. Therefore I'm removing the 4.0 flag. If you think this bug must be tested in 4.0 as well, please re-add the flag. Please note we might not have testing resources to handle the 4.0 clone.
Comment 7 Nikolai Sednev 2015-11-23 10:27:35 EST
Hi Francesco,
Can you provide the exact reproduction steps for the QA please?
Comment 8 Francesco Romani 2015-11-25 05:15:22 EST
From the user's perspective this fix should be transparent, so to verify it we could check that the helper is using SSL ports and that it loads the right certificate. I think this has to be checked using system tools (e.g. strace, netstat...); I can't think of a simpler way.
Comment 9 Sandro Bonazzola 2015-12-23 08:41:47 EST
oVirt 3.6.2 RC1 has been released for testing; moving to ON_QA.