Description of problem:
tl;dr but iiuc standard is 'CFB128-AES-128'[1] and this is what most agents, managers support. imo mentioning AES192 and AES256 can be counter-productive as it could cause an over-paranoid admin to define these values and then he could discover that remote snmpv3 compatible manager doesn't accept them.

# The SNMPv3 privacy protocol. Supported values are AES128, AES 192 and AES256.
# net-snmp only supports AES128 protocol.
##SNMP_PRIVACY_PROTOCOL=

[1] https://tools.ietf.org/html/rfc3826#section-3

Version-Release number of selected component (if applicable):
ovirt-engine-tools-4.0.2-0.2.rc1.el7ev.noarch

How reproducible:
100%

Steps to Reproduce:
1. check if AES192 and/or AES256 is mentioned in notifier.conf

Actual results:
AES192 and/or AES256 are mentioned in notifier.conf and this can cause confusion/misconfiguration

Expected results:
just have AES128, if anybody has special need, he could find out other AES modes on his own (or ovirt support channels)

Additional info:
Discovered while checking what kind of AES OpenBSD snmpd (manager) uses (yes, this is not the industry's favourite snmp daemon implementation...):

$ grep -IRi aes ../cvs/openbsd-src/usr.sbin/snmpd/*.{c,h,y}
../cvs/openbsd-src/usr.sbin/snmpd/usm.c: case PRIV_AES:
../cvs/openbsd-src/usr.sbin/snmpd/usm.c: return EVP_aes_128_cfb128();
../cvs/openbsd-src/usr.sbin/snmpd/usm.c: case PRIV_AES:
../cvs/openbsd-src/usr.sbin/snmpd/usm.c: priv = "CFB128-AES-128";
../cvs/openbsd-src/usr.sbin/snmpd/usm.c: case PRIV_AES:
../cvs/openbsd-src/usr.sbin/snmpd/snmpd.h: PRIV_AES /* CFB128-AES-128, RFC3826 */
../cvs/openbsd-src/usr.sbin/snmpd/parse.y: else if (strcasecmp($1, "aes") == 0 ||
../cvs/openbsd-src/usr.sbin/snmpd/parse.y: strcasecmp($1, "cfb128-aes-128") == 0)
../cvs/openbsd-src/usr.sbin/snmpd/parse.y: $$ = PRIV_AES;
I'd prefer to mention all of them as available options, but let's redefine the description like this:

# The SNMPv3 privacy protocol. Supported values are AES128, AES192 and AES256.
# Be aware that AES192 and AES256 are not defined in RFC3826, so please verify
# that your SNMP server supports those protocols before enabling them

I just briefly checked that all major SNMP vendors like Cisco, HP and IBM support those higher encryption protocols.
(In reply to Martin Perina from comment #2)
> I'd prefer to mention all of them as available options, but let's redefine
> the description like this:
>
> # The SNMPv3 privacy protocol. Supported values are AES128, AES192 and
> AES256.
> # Be aware that AES192 and AES256 are not defined in RFC3826, so please
> verify
> # that your SNMP server supports those protocols before enabling them
>
>
> I just briefly checked that all major SNMP vendors like Cisco, HP and IBM
> support those higher encryption protocols.

I'm fine with this.
This is a documentation-only fix for the SNMPv3 feature, which is new in 4.0, so it makes sense to have it included in 4.0.2
ok

rpm2cpio ovirt-engine-tools-4.0.3-0.0.master.20160724203215.git5682254.el7.centos.noarch.rpm | cpio -i --to-stdout './usr/share/ovirt-engine/services/ovirt-engine-notifier/ovirt-engine-notifier.conf' 2>/dev/null | sed -n '/SNMPv3 privacy protocol/,+3p'
# The SNMPv3 privacy protocol. Supported values are AES128, AES192 and AES256.
# Be aware that AES192 and AES256 are not defined in RFC3826, so please verify
# that your SNMP server supports those protocols before enabling them.
SNMP_PRIVACY_PROTOCOL=
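
The following is an added example, not part of the bug thread or of oVirt: a pre-deployment check that reads the effective SNMP_PRIVACY_PROTOCOL from a notifier configuration file and flags values outside RFC 3826. It assumes KEY=value lines where '#' starts a comment, the last uncommented assignment wins and values may be double-quoted; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the SNMPv3 privacy protocol set in a notifier conf.
# Assumptions (not confirmed by the page): KEY=value syntax, '#' comments,
# last uncommented assignment wins, optional double quotes around the value.

# Print the effective SNMP_PRIVACY_PROTOCOL value (empty if none is set).
privacy_protocol() {
    sed -n 's/^[[:space:]]*SNMP_PRIVACY_PROTOCOL[[:space:]]*=[[:space:]]*//p' "$1" |
        tail -n 1 |
        sed 's/[[:space:]]*$//; s/^"\(.*\)"$/\1/'
}

# Return 0 for AES128 (RFC 3826), 1 if nothing is set, 2 for AES192/AES256
# (not in RFC 3826, peer support must be verified), 3 for any other value.
check_privacy_protocol() {
    value=$(privacy_protocol "$1")
    case "$value" in
        AES128)
            echo "ok: AES128 (CFB128-AES-128, RFC 3826)"
            return 0 ;;
        "")
            echo "unset: no SNMP_PRIVACY_PROTOCOL value in $1"
            return 1 ;;
        AES192|AES256)
            echo "warn: $value is not defined in RFC 3826;" \
                 "verify that the SNMP server supports it before enabling"
            return 2 ;;
        *)
            echo "error: '$value' is not one of AES128, AES192, AES256"
            return 3 ;;
    esac
}

# Constructed sample input (not a real deployment file).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# The SNMPv3 privacy protocol. Supported values are AES128, AES192 and AES256.
##SNMP_PRIVACY_PROTOCOL=
SNMP_PRIVACY_PROTOCOL="AES256"
EOF
check_privacy_protocol "$sample" || true   # prints the AES256 warning
rm -f "$sample"
```

The non-zero return codes let a deployment script stop and ask for confirmation when AES192 or AES256 is configured.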