Description of problem:
login doesn't work with TLS versions 1.1+ only (SSLProtocol +TLSv1.2 +TLSv1.1)

Version-Release number of selected component (if applicable):
rhevm-4.0.4.4-0.1.el7ev.noarch
ovirt-engine-backend-4.0.4.4-0.1.el7ev.noarch

How reproducible:
always

Steps to Reproduce:
1. change SSLProtocol directive in ssl.conf to: SSLProtocol +TLSv1.2 +TLSv1.1
2. log in
3.

Actual results:
error page: Remote host closed connection during handshake, log however shows that authentication finished correctly

Expected results:
When +TLSv1 is also added to ssl.conf (to support TLS 1.0-1.2 range), authentication starts working

Additional info:
This bug may have security implications as TLS 1.0 is not considered secure anymore and it's forcing ovirt engine to support it.
Please provide all logs (httpd + engine) so we can investigate the issue. Anyway this seems to me like an RFE to support only TLS1.1+
Created attachment 1213485 [details] login when httpd listens on TLS 1.0 (works)
Created attachment 1213486 [details] login attempt when httpd listens on TLS 1.1+ (not successful)
This is not an RFE. This bug prevents plugging security holes and Java 1.8 should support TLS > 1.0: https://www.ssllabs.com/ssltest/viewClient.html?name=Java&version=8u31&key=86

rpm -qf $(readlink -f /usr/bin/java)
java-1.8.0-openjdk-headless-1.8.0.111-1.b15.el7_2.x86_64
Please create a custom config file 99-ssl.conf and add the SSL protocol to it, restart engine and everything should work fine.

# cat /etc/ovirt-engine/engine.conf.d/99-ssl.conf
ENGINE_SSO_SERVICE_SSL_PROTOCOL=TLSv1.1
This means we have essentially reintroduced CVE-2011-3389 and we should either fix it or document that we have done this.
(In reply to Ravi Nori from comment #5)
> Please create a custom config file 99-ssl.conf and add the SSL protocol to
> it, restart engine and everything should work fine.
>
> # cat /etc/ovirt-engine/engine.conf.d/99-ssl.conf
>
> ENGINE_SSO_SERVICE_SSL_PROTOCOL=TLSv1.1

Any reason we cannot make it (or 1.2) the Default in 4.1?
(In reply to Yaniv Kaul from comment #7)
> (In reply to Ravi Nori from comment #5)
> > Please create a custom config file 99-ssl.conf and add the SSL protocol to
> > it, restart engine and everything should work fine.
> >
> > # cat /etc/ovirt-engine/engine.conf.d/99-ssl.conf
> >
> > ENGINE_SSO_SERVICE_SSL_PROTOCOL=TLSv1.1
>
> Any reason we cannot make it (or 1.2) the Default in 4.1?

No problem to change that, updating bug title accordingly and targeting to 4.1. I've also created BZ1388456 to remove TLSv1.0 support from our Apache configuration.
(In reply to Ravi Nori from comment #5)
> ...
> ENGINE_SSO_SERVICE_SSL_PROTOCOL=TLSv1.1

Works. But...

Setting a specific TLS version across whole code base is prone to repeated bugs like this whenever protocols get obsolete. A good approach would be to tell openssl to handle versions automatically, translating to openssl's language, to use TLS_method()/SSLv23_method() instead of (SSLv3|TLSv1|TLSv1_1|TLSv1_2)_method(), optionally with blacklisting obsolete versions using either SSL_CTX_set_min_proto_version() in openssl >= 1.1 or SSL_OP_NO_* options for openssl < 1.1.

FTR, git grep for 'SSLv[23]\|TLSv1' yields:

> $ git grep -n 'SSLv[23]\|TLSv1'
> backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/FiltersHelper.java:154: return new HttpURLConnectionBuilder(url).setHttpsProtocol("TLSv1")
> backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/config/ConfigValues.java:325: @DefaultValueAttribute("TLSv1")
> backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/config/ConfigValues.java:328: @DefaultValueAttribute("TLSv1")
> backend/manager/modules/uutils/src/main/java/org/ovirt/engine/core/uutils/net/HttpURLConnectionBuilder.java:26: private String httpsProtocol = "TLSv1";
> backend/manager/modules/uutils/src/main/java/org/ovirt/engine/core/uutils/servlet/ProxyServletBase.java:127: httpsProtocol = "TLSv1";
> backend/manager/modules/vdsbroker/src/test/java/org/ovirt/engine/core/vdsbroker/jsonrpc/JsonRpcIntegrationTest.java:38: "TLSv1",
> packaging/dbscripts/sso_clients_sp.sql:12: v_notification_callback_protocol VARCHAR(32) DEFAULT 'TLSv1',
> packaging/dbscripts/upgrade/pre_upgrade/0000_config.sql:442:select fn_db_add_config_value('VdsmSSLProtocol','TLSv1','general');
> packaging/dbscripts/upgrade/pre_upgrade/0000_config.sql:443:select fn_db_add_config_value('ExternalCommunicationProtocol','TLSv1','general');
> packaging/dbscripts/upgrade/pre_upgrade/0000_config.sql:800:-- Override existing configuration to TLSv1 if it is SSLv3
> packaging/dbscripts/upgrade/pre_upgrade/0000_config.sql:801:select fn_db_update_default_config_value('VdsmSSLProtocol','SSLv3','TLSv1','general', false);
> packaging/dbscripts/upgrade/pre_upgrade/0000_config.sql:802:select fn_db_update_default_config_value('ExternalCommunicationProtocol','SSLv3','TLSv1','general', false);
> packaging/services/ovirt-engine/ovirt-engine.conf.in:171:# SSLv3
> packaging/services/ovirt-engine/ovirt-engine.conf.in:172:# TLSv1
> packaging/services/ovirt-engine/ovirt-engine.conf.in:173:# TLSv1.1
> packaging/services/ovirt-engine/ovirt-engine.conf.in:174:# TLSv1.2
> packaging/services/ovirt-engine/ovirt-engine.conf.in:176:ENGINE_HTTPS_PROTOCOLS=SSLv3,TLSv1,TLSv1.1,TLSv1.2
> packaging/services/ovirt-engine/ovirt-engine.conf.in:301:ENGINE_SSO_SERVICE_SSL_PROTOCOL=TLSv1
> packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/config/sso.py:166: notification_callback_host_protocol='TLSv1',

leaving quite some room for breakages and/or use of obsolete TLS versions... All of these should be fixed to something more robust.
Just adding a note on 1.2. TLSv1.2 uses higher levels of encryption and also supports software for handling the encryption instead of using hardware acceleration. So we need extensive testing on different platforms before we can set TLSv1.2 as default, we can definitely set TLSv1.1 as default without any performance impact. Will look into enabling a set of protocols in the code base.
Since SSO and Engine are always on the same host (don't have to, but in practice always), they should just use plain communication. See discussion on https://gerrit.ovirt.org/#/c/67294/
Let's use TLS negotiation for engine <-> sso communication to select highest available TLS version instead of setting concrete version in ENGINE_SSO_SERVICE_SSL_PROTOCOL option
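The version-selection step that comment #8 (use TLS_method()/SSLv23_method() with a minimum-version floor instead of a pinned TLSv1_method()) and the comment above (negotiate the highest available version for engine <-> SSO) both rely on, replayed as an added example that is not ovirt-engine, httpd or OpenSSL code. It is a small Python model of how a TLS 1.0-1.2 server and client settle on a version, fed with the SSLProtocol strings and ENGINE_SSO_SERVICE_SSL_PROTOCOL values from this thread. The names parse_ssl_protocol, endpoint_versions, negotiate, sso_login and login_outcome are the example's own, and the "TLS" / "TLSv1" / "TLSv1.1" protocol names are used in the JSSE sense: "TLS" leaves the version to negotiation, a concrete name pins it.

```python
"""Constructed model of TLS (pre-1.3) version negotiation.

Added example, not ovirt-engine, httpd or OpenSSL code. A TLS 1.0-1.2 server
answers a ClientHello with the highest version it enables that is not above the
version the client offered; the client then accepts only a version it enables.
Pinning one version on one side is exactly what turns an httpd restricted to
TLSv1.1/1.2 into a closed connection during the handshake.
"""
from __future__ import annotations

# Record-layer version numbers (major, minor) carried in ClientHello/ServerHello.
VERSIONS: dict[str, tuple[int, int]] = {
    "SSLv3": (3, 0),
    "TLSv1": (3, 1),
    "TLSv1.1": (3, 2),
    "TLSv1.2": (3, 3),
}
NAMES = {wire: name for name, wire in VERSIONS.items()}
TLS_FAMILY = {wire for name, wire in VERSIONS.items() if name.startswith("TLS")}


class HandshakeFailure(Exception):
    """Stands in for the protocol_version alert / 'Remote host closed connection'."""


def parse_ssl_protocol(directive: str) -> set[tuple[int, int]]:
    """Parse an httpd SSLProtocol value ('+TLSv1.2 +TLSv1.1', 'all -SSLv3', ...)
    into the set of versions the server accepts. SSLv2 is not modelled, so 'all'
    means every version in VERSIONS. Unknown names raise KeyError."""
    enabled: set[tuple[int, int]] = set()
    for token in directive.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        members = set(VERSIONS.values()) if name.lower() == "all" else {VERSIONS[name]}
        if sign == "+":
            enabled |= members
        else:
            enabled -= members
    return enabled


def endpoint_versions(protocol: str, min_version: str | None = None) -> set[tuple[int, int]]:
    """Versions an SSLContext / SSL_CTX configured with `protocol` will speak.

    'TLS' behaves like OpenSSL's TLS_method()/SSLv23_method(): every TLS version
    the library knows, left to negotiation. A concrete name such as 'TLSv1' pins
    a single version, like TLSv1_method(). `min_version` models
    SSL_CTX_set_min_proto_version() (or the equivalent SSL_OP_NO_* removals)."""
    enabled = set(TLS_FAMILY) if protocol == "TLS" else {VERSIONS[protocol]}
    if min_version is not None:
        enabled = {v for v in enabled if v >= VERSIONS[min_version]}
    return enabled


def negotiate(client: set[tuple[int, int]], server: set[tuple[int, int]]) -> str:
    """Run the version-selection step of a TLS 1.0-1.2 handshake and return the
    agreed version name, or raise HandshakeFailure when either side gives up."""
    if not client or not server:
        raise HandshakeFailure("an endpoint enables no protocol version")
    offered = max(client)                       # client_version in ClientHello
    acceptable = [v for v in server if v <= offered]
    if not acceptable:                          # server cannot go that low
        raise HandshakeFailure(f"server accepts nothing <= {NAMES[offered]}")
    chosen = max(acceptable)                    # server_version in ServerHello
    if chosen not in client:                    # client refuses the downgrade
        raise HandshakeFailure(f"client rejects server choice {NAMES[chosen]}")
    return NAMES[chosen]


def sso_login(engine_protocol: str, httpd_ssl_protocol: str,
              engine_min: str | None = None) -> str:
    """Replay the engine -> SSO leg: ENGINE_SSO_SERVICE_SSL_PROTOCOL on the
    engine side against httpd's SSLProtocol line. Raises on failure."""
    return negotiate(endpoint_versions(engine_protocol, engine_min),
                     parse_ssl_protocol(httpd_ssl_protocol))


def login_outcome(engine_protocol: str, httpd_ssl_protocol: str,
                  engine_min: str | None = None) -> str | None:
    """Same as sso_login, but returns None instead of raising."""
    try:
        return sso_login(engine_protocol, httpd_ssl_protocol, engine_min)
    except HandshakeFailure:
        return None


if __name__ == "__main__":
    # Constructed scenarios taken from the thread's configurations.
    cases = [
        ("TLSv1", "+TLSv1.2 +TLSv1.1", None),          # the reported bug
        ("TLSv1", "+TLSv1.2 +TLSv1.1 +TLSv1", None),   # reporter's workaround: works, on TLS 1.0
        ("TLSv1.1", "+TLSv1.2 +TLSv1.1", None),        # comment #5 workaround
        ("TLS", "+TLSv1.2 +TLSv1.1", None),            # negotiation picks the highest common
        ("TLS", "+TLSv1.1", None),                     # verification case 1 from the thread
        ("TLS", "+TLSv1", "TLSv1.1"),                  # client-side floor refuses TLS 1.0
    ]
    for engine, httpd, floor in cases:
        result = login_outcome(engine, httpd, floor) or "handshake failed"
        print(f"engine={engine:<8} min={str(floor):<8} httpd='{httpd}' -> {result}")
```

Running the block prints the six scenarios; the two that fail are the reported configuration (engine pinned to TLSv1 against httpd on TLSv1.1/1.2) and the case where the engine carries a TLSv1.1 floor and httpd offers only TLSv1. The model is deliberately limited to the version step: cipher-suite selection, renegotiation and TLS 1.3's supported_versions extension are outside what the thread discusses.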
See also: https://bugzilla.redhat.com/show_bug.cgi?id=1408847
(In reply to Marina from comment #13)
> See also:
> https://bugzilla.redhat.com/show_bug.cgi?id=1408847

Not relevant, this bug only changes encryption protocol between engine and SSO module, it does not touch engine <-> VDSM encryption support.
ok

ovirt-engine-4.1.0.2-0.2.el7.noarch
httpd-2.4.6-45.el7.x86_64

tested with:
1. ENGINE_SSO_SERVICE_SSL_PROTOCOL=TLS & SSLProtocol +TLSv1.1 = TLSv1.1 in web browser, login to Admin Portal successful
2. ENGINE_SSO_SERVICE_SSL_PROTOCOL=TLS & SSLProtocol +TLSv1.2 = TLSv1.2 in web browser, login to Admin Portal successful