Bug 1412547 - Allow negotiation of highest available TLS version for engine <-> VDSM communication
Status: CLOSED CURRENTRELEASE
Product: ovirt-engine
Classification: oVirt
Component: Backend.Core
Version: 4.0.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ovirt-4.1.1
Target Release: 4.1.1
Assigned To: Piotr Kliczewski
QA Contact: Jiri Belka
Keywords: ZStream
Depends On:
Blocks: RHV_TLS_1_2_SUPPORT 1414696 1414923 1419540
Reported: 2017-01-12 04:25 EST by Martin Perina
Modified: 2017-04-21 05:51 EDT

Doc Type: Enhancement
Doc Text:
Previously, when the Manager connected to VDSM it tried to negotiate the highest available TLS version, but because of earlier problems with m2crypto the negotiation was capped at TLSv1.0 and no higher version was ever offered. The cap has now been removed, so TLSv1.1 and TLSv1.2 are negotiated when the VDSM side supports them. Removing the cap allows TLSv1.0 to be dropped from future versions of VDSM.
Clones: 1419540
Last Closed: 2017-04-21 05:51:08 EDT
Type: Bug
oVirt Team: Infra
Flags:
rule-engine: ovirt-4.1+
rule-engine: planning_ack+
mperina: devel_ack+
pstehlik: testing_ack+
External Trackers:
oVirt gerrit 70038 (master, MERGED): vdsbroker: Update ssl protocol version (2017-01-13 01:23 EST)
oVirt gerrit 70559 (ovirt-engine-4.1, MERGED): vdsbroker: Update ssl protocol version (2017-02-02 09:43 EST)
oVirt gerrit 70918 (master, MERGED): http: use protocol which is understood by http client (2017-01-24 17:52 EST)
oVirt gerrit 73255 (ovirt-engine-4.1, MERGED): core: StorageHandlingCommandBase - getEntitiesFromStorageOvfDisk() loop (2017-03-01 09:51 EST)
Description Martin Perina 2017-01-12 04:25:01 EST
Description of problem:

At the moment we limit protocol negotiation to TLSv1.0 because of issues with m2crypto in the past. We were not able to reproduce those issues with the latest m2crypto on EL7, so we can remove this limit and allow the engine to negotiate the highest TLS version available on the VDSM side.
Comment 1 Martin Perina 2017-01-13 01:08:12 EST
Retargeting to 4.1.1 to allow more extensive testing of the feature
Comment 3 Jiri Belka 2017-03-06 09:22:14 EST
ok, ovirt-engine-4.1.1.3-0.1.el7.noarch

1. VdsmSSLProtocol = TLSv1.2 vs ssl_protocol = tlsv1
   > client tls 1.2, agreed tls 1.0

2. VdsmSSLProtocol = TLSv1.2 vs ssl_protocol = sslv23
   > client tls 1.2, agreed tls 1.2
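Added example, not part of the bug report or of the oVirt/VDSM code: a Go program that reproduces the matrix from comment 3 with real TLS handshakes over loopback TCP, and adds the case the Doc Text points at (VDSM dropping the old version while the engine is still pinned to it). Current Go and OpenSSL builds no longer enable TLS 1.0, so the demo uses TLS 1.2 and TLS 1.3 as stand-ins for the TLSv1.0/TLSv1.2 pair in the comment: a server pinned to a single version plays the role of VDSM with ssl_protocol = tlsv1, a server that accepts a range plays ssl_protocol = sslv23, and a client whose ceiling is the newest version plays the engine with VdsmSSLProtocol set to its maximum. The self-signed certificate, the host name vdsm.example and the Negotiate/VersionName helpers are all constructed for this example and do not exist in either project.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// VersionName renders a TLS version constant the way the bug comments do.
func VersionName(v uint16) string {
	switch v {
	case tls.VersionTLS12:
		return "TLSv1.2"
	case tls.VersionTLS13:
		return "TLSv1.3"
	}
	return fmt.Sprintf("0x%04x", v)
}

// selfSignedCert builds a throwaway server certificate (constructed for the
// demo; the real engine trusts VDSM through the oVirt CA instead).
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "vdsm.example"},
		DNSNames:     []string{"vdsm.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// Negotiate runs one handshake: the server side models VDSM's ssl_protocol
// (a [min,max] range), the client side models the engine's VdsmSSLProtocol
// ceiling. It returns the agreed version, or an error when no version is shared.
func Negotiate(serverMin, serverMax, clientMin, clientMax uint16) (uint16, error) {
	cert, err := selfSignedCert()
	if err != nil {
		return 0, err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	srvCfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: serverMin, MaxVersion: serverMax}
	srvErr := make(chan error, 1) // buffered so the goroutine never blocks on send
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			srvErr <- err
			return
		}
		defer raw.Close()
		raw.SetDeadline(time.Now().Add(5 * time.Second))
		srvErr <- tls.Server(raw, srvCfg).Handshake()
	}()
	// InsecureSkipVerify only because the cert above is self-signed; the engine itself verifies against the oVirt CA.
	cliCfg := &tls.Config{InsecureSkipVerify: true, ServerName: "vdsm.example", MinVersion: clientMin, MaxVersion: clientMax}
	raw, err := net.DialTimeout("tcp", ln.Addr().String(), 5*time.Second)
	if err != nil {
		return 0, err
	}
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	c := tls.Client(raw, cliCfg)
	if err := c.Handshake(); err != nil {
		<-srvErr // let the server goroutine finish before reporting
		return 0, err
	}
	if err := <-srvErr; err != nil {
		return 0, err
	}
	return c.ConnectionState().Version, nil
}

func main() {
	cases := []struct {
		name                           string
		srvMin, srvMax, cliMin, cliMax uint16
	}{
		{"VDSM pinned to one version, engine ceiling newer", tls.VersionTLS12, tls.VersionTLS12, tls.VersionTLS12, tls.VersionTLS13},
		{"VDSM accepts a range, engine ceiling newer", tls.VersionTLS12, tls.VersionTLS13, tls.VersionTLS12, tls.VersionTLS13},
		{"VDSM dropped the old version, engine still pinned to it", tls.VersionTLS13, tls.VersionTLS13, tls.VersionTLS12, tls.VersionTLS12},
	}
	for _, tc := range cases {
		v, err := Negotiate(tc.srvMin, tc.srvMax, tc.cliMin, tc.cliMax)
		if err != nil {
			fmt.Printf("%s: handshake failed: %v\n", tc.name, err)
			continue
		}
		fmt.Printf("%s: agreed %s\n", tc.name, VersionName(v))
	}
}
```

The first two cases mirror comment 3 (client ceiling newer than a pinned server agrees on the server's version; client ceiling newer than a ranged server agrees on the newest shared version). The third case is why the cap mattered: once the VDSM side stops offering the old version, an engine still pinned to it cannot connect at all, so the ceiling on the engine side has to be raised before the floor on the VDSM side is.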
