Bug 1412547 - Allow negotiation of highest available TLS version for engine <-> VDSM communication
Summary: Allow negotiation of highest available TLS version for engine <-> VDSM commun...
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: Backend.Core
Version: 4.0.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ovirt-4.1.1
: 4.1.1
Assignee: Piotr Kliczewski
QA Contact: Jiri Belka
Depends On:
Blocks: RHV_TLS_1_2_SUPPORT 1414696 1414923 1419540
TreeView+ depends on / blocked
Reported: 2017-01-12 09:25 UTC by Martin Perina
Modified: 2017-04-21 09:51 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Previously, when the Manager attempted to connect to VDSM it tried to negotiate the highest available version of TLS but due to previous issues there was a limitation to try TLSv1.0 as the highest version and to not try any higher version. Now, the limit has been removed so that TLSv1.1 and TLSv1.2 can be negotiated if they are available on the VDSM side. Removing this limit will allow TLSv1.0 to be dropped from future versions of VDSM.
Clone Of:
: 1419540 (view as bug list)
Last Closed: 2017-04-21 09:51:08 UTC
oVirt Team: Infra
rule-engine: ovirt-4.1+
rule-engine: planning_ack+
mperina: devel_ack+
pstehlik: testing_ack+

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1414696 0 unspecified CLOSED The engine should wait for HostedEngineConfigFetcher to successfully complete before letting the user add an additonal h... 2021-02-22 00:41:40 UTC
oVirt gerrit 70038 0 master MERGED vdsbroker: Update ssl protocol version 2017-01-13 06:23:34 UTC
oVirt gerrit 70559 0 ovirt-engine-4.1 MERGED vdsbroker: Update ssl protocol version 2017-02-02 14:43:05 UTC
oVirt gerrit 70918 0 master MERGED http: use protocol which is understood by http client 2017-01-24 22:52:08 UTC
oVirt gerrit 73255 0 ovirt-engine-4.1 MERGED core: StorageHandlingCommandBase - getEntitiesFromStorageOvfDisk() loop 2017-03-01 14:51:42 UTC

Internal Links: 1414696

Description Martin Perina 2017-01-12 09:25:01 UTC
Description of problem:

At the moment we limit protocol negotiation to TLSv1.0, because issues with m2crypto in the past. We were not able to reproduce those issues in latest m2crypto on EL7, so we can remove this limit and allow engine to negotiate highest TLS version available on VDSM side.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

Actual results:

Expected results:

Additional info:

Comment 1 Martin Perina 2017-01-13 06:08:12 UTC
Retargeting to 4.1.1 to allow more extensive testing of the feature

Comment 3 Jiri Belka 2017-03-06 14:22:14 UTC
ok, ovirt-engine-

1. VdsmSSLProtocol = TLSv1.2 vs ssl_protocol = tlsv1
   > client tls 1.2, agreed tls 1.0

2. VdsmSSLProtocol = TLSv1.2 vs ssl_protocol = sslv23
   > client tls 1.2, agreed tls 1.2

Note You need to log in before you can comment on or make changes to this bug.