1412547 – Allow negotiation of highest available TLS version for engine <-> VDSM communication

Bug 1412547 - Allow negotiation of highest available TLS version for engine <-> VDSM communication

Summary: Allow negotiation of highest available TLS version for engine <-> VDSM commun...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	ovirt-engine
Classification:	oVirt
Component:	Backend.Core
Sub Component:
Version:	4.0.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	ovirt-4.1.1
Target Release:	4.1.1
Assignee:	Piotr Kliczewski
QA Contact:	Jiri Belka
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	RHV_TLS_1_2_SUPPORT 1414696 1414923 1419540
TreeView+	depends on / blocked

Reported:	2017-01-12 09:25 UTC by Martin Perina
Modified:	2017-04-21 09:51 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	Enhancement
Doc Text:	Previously, when the Manager attempted to connect to VDSM it tried to negotiate the highest available version of TLS but due to previous issues there was a limitation to try TLSv1.0 as the highest version and to not try any higher version. Now, the limit has been removed so that TLSv1.1 and TLSv1.2 can be negotiated if they are available on the VDSM side. Removing this limit will allow TLSv1.0 to be dropped from future versions of VDSM.
Clone Of:
Clones:	1419540 (view as bug list)
Environment:
Last Closed:	2017-04-21 09:51:08 UTC
oVirt Team:	Infra
Embargoed:
Dependent Products:
Flags:	rule-engine: ovirt-4.1+ rule-engine: planning_ack+ mperina: devel_ack+ pstehlik: testing_ack+

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1414696	unspecified	CLOSED	The engine should wait for HostedEngineConfigFetcher to successfully complete before letting the user add an additonal h...	2021-02-22 00:41:40 UTC
oVirt gerrit	70038	master	MERGED	vdsbroker: Update ssl protocol version	2017-01-13 06:23:34 UTC
oVirt gerrit	70559	ovirt-engine-4.1	MERGED	vdsbroker: Update ssl protocol version	2017-02-02 14:43:05 UTC
oVirt gerrit	70918	master	MERGED	http: use protocol which is understood by http client	2017-01-24 22:52:08 UTC
oVirt gerrit	73255	ovirt-engine-4.1	MERGED	core: StorageHandlingCommandBase - getEntitiesFromStorageOvfDisk() loop	2017-03-01 14:51:42 UTC

Internal Links: 1414696

Description Martin Perina 2017-01-12 09:25:01 UTC

Description of problem:

At the moment we limit protocol negotiation to TLSv1.0, because issues with m2crypto in the past. We were not able to reproduce those issues in latest m2crypto on EL7, so we can remove this limit and allow engine to negotiate highest TLS version available on VDSM side.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Martin Perina 2017-01-13 06:08:12 UTC

Retargeting to 4.1.1 to allow more extensive testing of the feature

Comment 3 Jiri Belka 2017-03-06 14:22:14 UTC

ok, ovirt-engine-4.1.1.3-0.1.el7.noarch

1. VdsmSSLProtocol = TLSv1.2 vs ssl_protocol = tlsv1
   > client tls 1.2, agreed tls 1.0

2. VdsmSSLProtocol = TLSv1.2 vs ssl_protocol = sslv23
   > client tls 1.2, agreed tls 1.2

Note You need to log in before you can comment on or make changes to this bug.