Bug 1419540 - [downstream clone - 4.0.7] Allow negotiation of highest available TLS version for engine <-> VDSM communication
Status: CLOSED ERRATA
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Severity: high
Target Milestone: ovirt-4.0.7
Assigned To: Ondra Machacek
QA Contact: Jiri Belka
Keywords: ZStream
Depends On: 1412547
Blocks:
Reported: 2017-02-06 08:13 EST by rhev-integ
Modified: 2017-03-16 11:33 EDT

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Previously, the Manager tried to negotiate the highest available version of TLS when connecting to VDSM. However, due to certain limitations the Manager tried to negotiate TLSv1.0 as the highest version. Now, the limitations have been removed and the Manager is able to negotiate TLSv1.1 and TLSv1.2 when they are available on VDSM. Removing these limitations also enables providing only newer TLS versions in future VDSM versions.
Story Points: ---
Clone Of: 1412547
Environment:
Last Closed: 2017-03-16 11:33:05 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
External Trackers
Tracker ID Priority Status Summary Last Updated
oVirt gerrit 70038 master MERGED vdsbroker: Update ssl protocol version 2017-02-06 08:14 EST
oVirt gerrit 70559 ovirt-engine-4.1 MERGED vdsbroker: Update ssl protocol version 2017-02-06 08:14 EST
oVirt gerrit 70918 master MERGED http: use protocol which is understood by http client 2017-02-06 08:14 EST
oVirt gerrit 71722 None None None 2017-02-07 04:20 EST
Red Hat Product Errata RHBA-2017:0542 normal SHIPPED_LIVE Red Hat Virtualization Manager 4.0.7 2017-03-16 15:25:04 EDT
Description rhev-integ 2017-02-06 08:13:57 EST
+++ This bug is an upstream to downstream clone. The original bug is: +++
+++   bug 1412547 +++
======================================================================

Description of problem:

At the moment we limit protocol negotiation to TLSv1.0, because of issues with m2crypto in the past. We were not able to reproduce those issues in the latest m2crypto on EL7, so we can remove this limit and allow the engine to negotiate the highest TLS version available on the VDSM side.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

(Originally by Martin Perina)
Comment 1 rhev-integ 2017-02-06 08:14:05 EST
Retargeting to 4.1.1 to allow more extensive testing of the feature

(Originally by Martin Perina)
Comment 4 Jiri Belka 2017-03-01 06:47:54 EST
ok, ovirt-engine-4.0.7.1-0.1.el7ev.noarch

originally on 4.0 - rhevm-4.0.6.3-0.1.el7ev.noarch

engine=# select * from vdc_options where option_name ilike '%vdsmsslprotocol%';
 option_id |   option_name   | option_value | version 
-----------+-----------------+--------------+---------
       255 | VdsmSSLProtocol | TLSv1        | general
(1 row)

after upgrade to version used for verification

engine=# select * from vdc_options where option_name ilike '%vdsmsslprotocol%';
 option_id |   option_name   | option_value | version 
-----------+-----------------+--------------+---------
       255 | VdsmSSLProtocol | TLSv1.2      | general
(1 row)

engine=# \q
-bash-4.2$ rpm -q rhevm
rhevm-4.0.7.1-0.1.el7ev.noarch

tests, checked with Wireshark [1]:

1. VdsmSSLProtocol = TLSv1.2 vs ssl_protocol = tlsv1
   > client tls 1.2, agreed tls 1.0
2. VdsmSSLProtocol = TLSv1.1 vs ssl_protocol = tlsv1
   > client tls 1.1, agreed tls 1.0
3. VdsmSSLProtocol = TLSv1.1 vs ssl_protocol = tlsv1
   > client tls 1.0, agreed tls 1.0
4. VdsmSSLProtocol = TLSv1.2 vs ssl_protocol = sslv23
   > client tls 1.2, agreed tls 1.2
5. VdsmSSLProtocol = TLSv1.1 vs ssl_protocol = sslv23
   > client tls 1.1, agreed tls 1.1
6. VdsmSSLProtocol = SSLv3 vs ssl_protocol = sslv23
   > client tls 1.1, agreed tls 1.1

[1] http://security.stackexchange.com/questions/100029/how-do-we-determine-the-ssl-tls-version-of-an-http-request
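The version matrix in the comment above can be reproduced without Wireshark by letting two TLS endpoints with explicit version bounds handshake against each other. The program below is an added example written in Go for this page; it is not oVirt, VDSM or vdsbroker code. It models the engine's VdsmSSLProtocol setting as the client's highest offered version and VDSM's ssl_protocol as the server's accepted range (tlsv1 as "only TLS 1.0", sslv23 as "anything from TLS 1.0 up", both modelling assumptions), uses a throwaway self-signed certificate on a loopback socket, and goes one step beyond the comment: it also shows TLS 1.3 and the failure that a client still capped at TLS 1.0 gets once a server offers only newer versions, which is what the Doc Text anticipates for future VDSM releases.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway certificate for the stand-in "VDSM" server.
// Constructed for this example only; nothing here comes from oVirt.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "vdsm.example.test"}, // hypothetical host name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// Negotiate runs one handshake over loopback TCP. The client offers at most
// clientMax (the engine's VdsmSSLProtocol ceiling); the server accepts
// serverMin..serverMax (VDSM's ssl_protocol). It returns the version both
// sides agreed on, or the handshake error when the ranges do not overlap.
func Negotiate(clientMax, serverMin, serverMax uint16) (uint16, error) {
	cert, err := selfSignedCert()
	if err != nil {
		return 0, err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, err
	}
	defer ln.Close()

	srvErr := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			srvErr <- err
			return
		}
		defer raw.Close()
		srvErr <- tls.Server(raw, &tls.Config{
			Certificates: []tls.Certificate{cert},
			MinVersion:   serverMin,
			MaxVersion:   serverMax,
		}).Handshake()
	}()

	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return 0, err
	}
	defer raw.Close()
	cli := tls.Client(raw, &tls.Config{
		InsecureSkipVerify: true, // only because the cert above is a throwaway; never copy into a real client
		MinVersion:         tls.VersionTLS10,
		MaxVersion:         clientMax,
	})
	if err := cli.Handshake(); err != nil {
		raw.Close() // unblock the server goroutine before reporting the failure
		<-srvErr
		return 0, err
	}
	if err := <-srvErr; err != nil {
		return 0, err
	}
	return cli.ConnectionState().Version, nil
}

func main() {
	// The first two rows mirror the Wireshark matrix (engine 1.2 vs tlsv1, engine 1.2 vs sslv23);
	// the last two go beyond it: TLS 1.3, and an engine capped at 1.0 meeting a 1.2+-only VDSM.
	for _, c := range [][3]uint16{
		{tls.VersionTLS12, tls.VersionTLS10, tls.VersionTLS10},
		{tls.VersionTLS12, tls.VersionTLS10, tls.VersionTLS13},
		{tls.VersionTLS13, tls.VersionTLS12, tls.VersionTLS13},
		{tls.VersionTLS10, tls.VersionTLS12, tls.VersionTLS13},
	} {
		label := fmt.Sprintf("client<=%s server %s..%s", tls.VersionName(c[0]), tls.VersionName(c[1]), tls.VersionName(c[2]))
		if v, err := Negotiate(c[0], c[1], c[2]); err != nil {
			fmt.Printf("%s: handshake failed: %v\n", label, err)
		} else {
			fmt.Printf("%s: agreed %s\n", label, tls.VersionName(v))
		}
	}
}
```

The agreed version is always the highest one inside the intersection of the two ranges, which is why raising the engine's ceiling is safe against an old VDSM (row 1 still lands on TLS 1.0) and why a ceiling stuck at TLS 1.0 becomes a hard outage, not a downgrade, the day the server stops offering it (row 4).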
Comment 6 errata-xmlrpc 2017-03-16 11:33:05 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0542.html
