+++ This bug is an upstream to downstream clone. The original bug is: +++ +++ bug 1412547 +++ ====================================================================== Description of problem: At the moment we limit protocol negotiation to TLSv1.0, because issues with m2crypto in the past. We were not able to reproduce those issues in latest m2crypto on EL7, so we can remove this limit and allow engine to negotiate highest TLS version available on VDSM side. Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info: (Originally by Martin Perina)
Retargeting to 4.1.1 to allow more extensive testing of the feature (Originally by Martin Perina)
ok, ovirt-engine-4.0.7.1-0.1.el7ev.noarch originally on 4.0 - rhevm-4.0.6.3-0.1.el7ev.noarch engine=# select * from vdc_options where option_name ilike '%vdsmsslprotocol%'; option_id | option_name | option_value | version -----------+-----------------+--------------+--------- 255 | VdsmSSLProtocol | TLSv1 | general (1 row) after upgrade to version used for verification engine=# select * from vdc_options where option_name ilike '%vdsmsslprotocol%'; option_id | option_name | option_value | version -----------+-----------------+--------------+--------- 255 | VdsmSSLProtocol | TLSv1.2 | general (1 row) engine=# \q -bash-4.2$ rpm -q rhevm rhevm-4.0.7.1-0.1.el7ev.noarch tests, checked with wireshark[1]: 1. VdsmSSLProtocol = TLSv1.2 vs ssl_protocol = tlsv1 > client tls 1.2, agreed tls 1.0 2. VdsmSSLProtocol = TLSv1.1 vs ssl_protocol = tlsv1 > client tls 1.1, agreed tls 1.0 3. VdsmSSLProtocol = TLSv1.1 vs ssl_protocol = tlsv1 > client tls 1.0, agreed tls 1.0 4. VdsmSSLProtocol = TLSv1.2 vs ssl_protocol = sslv23 > client tls 1.2, agreed tls 1.2 4. VdsmSSLProtocol = TLSv1.1 vs ssl_protocol = sslv23 > client tls 1.1, agreed tls 1.1 4. VdsmSSLProtocol = SSLv3 vs ssl_protocol = sslv23 > client tls 1.1, agreed tls 1.1 [1] http://security.stackexchange.com/questions/100029/how-do-we-determine-the-ssl-tls-version-of-an-http-request
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2017-0542.html