Bug 1427790 - [RFE] Remove VdsmSSLProtocol from engine-config options
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: Tools.Config
Version: ---
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ovirt-4.1.2
: 4.1.2
Assignee: Martin Perina
QA Contact: Jiri Belka
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2017-03-01 08:52 UTC by Jiri Belka
Modified: 2017-06-26 08:29 UTC

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Previously, it was possible to limit the highest SSL/TLS protocol version that was negotiated when establishing a connection between the Manager and VDSM. This was required for older clients. In this release, this option has been removed from engine-config as it was verified that it is no longer required for VDSM 3.6 and later. VDSM 3.6 can successfully negotiate the highest available version.
Clone Of:
Environment:
Last Closed: 2017-05-23 08:13:54 UTC
oVirt Team: Infra
Embargoed:
rule-engine: ovirt-4.1+
rule-engine: ovirt-4.2+
mgoldboi: planning_ack+
mperina: devel_ack+
lsvaty: testing_ack+



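Links
 System       | ID    | Private | Priority         | Status | Summary                                                 | Last Updated
--------------+-------+---------+------------------+--------+---------------------------------------------------------+-------------------------
 oVirt gerrit | 74603 | 0       | master           | MERGED | tools: Remove VdsmSSLProtocol from engine-config options | 2017-03-24 11:03:40 UTC
 oVirt gerrit | 74605 | 0       | ovirt-engine-4.1 | MERGED | tools: Remove VdsmSSLProtocol from engine-config options | 2017-03-24 13:00:11 UTC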

Description Jiri Belka 2017-03-01 08:52:51 UTC
Description of problem:

[root@jbelka-vm2 ~]# engine-config -s VdsmSSLProtocol="Blablav1.9"
[root@jbelka-vm2 ~]# engine-config -g VdsmSSLProtocol
VdsmSSLProtocol: Blablav1.9 version: general

engine=# select * from vdc_options where option_name ilike '%vdsmsslprotocol%';
 option_id |   option_name   | option_value | version 
-----------+-----------------+--------------+---------
       255 | VdsmSSLProtocol | Blablav1.9   | general
(1 row)

rhevm-4.0.7.1-0.1.el7ev.noarch

engine-config should be strict enough to check the most important inputs. We obviously do not have coded allowable values for some, just value type string :/

Version-Release number of selected component (if applicable):
rhevm-4.0.7.1-0.1.el7ev.noarch

How reproducible:
100%

Steps to Reproduce:
1. try to put whatever string into an option which accepts just known values
2. check what was saved
3.

Actual results:
we can put whatever into DB

Expected results:
be more strict, at least for most important values

Additional info:

Comment 2 Martin Perina 2017-03-02 13:43:59 UTC
This option is no longer relevant to users, because in both 4.1 and 4.0.7 it's set to TLSv1.2 by default, which means we will always try to negotiate the highest available TLS version provided by VDSM on the host. I don't see any reason why users want to limit negotiation to TLSv1.1 (or even TLSv1 which is no longer considered secure).

So we would like to remove VdsmSSLProtocol from public engine-config properties, because it's only relevant to QA/developers and they could change that directly in the db.
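
Added example (not part of the bug report and not ovirt-engine code): an audit that parses psql output in the layout shown in the description, flags VdsmSSLProtocol values that are unknown or that cap negotiation below TLSv1.2, and models the cap semantics described in comment 2. The allowed-value list is an assumption built from the protocol names mentioned in that comment; all function names are hypothetical.

```python
# Added example, not ovirt-engine code. The allowed values are an assumption
# taken from the protocol names mentioned in comment 2.
TLS_ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2"]  # weakest to strongest

# Constructed sample: psql output in the layout shown in the bug description.
SAMPLE_PSQL = """\
 option_id |   option_name   | option_value | version
-----------+-----------------+--------------+---------
       255 | VdsmSSLProtocol | Blablav1.9   | general
(1 row)
"""


def parse_psql_rows(text):
    """Parse aligned psql table output into a list of dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [c.strip() for c in lines[0].split("|")]
    rows = []
    for ln in lines[1:]:
        if set(ln.strip()) <= set("-+") or ln.lstrip().startswith("("):
            continue  # separator line or "(N rows)" footer
        cells = [c.strip() for c in ln.split("|")]
        if len(cells) == len(header):
            rows.append(dict(zip(header, cells)))
    return rows


def classify(value):
    """Return 'invalid', 'weak-cap' or 'ok' for a VdsmSSLProtocol value."""
    if value not in TLS_ORDER:
        return "invalid"
    return "ok" if value == TLS_ORDER[-1] else "weak-cap"


def negotiate(cap, host_supported):
    """Model the cap: highest version the host offers that is <= cap."""
    if cap not in TLS_ORDER:
        raise ValueError(f"unknown protocol cap: {cap!r}")
    allowed = TLS_ORDER[: TLS_ORDER.index(cap) + 1]
    common = [v for v in allowed if v in host_supported]
    return common[-1] if common else None


def audit(text):
    """Map each VdsmSSLProtocol row's value to its classification."""
    return {r["option_value"]: classify(r["option_value"])
            for r in parse_psql_rows(text)
            if r["option_name"] == "VdsmSSLProtocol"}
```

Calling audit(SAMPLE_PSQL) reports the value from the description as invalid, and negotiate() shows that a TLSv1.2 cap still settles on whatever highest version the host offers.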

Comment 3 Jiri Belka 2017-05-09 08:21:20 UTC
[root@jbelka-vm1 ~]# engine-config -g VdsmSSLProtocol; rpm -q rhevm
Error fetching VdsmSSLProtocol value: no such entry. Please verify key name and property file support.
rhevm-4.1.2.1-0.1.el7.noarch

