Bug 1427790 - [RFE] Remove VdsmSSLProtocol from engine-config options
Status: CLOSED CURRENTRELEASE
Product: ovirt-engine
Classification: oVirt
Component: Tools.Config
---
Unspecified Unspecified
medium Severity medium
: ovirt-4.1.2
: 4.1.2
Assigned To: Martin Perina
Jiri Belka
: FutureFeature
Depends On:
Blocks:
Reported: 2017-03-01 03:52 EST by Jiri Belka
Modified: 2017-06-26 04:29 EDT

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Previously, it was possible to limit the highest SSL/TLS protocol version that was negotiated when establishing a connection between the Manager and VDSM. This was required for older clients. In this release, this option has been removed from engine-config as it was verified that it is no longer required for VDSM 3.6 and later. VDSM 3.6 can successfully negotiate the highest available version.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-05-23 04:13:54 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
rule-engine: ovirt‑4.1+
rule-engine: ovirt‑4.2+
mgoldboi: planning_ack+
mperina: devel_ack+
lsvaty: testing_ack+


External Trackers
Tracker | ID | Priority | Status | Summary | Last Updated
oVirt gerrit | 74603 | master | MERGED | tools: Remove VdsmSSLProtocol from engine-config options | 2017-03-24 07:03 EDT
oVirt gerrit | 74605 | ovirt-engine-4.1 | MERGED | tools: Remove VdsmSSLProtocol from engine-config options | 2017-03-24 09:00 EDT

Description Jiri Belka 2017-03-01 03:52:51 EST
Description of problem:

[root@jbelka-vm2 ~]# engine-config -s VdsmSSLProtocol="Blablav1.9"
[root@jbelka-vm2 ~]# engine-config -g VdsmSSLProtocol
VdsmSSLProtocol: Blablav1.9 version: general

engine=# select * from vdc_options where option_name ilike '%vdsmsslprotocol%';
 option_id |   option_name   | option_value | version 
-----------+-----------------+--------------+---------
       255 | VdsmSSLProtocol | Blablav1.9   | general
(1 row)

rhevm-4.0.7.1-0.1.el7ev.noarch

engine-config should be strict enough to check the most important inputs. We obviously do not have coded allowable values for some, just value type string :/

Version-Release number of selected component (if applicable):
rhevm-4.0.7.1-0.1.el7ev.noarch

How reproducible:
100%

Steps to Reproduce:
1. try to put whatever string into an option which accepts just known values
2. check what was saved
3.

Actual results:
we can put whatever into DB

Expected results:
be more strict, at least for most important values

Additional info:
Comment 2 Martin Perina 2017-03-02 08:43:59 EST
This option is no longer relevant to users, because in both 4.1 and 4.0.7 it's set to TLSv1.2 by default, which means we will always try to negotiate the highest available TLS version provided by VDSM on the host. I don't see any reason why users want to limit negotiation to TLSv1.1 (or even TLSv1 which is no longer considered secure).

So we would like to remove VdsmSSLProtocol from public engine-config properties, because it's only relevant to QA/developers and they could change that directly in the db.
Comment 3 Jiri Belka 2017-05-09 04:21:20 EDT
[root@jbelka-vm1 ~]# engine-config -g VdsmSSLProtocol; rpm -q rhevm
Error fetching VdsmSSLProtocol value: no such entry. Please verify key name and property file support.
rhevm-4.1.2.1-0.1.el7.noarch
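
The input check the description asks for, together with the ceiling behaviour comment 2 describes, as an added Python example that is not code from ovirt-engine, engine-config or VDSM. It treats the option value as a ceiling over the protocol names in comment 2 and uses a simplified model of negotiation rather than a real TLS handshake; the function names and the host capability list are assumptions made for this illustration.

```python
# Added illustration; not ovirt-engine, engine-config or VDSM code.
# Protocol names from comment 2, ordered oldest to newest.
TLS_ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2"]
INSECURE = {"TLSv1"}  # comment 2: "no longer considered secure"


def validate_ceiling(value):
    """Return value if it is a known protocol name, else raise ValueError."""
    if value not in TLS_ORDER:
        raise ValueError(f"unsupported protocol {value!r}; "
                         f"allowed: {', '.join(TLS_ORDER)}")
    return value


def newest(versions):
    """Newest known protocol in versions, or None if there is none."""
    known = [v for v in versions if v in TLS_ORDER]
    return max(known, key=TLS_ORDER.index, default=None)


def negotiate(ceiling, host_versions):
    """Simplified model: newest host version not above the ceiling."""
    limit = TLS_ORDER.index(validate_ceiling(ceiling))
    return newest(v for v in host_versions
                  if v in TLS_ORDER and TLS_ORDER.index(v) <= limit)


def audit(ceiling, host_versions):
    """Return (negotiated version, list of findings) for one setting."""
    try:
        chosen = negotiate(ceiling, host_versions)
    except ValueError as exc:
        return None, [str(exc)]
    findings = []
    best = newest(host_versions)
    if chosen is None:
        findings.append("no common protocol version")
    elif chosen != best:
        findings.append(f"ceiling downgrades host from {best} to {chosen}")
    if chosen in INSECURE:
        findings.append(f"{chosen} is no longer considered secure")
    return chosen, findings


if __name__ == "__main__":
    # Constructed host capability list (hypothetical host).
    host = ["TLSv1", "TLSv1.1", "TLSv1.2"]
    for setting in ("TLSv1.2", "TLSv1.1", "TLSv1", "Blablav1.9"):
        print(setting, "->", audit(setting, host))
```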
