Bug 1473344 - vdsm's ssl_excludes not working, can't connect to engine
Summary: vdsm's ssl_excludes not working, can't connect to engine
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: vdsm
Classification: oVirt
Component: General
Version: 4.19.23
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ovirt-4.1.5
: ---
Assignee: Piotr Kliczewski
QA Contact: Jiri Belka
URL:
Whiteboard:
Depends On:
Blocks: 1412552
TreeView+ depends on / blocked
 
Reported: 2017-07-20 14:37 UTC by Jiri Belka
Modified: 2017-08-23 08:03 UTC (History)
7 users (show)

Fixed In Version: v4.19.26
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-23 08:03:05 UTC
oVirt Team: Infra
rule-engine: ovirt-4.1+
rule-engine: blocker+


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
oVirt gerrit 79664 0 ovirt-4.1 MERGED m2c: uses different protocol constant names 2017-07-29 08:37:03 UTC
oVirt gerrit 80363 0 ovirt-4.1 MERGED m2cutils: support excluding OP_NO_TLSv1_2 2017-08-08 08:38:25 UTC
oVirt gerrit 80586 0 ovirt-4.1 MERGED m2cutils: fix a typo in SSL_OP_NO_TLSv1_1 constant 2017-08-14 13:01:24 UTC

Description Jiri Belka 2017-07-20 14:37:47 UTC
Description of problem:

ssl_exludes not working for m2crypto (could not test python/ssl implementation because of BZ1473295).

# grep ^ssl /etc/vdsm/vdsm.conf
ssl = true
ssl_protocol = sslv23
ssl_excludes = OP_NO_TLSv1, OP_NO_TLSv1_1

2017-07-20 16:27:56,292+0200 ERROR (MainThread) [vds] Exception raised (vdsm:154)
Traceback (most recent call last):
  File "/usr/share/vdsm/vdsm", line 152, in run
    serve_clients(log)
  File "/usr/share/vdsm/vdsm", line 101, in serve_clients
    cif = clientIF.getInstance(irs, log, scheduler)
  File "/usr/share/vdsm/clientIF.py", line 204, in getInstance
    cls._instance = clientIF(irs, log, scheduler)
  File "/usr/share/vdsm/clientIF.py", line 119, in __init__
    self._createAcceptor(host, port)
  File "/usr/share/vdsm/clientIF.py", line 208, in _createAcceptor
    sslctx = sslutils.create_ssl_context()
  File "/usr/lib/python2.7/site-packages/vdsm/m2cutils.py", line 321, in create_ssl_context
    excludes = protocol_name_to_int()
  File "/usr/lib/python2.7/site-packages/vdsm/m2cutils.py", line 335, in protocol_name_to_int
    excludes |= getattr(m2, no_protocol.strip())
AttributeError: 'module' object has no attribute 'OP_NO_TLSv1'


Version-Release number of selected component (if applicable):
redhat-release-server-7.4-18.el7.x86_64
m2crypto-0.21.1-17.el7.x86_64
python-2.7.5-58.el7.x86_64
vdsm-4.19.23-1.el7ev.x86_64

How reproducible:
100%

Steps to Reproduce:
1. define ssl_exludes and restart vdsmd
2.
3.

Actual results:
can't connect to engine

Expected results:
should work

Additional info:

Comment 2 Piotr Kliczewski 2017-07-21 09:33:49 UTC
It is possible to use SSL_OP_NO_TLSv1 for m2crypto but SSL_OP_NO_TLSv1_1 is not available for some of the versions so it was code change required.

Comment 3 Oved Ourfali 2017-07-21 10:12:05 UTC
Reducing severity as default configuration works.

Comment 4 Jiri Belka 2017-08-07 12:54:46 UTC
it seems it's unable to exluce tlsv1.2 on m2crypto:

# grep ^ssl /etc/vdsm/vdsm.conf
ssl = true
ssl_protocol = sslv23
ssl_excludes = OP_NO_TLSv1_2

2017-08-07 14:49:37,277+0200 ERROR (MainThread) [vds] Exception raised (vdsm:154)
Traceback (most recent call last):
  File "/usr/share/vdsm/vdsm", line 152, in run
    serve_clients(log)
  File "/usr/share/vdsm/vdsm", line 101, in serve_clients
    cif = clientIF.getInstance(irs, log, scheduler)
  File "/usr/share/vdsm/clientIF.py", line 205, in getInstance
    cls._instance = clientIF(irs, log, scheduler)
  File "/usr/share/vdsm/clientIF.py", line 120, in __init__
    self._createAcceptor(host, port)
  File "/usr/share/vdsm/clientIF.py", line 209, in _createAcceptor
    sslctx = sslutils.create_ssl_context()
  File "/usr/lib/python2.7/site-packages/vdsm/m2cutils.py", line 322, in create_ssl_context
    excludes = protocol_name_to_int()
  File "/usr/lib/python2.7/site-packages/vdsm/m2cutils.py", line 341, in protocol_name_to_int
    excludes |= getattr(m2, protocol)
AttributeError: 'module' object has no attribute 'SSL_OP_NO_TLSv1_2'

putting tlsv1 and tlsv1.2 into excludes makes vdsm start correctly.

Comment 5 Red Hat Bugzilla Rules Engine 2017-08-07 12:54:51 UTC
Target release should be placed once a package build is known to fix a issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for a oVirt release.

Comment 6 Jiri Belka 2017-08-11 07:11:48 UTC
I discovered this:

ssl_protocol = sslv23
ssl_excludes = OP_NO_TLSv1_1,OP_NO_TLSv1_2

and this causes to be TLSv1.1 while communicating with engine. Thus it seems it is not OK as it should be TLSv1, shouldn't it?

Comment 7 Jiri Belka 2017-08-11 07:23:06 UTC
I also tried this:

4.1 vdsm EL 7.4 (sslv23) -> engine (VdsmSSLProtocol=TLSv1.1) 
 + ssl_excludes = OP_NO_TLSv1_1 causes to be TLSv1.1

Isn't is typo in this diff (comment inline)?

~~~
--- a/lib/vdsm/m2cutils.py
+++ b/lib/vdsm/m2cutils.py
@@ -38,11 +38,15 @@ except ImportError as e:
     raise compat.Unsupported(str(e))
 
 CLIENT_PROTOCOL = "sslv23"
-SSL_OP_NO_TLSv1_1 = 268435456
                     ^^^^^^^^^

 DEFAULT_ACCEPT_TIMEOUT = 5
 SOCKET_DEFAULT_TIMEOUT = socket._GLOBAL_DEFAULT_TIMEOUT
 
+missing_protocols = {
+    'SSL_OP_NO_TLSv1_1': 0x1000000,
                          ^^^^^^^^^ = 16777216
+    'SSL_OP_NO_TLSv1_2': 0x8000000
+}
+
 # M2Crypto.threading needs initialization.
 # See https://bugzilla.redhat.com/482420
 threading.init()
@@ -334,9 +338,9 @@ def protocol_name_to_int():
     for no_protocol in config.get('vars', 'ssl_excludes').split(','):
         if no_protocol != '':
             protocol = 'SSL_' + no_protocol.strip()
-            if protocol == 'SSL_OP_NO_TLSv1_1':
+            if protocol in missing_protocols:
                 # missing from m2crypto
-                excludes |= SSL_OP_NO_TLSv1_1
+                excludes |= missing_protocols[protocol]
             else:
                 excludes |= getattr(m2, protocol)
~~~

Comment 8 Red Hat Bugzilla Rules Engine 2017-08-11 07:23:10 UTC
Target release should be placed once a package build is known to fix a issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for a oVirt release.

Comment 9 Irit Goihman 2017-08-14 08:07:12 UTC
You're correct Jiri, a zero is indeed missing in 'SSL_OP_NO_TLSv1_1'.

Comment 10 Jiri Belka 2017-08-16 09:39:27 UTC
ok, vdsm-4.19.28-1.el7ev.x86_64

4.1 vdsm (sslv23/m2c) -> engine => TLSv1.2

- ssl_excludes = OP_NO_TLSv1_1 / engine (VdsmSSLProtocol=TLSv1.1) => TLSv1.0
- ssl_excludes = OP_NO_TLSv1_1 / engine (default) => TLSv1.2
- ssl_excludes = OP_NO_TLSv1_2 => TLSv1.1
- ssl_excludes = OP_NO_TLSv1 => TLSv1.2
- ssl_excludes = OP_NO_TLSv1,OP_NO_TLSv1_2 => TLSv1.1
- ssl_excludes = OP_NO_TLSv1_1,OP_NO_TLSv1_2 => TLSv1.0

4.1 vdsm (sslv23/ssl) -> engine => TLSv1.2

- ssl_excludes = OP_NO_TLSv1_1 / engine (VdsmSSLProtocol=TLSv.1.1) => TLSv1.0
- ssl_excludes = OP_NO_TLSv1_1 / engine (default) => TLSv1.2
- ssl_excludes = OP_NO_TLSv1_2 => TLSv1.1
- ssl_excludes = OP_NO_TLSv1 => TLSv1.2
- ssl_excludes = OP_NO_TLSv1,OP_NO_TLSv1_2 => TLSv1.1
- ssl_excludes = OP_NO_TLSv1_1,OP_NO_TLSv1_2 => TLSv1.0


Note You need to log in before you can comment on or make changes to this bug.