Description of problem:
ssl_excludes not working for m2crypto (could not test python/ssl implementation because of BZ1473295).

# grep ^ssl /etc/vdsm/vdsm.conf
ssl = true
ssl_protocol = sslv23
ssl_excludes = OP_NO_TLSv1, OP_NO_TLSv1_1

2017-07-20 16:27:56,292+0200 ERROR (MainThread) [vds] Exception raised (vdsm:154)
Traceback (most recent call last):
  File "/usr/share/vdsm/vdsm", line 152, in run
    serve_clients(log)
  File "/usr/share/vdsm/vdsm", line 101, in serve_clients
    cif = clientIF.getInstance(irs, log, scheduler)
  File "/usr/share/vdsm/clientIF.py", line 204, in getInstance
    cls._instance = clientIF(irs, log, scheduler)
  File "/usr/share/vdsm/clientIF.py", line 119, in __init__
    self._createAcceptor(host, port)
  File "/usr/share/vdsm/clientIF.py", line 208, in _createAcceptor
    sslctx = sslutils.create_ssl_context()
  File "/usr/lib/python2.7/site-packages/vdsm/m2cutils.py", line 321, in create_ssl_context
    excludes = protocol_name_to_int()
  File "/usr/lib/python2.7/site-packages/vdsm/m2cutils.py", line 335, in protocol_name_to_int
    excludes |= getattr(m2, no_protocol.strip())
AttributeError: 'module' object has no attribute 'OP_NO_TLSv1'

Version-Release number of selected component (if applicable):
redhat-release-server-7.4-18.el7.x86_64
m2crypto-0.21.1-17.el7.x86_64
python-2.7.5-58.el7.x86_64
vdsm-4.19.23-1.el7ev.x86_64

How reproducible:
100%

Steps to Reproduce:
1. define ssl_excludes and restart vdsmd
2.
3.

Actual results:
can't connect to engine

Expected results:
should work

Additional info:
It is possible to use SSL_OP_NO_TLSv1 for m2crypto, but SSL_OP_NO_TLSv1_1 is not available for some of the versions, so a code change was required.
Reducing severity as default configuration works.
it seems it's unable to exclude tlsv1.2 on m2crypto:

# grep ^ssl /etc/vdsm/vdsm.conf
ssl = true
ssl_protocol = sslv23
ssl_excludes = OP_NO_TLSv1_2

2017-08-07 14:49:37,277+0200 ERROR (MainThread) [vds] Exception raised (vdsm:154)
Traceback (most recent call last):
  File "/usr/share/vdsm/vdsm", line 152, in run
    serve_clients(log)
  File "/usr/share/vdsm/vdsm", line 101, in serve_clients
    cif = clientIF.getInstance(irs, log, scheduler)
  File "/usr/share/vdsm/clientIF.py", line 205, in getInstance
    cls._instance = clientIF(irs, log, scheduler)
  File "/usr/share/vdsm/clientIF.py", line 120, in __init__
    self._createAcceptor(host, port)
  File "/usr/share/vdsm/clientIF.py", line 209, in _createAcceptor
    sslctx = sslutils.create_ssl_context()
  File "/usr/lib/python2.7/site-packages/vdsm/m2cutils.py", line 322, in create_ssl_context
    excludes = protocol_name_to_int()
  File "/usr/lib/python2.7/site-packages/vdsm/m2cutils.py", line 341, in protocol_name_to_int
    excludes |= getattr(m2, protocol)
AttributeError: 'module' object has no attribute 'SSL_OP_NO_TLSv1_2'

putting tlsv1 and tlsv1.2 into excludes makes vdsm start correctly.
Target release should be placed once a package build is known to fix an issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for an oVirt release.
I discovered this:

ssl_protocol = sslv23
ssl_excludes = OP_NO_TLSv1_1,OP_NO_TLSv1_2

and this causes TLSv1.1 to be used while communicating with the engine. Thus it seems it is not OK, as it should be TLSv1, shouldn't it?
I also tried this: 4.1 vdsm EL 7.4 (sslv23) -> engine (VdsmSSLProtocol=TLSv1.1) + ssl_excludes = OP_NO_TLSv1_1 causes to be TLSv1.1 Isn't is typo in this diff (comment inline)? ~~~ --- a/lib/vdsm/m2cutils.py +++ b/lib/vdsm/m2cutils.py @@ -38,11 +38,15 @@ except ImportError as e: raise compat.Unsupported(str(e)) CLIENT_PROTOCOL = "sslv23" -SSL_OP_NO_TLSv1_1 = 268435456 ^^^^^^^^^ DEFAULT_ACCEPT_TIMEOUT = 5 SOCKET_DEFAULT_TIMEOUT = socket._GLOBAL_DEFAULT_TIMEOUT +missing_protocols = { + 'SSL_OP_NO_TLSv1_1': 0x1000000, ^^^^^^^^^ = 16777216 + 'SSL_OP_NO_TLSv1_2': 0x8000000 +} + # M2Crypto.threading needs initialization. # See https://bugzilla.redhat.com/482420 threading.init() @@ -334,9 +338,9 @@ def protocol_name_to_int(): for no_protocol in config.get('vars', 'ssl_excludes').split(','): if no_protocol != '': protocol = 'SSL_' + no_protocol.strip() - if protocol == 'SSL_OP_NO_TLSv1_1': + if protocol in missing_protocols: # missing from m2crypto - excludes |= SSL_OP_NO_TLSv1_1 + excludes |= missing_protocols[protocol] else: excludes |= getattr(m2, protocol) ~~~
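Review bot: the value given for 'SSL_OP_NO_TLSv1_1' in the new missing_protocols dict, 0x1000000, does not match the 268435456 (0x10000000) that the removed module-level constant SSL_OP_NO_TLSv1_1 defined; the new literal is one hex digit short, so it sets a different bit and excluding OP_NO_TLSv1_1 no longer disables TLSv1.1, which is consistent with the TLSv1.1 handshake reported in this comment. Change it to 0x10000000 and write both entries with the same width ('SSL_OP_NO_TLSv1_1': 0x10000000, 'SSL_OP_NO_TLSv1_2': 0x08000000) so a dropped zero stands out. In the second hunk the else branch still does an unguarded getattr(m2, protocol), so any excluded name that is neither in missing_protocols nor in m2 still aborts vdsm startup with the AttributeError seen in the earlier traceback; a getattr with a default plus an explicit configuration error message would fail more clearly.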
You're correct Jiri, a zero is indeed missing in 'SSL_OP_NO_TLSv1_1'.
ok, vdsm-4.19.28-1.el7ev.x86_64

4.1 vdsm (sslv23/m2c) -> engine => TLSv1.2
- ssl_excludes = OP_NO_TLSv1_1 / engine (VdsmSSLProtocol=TLSv1.1) => TLSv1.0
- ssl_excludes = OP_NO_TLSv1_1 / engine (default) => TLSv1.2
- ssl_excludes = OP_NO_TLSv1_2 => TLSv1.1
- ssl_excludes = OP_NO_TLSv1 => TLSv1.2
- ssl_excludes = OP_NO_TLSv1,OP_NO_TLSv1_2 => TLSv1.1
- ssl_excludes = OP_NO_TLSv1_1,OP_NO_TLSv1_2 => TLSv1.0

4.1 vdsm (sslv23/ssl) -> engine => TLSv1.2
- ssl_excludes = OP_NO_TLSv1_1 / engine (VdsmSSLProtocol=TLSv1.1) => TLSv1.0
- ssl_excludes = OP_NO_TLSv1_1 / engine (default) => TLSv1.2
- ssl_excludes = OP_NO_TLSv1_2 => TLSv1.1
- ssl_excludes = OP_NO_TLSv1 => TLSv1.2
- ssl_excludes = OP_NO_TLSv1,OP_NO_TLSv1_2 => TLSv1.1
- ssl_excludes = OP_NO_TLSv1_1,OP_NO_TLSv1_2 => TLSv1.0
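An added example, not vdsm's own code, that puts the two pieces of this thread together: the ssl_excludes name-to-bitmask lookup with a fallback table for the SSL_OP_NO_* constants an old M2Crypto build lacks, and a small model of the sslv23 negotiation that reproduces the results matrix above. OLD_M2 is a constructed stand-in for M2Crypto.m2; FALLBACK_OPTIONS holds the standard OpenSSL option values, with the 0x10000000 for TLSv1_1 that the patch comment discusses.

```python
"""Parse a vdsm-style ssl_excludes value into an OpenSSL option bitmask and
model which TLS version an sslv23 endpoint ends up negotiating."""
import types

# Standard OpenSSL SSL_OP_NO_* bit values. Note TLSv1_1 is 0x10000000
# (268435456); the one-digit-short 0x1000000 sets a different bit entirely.
FALLBACK_OPTIONS = {
    'SSL_OP_NO_SSLv2': 0x01000000,
    'SSL_OP_NO_SSLv3': 0x02000000,
    'SSL_OP_NO_TLSv1': 0x04000000,
    'SSL_OP_NO_TLSv1_2': 0x08000000,
    'SSL_OP_NO_TLSv1_1': 0x10000000,
}

# Constructed stand-in for an old M2Crypto.m2 that only exports SSL_OP_NO_TLSv1
# (the situation in the original report).
OLD_M2 = types.SimpleNamespace(SSL_OP_NO_TLSv1=0x04000000)


def protocol_name_to_int(ssl_excludes, m2=OLD_M2):
    """Turn 'OP_NO_TLSv1, OP_NO_TLSv1_1' into a bitmask, preferring the
    binding's own constant and falling back to the table above."""
    excludes = 0
    for no_protocol in ssl_excludes.split(','):
        name = no_protocol.strip()
        if not name:
            continue
        protocol = 'SSL_' + name
        value = getattr(m2, protocol, None)
        if value is None:
            value = FALLBACK_OPTIONS.get(protocol)
        if value is None:
            # fail with a clear config error instead of an AttributeError
            raise ValueError('unknown ssl_excludes entry: %s' % name)
        excludes |= value
    return excludes


ORDER = ['TLSv1.0', 'TLSv1.1', 'TLSv1.2']
NO_OPT = {'TLSv1.0': 'SSL_OP_NO_TLSv1', 'TLSv1.1': 'SSL_OP_NO_TLSv1_1',
          'TLSv1.2': 'SSL_OP_NO_TLSv1_2'}


def negotiated_version(excludes, engine_max='TLSv1.2'):
    """Highest version not masked out by excludes and not above the engine's
    VdsmSSLProtocol cap; None when nothing is left to agree on."""
    usable = [v for v in ORDER[:ORDER.index(engine_max) + 1]
              if not excludes & FALLBACK_OPTIONS[NO_OPT[v]]]
    return usable[-1] if usable else None
```

Feeding the wrong constant 0x1000000 to negotiated_version with the engine capped at TLSv1.1 still yields TLSv1.1, which is the symptom reported after the first version of the patch.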