Bug 1498967
| Summary: | Chardev TCP server does not reset when TLS handshake with client fails | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Daniel Berrangé <berrange> |
| Component: | qemu-kvm-rhev | Assignee: | pagupta |
| Status: | CLOSED ERRATA | QA Contact: | Qianqian Zhu <qizhu> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.4 | CC: | berrange, chayang, juzhang, knoel, mdeng, michen, mrezanin, virt-maint, xfu |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | qemu-kvm-rhev-2.12.0-1.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-11-01 11:01:10 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1466597 | ||
Description
Daniel Berrangé
2017-10-05 16:36:15 UTC
Merged in
commit 9cca7578b45ac5b10c4cdb3dd7e08bb28c766c6d
Author: Daniel P. Berrange <berrange>
Date: Thu Oct 5 16:50:57 2017 +0100
char: don't skip client cleanup if 'connected' flag is unset
which is part of the QEMU 2.11 release.
Reproduced on qemu-kvm-rhev-2.9.0-14.el7.x86_64:

Steps:
1. Launch guest, cli:
    # /usr/libexec/qemu-kvm \
    -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=yes \
    -chardev socket,id=charserial1,host=dhcp-8-165.nay.redhat.com,port=9000,server,nowait,tls-creds=objcharserial1_tls0 \
    -device isa-serial,chardev=charserial1,id=serial1 \
    -m 2G \
    -drive id=drive_image1,if=none,snapshot=off,aio=threads,cache=none,format=qcow2,file=/home/kvm_autotest_root/images/rhel75-64-virtio.qcow2 \
    -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x7,drive=drive_image1,id=virtio-disk0,bootindex=1 \
    -device virtio-net-pci,mac=9a:f8:f9:fa:fb:fc,id=idWyOFPn,vectors=4,netdev=idC4NXQZ,bus=pci.0,addr=0x5 \
    -netdev tap,id=idC4NXQZ,vhost=on \
    -vnc :1 \
    -vga cirrus

2. Connect to the server with gnutls-cli, providing a CA cert, client cert and client key:
    # gnutls-cli --priority=NORMAL -p9000 --x509cafile=/etc/pki/qemu/ca-cert.pem dhcp-8-165.nay.redhat.com --x509certfile=/etc/pki/qemu/client-cert.pem --x509keyfile=/etc/pki/qemu/client-key.pem

Output:
    Processed 1 CA certificate(s).
    Processed 1 client X.509 certificates...
    Resolving 'dhcp-8-165.nay.redhat.com'...
    Connecting to '10.66.8.165:9000'...
    (...)
    - Successfully sent 1 certificate(s) to server.
    (...)
    - Handshake was completed
    - Simple Client Mode:
    [ OK ] Started Enable periodic update of entitlement certificates..
    [ OK ] Reached target Remote File Systems (Pre).
    [ OK ] Reached target Remote File Systems.
    (...)
    Red Hat Enterprise Linux Server 7.5 (Maipo)
    Kernel 3.10.0-862.el7.x86_64 on an x86_64
    dhcp-9-48 login:

3. Ctrl+c cancel the gnutls-cli connection.

4. Connect to the server with gnutls-cli, without client cert and client key:
    # gnutls-cli --priority=NORMAL -p9000 --x509cafile=/etc/pki/qemu/ca-cert.pem

Output:
    dhcp-8-165.nay.redhat.com
    Processed 1 CA certificate(s).
    Resolving 'dhcp-8-165.nay.redhat.com'...
    Connecting to '10.66.8.165:9000'...
    echo c
    *** Fatal error: The operation timed out
    *** Handshake has failed
    GnuTLS error: The operation timed out

5. Connect to the server with gnutls-cli, providing the CA cert, client cert and client key:
    # gnutls-cli --priority=NORMAL -p9000 --x509cafile=/etc/pki/qemu/ca-cert.pem dhcp-8-165.nay.redhat.com --x509certfile=/etc/pki/qemu/client-cert.pem --x509keyfile=/etc/pki/qemu/client-key.pem

Result:
After step 5, connection failed:
    Processed 1 CA certificate(s).
    Processed 1 client X.509 certificates...
    Resolving 'dhcp-8-165.nay.redhat.com'...
    Connecting to '10.66.8.165:9000'...
    *** Fatal error: The operation timed out
    *** Handshake has failed
    GnuTLS error: The operation timed out

Verified on qemu-kvm-rhev-2.12.0-2.el7.x86_64|kernel-3.10.0-889.el7.x86_64:

Steps same as above.

Result:
Step 4, The connection without client cert and client key is terminated immediately after established:
    # gnutls-cli --priority=NORMAL -p9000 --x509cafile=/etc/pki/qemu/ca-cert.pem
    - Status: The certificate is trusted.
    (...)
    - Handshake was completed
    - Simple Client Mode:
    *** Fatal error: The TLS connection was non-properly terminated.
    *** Server has terminated the connection abnormally.

Step 5, by providing proper cert and key, the connection is established successfully after the handshake fail:
    # gnutls-cli --priority=NORMAL -p9000 --x509cafile=/etc/pki/qemu/ca-cert.pem dhcp-8-165.nay.redhat.com --x509certfile=/etc/pki/qemu/client-cert.pem --x509keyfile=/etc/pki/qemu/client-key.pem

Output:
    - Options: safe renegotiation,
    - Handshake was completed
    - Simple Client Mode:
    Red Hat Enterprise Linux Server 7.5 (Maipo)
    Kernel 3.10.0-862.el7.x86_64 on an x86_64
    dhcp-9-48 login:

Successfully login to the guest and it works well.

Hi Daniel,
Would you help confirm if it is sufficient to verify the bz per the test result in comment 6?
Thanks,
Qianqian

*** Bug 1466597 has been marked as a duplicate of this bug. ***

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3443
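
The failure mode named in the commit title ("don't skip client cleanup if 'connected' flag is unset") can be shown with a small state model that replays steps 2 to 5 of the report. This is an added example, not QEMU source and not code from the report; every name in it is hypothetical, and it assumes the 'connected' flag is only set once the TLS handshake has succeeded.

```c
/* Simplified model of a single-client TLS chardev server; not QEMU source, all names hypothetical. */
#include <stdbool.h>
#include <stdio.h>

struct chardev_srv {
    bool listening;                   /* listener will accept a new client */
    bool connected;                   /* assumed: set only after the TLS handshake succeeds */
    bool skip_cleanup_if_unconnected; /* true models the behaviour before the fix */
};

/* Drop the current client and go back to listening. */
static void srv_disconnect(struct chardev_srv *s) {
    if (s->skip_cleanup_if_unconnected && !s->connected)
        return;                       /* cleanup skipped: the server never re-listens */
    s->connected = false;
    s->listening = true;
}

/* One client attempt; returns true if the client ends up with a session. */
static bool srv_client_attempt(struct chardev_srv *s, bool has_valid_cert) {
    if (!s->listening)
        return false;                 /* the client only sees a handshake timeout */
    s->listening = false;             /* single-client server: stop accepting */
    if (!has_valid_cert) {            /* verify-peer=yes rejects the client */
        srv_disconnect(s);            /* 'connected' is still unset at this point */
        return false;
    }
    s->connected = true;
    return true;
}

/* Replays steps 2-5 of the report; returns whether step 5 gets a session. */
static bool replay_report(bool before_fix) {
    struct chardev_srv s = { .listening = true, .connected = false,
                             .skip_cleanup_if_unconnected = before_fix };
    if (!srv_client_attempt(&s, true)) return false; /* step 2: valid client cert */
    srv_disconnect(&s);                              /* step 3: Ctrl+c */
    srv_client_attempt(&s, false);                   /* step 4: no client cert */
    return srv_client_attempt(&s, true);             /* step 5: valid client cert again */
}

int main(void) {
    printf("step 5 succeeds before fix: %d, after fix: %d\n",
           replay_report(true), replay_report(false));
    return 0;
}
```

The same sequence makes a useful regression check for any TLS listener that serves one client at a time: a failed handshake must leave the server ready for the next valid client.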