Bug 1562032 - [libvirt]Introduce a new option for specifying cipher string for TLS in spice
Summary: [libvirt]Introduce a new option for specifying cipher string for TLS in spice
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libvirt
Version: 7.6
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Ján Tomko
QA Contact: Fangge Jin
URL:
Whiteboard:
Depends On:
Blocks: 1558125 1563271
Reported: 2018-03-29 12:11 UTC by Jaroslav Suchanek
Modified: 2018-11-02 16:00 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-06-26 14:48:19 UTC
Target Upstream Version:
Embargoed:


Attachments
qemu: Add support for specifying SPICE TLS ciphers (3.10 KB, patch) - 2018-04-03 13:31 UTC, Christophe Fergeau


Links
Red Hat Bugzilla 1029226 (priority: medium, status: CLOSED) - [RFE] Allow only strong ciphers for spice. (depends on platform crypto policy implementation) - last updated 2023-09-14 23:57:21 UTC
Red Hat Bugzilla 1562212 (priority: high, status: CLOSED) - [RFE][libvirt] Need to add command line argument for TLS version selection. - last updated 2021-02-22 00:41:40 UTC

Internal Links: 1029226 1562212

Description Jaroslav Suchanek 2018-03-29 12:11:31 UTC
Introduce a new option for specifying cipher string for TLS in spice.

SPICE uses the default cipher list from OpenSSL. When a client connects to the hypervisor using SPICE, a cipher is chosen from that list (the client sends the list of ciphers it supports, and the server picks one from that list). That default list contains some strong ciphers first, and then some medium-strength ones.

It has been seen many times that the client sends a medium-strength list to the SPICE server and the server chooses those medium-strength ciphers for SPICE. Unfortunately, libvirt does not provide any way to configure which ciphers are to be used by SPICE.

Many organizations nowadays are becoming strict about cipher strength. Security compliance restricts them to using strong ciphers for greater security, e.g. government organizations.

This bug should cover rhel-7. It is desired to use system wide crypto policy.

Comment 1 Christophe Fergeau 2018-03-29 12:35:22 UTC
Couple of comments from the SPICE side:
- this imo would be similar to tls_priority in libvirtd.conf, except that spice-server uses openssl, so this string is in the format expected by SSL_CTX_set_cipher_list(), which is what is described in 'man ciphers'
- the QEMU option is -spice tls-ciphers=xxx
- in RHEL8, this will indeed be configurable directly through crypto policies in /etc/crypto-policies/back-ends/openssl.config

They tried using <qemu:commandline> for that, but unfortunately this does not allow appending 'tls-ciphers' to an existing -spice entry; it only allows adding "-spice tls-ciphers=xxx" to the end of the command line. This extra -spice entry is ignored.

Comment 2 Frank DeLorey 2018-03-29 13:31:28 UTC
Would this be a good place to also request the ability to set the TLS versions allowed or should I open another RFE requesting this? We should be able to set both the TLS versions and the ciphers.

Thanks,

Frank

Comment 3 Dan Kenigsberg 2018-03-29 15:15:24 UTC
(In reply to Frank DeLorey from comment #2)
> Would this be a good place to also request the ability to set the TLS
> versions allowed or should I open another RFE requesting this? We should be
> able to set both the TLS versions and the ciphers.

I think that you need two new RFEs: one for spice and another for libvirt.

Comment 4 Christophe Fergeau 2018-04-03 13:31:25 UTC
Created attachment 1416750 [details]
qemu: Add support for specifying SPICE TLS ciphers

This patch addresses configuration of SPICE ciphers in qemu.conf. Not clear whether this should be sent upstream or not as this qemu.conf option will not be needed (and might even be unwanted) with RHEL8 crypto policies.

I'm also wondering whether this would be better (from an upstream point of view) addressed by an improved <qemu:commandline> which would be able to append options to the end of an existing -spice argument (or whatever top-level qemu command line option) instead of adding an additional one to the QEMU command line. No idea if this would be workable or not :)

Comment 5 Ján Tomko 2018-04-03 15:26:14 UTC
I've polished and sent the patch to the upstream list:
https://www.redhat.com/archives/libvir-list/2018-April/msg00142.html

Comment 6 Martin Tessun 2018-04-06 11:52:19 UTC
Hi Frank,

(In reply to Frank DeLorey from comment #2)
> Would this be a good place to also request the ability to set the TLS
> versions allowed or should I open another RFE requesting this? We should be
> able to set both the TLS versions and the ciphers.
> 

there is BZ 1562212 for this already.

Comment 8 Ademar Reis 2018-06-26 14:05:05 UTC
Given the most recent changes in spice and the decision to use a configuration file instead of a command line option, what's the plan for this BZ?

See https://bugzilla.redhat.com/show_bug.cgi?id=1562212#c7 for details.

Comment 9 Ján Tomko 2018-06-26 14:48:19 UTC
The configuration file can also be used to specify the ciphers as well as the TLS protocol versions, so there is no need for this option in libvirt.

Comment 10 Dan Kenigsberg 2018-11-02 13:37:56 UTC
Jan, I did not notice the closure of this bug. Would you point me to the config file you refer to? How should I configure spice to use HIGH-only ciphers?

Comment 11 Ján Tomko 2018-11-02 16:00:08 UTC
The sample spice.cnf file should be installed by spice in /usr/share/doc
and contain the necessary instructions. See:
https://bugzilla.redhat.com/show_bug.cgi?id=1562213#c3
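As an added check (not part of this bug, spice or libvirt), the following Python script expands an OpenSSL cipher string of the kind `SSL_CTX_set_cipher_list()` and `man ciphers` accept, using Python's own OpenSSL-backed ssl module, and reports whether any enabled suite falls below 128-bit strength or is anonymous or MD5-based. It lets an operator verify that a "HIGH-only" string really excludes the medium-strength suites discussed above before placing it in a spice or qemu TLS configuration; the string constants and the 128-bit threshold are constructed for this example.

```python
import ssl

# Constructed for this example: a candidate "HIGH-only" cipher string in
# OpenSSL 'man ciphers' syntax, and the minimum strength we want enforced.
HIGH_ONLY = "HIGH:!aNULL:!MD5"
MIN_STRENGTH_BITS = 128


def ciphers_for(spec):
    """Expand an OpenSSL cipher string into the TLS <= 1.2 suites it enables
    on this OpenSSL build, as (name, protocol, strength_bits) tuples.

    TLS 1.3 suites are reported by get_ciphers() but are not governed by the
    cipher-list string, so they are filtered out.  An empty result means the
    string selects nothing (e.g. a typo); depending on the OpenSSL version
    that is reported either as an SSLError or as an empty TLS 1.2 list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return []
    return [(c["name"], c["protocol"], c["strength_bits"])
            for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def weak_ciphers(spec, min_bits=MIN_STRENGTH_BITS):
    """Suites enabled by spec that a HIGH-only policy must not contain:
    below min_bits of strength, anonymous (ADH/AECDH) or MD5-based."""
    return [c for c in ciphers_for(spec)
            if c[2] < min_bits or "MD5" in c[0]
            or c[0].startswith(("ADH", "AECDH"))]


def is_high_only(spec):
    """True when spec enables at least one suite and none of them is weak."""
    enabled = ciphers_for(spec)
    return bool(enabled) and not weak_ciphers(spec)


if __name__ == "__main__":
    for spec in (HIGH_ONLY, "DEFAULT", "ALL"):
        suites = ciphers_for(spec)
        print(f"{spec!r}: {len(suites)} TLS<=1.2 suites, "
              f"high-only={is_high_only(spec)}, weak={weak_ciphers(spec)}")
```

The exact suite list depends on the OpenSSL build Python is linked against, which is the same caveat that applies to the spice-server host.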

