Bug 1562212 - [RFE][libvirt] Need to add command line argument for TLS version selection.
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libvirt
Version: 7.6
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Assignee: Ján Tomko
QA Contact: Fangge Jin
URL:
Whiteboard:
Depends On: 1563585
Blocks: 1477664 1558125 1563271 1563496
Reported: 2018-03-29 19:16 UTC by Frank DeLorey
Modified: 2018-06-26 14:02 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-06-26 14:02:29 UTC
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Bugzilla | 1562032 | 0 | high | CLOSED | [libvirt]Introduce a new option for specifying cipher string for TLS in spice | 2021-02-22 00:41:40 UTC

Internal Links: 1562032

Description Frank DeLorey 2018-03-29 19:16:00 UTC
Description of problem:

Currently spice cannot set which TLS versions it supports via the command line as this option is not available in libvirt.


Version-Release number of selected component (if applicable):

RHEL 7.6

Actual results:

Currently customers cannot set which version of TLS they want to accept connections from.


Expected results:

Add the ability to allow customers to choose which TLS version they want.
Additional info:

Comment 3 Frank DeLorey 2018-03-29 19:22:26 UTC
Related to BZ 1562213

Comment 4 Martin Tessun 2018-04-04 08:48:44 UTC
This is not only about the TLS version, but also about the ciphers being used. Currently the SPICE ciphers can only be added as a qemu cmdline argument.

@Jarda: Do you need a separate BZ for this?

Comment 5 Daniel Berrangé 2018-04-04 08:53:34 UTC
There is already bug 1562032 for TLS ciphers.

This TLS version bug is actually more problematic though - the QEMU -spice arg has a tls-ciphers=XXX arg, but nothing for setting TLS versions. So I'm not seeing any way to support this request in libvirt right now.

Comment 6 Christophe Fergeau 2018-04-04 09:17:58 UTC
(In reply to Daniel Berrange from comment #5)
> This TLS version bug is actually more problematic though - the QEMU -spice
> arg has a tls-ciphers=XXX arg, but nothing for setting TLS versions. So I'm
> not seeing any way to support this request in libvirt right now.

Current plan is to add -spice tls-min-version to spice/qemu, once that is upstream, we can move forward with this bug.

Comment 7 Ademar Reis 2018-06-22 14:44:46 UTC
(In reply to Christophe Fergeau from comment #6)
> (In reply to Daniel Berrange from comment #5)
> > This TLS version bug is actually more problematic though - the QEMU -spice
> > arg has a tls-ciphers=XXX arg, but nothing for setting TLS versions. So I'm
> > not seeing any way to support this request in libvirt right now.
> 
> Current plan is to add -spice tls-min-version to spice/qemu, once that is
> upstream, we can move forward with this bug.

Quoting Gerd on bug 1563585 when he was quoting bug 1562213:

"""
In RHEL-land, we'll only get crypto policies in RHEL8, not in RHEL7. And customers want this now as indicated by several bugs ;) So rather than having downstream QEMU/libvirt/... patches, I decided to go with a simple patch to spice-server adding a simple spice.cnf file using openssl.cnf syntax. This file can be parsed using openssl api, and allows to configure ciphers and protocols. This should do the trick for rhel7.

So spice-server using a config file implies we don't have to do anything in qemu (and higher up the management stack).
"""

So I'm closing this BZ as NOTABUG, just as it was done in Bug 1563585. I'm also reviewing what needs to be done in RHEL8, I couldn't find the BZs yet.
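
Added example (not part of any comment in this bug, and not spice-server's code): a sketch of the config-file approach quoted in comment 7, where a file in openssl.cnf syntax restricts ciphers and protocols. It assumes a flat file using the OpenSSL SSL_CONF commands `CipherString` and `Protocol`; the sample contents and the function names are hypothetical, and Python's `ssl` module stands in for the OpenSSL API.

```python
import ssl

# Constructed sample in openssl.cnf "name = value" syntax (not from the bug).
SAMPLE_CNF = """\
CipherString = DEFAULT:!RC4:!3DES:!aNULL
Protocol = ALL, -SSLv3, -TLSv1, -TLSv1.1
"""

VERSIONS = {  # oldest to newest; dicts keep insertion order
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

def parse_cnf(text):
    """Read flat 'name = value' lines, ignoring blanks and # comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, sep, value = line.partition("=")
            if not sep:
                raise ValueError(f"not a name = value line: {raw!r}")
            settings[name.strip()] = value.strip()
    return settings

def enabled_protocols(spec):
    """Apply a Protocol list left to right: ALL/NAME enables, -NAME disables."""
    enabled = set()
    for token in filter(None, (t.strip() for t in spec.split(","))):
        name = token.lstrip("+-")
        if name != "ALL" and name not in VERSIONS:
            raise ValueError(f"unknown protocol {name!r}")
        targets = VERSIONS if name == "ALL" else [name]
        if token.startswith("-"):
            enabled.difference_update(targets)
        else:
            enabled.update(targets)
    return [v for v in VERSIONS if v in enabled]

def build_context(text):
    """Build a server context restricted by the file (version floor only)."""
    cfg = parse_cnf(text)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if "Protocol" in cfg:
        allowed = enabled_protocols(cfg["Protocol"])
        if not allowed:
            raise ValueError("Protocol leaves no version enabled")
        ctx.minimum_version = VERSIONS[allowed[0]]  # oldest version still enabled
    if "CipherString" in cfg:
        ctx.set_ciphers(cfg["CipherString"])
    return ctx
```

Because the floor is the oldest version left enabled, a list that disables only a middle version (a gap) is not represented by this sketch.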

Comment 8 Ademar Reis 2018-06-26 14:02:29 UTC
(In reply to Ademar Reis from comment #7)
> So I'm closing this BZ as NOTABUG, just as it was done in Bug 1563585. I'm
> also reviewing what needs to be done in RHEL8, I couldn't find the BZs yet.

For real this time. :-)

