Bug 1563271 - [RFE][engine] Need to add entries to allow customers to set TLS version and TLS-ciphers for Spice VMs.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 4.2.0
Hardware: Unspecified
OS: Unspecified
high
urgent
Target Milestone: ovirt-4.3.0
Assignee: Tomasz Barański
QA Contact: Liran Rotenberg
URL:
Whiteboard:
Depends On: 1562032 1562212 1562213 1563499 1563585
Blocks: 1520566
 
Reported: 2018-04-03 13:35 UTC by Frank DeLorey
Modified: 2019-05-08 12:37 UTC (History)
9 users

Fixed In Version:
Doc Type: Enhancement
Doc Text:
An Ansible role, `ovirt-host-deploy-spice-encryption`, has been added to change the cipher string for SPICE consoles. The default cipher string satisfies FIPS requirements ('TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL'). The role can be customized with the Ansible variable `host_deploy_spice_cipher_string`.
Clone Of:
Environment:
Last Closed: 2019-05-08 12:37:22 UTC
oVirt Team: Virt
Target Upstream Version:
Embargoed:
mavital: testing_plan_complete-




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2019:1085 0 None None None 2019-05-08 12:37:42 UTC
oVirt gerrit 93998 0 None MERGED ansible: Add role to setup SPICE encryption. 2020-12-31 09:21:30 UTC

Description Frank DeLorey 2018-04-03 13:35:07 UTC
Description of problem:

Currently there is no way for customers to select/de-select which TLS versions and TLS-ciphers they wish to allow or disallow.


Version-Release number of selected component (if applicable):

RHV 4.2.X


Additional info:

This is related to work being done in the following BZs:

https://bugzilla.redhat.com/show_bug.cgi?id=1562212

https://bugzilla.redhat.com/show_bug.cgi?id=1562213

https://bugzilla.redhat.com/show_bug.cgi?id=1562214

Comment 7 Michal Skrivanek 2018-05-11 08:32:32 UTC
May or may not require a host redeploy - pending design decision on libvirt side.
Since this setting makes sense as a system-wide policy, it's likely going to be a vdc_option

Comment 9 Yaniv Lavi 2018-07-16 11:40:51 UTC
Should this be on a z stream milestone?
If not, can you remove the flag?

Comment 10 Michal Skrivanek 2018-08-08 11:41:20 UTC
removing zstream request after review with mgoldboi

Comment 12 Michal Skrivanek 2018-08-28 09:35:12 UTC
we plan to make "secure" the default, and supply an ansible role to push other (weak) config if required for b/w compatibility e.g. with ancient Windows

Comment 13 Michal Skrivanek 2018-10-03 11:32:35 UTC
we also provide an ansible role to customize the ciphers list

Comment 14 Liran Rotenberg 2018-11-04 08:05:32 UTC
Verified on:
ovirt-engine-4.3.0-0.0.master.20181026202125.git65125e2.el7.noarch

Steps:
1. Create a yaml file in /usr/share/ovirt-engine/playbooks.
- name: oVirt - setup weaker SPICE encryption for old clients
  hosts: <HOST>
  vars:
    host_deploy_spice_cipher_string: 'DEFAULT:-RC4:-3DES:-DES'
  roles:
    - ovirt-host-deploy-spice-encryption

2. Set the host and ssh-key to use in /etc/ansible/hosts
[change_tls]
<HOST> ansible_ssh_private_key_file=<PATH_TO_SSH_KEY>

3. On the host, see the current (default) TLS configuration in /etc/pki/tls/spice.cnf
CipherString = kECDHE+FIPS:kDHE+FIPS:kRSA+FIPS:!eNULL:!aNULL

4. Run in the engine:
# ansible-playbook -l <HOST> <YAML_PATH>

5. Check the TLS configuration on the host again:
# less /etc/pki/tls/spice.cnf
CipherString = DEFAULT:-RC4:-3DES:-DES

And there is a backup file of the old cipher string - spice.cnf.<DATE>.
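
The verification steps above compare the CipherString line by eye. The following Python script is an added example, not part of oVirt, the ansible role, or this bug report: it parses the CipherString line out of spice.cnf text and reports whether the string is one of the FIPS defaults quoted on this page (Doc Text and Comment 14), whether every cipher-adding component is FIPS-qualified, and which legacy keywords (RC4, 3DES, DES, eNULL, aNULL) remain enabled under a simplified, deliberately conservative model of OpenSSL cipher-string operators. The sample file contents are constructed from the values in Comment 14; the function names and the operator model are this example's own assumptions.

```python
"""Audit the SPICE TLS cipher string in /etc/pki/tls/spice.cnf.
Added example (not oVirt code); operator model is simplified and conservative."""
import re

# Constructed sample spice.cnf contents: the hardened default seen in step 3
# of Comment 14 and the weakened string pushed by the playbook in step 1.
SAMPLE_DEFAULT_CNF = "CipherString = kECDHE+FIPS:kDHE+FIPS:kRSA+FIPS:!eNULL:!aNULL\n"
SAMPLE_WEAKENED_CNF = "# weakened for old clients\nCipherString = DEFAULT:-RC4:-3DES:-DES\n"

# Cipher strings this bug page presents as the FIPS-satisfying defaults.
FIPS_DEFAULT_STRINGS = {
    "TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL",
    "kECDHE+FIPS:kDHE+FIPS:kRSA+FIPS:!eNULL:!aNULL",
}

# Legacy OpenSSL cipher keywords an auditor wants to see excluded.
LEGACY_KEYWORDS = ("RC4", "3DES", "DES", "eNULL", "aNULL")
# Base keywords that enable a broad, unfiltered cipher set.
BROAD_BASES = ("DEFAULT", "ALL")


def parse_cipher_string(cnf_text):
    """Return the CipherString value from spice.cnf text, or None if absent."""
    for line in cnf_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"CipherString\s*=\s*(\S+)\s*$", line)
        if m:
            return m.group(1)
    return None


def audit_cipher_string(cipher_string):
    """Walk an OpenSSL cipher string left to right.  Model (assumption):
    '!' kills a keyword for good, '-' removes it (it may be re-added later),
    '+' only reorders, '@' is a modifier, a bare keyword adds.  DEFAULT is
    treated as adding every legacy keyword except eNULL/aNULL, ALL as
    everything except eNULL.  Newer OpenSSL releases drop more from DEFAULT,
    so this over-reports rather than under-reports."""
    enabled, killed = set(), set()
    broad_base = False
    fips_restricted = True  # every adding component carries +FIPS
    for comp in (c for c in cipher_string.split(":") if c):
        if comp.startswith("!"):
            killed.add(comp[1:])
            enabled.discard(comp[1:])
            continue
        if comp.startswith("-"):
            enabled.discard(comp[1:])
            continue
        if comp.startswith(("+", "@")):
            continue
        parts = comp.split("+")
        if "FIPS" not in parts:
            fips_restricted = False
        if comp in BROAD_BASES:
            broad_base = True
            excluded = {"eNULL", "aNULL"} if comp == "DEFAULT" else {"eNULL"}
            enabled |= {k for k in LEGACY_KEYWORDS
                        if k not in excluded and k not in killed}
        for part in parts:
            if part in LEGACY_KEYWORDS and part not in killed:
                enabled.add(part)
    return {
        "cipher_string": cipher_string,
        "fips_default": cipher_string in FIPS_DEFAULT_STRINGS,
        "fips_restricted": fips_restricted,
        "broad_base": broad_base,
        "legacy_enabled": sorted(enabled),
        "missing": False,
    }


def audit_cnf(cnf_text):
    """Audit whole spice.cnf text; a missing CipherString is itself a finding."""
    cs = parse_cipher_string(cnf_text)
    if cs is None:
        return {"cipher_string": None, "fips_default": False,
                "fips_restricted": False, "broad_base": False,
                "legacy_enabled": [], "missing": True}
    return audit_cipher_string(cs)


if __name__ == "__main__":
    for name, cnf in (("default", SAMPLE_DEFAULT_CNF),
                      ("weakened", SAMPLE_WEAKENED_CNF)):
        print(name, audit_cnf(cnf))
```

Run against a copied spice.cnf from each host (for example after the playbook in step 1 has been applied), a "fips_restricted": False or a non-empty "legacy_enabled" list tells you the host is on a weakened string and should appear in the inventory of hosts that were intentionally relaxed for old clients.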

Comment 16 errata-xmlrpc 2019-05-08 12:37:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:1085

