Bug 1577594 - [Tracker] use tls ciphers=HIGH
Summary: [Tracker] use tls ciphers=HIGH
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-release
Classification: oVirt
Component: General
Version: ---
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: ovirt-4.2.4-1
Target Release: ---
Assignee: Martin Perina
QA Contact: Pavol Brilla
URL:
Whiteboard:
Depends On: 1577593 1578412 1584545 1585022
Blocks:
Reported: 2018-05-13 11:27 UTC by Dan Kenigsberg
Modified: 2018-12-14 18:19 UTC
CC List: 12 users

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Feature: let user configure vdsm's ssl_ciphers
Reason: By default, vdsm uses Python's default ciphers. Some users need to use a stricter or a looser set of ciphers.
Result: administrator can drop a vdsm config file with [vars]ssl_ciphers=SOMETHING where acceptable SOMETHING is defined by ciphers(1)
Clone Of:
Clones: 1578412
Environment:
Last Closed: 2018-07-05 10:49:29 UTC
oVirt Team: Infra
rule-engine: ovirt-4.2+
ykaul: blocker+




Links:
Red Hat Knowledge Base (Solution) 3757311 (last updated 2018-12-14 18:19:36 UTC)

Description Dan Kenigsberg 2018-05-13 11:27:51 UTC
Vdsm should not accept connections that use non-strong ciphers. No client besides Engine or another Vdsm should contact Vdsm, and these two support HIGH ciphers.

Comment 1 Martin Tessun 2018-05-16 07:26:52 UTC
Hi Dan,

I'm not sure SPICE display connections are going through vdsm (I personally doubt it), but for SPICE we probably need configurable ciphers.

Current idea is to add the cipher string to the qemu process (-spice tls-ciphers ...) which should become a libvirt configurable as well.

Same will be true for the protocols (still in work upstream).
Default should be TLS v1.2 and only HIGH ciphers with the option to configure this in engine via some engine-config parameter.

This is mainly needed as there are still (thin) clients out there, only supporting older/outdated ciphers. So as we do not want to provide weak ciphers by default, we need an option to enable them if needed (just for SPICE connections)

Thanks!
Martin

Comment 2 Frank DeLorey 2018-05-19 10:25:40 UTC
We now have multiple customers complaining that vdsm port 54321 is failing their security sweeps and allowing RC4 and 3DES ciphers. I will attach both cases to this BZ. We need to make this fix a priority as these customers have very short compliance windows.

Comment 3 Yaniv Kaul 2018-05-21 14:02:46 UTC
Dan, what about Apache on the Engine? I assume it's just a configuration change?

Comment 5 Marina Kalinin 2018-05-22 13:16:31 UTC
(In reply to Yaniv Kaul from comment #3)
> Dan, what about Apache on the Engine? I assume it's just a configuration
> change?

Seems like:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/configuring-tls

Comment 6 Yaniv Kaul 2018-05-23 10:44:44 UTC
(In reply to Marina from comment #5)
> (In reply to Yaniv Kaul from comment #3)
> > Dan, what about Apache on the Engine? I assume it's just a configuration
> > change?
> 
> Seems like:
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/configuring-tls

We know what to do, but we probably need to:
1. Test with it.
2. On new installations, use it as default.

Comment 8 Dan Kenigsberg 2018-05-29 08:39:10 UTC
(In reply to Yaniv Kaul from comment #3)
> Dan, what about Apache on the Engine? I assume it's just a configuration
> change?

I don't really know. Let us ask Piotr.

Comment 9 Piotr Kliczewski 2018-05-29 09:04:45 UTC
It looks like it is a config change [1]. We need to make sure that it works correctly.

[1] https://httpd.apache.org/docs/trunk/ssl/ssl_howto.html

Comment 10 Martin Perina 2018-05-29 11:53:10 UTC
(In reply to Piotr Kliczewski from comment #9)
> It looks like it is a config change [1]. We need to make sure that it works
> correctly.
> 
> [1] https://httpd.apache.org/docs/trunk/ssl/ssl_howto.html

Just please be aware that Apache's ssl.conf is overwritten on each engine-setup invocation, because we already adapt it as a part of engine installation/upgrade.

According to [2] we should be able to set "SSLCipherSuite HIGH", but we should open a bug to do that within engine-setup (Sandro CCed on the bug). So do we want to have that performed automatically by engine-setup?


[2] https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite
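The Doc Text above says the accepted value for vdsm's [vars]ssl_ciphers is any ciphers(1) string, and comment 10 proposes "SSLCipherSuite HIGH" for Apache; comment 2 names the suites the sweeps flagged (RC4, 3DES). What an administrator wants to know before dropping such a string into either config is what the local OpenSSL actually expands it to. The following is an added illustration, not code from this bug, from vdsm or from oVirt: it uses Python's ssl module to expand a candidate string, lists any suite from the flagged families that survives, and refuses to render the vdsm drop-in when the string is either too loose or selects nothing at all (a string that matches no suite makes OpenSSL reject the configuration, so the daemon would fail every TLS 1.2 handshake rather than merely dropping the weak ones). It assumes OpenSSL 1.1.0 or newer, where 3DES is no longer part of HIGH; the WEAK_MARKERS list and the drop-in rendering are constructed here, and the page does not say where under /etc/vdsm the drop-in file lives.

```python
import ssl

# Cipher-name fragments marking the families flagged in this bug (RC4 and 3DES
# on port 54321) plus the classic export/NULL/MD5 leftovers. Constructed list,
# not from vdsm. "DES" matches both DES-CBC-SHA and the 3DES names (DES-CBC3-SHA).
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5")


def expand_cipher_string(cipher_string):
    """Expand a ciphers(1) string into the TLS 1.2-and-older suite names the
    local OpenSSL would offer for it. Returns [] when the string selects no
    suite at all: OpenSSL refuses such a string, so a server configured with
    it could not complete any TLS 1.2 handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    # TLS 1.3 suites are fixed by OpenSSL and are not governed by this string,
    # so they are left out of the audit.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def weak_ciphers(cipher_string):
    """Suites from the expansion that a compliance sweep would still flag."""
    return [name for name in expand_cipher_string(cipher_string)
            if any(marker in name for marker in WEAK_MARKERS)]


def is_acceptable(cipher_string):
    """True only if the string selects at least one suite and none is weak."""
    selected = expand_cipher_string(cipher_string)
    return bool(selected) and not weak_ciphers(cipher_string)


def vdsm_dropin(cipher_string):
    """Render the [vars]ssl_ciphers drop-in described in the Doc Text, but only
    for a string that passes the audit. The file name/location is not stated
    in the bug, so this returns the text rather than writing it anywhere."""
    if not is_acceptable(cipher_string):
        raise ValueError(
            "refusing to render: %r selects weak suites or no suites" % cipher_string)
    return "[vars]\nssl_ciphers = %s\n" % cipher_string


if __name__ == "__main__":
    # Compare the proposed HIGH against looser strings on this host's OpenSSL.
    for candidate in ("HIGH", "DEFAULT", "ALL", "RC4:3DES"):
        print("%-10s selects %3d suites, weak: %s" % (
            candidate, len(expand_cipher_string(candidate)), weak_ciphers(candidate)))
    print(vdsm_dropin("HIGH"))
```

Running it on the engine or host before changing the config shows exactly which suites a string admits there, which is what the sweeps in comment 2 measure. The markers cover only the families this bug is about; HIGH on its own still admits anonymous (ADH/AECDH) suites, so an auditor who also wants those flagged can add "ADH" and "AECDH" to WEAK_MARKERS, or use a string such as HIGH:!aNULL, and re-run the audit.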

Comment 13 Dan Kenigsberg 2018-06-18 07:33:24 UTC
Dependent 4.2.4 bugs are ON_QA, tracker can follow suit.

Comment 14 Pavol Brilla 2018-06-20 13:00:17 UTC
All dependent 4.2.4 bugs are verified

Comment 15 Sandro Bonazzola 2018-06-26 08:36:28 UTC
This bugzilla is included in oVirt 4.2.4 release, published on June 26th 2018.

Since the problem described in this bug report should be resolved in oVirt 4.2.4 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.

