Bug 1582527 - Enable only strong ciphers from engine to VDSM communication for hosts in cluster level >= 4.2
Summary: Enable only strong ciphers from engine to VDSM communication for hosts in clu...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: Host-Deploy
Version: 4.2.0
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Target Milestone: ovirt-4.2.4
: ---
Assignee: Martin Perina
QA Contact: Jiri Belka
URL:
Whiteboard:
Depends On: 1584669
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-05-25 13:42 UTC by Martin Perina
Modified: 2018-06-26 08:35 UTC (History)
3 users (show)

Fixed In Version: ovirt-engine-4.2.4.2
Doc Type: Release Note
Doc Text:
This change enables only string ciphers for communication between engine and hosts for clusters with cluster level >= 4.2. Following steps need to performed to apply the change: 1. Newly added hosts - The change is applied automatically when host is added to engine to clusters with cluster level >= 4.2 - When adding new host to cluster with cluster level 3.6, 4.0 or 4.1 the change is not applied and hosts support all ciphers enabled by underlying libraries 2. Existing hosts - to apply the change to existing hosts in cluster level 4.2 please follow steps described in [How to apply change] section 3. Moving hosts between clusters - when host is moved to 4.2 cluster the change is not applied automatically. To apply please follow steps described in [How to apply change] section How to apply change To enable only strong ciphers for a host in cluster with cluster levels >= 4.2 following steps need to be applied: 1. Move host to Maintenance using option Maintenance in Management menu inside Hosts view 2. Reinstall the host using option Reinstall in Installation menu inside Hosts view 3. Activate the host after successful reinstallation using Activate option in Management menu inside Hosts view
Clone Of:
Environment:
Last Closed: 2018-06-26 08:35:29 UTC
oVirt Team: Infra
rule-engine: ovirt-4.2+

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
oVirt gerrit 91474 0 'None' MERGED ssl: configurable ciphers 2021-01-25 17:12:57 UTC
oVirt gerrit 91627 0 'None' MERGED ssl: configurable ciphers 2021-01-25 17:12:57 UTC
oVirt gerrit 91630 0 'None' MERGED core: Enable only strong ciphers for 4.2 hosts 2021-01-25 17:12:57 UTC
oVirt gerrit 91638 0 'None' MERGED core: Enable only strong ciphers for 4.2 hosts 2021-01-25 17:12:57 UTC
oVirt gerrit 91741 0 'None' MERGED revert: core: Enable only strong ciphers for 4.2 hosts 2021-01-25 17:13:39 UTC
oVirt gerrit 91744 0 'None' MERGED revert: core: Enable only strong ciphers for 4.2 hosts 2021-01-25 17:12:57 UTC
oVirt gerrit 91844 0 'None' MERGED core: Enable only strong ciphers for 4.2 hosts 2021-01-25 17:12:58 UTC
oVirt gerrit 91975 0 'None' MERGED core: Enable only strong ciphers for 4.2 hosts 2021-01-25 17:12:58 UTC

Description Martin Perina 2018-05-25 13:42:57 UTC 
When adding or reinstalling host to a cluster >= 4.2, set

  ssl_ciphers=HIGH

in vdsm to enable only strong encryption ciphers for engine to VDSM communication.
Comment 1 Jiri Belka 2018-06-11 14:29:00 UTC 
ok, vdsm-4.20.30-1.el7ev.x86_64

ovirt-engine-4.2.4.2-0.1.el7_3.noarch
ovirt-host-deploy-1.7.4-1.el7ev.noarch

install, host-deploy:

under 4.2/4.1 cluster:

# cat /etc/vdsm/vdsm.conf
[vars]
ssl_excludes = OP_NO_TLSv1,OP_NO_TLSv1_1
ssl = true
ssl_ciphers = HIGH

[addresses]
management_port = 54321
Comment 2 Sandro Bonazzola 2018-06-26 08:35:29 UTC 
This bugzilla is included in oVirt 4.2.4 release, published on June 26th 2018.

Since the problem described in this bug report should be
resolved in oVirt 4.2.4 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.
Note You need to log in before you can comment on or make changes to this bug.