Bug 1585008 - Add option to configure cipher list available for encrypted connections
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: vdsm
Version: 4.2.0
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ovirt-4.3.0
Assignee: Piotr Kliczewski
QA Contact: Petr Matyáš
URL:
Whiteboard:
Depends On:
Blocks: 1585022 1640357 1641455
Reported: 2018-06-01 06:41 UTC by Martin Perina
Modified: 2020-05-28 13:27 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
The current release adds a new 'ssl_ciphers' option to VDSM, which enables you to configure available ciphers for encrypted connections (for example, between the Manager and VDSM, or between VDSM and VDSM). The values this option uses conform to the OpenSSL standard. For more information, see https://access.redhat.com/articles/4056301
Clone Of:
: 1585022 1641455 (view as bug list)
Environment:
Last Closed: 2019-05-08 12:36:02 UTC
oVirt Team: Infra
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:1077 0 None None None 2019-05-08 12:36:24 UTC
oVirt gerrit 91474 0 'None' MERGED ssl: configurable ciphers 2020-05-28 13:26:32 UTC
oVirt gerrit 91627 0 'None' MERGED ssl: configurable ciphers 2020-05-28 13:26:32 UTC

Description Martin Perina 2018-06-01 06:41:09 UTC
Description of problem:

Add ssl_ciphers option to be able to configure available ciphers for encrypted connections. Values of this option conform to OpenSSL standards: https://www.openssl.org/docs/man1.0.2/apps/ciphers.html

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 2 Petr Matyáš 2019-01-17 09:42:08 UTC
Verified on vdsm-4.30.4-1.el7ev.x86_64

Only ciphers with key lengths larger than 128 bits work now by default; this can be changed in vdsm.conf

Comment 3 Eli Marcus 2019-02-12 17:05:53 UTC
Copied approved Doc_text from cloned downstream - https://bugzilla.redhat.com/show_bug.cgi?id=1585022

"This release adds a new 'ssl_ciphers' option to VDSM, which allows you to configure available ciphers for encrypted connections (for example, the Manager to VDSM, or VDSM to VDSM). The values of this option conform to OpenSSL standard.
To set this option:

1. Move the host to Maintenance in the Manager.

2. Create a new /etc/vdsm/vdsm.conf.d/99-custom-ciphers.conf file with the following content:

[vars]
ssl_ciphers = <VALUE>

where <VALUE> is one of the values described in the CIPHER STRINGS section in https://www.openssl.org/docs/man1.0.2/apps/ciphers.html.

3. Restart VDSM.

4. Activate the host in the Manager."
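
A pre-deployment check for the procedure in Comment 3, added here as an example (it is not part of the bug report or of VDSM): it expands a candidate ssl_ciphers value with the host's own OpenSSL through Python's standard ssl module, rejects strings that select nothing, lists suites of 128 bits or fewer (the threshold mentioned in Comment 2), and renders the drop-in file from step 2. The function names, the 128-bit threshold parameter and the sample cipher strings are assumptions made for this example.

```python
import ssl

DROPIN_PATH = "/etc/vdsm/vdsm.conf.d/99-custom-ciphers.conf"  # path from step 2


def expand_cipher_string(value):
    """Expand an OpenSSL cipher string with the local OpenSSL build.

    Returns (configurable, tls13): the suites selected by the cipher string,
    and the TLS 1.3 suites, which OpenSSL manages outside the cipher list.
    Raises ValueError if the string is malformed or selects no suite.
    """
    if not value.strip() or any(ch in value for ch in "\r\n"):
        raise ValueError("cipher string must be a single non-empty line")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(value)
    except ssl.SSLError as exc:
        raise ValueError(f"OpenSSL rejected {value!r}: {exc}") from exc
    suites = ctx.get_ciphers()
    configurable = [c for c in suites if c["protocol"] != "TLSv1.3"]
    tls13 = [c for c in suites if c["protocol"] == "TLSv1.3"]
    return configurable, tls13


def weak_suites(value, max_weak_bits=128):
    """Names of selected suites whose strength is max_weak_bits or less."""
    configurable, _ = expand_cipher_string(value)
    return [c["name"] for c in configurable if c["strength_bits"] <= max_weak_bits]


def render_dropin(value):
    """Validate the value, then return the drop-in file content from step 2."""
    expand_cipher_string(value)
    return f"[vars]\nssl_ciphers = {value.strip()}\n"


if __name__ == "__main__":
    candidate = "HIGH:!aNULL"  # constructed sample value, not a VDSM default
    selected, _ = expand_cipher_string(candidate)
    for suite in selected:
        print(f"{suite['name']:<32} {suite['protocol']:<8} {suite['strength_bits']} bits")
    print("128-bit or weaker:", weak_suites(candidate) or "none")
    print(f"--- {DROPIN_PATH} ---")
    print(render_dropin(candidate), end="")
```

The expansion depends on the OpenSSL build that Python is linked against, so run the check on the host that will receive the drop-in file.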

Comment 5 errata-xmlrpc 2019-05-08 12:36:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:1077
