Bug 1661921
| Summary: | ovirt-provider-ovn TLS hardening (Default use of TLSv1.2 and HIGH ciphers only) | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Virtualization Manager | Reporter: | Sachin Raje <sraje> |
| Component: | ovirt-provider-ovn | Assignee: | Dominik Holler <dholler> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Michael Burman <mburman> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | | |
| Version: | 4.2.7 | CC: | danken, dholler, mburman, mduarted, mkalinin, mtessun, rbarry, sborella |
| Target Milestone: | ovirt-4.3.0 | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | ovirt-engine-4.3.0_rc2 | Doc Type: | Enhancement |
| Doc Text: | This release ensures that the Red Hat Virtualization internal OVN database connections and the OpenStack REST APIs use TLS 1.2 and HIGH ciphers only. Previously, the OVN internal connections were left configurable, and the default Red Hat Enterprise Linux 7 OpenSSL configuration allowed insecure protocols and ciphers. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-05-31 08:52:26 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | Network | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Verified upstream on ovirt-engine-4.3.0-0.6.master.20190109150110.gitafe5251.el7.noarch and ovirt-provider-ovn-1.2.18-0.20190109085249.git50f4be5.el7.noarch

QE verification bot: the bug was verified upstream
Description of problem:
By default, ovirt-provider-ovn (openvswitch) has weaker TLS protocols and ciphers enabled.

Version-Release number of selected component (if applicable):
RHV 4.2.7.5-0.1
ovirt-provider-ovn-1.2.13-1.el7ev.noarch
openvswitch-ovn-common-2.9.0-55.el7fdp.x86_64
novnc-0.5.1-2.el7.noarch
openvswitch-ovn-central-2.9.0-55.el7fdp.x86_64

Following are the requirements:
--------------------------
ovirt-provider-ovn should use the following:
- Accept only TLSv1.2
- Allow TLSv1.1 if needed for interoperability purposes
- Use only strong ciphers

Additional info:
The command output below shows that OVN can be connected to using TLSv1, TLSv1.1 and TLSv1.2. By default we should restrict it to use only the stronger protocol, i.e. TLSv1.2, and allow TLSv1.1 to be enabled if needed for legacy support. TLSv1 should be disabled permanently.

~~~
TLS v1
# openssl s_client -connect localhost:6642 -tls1 | grep -e Protocol -e Cipher
depth=1 C = US, O = xxxx.redhat.com, CN = rhvm.redhat.com.50341
verify error:num=19:self signed certificate in certificate chain
140316639537040:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1493:SSL alert number 40
140316639537040:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA

TLS v1.1
# openssl s_client -connect localhost:6642 -tls1_1 | grep -e Protocol -e Cipher
depth=1 C = US, O = xxxx.redhat.com, CN = rhvm.redhat.com.50341
verify error:num=19:self signed certificate in certificate chain
139677712512912:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1493:SSL alert number 40
139677712512912:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Protocol  : TLSv1.1
    Cipher    : DHE-RSA-AES256-SHA

TLS v1.2
# openssl s_client -connect localhost:6642 -tls1_2 | grep -e Protocol -e Cipher
depth=1 C = US, O = xxxx.redhat.com, CN = rhvm.redhat.com.50341
verify error:num=19:self signed certificate in certificate chain
140392053311376:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1493:SSL alert number 40
140392053311376:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
~~~

At present, we need to run the commands below to set strong ciphers and enable only the TLS 1.2 protocol for OVN, and the setting persists after an RHVM reboot.

~~~
# ovn-sbctl set-ssl /etc/pki/ovirt-engine/keys/ovn-sdb.key.nopass /etc/pki/ovirt-engine/certs/ovn-sdb.cer /etc/pki/ovirt-engine/ca.pem 'TLSv1.2' 'HIGH'
# ovn-nbctl set-ssl /etc/pki/ovirt-engine/keys/ovn-ndb.key.nopass /etc/pki/ovirt-engine/certs/ovn-ndb.cer /etc/pki/ovirt-engine/ca.pem 'TLSv1.2' 'HIGH'

# openssl s_client -connect localhost:6642 -tls1 | grep -e Protocol -e Cipher
139844354656144:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
New, (NONE), Cipher is (NONE)
    Protocol  : TLSv1
    Cipher    : 0000

# openssl s_client -connect localhost:6642 -tls1_1 | grep -e Protocol -e Cipher
140023069448080:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
New, (NONE), Cipher is (NONE)
    Protocol  : TLSv1.1
    Cipher    : 0000

# openssl s_client -connect localhost:6642 -tls1_2 | grep -e Protocol -e Cipher
depth=1 C = US, O = xxxx.redhat.com, CN = rhvm.redhat.com.50341
verify error:num=19:self signed certificate in certificate chain
140628353427344:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1493:SSL alert number 40
140628353427344:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
~~~
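The manual check in the report (one `openssl s_client` run per protocol version, then reading the `Cipher :` line) can be turned into a repeatable script that verifies the requested policy after the `ovn-nbctl`/`ovn-sbctl set-ssl` change, or after upgrading to a release that ships the hardening. The script below is an added example, not code from the bug report, from ovirt-provider-ovn or from OVN; the host/port arguments, the function names and the two embedded sample outputs (trimmed from the s_client output quoted above, so the parser can be exercised without a live server) are the example's own. A "refused" result is only meaningful if the client side is still willing to offer the old version: on newer OpenSSL builds the default security level may itself refuse TLSv1/TLSv1.1, in which case the probe says nothing about the server.

```shell
#!/bin/sh
# Added example: probe a TLS listener such as the OVN NB (6641) / SB (6642)
# database once per protocol version and check each result against the policy
# requested in this bug: TLSv1.2 accepted, TLSv1.1 and TLSv1 refused by default.

# tls_result: read openssl s_client output from stdin and print "accepted" if a
# real cipher suite was negotiated, "refused" otherwise. When the server rejects
# the offered version, s_client prints "New, (NONE), Cipher is (NONE)" and a
# "Cipher : 0000" line; on success the "Cipher :" line names the suite.
tls_result() {
    if grep -E '^[[:space:]]*Cipher[[:space:]]*:' |
       grep -vqE ':[[:space:]]*(0000|\(NONE\))[[:space:]]*$'; then
        echo accepted
    else
        echo refused
    fi
}

# policy_ok FLAG RESULT: succeed when the observed result for an s_client
# version flag (-tls1, -tls1_1, -tls1_2) matches the policy. TLSv1.2 must be
# accepted; anything older must be refused. Allowing TLSv1.1 "for
# interoperability" would be a deliberate operator exception added here.
policy_ok() {
    case "$1 $2" in
        "-tls1_2 accepted") return 0 ;;
        "-tls1_2 "*)        return 1 ;;
        *" refused")        return 0 ;;
        *)                  return 1 ;;
    esac
}

# tls_report HOST PORT: probe each version, print one line per version and
# return 1 if any result violates the policy. Needs network access to HOST.
tls_report() {
    host=$1; port=$2; status=0
    for flag in -tls1 -tls1_1 -tls1_2; do
        # stderr is merged: s_client writes the verify/handshake errors there
        result=$(openssl s_client -connect "$host:$port" "$flag" </dev/null 2>&1 | tls_result)
        if policy_ok "$flag" "$result"; then
            echo "$flag: $result (ok)"
        else
            echo "$flag: $result (VIOLATES POLICY)"; status=1
        fi
    done
    return $status
}

# Constructed samples (trimmed from the s_client output quoted in the report)
# so the parser can be exercised without a server.
SAMPLE_REFUSED='140023069448080:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
New, (NONE), Cipher is (NONE)
    Protocol  : TLSv1.1
    Cipher    : 0000'
SAMPLE_ACCEPTED='verify error:num=19:self signed certificate in certificate chain
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384'

# Live usage on the engine host (not run here):  tls_report localhost 6642
```

Run `tls_report localhost 6641` and `tls_report localhost 6642` on the Manager after applying the `set-ssl` commands from the report; both NB and SB databases must show `-tls1` and `-tls1_1` as refused and `-tls1_2` as accepted, and the non-zero exit status makes the check usable from a post-deployment test.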