Bug 1821930 - Enable only TLSv1.2+ protocol for SPICE on EL7 hosts
Summary: Enable only TLSv1.2+ protocol for SPICE on EL7 hosts
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 4.3.8
Hardware: Unspecified
OS: Unspecified
Target Milestone: ovirt-4.4.0
Assignee: amashah
QA Contact: Petr Kubica
Depends On:
Blocks: 1842522
Reported: 2020-04-07 20:51 UTC by amashah
Modified: 2020-08-04 13:22 UTC (History)

Fixed In Version: ovirt-engine-4.4.0_beta4
Doc Type: Enhancement
Doc Text:
With this enhancement, RHEL 7-based hosts have SPICE encryption enabled during host deployment. Only TLSv1.2 and newer protocols are enabled. Available ciphers are limited as described in BZ1563271. RHEL 8-based hosts do not have SPICE encryption enabled. Instead, they rely on the defined RHEL crypto policies (similar to VDSM, BZ1179273).
Clone Of:
Clones: 1842522
Last Closed: 2020-08-04 13:22:22 UTC
oVirt Team: Infra
Target Upstream Version:


System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:3247 0 None None None 2020-08-04 13:22:43 UTC
oVirt gerrit 108295 0 master MERGED core: Allow only TLSv1.2+ for SPICE encryption 2020-08-05 09:27:44 UTC
oVirt gerrit 108371 0 master MERGED core: Configure SPICE encryption only for EL7 based hosts 2020-08-05 09:27:44 UTC

Description amashah 2020-04-07 20:51:51 UTC
Description of problem:

This relates to https://bugzilla.redhat.com/show_bug.cgi?id=1563271

In the BZ above, the request was to allow choosing TLS versions and TLS ciphers. An Ansible playbook was created to customize the ciphers; however, the playbook does not allow customizing the TLS version (protocol) [1]

This BZ is to add protocol configuration, as some institutions are calling for TLS 1.1 to be disabled, which is currently still enabled. This would allow customers to also configure the TLS protocol via the playbook.

Version-Release number of selected component (if applicable):

Actual results:
Set the TLS protocol via the 'ovirt-host-deploy-spice-encryption' role.

Expected results:
Unable to set TLS protocol

Additional info:

Comment 1 amashah 2020-04-07 21:09:35 UTC
Submitting patch for review https://gerrit.ovirt.org/#/c/108295/

Comment 2 Martin Perina 2020-04-14 09:22:42 UTC
This RFE is only for EL7 hosts, where we need to set ciphers and limit SSL/TLS version. On EL8 we will completely rely on current crypto policy.

Comment 3 Petr Kubica 2020-04-27 08:35:45 UTC
Verified in 4.4.0-0.33.master.el8ev

# openssl s_client -connect <host>:5902 -tls1_1
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 0 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
    Protocol  : TLSv1.1
    Cipher    : 0000
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1587976407
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)

Comment 7 amashah 2020-05-29 21:06:15 UTC
https://gerrit.ovirt.org/#/c/108295/ can be backported without any modification in RHV 4.3. This is where it was originally tested, with RHEL 7 hosts.

The playbook already exists on RHV-M 4.3 to set ciphers; this patch just adds the ability to specify TLS/SSL protocols as well (for RHEL 7, as RHEL 8 hosts do not need this).

RHEL 8 hosts can make use of the system-wide crypto policy and don't need to rely on spice.cnf to disable specific Protocols/Ciphers per application.

On RHV-M 4.3 the playbook is located here: /usr/share/ovirt-engine/playbooks/roles/ovirt-host-deploy-spice-encryption/

One could just add these two lines to the files:

# tail -n1 /usr/share/ovirt-engine/playbooks/roles/ovirt-host-deploy-spice-encryption/defaults/main.yml
host_deploy_spice_protocol: 'ALL,-SSLv2,-SSLv3,-TLSv1,-TLSv1.1'

# tail -n1 /usr/share/ovirt-engine/playbooks/roles/ovirt-host-deploy-spice-encryption/tasks/main.yml
      Protocol = {{ host_deploy_spice_protocol }}

The playbook writes these configurations to /etc/pki/tls/spice.cnf on hosts, which tells spice not to use these Protocols (again, only needed for RHEL 7 hosts).
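
The following script is an added example for this page; it is not part of the ovirt-host-deploy-spice-encryption role, the gerrit patches above, or ovirt-engine. It serves both Comment 3 (verifying a host per protocol version with openssl s_client) and Comment 7 (the Protocol line written to /etc/pki/tls/spice.cnf). The first part evaluates an OpenSSL SSL_CONF "Protocol" directive the way OpenSSL documents it (every version starts enabled, "-name" disables, "ALL" applies to all, later entries win), so you can see what a given host_deploy_spice_protocol value actually leaves on before deploying it. The second part probes a host's SPICE TLS port one version at a time and classifies the result from the "Cipher is (NONE)" summary line that Comment 3 shows for a refused handshake. Assumptions: the directive string ROLE_DEFAULT is copied from Comment 7, port 5902 is taken from Comment 3, the KNOWN_VERSIONS list and the classification of s_client output are the author's, and the probe needs network access plus an openssl binary built with the versions being tested.

```shell
#!/bin/sh
# Added example (not from the oVirt role or ovirt-engine): evaluate an OpenSSL
# SSL_CONF "Protocol" directive as written to /etc/pki/tls/spice.cnf on EL7
# hosts, and probe a SPICE TLS port per protocol version.

# Default directive from Comment 7 (host_deploy_spice_protocol).
ROLE_DEFAULT='ALL,-SSLv2,-SSLv3,-TLSv1,-TLSv1.1'

# Version names the SSL_CONF "Protocol" command understands. SSLv2 is listed
# only because the role default mentions it; modern OpenSSL does not build it.
KNOWN_VERSIONS="SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"

# protocol_enabled DIRECTIVE VERSION
# Exit 0 if VERSION ends up enabled under DIRECTIVE, 1 otherwise.
# OpenSSL semantics: every version starts enabled; "-name" disables one,
# "name" or "+name" enables one, "ALL" applies to every version; later
# entries override earlier ones.
protocol_enabled() {
  directive=$1
  want=$2
  state=1
  old_ifs=$IFS
  IFS=', '
  for tok in $directive; do
    case $tok in
      -*) name=${tok#-}; action=0 ;;
      +*) name=${tok#+}; action=1 ;;
      *)  name=$tok;     action=1 ;;
    esac
    if [ "$name" = "ALL" ] || [ "$name" = "$want" ]; then
      state=$action
    fi
  done
  IFS=$old_ifs
  [ "$state" -eq 1 ]
}

# enabled_versions DIRECTIVE
# Print, space separated on one line, the known versions left enabled.
enabled_versions() {
  out=""
  for v in $KNOWN_VERSIONS; do
    if protocol_enabled "$1" "$v"; then
      out="$out${out:+ }$v"
    fi
  done
  printf '%s\n' "$out"
}

# tls_probe HOST PORT
# One openssl s_client handshake per version against a SPICE TLS port.
# A refused version shows "Cipher is (NONE)" in the summary (as in Comment 3);
# an accepted one shows a real cipher. No summary at all usually means the
# local openssl lacks that version (-ssl3/-tls1_3 are often compiled out) or
# the TCP connect failed, so that case is reported separately, not as "rejected".
tls_probe() {
  host=$1
  port=$2
  for flag in -ssl3 -tls1 -tls1_1 -tls1_2 -tls1_3; do
    out=$(openssl s_client -connect "$host:$port" "$flag" </dev/null 2>&1)
    if printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
      echo "$flag rejected"
    elif printf '%s\n' "$out" | grep -q 'Cipher is '; then
      echo "$flag accepted"
    else
      echo "$flag no handshake summary (unsupported option or connect error)"
    fi
  done
}

# Stand-alone usage: sh spice_tls_check.sh HOST [PORT]
# Without arguments it only reports what the role default leaves enabled.
if [ "$#" -ge 1 ]; then
  tls_probe "$1" "${2:-5902}"
else
  echo "Role default leaves enabled: $(enabled_versions "$ROLE_DEFAULT")"
fi
```

One caveat worth checking before customizing host_deploy_spice_protocol: because every version starts enabled, a directive of just "TLSv1.2" restricts nothing, and "ALL" placed after a "-TLSv1.1" re-enables it. Either subtract from ALL, as the role default does, or use "-ALL,+TLSv1.2" style. After deployment, run the probe against each host on its SPICE TLS port and expect "-tls1" and "-tls1_1" rejected and "-tls1_2" accepted.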

Comment 9 Martin Perina 2020-06-01 13:24:17 UTC
This bug covers allowing the SPICE TLSv1.2 protocol setting for EL7 and EL8 hosts only from RHV Manager 4.4. So I've cloned this bug into BZ1842522 to also enable setting TLSv1.2 for EL7 hosts from RHV Manager 4.3.

Comment 15 errata-xmlrpc 2020-08-04 13:22:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: RHV Manager (ovirt-engine) 4.4 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

