Description of problem:

This relates to https://bugzilla.redhat.com/show_bug.cgi?id=1563271

In the BZ above, the request was for allowing to choose TLS versions and TLS ciphers. An ansible playbook was created to customize the ciphers; however, the playbook does not allow for customizing the TLS version (protocol) [1].

This BZ is to add the functionality of the protocol, as some institutions are calling for TLS 1.1 to be disabled, which currently is still enabled. This would allow customers to also configure the TLS protocol via the playbook.

Version-Release number of selected component (if applicable):
4.3.8

Actual results:
Set the TLS protocol via the 'ovirt-host-deploy-spice-encryption' role.

Expected results:
Unable to set TLS protocol

Additional info:
Submitting patch for review https://gerrit.ovirt.org/#/c/108295/
This RFE is only for EL7 hosts, where we need to set ciphers and limit SSL/TLS version. On EL8 we will completely rely on current crypto policy.
Verified in 4.4.0-0.33.master.el8ev

# openssl s_client -connect <host>:5902 -tls1_1
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1587976407
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
https://gerrit.ovirt.org/#/c/108295/ can be backported without any modification to RHV 4.3. This is where it was originally tested, with RHEL 7 hosts.

The playbook already exists on RHV-M 4.3 to set Ciphers; this patch just adds the ability to specify TLS/SSL Protocols also (for RHEL 7, as RHEL 8 hosts do not need this). RHEL 8 hosts can make use of the system-wide crypto policy and don't need to rely on spice.cnf to disable specific Protocols/Ciphers per application.

On RHV-M 4.3 the playbook is located here:
/usr/share/ovirt-engine/playbooks/roles/ovirt-host-deploy-spice-encryption/

One could just add these two lines to the files:

# tail -n1 /usr/share/ovirt-engine/playbooks/roles/ovirt-host-deploy-spice-encryption/defaults/main.yml
host_deploy_spice_protocol: 'ALL,-SSLv2,-SSLv3,-TLSv1,-TLSv1.1'

# tail -n1 /usr/share/ovirt-engine/playbooks/roles/ovirt-host-deploy-spice-encryption/tasks/main.yml
Protocol = {{ host_deploy_spice_protocol }}

The playbook writes these configurations to /etc/pki/tls/spice.cnf on hosts, which tells spice not to use these Protocols (again, only needed for RHEL 7 hosts).
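Added example (not from this bug, the gerrit patch or the oVirt playbook): a small Python model of how OpenSSL interprets the Protocol list that the playbook writes into spice.cnf, following the SSL_CONF_cmd(3) description of the Protocol command: entries are comma separated and applied left to right, ALL names every version the library supports, a '-' prefix disables a version, and '+' or no prefix enables one (all versions start enabled, so a bare 'TLSv1.2' restricts nothing). The default value and the version names are taken from the comment above; the two "supported" tuples are assumptions about what an EL7 (OpenSSL 1.0.2) build and a newer OpenSSL 1.1.1 build can negotiate, and the helper names are mine.

```python
"""Model the OpenSSL 'Protocol' directive as written to /etc/pki/tls/spice.cnf.

Added example for this bug; it is not code from oVirt or RHV. Semantics follow
SSL_CONF_cmd(3): a comma-separated list, 'ALL' = every supported version,
'-' prefix disables, '+' or no prefix enables, entries apply left to right,
and every version is enabled before the list is processed.
"""

# Every name the Protocol command accepts (unsupported ones are accepted as no-ops).
KNOWN_VERSIONS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")

# Assumed negotiable sets: EL7 ships OpenSSL 1.0.2 (no TLSv1.3); 1.1.1 dropped SSLv2.
OPENSSL_102_VERSIONS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
OPENSSL_111_VERSIONS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")

# Versions the bug wants switched off (TLS 1.1 and everything older).
LEGACY_VERSIONS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")

# The role default proposed in the comment above.
DEFAULT_SPICE_PROTOCOL = "ALL,-SSLv2,-SSLv3,-TLSv1,-TLSv1.1"


def enabled_protocols(value, supported=OPENSSL_102_VERSIONS):
    """Return the set of negotiable versions left enabled by a Protocol value.

    Raises ValueError on a token OpenSSL would reject as an unknown protocol.
    """
    enabled = set(supported)  # OpenSSL starts with every version enabled
    for raw in value.split(","):
        token = raw.strip()
        if not token:
            continue
        if token[0] in "+-":
            disable, name = token[0] == "-", token[1:]
        else:
            disable, name = False, token
        if name == "ALL":
            targets = set(supported)
        elif name in KNOWN_VERSIONS:
            # A known but non-negotiable name (e.g. SSLv2 on 1.1.1) is a no-op.
            targets = {name} & set(supported)
        else:
            raise ValueError(f"unknown protocol token: {token!r}")
        enabled = enabled - targets if disable else enabled | targets
    return enabled


def legacy_still_enabled(value, supported=OPENSSL_102_VERSIONS):
    """Legacy versions a Protocol value leaves on; an empty list means TLS 1.2+ only."""
    return sorted(v for v in enabled_protocols(value, supported) if v in LEGACY_VERSIONS)


if __name__ == "__main__":
    # Constructed candidate values, including the common mistake of listing
    # only the version you want, which enables nothing new and disables nothing.
    for candidate in (DEFAULT_SPICE_PROTOCOL, "TLSv1.2", "ALL,-SSLv2,-SSLv3,-TLSv1"):
        left = legacy_still_enabled(candidate)
        verdict = "ok" if not left else "legacy still enabled: " + ", ".join(left)
        print(f"Protocol = {candidate:40s} -> {verdict}")
```

Run it against the value you intend to put in host_deploy_spice_protocol before pushing the role; the model only reproduces the OpenSSL list semantics, so confirm the result on a real host with openssl s_client -tls1_1 as in the verification comment above.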
This bug covers allowing the setting of the spice TLSv1.2 protocol for EL7 and EL8 hosts only from RHV Manager 4.4, so I've cloned this bug into BZ1842522 to also enable setting TLSv1.2 for EL7 hosts from RHV Manager 4.3.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: RHV Manager (ovirt-engine) 4.4 security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:3247