Bug 1829189 - engine-setup httpd ssl configuration conflicts with Red Hat Insights
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 4.3.9
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ovirt-4.4.1
Target Release: 4.4.1
Assignee: Eli Mesika
QA Contact: Petr Matyáš
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2020-04-29 07:50 UTC by Roman Hodain
Modified: 2020-08-04 13:23 UTC (History)

Fixed In Version: ovirt-engine-4.4.1.5
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-08-04 13:22:48 UTC
oVirt Team: Infra
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:3247 0 None None None 2020-08-04 13:23:02 UTC
oVirt gerrit 109752 0 master MERGED Align httpd ssl conf with RedHat Insights 2020-11-23 10:46:37 UTC

Internal Links: 1999698

Description Roman Hodain 2020-04-29 07:50:14 UTC
Description of problem:
engine-setup configures the httpd ssl configuration (/etc/httpd/conf.d/ssl.conf) and enables all protocols except SSLv3 and TLSv1.

    SSLProtocol all -SSLv3 -TLSv1

The Red Hat Insights suggest using only TLSv1.2. The following configurations are suggested:

    SSLProtocol -all +TLSv1.2
    or
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

Version-Release number of selected component (if applicable):
rhv 4.3.9

How reproducible:
100%

Steps to Reproduce:
1. grep SSLProtocol /etc/httpd/conf.d/ssl.conf
2. Modify the configuration of SSLProtocol
3. engine-setup
4. grep SSLProtocol /etc/httpd/conf.d/ssl.conf

Actual results:
The SSLProtocols are set to 
    SSLProtocol all -SSLv3 -TLSv1

Expected results:
    The following is set
    SSLProtocol -all +TLSv1.2
    or
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

Additional info:
    https://webkit.org/blog/8462/deprecation-of-legacy-tls-1-0-and-1-1-versions/
    Insights rule: Decreased security: httpd using deprecated TLSv1.1 protocol
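
The grep from the steps to reproduce only shows the SSLProtocol line; the sketch below works out which protocols such a line actually leaves enabled and flags the deprecated ones. It is an added example, not part of the bug report or of ovirt-engine. It assumes the expansion of `all` given in ALL_PROTOCOLS and the directive spelled `SSLProtocol` as in the report; the function names are hypothetical.

```sh
# Added example, not oVirt code. Assumption: "all" expands to the list below;
# the real set depends on how httpd and OpenSSL were built.
ALL_PROTOCOLS="SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
DEPRECATED="SSLv3 TLSv1 TLSv1.1"
has() { case " $2 " in *" $1 "*) return 0 ;; esac; return 1; }

# Print the protocols left enabled by the arguments of one SSLProtocol line.
effective_protocols() {
    enabled=""
    for tok in $1; do
        name=${tok#[+-]}
        # SSLv2 is not supported by httpd 2.4; "all" is shorthand for the list above.
        case "$name" in SSLv2) continue ;; all) name=$ALL_PROTOCOLS ;; esac
        case "$tok" in
            +*) enabled="$enabled $name" ;;
            -*) kept=""
                for e in $enabled; do has "$e" "$name" || kept="$kept $e"; done
                enabled=$kept ;;
            *)  enabled=$name ;;        # no prefix: replaces what was set so far
        esac
    done
    out=""
    for p in $ALL_PROTOCOLS; do if has "$p" "$enabled"; then out="$out $p"; fi; done
    echo "${out# }"
}

# Print the deprecated protocols a line still enables; status 0 if there are any.
deprecated_enabled() {
    hits=""
    for p in $(effective_protocols "$1"); do
        if has "$p" "$DEPRECATED"; then hits="$hits $p"; fi
    done
    echo "${hits# }"
    [ -n "$hits" ]
}

# Report each active SSLProtocol line of file $1; status 1 if any line is weak.
audit_conf() {
    n=0; rc=0
    while read -r key args || [ -n "$key" ]; do
        n=$((n + 1))
        [ "$key" = SSLProtocol ] || continue
        if bad=$(deprecated_enabled "$args"); then
            echo "$1:$n: WEAK, still enables: $bad"; rc=1
        else
            echo "$1:$n: ok, enables: $(effective_protocols "$args")"
        fi
    done < "$1"
    return $rc
}
```

Sourcing this and running `audit_conf /etc/httpd/conf.d/ssl.conf` before and after engine-setup shows whether a hardened setting was overwritten.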

Comment 1 Sandro Bonazzola 2020-07-02 12:07:09 UTC
$ git tag --contains 7591ed6153294ea3daa3df178f36431edf3b786a
ovirt-engine-4.4.1.5

Comment 4 Petr Matyáš 2020-07-13 13:03:35 UTC
Verified on ovirt-engine-4.4.1.8-0.7.el8ev.noarch

Comment 6 errata-xmlrpc 2020-08-04 13:22:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: RHV Manager (ovirt-engine) 4.4 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:3247

