Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1829189

Summary: engine-setup httpd ssl configuration conflicts with Red Hat Insights
Product: Red Hat Enterprise Virtualization Manager Reporter: Roman Hodain <rhodain>
Component: ovirt-engineAssignee: Eli Mesika <emesika>
Status: CLOSED ERRATA QA Contact: Petr Matyáš <pmatyas>
Severity: medium Docs Contact:
Priority: medium    
Version: 4.3.9CC: mperina, pelauter
Target Milestone: ovirt-4.4.1   
Target Release: 4.4.1   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ovirt-engine-4.4.1.5 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-08-04 13:22:48 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Infra RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Roman Hodain 2020-04-29 07:50:14 UTC 
Description of problem:
engine-setup configures the httpd ssl configuration (/etc/httpd/conf.d/ssl.conf) and enables all protocols except SSLv3 and TLSv1.

    SSLProtocol all -SSLv3 -TLSv1

The Red Hat insights suggest using only TLSv1.2. Teh following configuration s are suggested:

    SSLProtocol -all +TLSv1.2
    or
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

Version-Release number of selected component (if applicable):
rhv 4.3.9

How reproducible:
100%

Steps to Reproduce:
1. grep SSLProtocol /etc/httpd/conf.d/ssl.conf
2. Modify the configuration of SSLProtocol
3. engine-setup
4. grep SSLProtocol /etc/httpd/conf.d/ssl.conf

Actual results:
The SSLProtocols are set to 
    SSLProtocol all -SSLv3 -TLSv1

Expected results:
    The following is set
    SSLProtocol -all +TLSv1.2
    or
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

Additional info:
    https://webkit.org/blog/8462/deprecation-of-legacy-tls-1-0-and-1-1-versions/
    Insights rule: Decreased security: httpd using deprecated TLSv1.1 protocol
Comment 1 Sandro Bonazzola 2020-07-02 12:07:09 UTC 
$ git tag --contains 7591ed6153294ea3daa3df178f36431edf3b786a
ovirt-engine-4.4.1.5
Comment 4 Petr Matyáš 2020-07-13 13:03:35 UTC 
Verified on ovirt-engine-4.4.1.8-0.7.el8ev.noarch
Comment 6 errata-xmlrpc 2020-08-04 13:22:48 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: RHV Manager (ovirt-engine) 4.4 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:3247