+++ This bug is a downstream clone. The original bug is: +++
+++ bug 1821930 +++
======================================================================

Description of problem:
This relates to https://bugzilla.redhat.com/show_bug.cgi?id=1563271

In the BZ above, the request was to allow choosing TLS versions and TLS ciphers. An ansible playbook was created to customize the ciphers; however, the playbook does not allow customizing the TLS version (protocol) [1].

This BZ is to add the functionality for the protocol, as some institutions are calling for TLS 1.1 to be disabled, which is currently still enabled. This would allow customers to also configure the TLS protocol via the playbook.

Version-Release number of selected component (if applicable):
4.3.8

Actual results:
Set the TLS protocol via the 'ovirt-host-deploy-spice-encryption' role.

Expected results:
Unable to set TLS protocol

Additional info:

(Originally by Amar Shah)
Submitting patch for review https://gerrit.ovirt.org/#/c/108295/ (Originally by Amar Shah)
This RFE is only for EL7 hosts, where we need to set ciphers and limit SSL/TLS version. On EL8 we will completely rely on current crypto policy. (Originally by Martin Perina)
Verified in 4.4.0-0.33.master.el8ev

# openssl s_client -connect <host>:5902 -tls1_1
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1587976407
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

(Originally by Petr Kubica)
https://gerrit.ovirt.org/#/c/108295/ can be backported without any modification in RHV 4.3. This is where it was originally tested, with RHEL 7 hosts.

The playbook already exists on RHV-M 4.3 to set Ciphers; this patch just adds the ability to specify TLS/SSL Protocols also (for RHEL 7, as RHEL 8 hosts do not need this). RHEL 8 hosts can make use of the system-wide crypto policy and don't need to rely on spice.cnf to disable specific Protocols/Ciphers per application.

On RHV-M 4.3 the playbook is located here:
/usr/share/ovirt-engine/playbooks/roles/ovirt-host-deploy-spice-encryption/

One could just add these two lines to the files:

# tail -n1 /usr/share/ovirt-engine/playbooks/roles/ovirt-host-deploy-spice-encryption/defaults/main.yml
host_deploy_spice_protocol: 'ALL,-SSLv2,-SSLv3,-TLSv1,-TLSv1.1'

# tail -n1 /usr/share/ovirt-engine/playbooks/roles/ovirt-host-deploy-spice-encryption/tasks/main.yml
Protocol = {{ host_deploy_spice_protocol }}

The playbook writes these configurations to /etc/pki/tls/spice.cnf on hosts, which tells spice not to use these Protocols (again, only needed for RHEL 7 hosts).

(Originally by Amar Shah)
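An added check, written for this thread and not part of the ovirt role or the gerrit patch: it parses the OpenSSL-style Protocol directive the playbook writes into spice.cnf and reports which legacy SSL/TLS versions a RHEL 7 host would still accept. The two config texts are constructed samples (not the real file layout), and the token semantics (everything enabled by default, ALL/NONE reset the set, '-X' disables X, '+X' or bare 'X' enables X) are an assumed, simplified model of OpenSSL's Protocol handling.

```python
import re

KNOWN_PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_protocol_directive(value):
    """Return the set of protocol versions enabled by a Protocol value.

    Assumed (simplified) OpenSSL semantics: everything starts enabled,
    ALL/NONE reset the set, '-X' disables X, '+X' or bare 'X' enables X.
    """
    enabled = set(KNOWN_PROTOCOLS)
    for token in (t.strip() for t in value.split(",")):
        if not token:
            continue
        if token.upper() == "ALL":
            enabled = set(KNOWN_PROTOCOLS)
        elif token.upper() == "NONE":
            enabled = set()
        else:
            name = token[1:] if token[0] in "+-" else token
            if name not in KNOWN_PROTOCOLS:
                raise ValueError(f"unknown protocol token {token!r}")
            if token[0] == "-":
                enabled.discard(name)
            else:
                enabled.add(name)
    return enabled


def protocol_value(config_text):
    """Return the value of the first 'Protocol = ...' line, or None if absent."""
    for line in config_text.splitlines():
        match = re.match(r"\s*Protocol\s*=\s*(.+?)\s*$", line)
        if match:
            return match.group(1)
    return None


def legacy_protocols_enabled(config_text):
    """Legacy versions still accepted; a missing Protocol line means all of them."""
    value = protocol_value(config_text)
    enabled = set(KNOWN_PROTOCOLS) if value is None else parse_protocol_directive(value)
    return sorted(enabled & LEGACY_PROTOCOLS, key=KNOWN_PROTOCOLS.index)


# Constructed samples (not the real file layout): after the patch, and ciphers only.
SPICE_CNF_FIXED = "CipherString = HIGH:!aNULL\nProtocol = ALL,-SSLv2,-SSLv3,-TLSv1,-TLSv1.1\n"
SPICE_CNF_CIPHERS_ONLY = "CipherString = HIGH:!aNULL\n"
```

Running legacy_protocols_enabled over a host's /etc/pki/tls/spice.cnf gives an empty list once the patched playbook has run and the full legacy set when only ciphers were ever configured.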
tls1_1 is still enabled on HE VM, all other VMs have tls1_1 disabled

# openssl s_client -connect host:5901 -tls1_1
CONNECTED(00000003)
depth=1 C = US, O = domain.com, CN = common_name.53578
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/O=domain.com/CN=common_name.domain.com
   i:/C=US/O=domain.com/CN=engine.domain.com.53578
 1 s:/C=US/O=domain.com/CN=engine.domain.com.53578
   i:/C=US/O=domain.com/CN=engine.domain.com.53578
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFFTCCA/2gAwIBAgICEC0wDQYJKoZIhvcNAQELBQAwazELMAkGA1UEBhMCVVMx
JDAiBgNVBAoMG3JoZXYubGFiLmVuZy5icnEucmVkaGF0LmNvbTE2MDQGA1UEAwwt
... output omitted ..
(In reply to Petr Kubica from comment #12)
> tls1_1 is still enabled on HE VM, all other VMs have tls1_1 disabled

The changes won't take effect until the VM is powered off and back on (this applies to any VM, HE included).

For HE you could do (on the host where HE is running):

# hosted-engine --set-maintenance --mode=global
# hosted-engine --vm-shutdown
# hosted-engine --vm-status   (just to check to confirm it's down, or `virsh -r list`)
# hosted-engine --vm-start

Then TLS 1.1 should be disabled. Alternatively, migrating HE to another HE host and back should also do the trick.
Hi, tried to reproduce the problem to verify your comment, but it's no longer reproducible. Tried 4.3 and 4.4 again and in both versions TLS 1.1 seems to be disabled also on HE VMs.

If I hit this issue again, I will try to discover what I did differently and report another bug, but now it seems to be working properly.

Verified in 4.3.11.3-0.1.el7
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Red Hat Virtualization Engine security, bug fix 4.3.11), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4112