Bug 1842522 - Enable only TLSv1.2+ protocol for SPICE on EL7 hosts [RHV clone - 4.3.11]
Summary: Enable only TLSv1.2+ protocol for SPICE on EL7 hosts [RHV clone - 4.3.11]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 4.3.8
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ovirt-4.3.11
Assignee: amashah
QA Contact: Petr Kubica
URL:
Whiteboard:
Depends On: 1821930
Blocks:
Reported: 2020-06-01 13:04 UTC by RHV bug bot
Modified: 2020-09-30 10:08 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
With this enhancement, while deploying RHEL 7-based hosts, you can configure SPICE encryption so that:
- Only TLSv1.2 and newer protocols are enabled
- Available ciphers are limited as described in BZ1563271
To apply this enhancement to existing hosts, an administrator puts each host into Maintenance mode, performs a Reinstall, and activates each host. For details, search for "Reinstalling Hosts" in the documentation.
Clone Of: 1821930
Environment:
Last Closed: 2020-09-30 10:07:13 UTC
oVirt Team: Infra
Target Upstream Version:
Embargoed:



Links
- Red Hat Product Errata RHBA-2020:4112 (last updated 2020-09-30 10:08:13 UTC)
- oVirt gerrit 108295 (master, MERGED): core: Allow only TLSv1.2+ for SPICE encryption (last updated 2020-09-08 16:35:52 UTC)
- oVirt gerrit 108371 (master, MERGED): core: Configure SPICE encryption only for EL7 based hosts (last updated 2020-09-08 16:35:52 UTC)
- oVirt gerrit 109372 (ovirt-engine-4.3, MERGED): core: Allow only TLSv1.2+ for SPICE encryption (last updated 2020-09-08 16:35:52 UTC)

Description RHV bug bot 2020-06-01 13:04:31 UTC
+++ This bug is a downstream clone. The original bug is: +++
+++   bug 1821930 +++
======================================================================

Description of problem:

This relates to https://bugzilla.redhat.com/show_bug.cgi?id=1563271

In the BZ above, the request was to allow choosing TLS versions and TLS ciphers. An Ansible playbook was created to customize the ciphers; however, the playbook does not allow customizing the TLS version (protocol) [1].

This BZ is to add the protocol functionality, as some institutions are calling for TLS 1.1 to be disabled, which is currently still enabled. This would allow customers to also configure the TLS protocol via the playbook.

Version-Release number of selected component (if applicable):
4.3.8


Actual results:
Set the TLS protocol via the 'ovirt-host-deploy-spice-encryption' role.

Expected results:
Unable to set TLS protocol

Additional info:

(Originally by Amar Shah)

Comment 1 RHV bug bot 2020-06-01 13:04:33 UTC
Submitting patch for review https://gerrit.ovirt.org/#/c/108295/

(Originally by Amar Shah)

Comment 2 RHV bug bot 2020-06-01 13:04:35 UTC
This RFE is only for EL7 hosts, where we need to set ciphers and limit SSL/TLS version. On EL8 we will completely rely on current crypto policy.

(Originally by Martin Perina)

Comment 3 RHV bug bot 2020-06-01 13:04:37 UTC
Verified in 4.4.0-0.33.master.el8ev

# openssl s_client -connect <host>:5902 -tls1_1
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1587976407
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

(Originally by Petr Kubica)

Comment 7 RHV bug bot 2020-06-01 13:04:45 UTC
https://gerrit.ovirt.org/#/c/108295/ can be backported without any modification in RHV 4.3. This is where it was originally tested, with RHEL 7 hosts.

The playbook already exists on RHV-M 4.3 to set Ciphers, this patch just adds ability to specify TLS/SSL Protocols also (for RHEL 7, as RHEL 8 hosts do not need this).

RHEL 8 hosts can make use of the system-wide crypto policy and don't need to rely on spice.cnf to disable specific Protocols/Ciphers per application.

On RHV-M 4.3 the playbook is located here: /usr/share/ovirt-engine/playbooks/roles/ovirt-host-deploy-spice-encryption/

One could just add these two lines to the files:

# tail -n1 /usr/share/ovirt-engine/playbooks/roles/ovirt-host-deploy-spice-encryption/defaults/main.yml
host_deploy_spice_protocol: 'ALL,-SSLv2,-SSLv3,-TLSv1,-TLSv1.1'

# tail -n1 /usr/share/ovirt-engine/playbooks/roles/ovirt-host-deploy-spice-encryption/tasks/main.yml
      Protocol = {{ host_deploy_spice_protocol }}

The playbook writes these configurations to /etc/pki/tls/spice.cnf on hosts, which tells spice not to use these Protocols (again, only needed for RHEL 7 hosts).

(Originally by Amar Shah)
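
As an added example (not from this bug or from the ovirt-host-deploy-spice-encryption role): a POSIX shell helper that reads an `openssl s_client` transcript the way comments 3 and 12 do (handshake read 0 bytes and no cipher means the protocol was refused), plus a wrapper that probes a VM's SPICE port for every version the spice.cnf `Protocol` line above disables and confirms TLSv1.2 still works. The sample transcripts are constructed, and the function names are assumptions.

```shell
#!/bin/sh
# Classify one `openssl s_client -connect HOST:PORT -<proto>` transcript.
# A refused protocol looks like comment 3 above: the handshake reads 0 bytes
# and "Cipher is (NONE)"; an accepted one prints "Cipher is <real name>".
# Prints "accepted" (exit 0) or "rejected" (exit 1).
classify_handshake() {
    transcript=$1
    if printf '%s\n' "$transcript" | grep -q 'SSL handshake has read 0 bytes'; then
        echo rejected; return 1
    fi
    if printf '%s\n' "$transcript" | grep 'Cipher is' | grep -qv '(NONE)'; then
        echo accepted; return 0
    fi
    echo rejected; return 1
}

# Probe a VM's SPICE port (590x): the versions the spice.cnf line
# "Protocol = ALL,-SSLv2,-SSLv3,-TLSv1,-TLSv1.1" disables must be refused
# and TLSv1.2 must still work.  Usage: check_spice_tls <host> <port>
check_spice_tls() {
    host=$1; port=$2; rc=0
    for flag in -tls1 -tls1_1 -tls1_2; do
        want=rejected; [ "$flag" = -tls1_2 ] && want=accepted
        probe=$(openssl s_client -connect "$host:$port" "$flag" </dev/null 2>&1)
        got=$(classify_handshake "$probe" || true)
        if [ "$got" = "$want" ]; then
            echo "ok:   $flag $got on $host:$port"
        else
            echo "FAIL: $flag $got on $host:$port (expected $want)"; rc=1
        fi
    done
    return $rc
}

# Constructed samples modelled on the transcripts quoted in comments 3 and 12.
REJECTED_SAMPLE='CONNECTED(00000003)
write:errno=104
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)'
ACCEPTED_SAMPLE='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2'
# Stand-alone demo on the constructed samples (no network needed).
classify_handshake "$REJECTED_SAMPLE" || true   # rejected
classify_handshake "$ACCEPTED_SAMPLE"           # accepted
```

Run `check_spice_tls <host> 5902` against a VM that was powered off and on after the reinstall; a FAIL line for -tls1 or -tls1_1 means the old spice.cnf is still in effect.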

Comment 12 Petr Kubica 2020-07-27 08:07:02 UTC
tls1_1 is still enabled on HE VM, all other VMs have tls1_1 disabled

# openssl s_client -connect host:5901 -tls1_1
CONNECTED(00000003)
depth=1 C = US, O = domain.com, CN = common_name.53578
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/O=domain.com/CN=common_name.domain.com
   i:/C=US/O=domain.com/CN=engine.domain.com.53578
 1 s:/C=US/O=domain.com/CN=engine.domain.com.53578
   i:/C=US/O=domain.com/CN=engine.domain.com.53578
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFFTCCA/2gAwIBAgICEC0wDQYJKoZIhvcNAQELBQAwazELMAkGA1UEBhMCVVMx
JDAiBgNVBAoMG3JoZXYubGFiLmVuZy5icnEucmVkaGF0LmNvbTE2MDQGA1UEAwwt
... output omitted ...

Comment 13 amashah 2020-08-03 13:37:11 UTC
(In reply to Petr Kubica from comment #12)
> tls1_1 is still enabled on HE VM, all other VMs have tls1_1 disabled

The changes won't take effect until VM is powered off and back on (this applies to any VM, HE included). For HE you could do (on host where HE is running):

# hosted-engine --set-maintenance --mode=global
# hosted-engine --vm-shutdown
# hosted-engine --vm-status (just to confirm it's down, or `virsh -r list`)
# hosted-engine --vm-start


Then TLS 1.1 should be disabled.

Alternatively, migrating HE to another HE host and back should also do the trick.

Comment 14 Petr Kubica 2020-08-05 09:36:01 UTC
Hi,
I tried to reproduce the problem to verify your comment, but it's no longer reproducible.
Tried 4.3 and 4.4 again, and in both versions TLS 1.1 seems to be disabled also on HE VMs.

If I hit this issue again, I will try to discover what I did differently and report another bug but now it seems to be working properly.

Verified in
4.3.11.3-0.1.el7

Comment 19 errata-xmlrpc 2020-09-30 10:07:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat Virtualization Engine security, bug fix 4.3.11), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4112
