Bug 1973768 - [4.7.z] 4.5 -> 4.6 upgrade failed with ovn pod error: SSL_connect: error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.6
Hardware: Unspecified
OS: Unspecified
low
high
Target Milestone: ---
: 4.7.z
Assignee: Jaime Caamaño Ruiz
QA Contact: Anurag saxena
URL:
Whiteboard:
Depends On: 1973763
Blocks: 1973770
 
Reported: 2021-06-18 16:38 UTC by Jaime Caamaño Ruiz
Modified: 2021-10-07 17:17 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: During 4.5 to 4.6 upgrade, stricter security requirements of openssl versions included in 4.6 ovn-kubernetes components prevented the upgrade from completing successfully. Specifically, the use of 1024 bit based DH params was disallowed on those openssl versions. Consequence: Upgrade of ovn-kubernetes and thus the cluster-network-operator does not progress to complete status and upgrade is stuck. Fix: Soften the openssl security requirements to allow the use of 1024 bit based DH params in ovn-kubernetes components. Result: The use of 1024 bit based DH params with openssl no longer prevents the 4.5 to 4.6 upgrade from completing.
Clone Of: 1961528
Environment:
Last Closed: 2021-06-24 14:35:13 UTC
Target Upstream Version:
Embargoed:



Comment 1 Jaime Caamaño Ruiz 2021-06-18 16:55:18 UTC
This is a noop for 4.7 as the issue only affects upgrades from 4.5 to 4.6; the fix is only required in 4.6 and not needed in any other release.

Comment 4 Mike Fiedler 2021-06-24 12:33:16 UTC
If there is nothing for QE to test, please move the bz directly to CLOSED.

Comment 5 W. Trevor King 2021-08-18 22:17:58 UTC
Only one bug in the series needs UpgradeBlocker, so I'm removing it here.  If folks think this series deserves blocking edges, please follow up after [1].

[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1961528#c28

