Description of problem: I've added my RHV Manager 4.4.7 to insights. Insights complains about rhv manager setting the ssl config manually instead of using system defaults: Advisor message: " Detected issues The system is using crypto-policies, but they are overridden in the configuration of the Apache HTTP server. Steps to resolve Red Hat recommends that you complete the following steps: change the options SSLProtocol, SSLCipherSuite and SSLProxyCipherSuite in /etc/httpd/conf.d/ssl.conf. Remove any SSLProtocol lines. Change the values of SSLCipherSuite or SSLProxyCipherSuite accordingly: SSLCipherSuite PROFILE=SYSTEM SSLProxyCipherSuite PROFILE=SYSTEM restart the httpd service: # systemctl restart httpd.service " It seems this is because engine setup adds https://github.com/oVirt/ovirt-engine/blob/a65cf0eae8858ab2278c3f537dc427e3ff20eba7/packaging/setup/ovirt_engine_setup/engine_common/constants.py#L195 to ssl.conf (Line in config is "SSLProtocol -all +TLSv1.2") I think this can be seen as a follow up to https://bugzilla.redhat.com/show_bug.cgi?id=1829189 Version-Release number of selected component (if applicable): ovirt-engine-4.4.7.7-0.1.el8ev.noarch How reproducible: Install Manager and add system to insights Steps to Reproduce: 1. Install Manager 2. Add to insights 3. Wait for insights to show advisor results Actual results: Deviation from best practices Expected results: No advisor recommendations
The documentation text flag should only be set after 'doc text' field is provided. Please provide the documentation text and set the flag to '?' again.
SSLProtocol was changed for bug 1388456. Martin - can we decide, going forward, to basically revert that, and rely on system defaults? This probably means: 1. On new setups, do not add/change SSLProtocol anymore 2. On upgrades: If SSLProtocol has our current default value '-all +TLSv1.2': remove the line, else: not sure, perhaps prompt the user whether to remove it anyway (and default to True?), or just warn.
BZ1388456 was created, because RHEL 7 didn't have support for crypto policies, so RHV itself needed to make the configuration as safe as possible. But RHV 4.4, which is based on RHEL 8 we have made a lot of effort to rely on crypto policies, this part was just missed. So I think we can remove offending line and rely on the crypto policies defaults.
QE: Reproduction/verification flows: 1. New setup: ssl.conf should not include SSLProtocol. 2. Upgrade from a previous version (say, 4.4.10). ssl.conf should not include SSLProtocol uncommented - should include the previous value commented.
The link was wrong, it included https://github.com twice, I'm trying to fix it :)
Thanks. Not sure what happened. I am still not very used to github (moved from gerrit recently) - perhaps I did something wrong.
Sorry: (In reply to Yedidyah Bar David from comment #6) > QE: Reproduction/verification flows: > > 1. New setup: ssl.conf should not include SSLProtocol. I meant: "ssl.conf should not include SSLProtocol _uncommented_". Its default content (prior to running engine-setup) is from the package mod_ssl, unrelated to oVirt/RHV. This might include it commented, which is ok, or might not include it at all, which is ok too. If it includes it uncommented, it should probably be considered a bug in mod_ssl. When writing the above (comment 6) I somehow thought it did not include it at all, but was apparently wrong. Either case, after 'engine-setup' it should not include it uncommented, regardless of the value it had before that. Please test this as well - e.g.: 1. Install mod_ssl 2. Edit the file to have e.g. (uncommented): SSLProtocol all -SSLv3 3. Install and run engine-setup
Flow 1 is positively fixed and works as expected: nsednev-he-6 ~]# cat /etc/httpd/conf.d/ssl.conf | grep SSLProtocol #SSLProtocol all -SSLv3 Tested on ovirt-engine-setup-4.5.0.1-605.90f87fe14688.14.el8ev.noarch.
For the flow 2 I deployed ovirt-engine-setup-4.4.10.8-548.g6b5767a.2.el8ev.noarch and then upgraded it to ovirt-engine-setup-4.5.0.1-605.90f87fe14688.14.el8ev.noarch. On 4.4.10 I see: nsednev-he-7 ~]# cat /etc/httpd/conf.d/ssl.conf | grep SSLProtocol #SSLProtocol all -SSLv3 SSLProtocol -all +TLSv1.2 On 4.5.0.1 I see: nsednev-he-7 ~]# cat /etc/httpd/conf.d/ssl.conf | grep SSLProtocol #SSLProtocol all -SSLv3 # SSLProtocol -all +TLSv1.2 Flow 2 is positively fixed and works as expected. The whole flow was tested using HE infrastructure, which indeed has been upgraded too. Moving to verified. Components used in 4.4.10.8: ovirt-engine-setup-4.4.10.8-548.g6b5767a.2.el8ev.noarch ovirt-ansible-collection-2.0.0-0.4.BETA.el8ev.noarch ansible-2.9.27-1.el8ae.noarch ovirt-hosted-engine-ha-2.4.10-1.el8ev.noarch ovirt-hosted-engine-setup-2.5.4-2.el8ev.noarch Red Hat Enterprise Linux release 8.5 (Ootpa) Linux 4.18.0-348.21.1.el8_5.x86_64 #1 SMP Tue Mar 22 10:35:22 EDT 2022 x86_64 x86_64 x86_64 GNU/Linux Components used in 4.5.0.1: ovirt-ansible-collection-2.0.0-0.9.BETA.el8ev.noarch ansible-core-2.12.2-3.1.el8.x86_64 ovirt-engine-setup-4.5.0.1-607.fad80f26da78.25.el8ev.noarch ovirt-hosted-engine-setup-2.6.3-1.el8ev.noarch ovirt-hosted-engine-ha-2.5.0-1.el8ev.noarch Linux 4.18.0-372.5.1.el8.x86_64 #1 SMP Mon Mar 28 11:03:39 EDT 2022 x86_64 x86_64 x86_64 GNU/Linux Red Hat Enterprise Linux release 8.6 Beta (Ootpa)
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: RHV Manager (ovirt-engine) [ovirt-4.5.0] security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:4711
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 365 days