Bug 893979 - Add support for SSLv3 when Apache is not used as proxy
Summary: Add support for SSLv3 when Apache is not used as proxy
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-setup
Version: 3.1.0
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: ---
: 3.2.0
Assignee: Juan Hernández
QA Contact: Pavel Stehlik
URL:
Whiteboard: integration
Depends On:
Blocks: 907532
Reported: 2013-01-10 12:49 UTC by Juan Hernández
Modified: 2013-06-11 08:32 UTC (History)

Fixed In Version: si-4
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 907532 (view as bug list)
Environment:
Last Closed:
oVirt Team: ---
Target Upstream Version:
Embargoed:

Links: oVirt gerrit 10858

Description Juan Hernández 2013-01-10 12:49:17 UTC
Description of problem:

When we run without Apache as proxy we don't support SSLv3, only TLSv1.


Version-Release number of selected component (if applicable):

ovirt-engine-3.2

How reproducible:

Always.

Steps to Reproduce:

1. Perform the installation and select not to override the Apache configuration when asked. This will enable the HTTPS connector in the application server (by default on port 8701) and will configure it to use TLSv1 only.

2. Try to connect to the application server using SSLv3:

# openssl s_client -ssl3 -connect f17.example.com:8701
CONNECTED(00000003)
139937368467296:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:

Actual results:

The connection fails because the server doesn't support the requested SSLv3 protocol.

Expected results:

The connection should succeed.

Additional info:

To work around this issue the /usr/share/ovirt-engine/service/engine-service.xml.in file can be modified by replacing the value of the "protocol" attribute inside the "ssl" tag with "SSLv3,TLSv1" (its current value is "TLSv1") and then restarting the engine.

Comment 1 james labocki 2013-01-11 15:31:36 UTC
For reference.

Before:

        <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
          <ssl name="ssl" password="mypass" certificate-key-file="/etc/pki/ovirt-engine/.keystore" key-alias="engine" protocol="TLSv1" verify-client="false"/>
        </connector>

After:

        <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
          <ssl name="ssl" password="mypass" certificate-key-file="/etc/pki/ovirt-engine/.keystore" key-alias="engine" protocol="SSLv3,TLSv1" verify-client="false"/>
        </connector>

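Added example, not code from the oVirt project or from this bug: a small Python audit helper that reads the ssl "protocol" list of the https connector from markup shaped like the Before/After snippets in Comment 1, reports any SSLv2/SSLv3 entries so an administrator can see when the workaround from the description is still in effect, and can rewrite the attribute the same way the workaround does. It assumes the connector is well-formed XML, either as a bare fragment or nested (optionally namespaced) inside a larger document; the sample markup below is constructed from Comment 1.

```python
"""Audit or adjust the ssl protocol list of the JBoss https connector.

Added example, not part of oVirt. Assumes markup shaped like Comment 1:
<connector name="https"> containing <ssl protocol="..."/>.
"""
import xml.etree.ElementTree as ET

# Constructed sample, copied in shape from the "Before" snippet in Comment 1.
SAMPLE_BEFORE = """<connector name="https" protocol="HTTP/1.1" scheme="https"
           socket-binding="https" secure="true">
  <ssl name="ssl" password="mypass"
       certificate-key-file="/etc/pki/ovirt-engine/.keystore"
       key-alias="engine" protocol="TLSv1" verify-client="false"/>
</connector>"""

# Protocol names an administrator would want flagged when they are enabled.
LEGACY = {"SSLv2", "SSLv3"}


def _local(tag):
    """Strip a {namespace} prefix so namespaced and plain documents both work."""
    return tag.rsplit("}", 1)[-1]


def _ssl_element(root):
    """Return the <ssl> child of the https connector, bare fragment or nested."""
    if _local(root.tag) == "connector":
        conn = root
    else:
        conn = root.find(".//{*}connector[@name='https']")
    if conn is None:
        raise ValueError("no https connector in document")
    ssl = conn.find("{*}ssl")
    if ssl is None:
        raise ValueError("https connector has no <ssl> element")
    return ssl


def enabled_protocols(xml_text):
    """Parse connector XML and return its ssl 'protocol' list, e.g. ['TLSv1']."""
    ssl = _ssl_element(ET.fromstring(xml_text))
    return [p.strip() for p in ssl.get("protocol", "").split(",") if p.strip()]


def legacy_enabled(xml_text):
    """Return the SSLv2/SSLv3 names the connector currently allows (sorted)."""
    return sorted(LEGACY.intersection(enabled_protocols(xml_text)))


def with_protocols(xml_text, protocols):
    """Return the XML with the ssl 'protocol' attribute replaced (the workaround)."""
    root = ET.fromstring(xml_text)
    _ssl_element(root).set("protocol", ",".join(protocols))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    after = with_protocols(SAMPLE_BEFORE, ["SSLv3", "TLSv1"])
    print("before:", enabled_protocols(SAMPLE_BEFORE), "legacy:", legacy_enabled(SAMPLE_BEFORE))
    print("after: ", enabled_protocols(after), "legacy:", legacy_enabled(after))
```

Running it against the real engine-service.xml (or the .xml.in template, as long as it parses as XML) instead of SAMPLE_BEFORE shows whether the connector is still on TLSv1 only or has been widened.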
Comment 6 Itamar Heim 2013-01-27 12:28:16 UTC
the fix here is for 3.1.z/3.2.0 to not break until we move to 3.3.

Comment 11 Vinny Valdez 2013-03-26 19:35:20 UTC
In addition to the change noted, after a RHEV 3.0 to 3.1 upgrade the following process must be followed: https://access.redhat.com/knowledge/solutions/291993

Otherwise autodiscovery and SmartState Analysis from ManageIQ EVM will fail against RHEV VMs.

Comment 13 Itamar Heim 2013-06-11 08:29:29 UTC
3.2 has been released

Comment 14 Itamar Heim 2013-06-11 08:29:32 UTC
3.2 has been released

Comment 15 Itamar Heim 2013-06-11 08:32:04 UTC
3.2 has been released
