Bug 893979 - Add support for SSLv3 when Apache is not used as proxy
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-setup
3.1.0
Unspecified Unspecified
high Severity unspecified
: ---
: 3.2.0
Assigned To: Juan Hernández
Pavel Stehlik
integration
: ZStream
Blocks: 907532
Reported: 2013-01-10 07:49 EST by Juan Hernández
Modified: 2013-06-11 04:32 EDT
Fixed In Version: si-4
Doc Type: Bug Fix
: 907532
Type: Bug
External Trackers
Tracker ID Priority Status Summary Last Updated
oVirt gerrit 10858 None None None Never

Description Juan Hernández 2013-01-10 07:49:17 EST
Description of problem:

When we run without Apache as proxy we don't support SSLv3, only TLSv1.


Version-Release number of selected component (if applicable):

ovirt-engine-3.2

How reproducible:

Always.

Steps to Reproduce:

1. Perform the installation and select not to override the Apache configuration when asked. This will enable the HTTPS connector in the application server (by default on port 8701) and will configure it to use TLSv1 only.

2. Try to connect to the application server using SSLv3:

# openssl s_client -ssl3 -connect f17.example.com:8701
CONNECTED(00000003)
139937368467296:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:

Actual results:

The connection fails because the server doesn't support the requested SSLv3 protocol.

Expected results:

The connection should succeed:

Additional info:

To work around this issue, the /usr/share/ovirt-engine/service/engine-service.xml.in file can be modified, replacing the value of the "protocols" attribute inside the "ssl" tag with "SSLv3,TLSv1" (its current value is "TLSv1"), and then restarting the engine.
Comment 1 james labocki 2013-01-11 10:31:36 EST
For reference.

Before:

<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
  <ssl name="ssl" password="mypass" certificate-key-file="/etc/pki/ovirt-engine/.keystore" key-alias="engine" protocol="TLSv1" verify-client="false"/>
</connector>

After:

<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
  <ssl name="ssl" password="mypass" certificate-key-file="/etc/pki/ovirt-engine/.keystore" key-alias="engine" protocol="SSLv3,TLSv1" verify-client="false"/>
</connector>
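
Added example, not part of the original comment or of the oVirt code: a Python check that parses a connector definition like the one quoted in Comment 1 and reports which protocols each HTTPS connector lists, so the edit can be confirmed before the engine is restarted. The sample XML, its wrapping element and namespace are constructed, and accepting both the `protocol` spelling from Comment 1 and the `protocols` spelling from the description is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the connector quoted in Comment 1.
# The wrapping <subsystem> element and its namespace are placeholders.
SAMPLE = """\
<subsystem xmlns="urn:example:web">
  <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
  <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
    <ssl name="ssl" password="mypass" key-alias="engine" protocol="SSLv3,TLSv1" verify-client="false"/>
  </connector>
</subsystem>
"""


def _local(tag):
    """Strip an XML namespace prefix such as '{urn:...}connector'."""
    return tag.rsplit("}", 1)[-1]


def connector_protocols(xml_text):
    """Map each connector that has an <ssl> child to its listed protocols."""
    found = {}
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) != "connector":
            continue
        for child in elem:
            if _local(child.tag) != "ssl":
                continue
            # Assumption: accept either attribute spelling seen in this bug.
            raw = child.get("protocol") or child.get("protocols") or ""
            found[elem.get("name", "?")] = [p.strip() for p in raw.split(",") if p.strip()]
    return found


def missing_protocols(xml_text, required=("SSLv3", "TLSv1")):
    """Return {connector: [required protocols it does not list]}."""
    report = {}
    for name, listed in connector_protocols(xml_text).items():
        lowered = {p.lower() for p in listed}
        missing = [p for p in required if p.lower() not in lowered]
        if missing:
            report[name] = missing
    return report


if __name__ == "__main__":
    print("listed :", connector_protocols(SAMPLE))
    print("missing:", missing_protocols(SAMPLE))
```

Plain HTTP connectors are skipped because they have no `ssl` child, and an `ssl` element with no protocol attribute is reported with an empty list.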
Comment 6 Itamar Heim 2013-01-27 07:28:16 EST
The fix here is for 3.1.z/3.2.0 to not break until we move to 3.3.
Comment 11 Vinny Valdez 2013-03-26 15:35:20 EDT
In addition to the change noted, after a RHEV 3.0 to 3.1 upgrade the following process must be followed: https://access.redhat.com/knowledge/solutions/291993

Otherwise autodiscovery and SmartState Analysis from ManageIQ EVM will fail against RHEV VMs.
Comment 13 Itamar Heim 2013-06-11 04:29:29 EDT
3.2 has been released
Comment 14 Itamar Heim 2013-06-11 04:29:32 EDT
3.2 has been released
Comment 15 Itamar Heim 2013-06-11 04:32:04 EDT
3.2 has been released
