Description of problem:

When we run without Apache as proxy we don't support SSLv3, only TLSv1.

Version-Release number of selected component (if applicable):

ovirt-engine-3.2

How reproducible:

Always.

Steps to Reproduce:

1. Perform the installation and select not to override the Apache configuration when asked. This will enable the HTTPS connector in the application server (by default on port 8701) and will configure it to use TLSv1 only.

2. Try to connect to the application server using SSLv3:

    # openssl s_client -ssl3 -connect f17.example.com:8701
    CONNECTED(00000003)
    139937368467296:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:

Actual results:

The connection fails because the server doesn't support the requested SSLv3 protocol.

Expected results:

The connection should succeed:

Additional info:

To work around this issue the /usr/share/ovirt-engine/service/engine-service.xml.in file can be modified, replacing the value of the "protocols" attribute inside the "ssl" tag with "SSLv3,TLSv1" (its current value is "TLSv1"), and then restarting the engine.
For reference.

Before:

    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
      <ssl name="ssl" password="mypass" certificate-key-file="/etc/pki/ovirt-engine/.keystore" key-alias="engine" protocol="TLSv1" verify-client="false"/>
    </connector>

After:

    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
      <ssl name="ssl" password="mypass" certificate-key-file="/etc/pki/ovirt-engine/.keystore" key-alias="engine" protocol="SSLv3,TLSv1" verify-client="false"/>
    </connector>
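One way to confirm which protocols the "ssl" tag enables before restarting the engine, as an added example that is not part of the original report or of ovirt-engine. The function names are hypothetical, the sample strings are built from the configuration quoted above, and both attribute spellings seen in this report ("protocol" and "protocols") are accepted.

```python
import re

# Constructed sample input: the <ssl> element quoted in the comment above,
# in its "before" and "after" forms.
BEFORE = ('<ssl name="ssl" password="mypass" '
          'certificate-key-file="/etc/pki/ovirt-engine/.keystore" '
          'key-alias="engine" protocol="TLSv1" verify-client="false"/>')
AFTER = BEFORE.replace('protocol="TLSv1"', 'protocol="SSLv3,TLSv1"')

# A regex is used instead of an XML parser on the assumption that the
# .xml.in template may not be well-formed XML before it is rendered.
SSL_TAG = re.compile(r"<ssl\b[^>]*>", re.S)
ATTR = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')


def ssl_protocols(config_text):
    """Return one list of enabled protocol names per <ssl> element found.

    Hypothetical helper, not an ovirt-engine function.
    """
    results = []
    for tag in SSL_TAG.findall(config_text):
        attrs = dict(ATTR.findall(tag))
        # The description names the attribute "protocols"; the quoted
        # configuration uses "protocol". Accept either spelling.
        raw = attrs.get("protocol", attrs.get("protocols", ""))
        results.append([p.strip() for p in raw.split(",") if p.strip()])
    return results


def workaround_applied(config_text):
    """True only if every <ssl> element enables both SSLv3 and TLSv1."""
    found = ssl_protocols(config_text)
    return bool(found) and all({"SSLv3", "TLSv1"} <= set(p) for p in found)


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, ssl_protocols(text), workaround_applied(text))
```
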
The fix here is for 3.1.z/3.2.0 to not break until we move to 3.3.
In addition to the change noted, after a RHEV 3.0 to 3.1 upgrade the following process must be followed: https://access.redhat.com/knowledge/solutions/291993 Otherwise autodiscovery and SmartState Analysis from ManageIQ EVM will fail against RHEV VMs.
3.2 has been released