Piotr Kliczewski has uploaded a new change for review.
Change subject: ssl: change default protocol
ssl: change default protocol
This setting breaks backward compatibility with older engines.
Change-Id: I40267cb07b19d444c7d85aba6d1160c27e8fe3a6
Signed-off-by: pkliczewski piotr.kliczewski@gmail.com
Bug-Url: https://bugzilla.redhat.com/1229765
---
M lib/vdsm/config.py.in
1 file changed, 1 insertion(+), 1 deletion(-)
git pull ssh://gerrit.ovirt.org:29418/vdsm refs/changes/57/43457/1
diff --git a/lib/vdsm/config.py.in b/lib/vdsm/config.py.in index 3221aab..fbee478 100644 --- a/lib/vdsm/config.py.in +++ b/lib/vdsm/config.py.in @@ -196,7 +196,7 @@ ('transient_disks_repository', '@VDSMLIBDIR@/transient', 'Local path to the transient disks repository.'),
- ('ssl_protocol', 'sslv23', + ('ssl_protocol', 'tlsv1', 'SSL protocol used by encrypted connection'),
('connection_stats_timeout', '3600',
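Review bot: the commit message for this patch set only says "This setting breaks backward compatibility with older engines"; it should state why the default moves from 'sslv23' to 'tlsv1' and which engine versions stop connecting, since that break is the one operational consequence of the change. Consider also extending the option's description string, 'SSL protocol used by encrypted connection', to list the accepted values, so an operator who must restore 'sslv23' for an older engine can find the setting from the config file alone.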
automation@ovirt.org has posted comments on this change.
Patch Set 1:
* Update tracker::#1229765::OK
* Check Bug-Url::OK
* Check Public Bug::#1229765::OK, public bug
* Check Product::#1229765::OK, Correct product oVirt
* Check TR::SKIP, not in a monitored branch (ovirt-3.5 ovirt-3.4 ovirt-3.3 ovirt-3.2)
* Check merged to previous::IGNORE, Not in stable branch (['ovirt-3.5', 'ovirt-3.4', 'ovirt-3.3'])
Piotr Kliczewski has posted comments on this change.
Patch Set 1: Verified+1
This change was already tested when we introduced configurable ssl protocol.
Please keep in mind that changing the default breaks compatibility with older engines.
Yaniv Bronhaim has posted comments on this change.
Patch Set 1: Code-Review-1
You must explain more in the commit message: what happened before, why we used a different value, and what it breaks...
Piotr Kliczewski has posted comments on this change.
Patch Set 1:
OK
automation@ovirt.org has posted comments on this change.
Patch Set 2:
* Update tracker::#1229765::OK
* Check Bug-Url::OK
* Check Public Bug::#1229765::OK, public bug
* Check Product::#1229765::SKIPPED, not (oVirt Red Hat Enterprise Virtualization Manager) product but vdsm
* Check Product::WARN, no bug url with correct product found, make sure you have at least one bug-url with a product in oVirt Red Hat Enterprise Virtualization Manager.
* Check merged to previous::IGNORE, Not in stable branch (['ovirt-3.5', 'ovirt-3.4', 'ovirt-3.3'])
Piotr Kliczewski has posted comments on this change.
Patch Set 2:
Yaniv, please check the updated commit message.
Yaniv Bronhaim has posted comments on this change.
Patch Set 2:
(1 comment)
https://gerrit.ovirt.org/#/c/43457/2//COMMIT_MSG
Commit Message:
Line 11: see issues that it is already sslv3 is disabled and users need
Line 12: to switch to tls.
Line 13:
Line 14: There is an issue when we switch to tls older engines are not
Line 15: able to talk to vdsm anymore.
How old? 3.5 and below? So to work with those versions we need to have vdsm set back to sslv23?
Line 16:
Line 17:
Line 18: Change-Id: I40267cb07b19d444c7d85aba6d1160c27e8fe3a6
Line 19: Signed-off-by: pkliczewski piotr.kliczewski@gmail.com
Piotr Kliczewski has posted comments on this change.
Patch Set 2:
(1 comment)
https://gerrit.ovirt.org/#/c/43457/2//COMMIT_MSG
Commit Message:
Line 11: see issues that it is already sslv3 is disabled and users need
Line 12: to switch to tls.
Line 13:
Line 14: There is an issue when we switch to tls older engines are not
Line 15: able to talk to vdsm anymore.
> how old? 3.5 and below? so to work with those versions we need to have vdsm
I tested this behavior with engine 3.0. We have never stated that we do not support it. Once we change this setting, 3.0 won't be able to connect to a vdsm.
Line 16:
Line 17:
Line 18: Change-Id: I40267cb07b19d444c7d85aba6d1160c27e8fe3a6
Line 19: Signed-off-by: pkliczewski piotr.kliczewski@gmail.com
Yaniv Bronhaim has posted comments on this change.
Patch Set 2:
(1 comment)
https://gerrit.ovirt.org/#/c/43457/2//COMMIT_MSG
Commit Message:
Line 11: see issues that it is already sslv3 is disabled and users need
Line 12: to switch to tls.
Line 13:
Line 14: There is an issue when we switch to tls older engines are not
Line 15: able to talk to vdsm anymore.
> I tested this behavior with engine 3.0. We have never stated that we do not
So please write it in the commit message: engine 3.0 and older won't work with the current default value.
Line 16:
Line 17:
Line 18: Change-Id: I40267cb07b19d444c7d85aba6d1160c27e8fe3a6
Line 19: Signed-off-by: pkliczewski piotr.kliczewski@gmail.com
Yaniv Bronhaim has posted comments on this change.
Patch Set 2: Code-Review+1
Yaniv Bronhaim has posted comments on this change.
Patch Set 2:
We support engine 3.3 and above. Older than that weren't checked, so I agree to leave it as is.
Dan Kenigsberg has posted comments on this change.
Patch Set 3: Code-Review+2
automation@ovirt.org has posted comments on this change.
Patch Set 3:
* Update tracker::#1229765::OK
* Check Bug-Url::OK
* Check Public Bug::#1229765::OK, public bug
* Check Product::#1229765::OK, Correct classification oVirt
* Check TM::SKIP, not in a monitored branch (ovirt-3.5 ovirt-3.4 ovirt-3.3 ovirt-3.2)
* Check merged to previous::IGNORE, Not in stable branch (['ovirt-3.5', 'ovirt-3.4', 'ovirt-3.3'])
Dan Kenigsberg has submitted this change and it was merged.
ssl: change default protocol
We used 'sslv23', but when POODLE (CVE-2014-3566) was found it was recommended to switch to 'tlsv1'. On some OSes we see issues that sslv3 is already disabled and users need to switch to tls.
There is an issue when we switch to tls: older engines (<= 3.0) are not able to talk to vdsm anymore.
Change-Id: I40267cb07b19d444c7d85aba6d1160c27e8fe3a6
Signed-off-by: pkliczewski piotr.kliczewski@gmail.com
Bug-Url: https://bugzilla.redhat.com/1229765
Reviewed-on: https://gerrit.ovirt.org/43457
Continuous-Integration: Jenkins CI
Reviewed-by: Yaniv Bronhaim ybronhei@redhat.com
Reviewed-by: Dan Kenigsberg danken@redhat.com
---
M lib/vdsm/config.py.in
1 file changed, 1 insertion(+), 1 deletion(-)
Approvals:
Piotr Kliczewski: Verified
Yaniv Bronhaim: Looks good to me, but someone else must approve
Jenkins CI: Passed CI tests
Dan Kenigsberg: Looks good to me, approved
automation@ovirt.org has posted comments on this change.
Patch Set 4:
* Update tracker::#1229765::OK
* Set MODIFIED::bug 1229765::::#1229765::::IGNORE, not oVirt prod but vdsm
vdsm-patches@lists.fedorahosted.org