Change in vdsm[master]: ssl: change default protocol

List overview All Threads
Download

newer

older

Change in vdsm[master]: vdsm:...

Change in vdsm[ovirt-3.6]: lvm:...

Piotr Kliczewski

12 Jul 2015 12 Jul '15

9:47 p.m.

Piotr Kliczewski has uploaded a new change for review.

Change subject: ssl: change default protocol ......................................................................

ssl: change default protocol

This setting breaks backward compatibility with older engines.

Change-Id: I40267cb07b19d444c7d85aba6d1160c27e8fe3a6 Signed-off-by: pkliczewski piotr.kliczewski@gmail.com Bug-Url: https://bugzilla.redhat.com/1229765 --- M lib/vdsm/config.py.in 1 file changed, 1 insertion(+), 1 deletion(-)

git pull ssh://gerrit.ovirt.org:29418/vdsm refs/changes/57/43457/1

diff --git a/lib/vdsm/config.py.in b/lib/vdsm/config.py.in index 3221aab..fbee478 100644 --- a/lib/vdsm/config.py.in +++ b/lib/vdsm/config.py.in @@ -196,7 +196,7 @@ ('transient_disks_repository', '@VDSMLIBDIR@/transient', 'Local path to the transient disks repository.'),

- ('ssl_protocol', 'sslv23', + ('ssl_protocol', 'tlsv1', 'SSL protocol used by encrypted connection'),

('connection_stats_timeout', '3600',

-- To view, visit https://gerrit.ovirt.org/43457 To unsubscribe, visit https://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I40267cb07b19d444c7d85aba6d1160c27e8fe3a6 Gerrit-PatchSet: 1 Gerrit-Project: vdsm Gerrit-Branch: master Gerrit-Owner: Piotr Kliczewski piotr.kliczewski@gmail.com

Show replies by date

automation＠ovirt.org

12 Jul 12 Jul

9:47 p.m.

automation@ovirt.org has posted comments on this change.

Change subject: ssl: change default protocol ......................................................................

Patch Set 1:

* Update tracker::#1229765::OK * Check Bug-Url::OK * Check Public Bug::#1229765::OK, public bug * Check Product::#1229765::OK, Correct product oVirt * Check TR::SKIP, not in a monitored branch (ovirt-3.5 ovirt-3.4 ovirt-3.3 ovirt-3.2) * Check merged to previous::IGNORE, Not in stable branch (['ovirt-3.5', 'ovirt-3.4', 'ovirt-3.3'])

Piotr Kliczewski

9:48 p.m.

Piotr Kliczewski has posted comments on this change.

Change subject: ssl: change default protocol ......................................................................

Patch Set 1: Verified+1

This change was already tested when we introduced configurable ssl protocol.

Please keep in mind that changing default breaks compatibility with older engines.

-- To view, visit https://gerrit.ovirt.org/43457 To unsubscribe, visit https://gerrit.ovirt.org/settings Gerrit-MessageType: comment Gerrit-Change-Id: I40267cb07b19d444c7d85aba6d1160c27e8fe3a6 Gerrit-PatchSet: 1 Gerrit-Project: vdsm Gerrit-Branch: master Gerrit-Owner: Piotr Kliczewski piotr.kliczewski@gmail.com Gerrit-Reviewer: Jenkins CI Gerrit-Reviewer: Piotr Kliczewski piotr.kliczewski@gmail.com Gerrit-Reviewer: automation@ovirt.org Gerrit-HasComments: No

ybronhei＠redhat.com

17 Sep 17 Sep

7:18 a.m.

Yaniv Bronhaim has posted comments on this change.

Change subject: ssl: change default protocol ......................................................................

Patch Set 1: Code-Review-1

you must explain more in the commit message - what happened before, why we used different value and what does it break...

-- To view, visit https://gerrit.ovirt.org/43457 To unsubscribe, visit https://gerrit.ovirt.org/settings Gerrit-MessageType: comment Gerrit-Change-Id: I40267cb07b19d444c7d85aba6d1160c27e8fe3a6 Gerrit-PatchSet: 1 Gerrit-Project: vdsm Gerrit-Branch: master Gerrit-Owner: Piotr Kliczewski piotr.kliczewski@gmail.com Gerrit-Reviewer: Dan Kenigsberg danken@redhat.com Gerrit-Reviewer: Jenkins CI Gerrit-Reviewer: Piotr Kliczewski piotr.kliczewski@gmail.com Gerrit-Reviewer: Yaniv Bronhaim ybronhei@redhat.com Gerrit-Reviewer: automation@ovirt.org Gerrit-HasComments: No

Piotr Kliczewski

7:35 a.m.

Piotr Kliczewski has posted comments on this change.

Change subject: ssl: change default protocol ......................................................................

Patch Set 1:

-- To view, visit https://gerrit.ovirt.org/43457 To unsubscribe, visit https://gerrit.ovirt.org/settings Gerrit-MessageType: comment Gerrit-Change-Id: I40267cb07b19d444c7d85aba6d1160c27e8fe3a6 Gerrit-PatchSet: 1 Gerrit-Project: vdsm Gerrit-Branch: master Gerrit-Owner: Piotr Kliczewski piotr.kliczewski@gmail.com Gerrit-Reviewer: Dan Kenigsberg danken@redhat.com Gerrit-Reviewer: Jenkins CI Gerrit-Reviewer: Piotr Kliczewski piotr.kliczewski@gmail.com Gerrit-Reviewer: Yaniv Bronhaim ybronhei@redhat.com Gerrit-Reviewer: automation@ovirt.org Gerrit-HasComments: No

automation＠ovirt.org

28 Sep 28 Sep

2:42 p.m.

automation@ovirt.org has posted comments on this change.

Change subject: ssl: change default protocol ......................................................................

Patch Set 2:

* Update tracker::#1229765::OK * Check Bug-Url::OK * Check Public Bug::#1229765::OK, public bug * Check Product::#1229765::SKIPPED, not (oVirt Red Hat Enterprise Virtualization Manager) product but vdsm * Check Product::WARN, no bug url with correct product found, make sure you have at least one bug-url with a product in oVirt Red Hat Enterprise Virtualization Manager. * Check merged to previous::IGNORE, Not in stable branch (['ovirt-3.5', 'ovirt-3.4', 'ovirt-3.3'])

-- To view, visit https://gerrit.ovirt.org/43457 To unsubscribe, visit https://gerrit.ovirt.org/settings Gerrit-MessageType: comment Gerrit-Change-Id: I40267cb07b19d444c7d85aba6d1160c27e8fe3a6 Gerrit-PatchSet: 2 Gerrit-Project: vdsm Gerrit-Branch: master Gerrit-Owner: Piotr Kliczewski piotr.kliczewski@gmail.com Gerrit-Reviewer: Dan Kenigsberg danken@redhat.com Gerrit-Reviewer: Jenkins CI Gerrit-Reviewer: Piotr Kliczewski piotr.kliczewski@gmail.com Gerrit-Reviewer: Yaniv Bronhaim ybronhei@redhat.com Gerrit-Reviewer: automation@ovirt.org Gerrit-HasComments: No

Piotr Kliczewski

2:42 p.m.

Piotr Kliczewski has posted comments on this change.

Change subject: ssl: change default protocol ......................................................................

Patch Set 2:

Yaniv please check updated commit message.

-- To view, visit https://gerrit.ovirt.org/43457 To unsubscribe, visit https://gerrit.ovirt.org/settings Gerrit-MessageType: comment Gerrit-Change-Id: I40267cb07b19d444c7d85aba6d1160c27e8fe3a6 Gerrit-PatchSet: 2 Gerrit-Project: vdsm Gerrit-Branch: master Gerrit-Owner: Piotr Kliczewski piotr.kliczewski@gmail.com Gerrit-Reviewer: Dan Kenigsberg danken@redhat.com Gerrit-Reviewer: Jenkins CI Gerrit-Reviewer: Piotr Kliczewski piotr.kliczewski@gmail.com Gerrit-Reviewer: Yaniv Bronhaim ybronhei@redhat.com Gerrit-Reviewer: automation@ovirt.org Gerrit-HasComments: No

Jenkins CI RO

9 Oct 9 Oct

11:41 p.m.

Yaniv Bronhaim has posted comments on this change.

Change subject: ssl: change default protocol ......................................................................

Patch Set 2:

(1 comment)

https://gerrit.ovirt.org/#/c/43457/2//COMMIT_MSG Commit Message:

Line 11: see issues that it is already sslv3 is disabled and users need Line 12: to switch to tls. Line 13: Line 14: There is an issue when we switch to tls older engines are not Line 15: able to talk to vdsm anymore. how old? 3.5 and below? so to work with those versions we need to have vdsm set to sslv23 back? Line 16: Line 17: Line 18: Change-Id: I40267cb07b19d444c7d85aba6d1160c27e8fe3a6 Line 19: Signed-off-by: pkliczewski piotr.kliczewski@gmail.com

-- To view, visit https://gerrit.ovirt.org/43457 To unsubscribe, visit https://gerrit.ovirt.org/settings Gerrit-MessageType: comment Gerrit-Change-Id: I40267cb07b19d444c7d85aba6d1160c27e8fe3a6 Gerrit-PatchSet: 2 Gerrit-Project: vdsm Gerrit-Branch: master Gerrit-Owner: Piotr Kliczewski piotr.kliczewski@gmail.com Gerrit-Reviewer: Dan Kenigsberg danken@redhat.com Gerrit-Reviewer: Jenkins CI Gerrit-Reviewer: Piotr Kliczewski piotr.kliczewski@gmail.com Gerrit-Reviewer: Yaniv Bronhaim Gerrit-Reviewer: Yaniv Bronhaim ybronhei@redhat.com Gerrit-Reviewer: automation@ovirt.org Gerrit-HasComments: Yes

Piotr Kliczewski

12 Oct 12 Oct

8:40 a.m.

Piotr Kliczewski has posted comments on this change.

Change subject: ssl: change default protocol ......................................................................

Patch Set 2:

(1 comment)

https://gerrit.ovirt.org/#/c/43457/2//COMMIT_MSG Commit Message:

...

how old? 3.5 and below? so to work with those versions we need to have vdsm

I tested this behavior with engine 3.0. We have never stated that we do not support it. Once we change this setting 3.0 won't be able to connect to a vdsm. Line 16: Line 17: Line 18: Change-Id: I40267cb07b19d444c7d85aba6d1160c27e8fe3a6 Line 19: Signed-off-by: pkliczewski piotr.kliczewski@gmail.com

-- To view, visit https://gerrit.ovirt.org/43457 To unsubscribe, visit https://gerrit.ovirt.org/settings Gerrit-MessageType: comment Gerrit-Change-Id: I40267cb07b19d444c7d85aba6d1160c27e8fe3a6 Gerrit-PatchSet: 2 Gerrit-Project: vdsm Gerrit-Branch: master Gerrit-Owner: Piotr Kliczewski piotr.kliczewski@gmail.com Gerrit-Reviewer: Dan Kenigsberg danken@redhat.com Gerrit-Reviewer: Jenkins CI Gerrit-Reviewer: Piotr Kliczewski piotr.kliczewski@gmail.com Gerrit-Reviewer: Yaniv Bronhaim Gerrit-Reviewer: Yaniv Bronhaim ybronhei@redhat.com Gerrit-Reviewer: automation@ovirt.org Gerrit-HasComments: Yes

ybronhei＠redhat.com

20 Oct 20 Oct

2:01 p.m.

Yaniv Bronhaim has posted comments on this change.

Change subject: ssl: change default protocol ......................................................................

Patch Set 2:

(1 comment)

https://gerrit.ovirt.org/#/c/43457/2//COMMIT_MSG Commit Message:

...

I tested this behavior with engine 3.0. We have never stated that we do not

so please write it in the commit message- engine 3.0 and older won't work with current default value Line 16: Line 17: Line 18: Change-Id: I40267cb07b19d444c7d85aba6d1160c27e8fe3a6 Line 19: Signed-off-by: pkliczewski piotr.kliczewski@gmail.com

-- To view, visit https://gerrit.ovirt.org/43457 To unsubscribe, visit https://gerrit.ovirt.org/settings Gerrit-MessageType: comment Gerrit-Change-Id: I40267cb07b19d444c7d85aba6d1160c27e8fe3a6 Gerrit-PatchSet: 2 Gerrit-Project: vdsm Gerrit-Branch: master Gerrit-Owner: Piotr Kliczewski piotr.kliczewski@gmail.com Gerrit-Reviewer: Dan Kenigsberg danken@redhat.com Gerrit-Reviewer: Jenkins CI Gerrit-Reviewer: Piotr Kliczewski piotr.kliczewski@gmail.com Gerrit-Reviewer: Yaniv Bronhaim Gerrit-Reviewer: Yaniv Bronhaim ybronhei@redhat.com Gerrit-Reviewer: Yeela Kaplan ykaplan@redhat.com Gerrit-Reviewer: automation@ovirt.org Gerrit-HasComments: Yes

ybronhei＠redhat.com

2:03 p.m.

Yaniv Bronhaim has posted comments on this change.

Change subject: ssl: change default protocol ......................................................................

Patch Set 2: Code-Review+1

-- To view, visit https://gerrit.ovirt.org/43457 To unsubscribe, visit https://gerrit.ovirt.org/settings Gerrit-MessageType: comment Gerrit-Change-Id: I40267cb07b19d444c7d85aba6d1160c27e8fe3a6 Gerrit-PatchSet: 2 Gerrit-Project: vdsm Gerrit-Branch: master Gerrit-Owner: Piotr Kliczewski piotr.kliczewski@gmail.com Gerrit-Reviewer: Dan Kenigsberg danken@redhat.com Gerrit-Reviewer: Jenkins CI Gerrit-Reviewer: Piotr Kliczewski piotr.kliczewski@gmail.com Gerrit-Reviewer: Yaniv Bronhaim Gerrit-Reviewer: Yaniv Bronhaim ybronhei@redhat.com Gerrit-Reviewer: Yeela Kaplan ykaplan@redhat.com Gerrit-Reviewer: automation@ovirt.org Gerrit-HasComments: No

ybronhei＠redhat.com

2:04 p.m.

Yaniv Bronhaim has posted comments on this change.

Change subject: ssl: change default protocol ......................................................................

Patch Set 2:

we support engine 3.3 and above. older then that weren't checked, so I agree to leave it as is

-- To view, visit https://gerrit.ovirt.org/43457 To unsubscribe, visit https://gerrit.ovirt.org/settings Gerrit-MessageType: comment Gerrit-Change-Id: I40267cb07b19d444c7d85aba6d1160c27e8fe3a6 Gerrit-PatchSet: 2 Gerrit-Project: vdsm Gerrit-Branch: master Gerrit-Owner: Piotr Kliczewski piotr.kliczewski@gmail.com Gerrit-Reviewer: Dan Kenigsberg danken@redhat.com Gerrit-Reviewer: Jenkins CI Gerrit-Reviewer: Piotr Kliczewski piotr.kliczewski@gmail.com Gerrit-Reviewer: Yaniv Bronhaim Gerrit-Reviewer: Yaniv Bronhaim ybronhei@redhat.com Gerrit-Reviewer: Yeela Kaplan ykaplan@redhat.com Gerrit-Reviewer: automation@ovirt.org Gerrit-HasComments: No

Dan Kenigsberg

29 Oct 29 Oct

8:48 a.m.

Dan Kenigsberg has posted comments on this change.

Change subject: ssl: change default protocol ......................................................................

Patch Set 3: Code-Review+2

-- To view, visit https://gerrit.ovirt.org/43457 To unsubscribe, visit https://gerrit.ovirt.org/settings Gerrit-MessageType: comment Gerrit-Change-Id: I40267cb07b19d444c7d85aba6d1160c27e8fe3a6 Gerrit-PatchSet: 3 Gerrit-Project: vdsm Gerrit-Branch: master Gerrit-Owner: Piotr Kliczewski piotr.kliczewski@gmail.com Gerrit-Reviewer: Dan Kenigsberg danken@redhat.com Gerrit-Reviewer: Jenkins CI Gerrit-Reviewer: Piotr Kliczewski piotr.kliczewski@gmail.com Gerrit-Reviewer: Yaniv Bronhaim Gerrit-Reviewer: Yaniv Bronhaim ybronhei@redhat.com Gerrit-Reviewer: Yeela Kaplan ykaplan@redhat.com Gerrit-Reviewer: automation@ovirt.org Gerrit-HasComments: No

automation＠ovirt.org

8:48 a.m.

automation@ovirt.org has posted comments on this change.

Change subject: ssl: change default protocol ......................................................................

Patch Set 3:

* Update tracker::#1229765::OK * Check Bug-Url::OK * Check Public Bug::#1229765::OK, public bug * Check Product::#1229765::OK, Correct classification oVirt * Check TM::SKIP, not in a monitored branch (ovirt-3.5 ovirt-3.4 ovirt-3.3 ovirt-3.2) * Check merged to previous::IGNORE, Not in stable branch (['ovirt-3.5', 'ovirt-3.4', 'ovirt-3.3'])

-- To view, visit https://gerrit.ovirt.org/43457 To unsubscribe, visit https://gerrit.ovirt.org/settings Gerrit-MessageType: comment Gerrit-Change-Id: I40267cb07b19d444c7d85aba6d1160c27e8fe3a6 Gerrit-PatchSet: 3 Gerrit-Project: vdsm Gerrit-Branch: master Gerrit-Owner: Piotr Kliczewski piotr.kliczewski@gmail.com Gerrit-Reviewer: Dan Kenigsberg danken@redhat.com Gerrit-Reviewer: Jenkins CI Gerrit-Reviewer: Piotr Kliczewski piotr.kliczewski@gmail.com Gerrit-Reviewer: Yaniv Bronhaim Gerrit-Reviewer: Yaniv Bronhaim ybronhei@redhat.com Gerrit-Reviewer: Yeela Kaplan ykaplan@redhat.com Gerrit-Reviewer: automation@ovirt.org Gerrit-HasComments: No

Dan Kenigsberg

8:51 a.m.

Dan Kenigsberg has submitted this change and it was merged.

Change subject: ssl: change default protocol ......................................................................

ssl: change default protocol

We used 'sslv23' but when Paddle (CVE-2014-3566) was found it is recommended to switch to 'tlsv1'. On some of the OSes we see issues that it is already sslv3 is disabled and users need to switch to tls.

There is an issue when we switch to tls older engines (<= 3.0) are not able to talk to vdsm anymore.

Change-Id: I40267cb07b19d444c7d85aba6d1160c27e8fe3a6 Signed-off-by: pkliczewski piotr.kliczewski@gmail.com Bug-Url: https://bugzilla.redhat.com/1229765 Reviewed-on: https://gerrit.ovirt.org/43457 Continuous-Integration: Jenkins CI Reviewed-by: Yaniv Bronhaim ybronhei@redhat.com Reviewed-by: Dan Kenigsberg danken@redhat.com --- M lib/vdsm/config.py.in 1 file changed, 1 insertion(+), 1 deletion(-)

Approvals: Piotr Kliczewski: Verified Yaniv Bronhaim: Looks good to me, but someone else must approve Jenkins CI: Passed CI tests Dan Kenigsberg: Looks good to me, approved

-- To view, visit https://gerrit.ovirt.org/43457 To unsubscribe, visit https://gerrit.ovirt.org/settings Gerrit-MessageType: merged Gerrit-Change-Id: I40267cb07b19d444c7d85aba6d1160c27e8fe3a6 Gerrit-PatchSet: 4 Gerrit-Project: vdsm Gerrit-Branch: master Gerrit-Owner: Piotr Kliczewski piotr.kliczewski@gmail.com Gerrit-Reviewer: Dan Kenigsberg danken@redhat.com Gerrit-Reviewer: Jenkins CI Gerrit-Reviewer: Piotr Kliczewski piotr.kliczewski@gmail.com Gerrit-Reviewer: Yaniv Bronhaim Gerrit-Reviewer: Yaniv Bronhaim ybronhei@redhat.com Gerrit-Reviewer: Yeela Kaplan ykaplan@redhat.com Gerrit-Reviewer: automation@ovirt.org

automation＠ovirt.org

8:51 a.m.

automation@ovirt.org has posted comments on this change.

Change subject: ssl: change default protocol ......................................................................

Patch Set 4:

* Update tracker::#1229765::OK * Set MODIFIED::bug 1229765::::#1229765::::IGNORE, not oVirt prod but vdsm

-- To view, visit https://gerrit.ovirt.org/43457 To unsubscribe, visit https://gerrit.ovirt.org/settings Gerrit-MessageType: comment Gerrit-Change-Id: I40267cb07b19d444c7d85aba6d1160c27e8fe3a6 Gerrit-PatchSet: 4 Gerrit-Project: vdsm Gerrit-Branch: master Gerrit-Owner: Piotr Kliczewski piotr.kliczewski@gmail.com Gerrit-Reviewer: Dan Kenigsberg danken@redhat.com Gerrit-Reviewer: Jenkins CI Gerrit-Reviewer: Piotr Kliczewski piotr.kliczewski@gmail.com Gerrit-Reviewer: Yaniv Bronhaim Gerrit-Reviewer: Yaniv Bronhaim ybronhei@redhat.com Gerrit-Reviewer: Yeela Kaplan ykaplan@redhat.com Gerrit-Reviewer: automation@ovirt.org Gerrit-HasComments: No

3165

Age (days ago)

3274

Last active (days ago)

vdsm-patches@lists.fedorahosted.org

15 comments

5 participants

tags (0)

participants (5)

automation＠ovirt.org
Dan Kenigsberg
Jenkins CI RO
Piotr Kliczewski
ybronhei＠redhat.com