
Bug 1519753

Summary: combination of ssl_protocol = tlsv1 and ssl_excludes = OP_NO_TLSv1 does not prevent TLSv1 communication
Product: [oVirt] vdsm
Reporter: Jiri Belka <jbelka>
Component: Core
Assignee: Dan Kenigsberg <danken>
Status: CLOSED DEFERRED
QA Contact: Pavel Stehlik <pstehlik>
Severity: low
Priority: unspecified
Version: 4.19.35
CC: bugs
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2017-12-02 06:51:47 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: Infra
Cloudforms Team: ---

Description Jiri Belka 2017-12-01 11:46:18 UTC
Description of problem:

Surprisingly, the combination of ssl_protocol = tlsv1 and ssl_excludes = OP_NO_TLSv1 does not prevent TLSv1 communication.

2017-12-01 12:18:05,887+01 INFO  [stdout] (SSL Stomp Reactor) SSL Stomp Reactor, WRITE: TLSv1 Application Data, length = 286

+ capturing between engine and vdsm

Capturing on 'eth0'
  1 0.000000000 10.37.138.131 -> 10.37.138.79 TLSv1 364 Application Data, Application Data
  2 0.008328613 10.37.138.79 -> 10.37.138.131 TLSv1 364 Application Data, Application Data

Version-Release number of selected component (if applicable):
vdsm-4.19.40-1.el7ev.x86_64

How reproducible:
100%

Steps to Reproduce:
1. put ssl_protocol = tlsv1 and ssl_excludes = OP_NO_TLSv1 into vdsm.conf
2. restart vdsm
3. check what TLS version is used if any

Actual results:
TLSv1

Expected results:
I was expecting to have a communication failure because of this "strange" configuration.

Additional info:

Comment 2 Yaniv Kaul 2017-12-02 06:51:47 UTC
Not sure why it's an interesting combo to test or support. We'll only want to support TLS 1.2. Closing for the time being.

Comment 3 Jiri Belka 2017-12-02 20:09:16 UTC
(In reply to Yaniv Kaul from comment #2)
> Not sure why it's an interesting combo to test or support. We'll only want
> to support TLS 1.2. Closing for the time being.

What if this combo has revealed an implementation issue around excludes?
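The reproduction steps and comment 3 both come down to one question: what set of TLS versions does a given ssl_protocol / ssl_excludes pair actually leave negotiable? The following consistency check is an added example, not vdsm's own code; it assumes vdsm.conf keeps these keys in a `[vars]` section, that ssl_protocol takes the names tlsv1, tlsv1_1, tlsv1_2 or sslv23, and that ssl_excludes is a comma-separated list of OpenSSL OP_NO_* names (the report only shows tlsv1 and OP_NO_TLSv1; the rest is assumed). It flags the contradictory pair from this bug, where every selected version is also excluded, and separately flags any configuration that still allows TLS 1.0 or 1.1.

```python
import configparser

# ssl_protocol value -> versions that protocol method may negotiate (assumed names;
# "sslv23" is OpenSSL's "negotiate anything, then apply OP_NO_* excludes").
PROTOCOL_VERSIONS = {
    "sslv23": {"TLSv1", "TLSv1_1", "TLSv1_2"},
    "tlsv1": {"TLSv1"},
    "tlsv1_1": {"TLSv1_1"},
    "tlsv1_2": {"TLSv1_2"},
}
# ssl_excludes entry -> the single version that OP_NO_* flag removes.
EXCLUDE_TO_VERSION = {
    "OP_NO_TLSv1": "TLSv1",
    "OP_NO_TLSv1_1": "TLSv1_1",
    "OP_NO_TLSv1_2": "TLSv1_2",
}
WEAK_VERSIONS = {"TLSv1", "TLSv1_1"}


def effective_tls_versions(conf_text):
    """Return the TLS versions a vdsm.conf [vars] section leaves negotiable."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    protocol = cp.get("vars", "ssl_protocol", fallback="sslv23").strip().lower()
    raw_excludes = cp.get("vars", "ssl_excludes", fallback="")
    excludes = [e.strip() for e in raw_excludes.split(",") if e.strip()]
    if protocol not in PROTOCOL_VERSIONS:
        raise ValueError("unknown ssl_protocol: %s" % protocol)
    allowed = set(PROTOCOL_VERSIONS[protocol])
    for name in excludes:
        if name not in EXCLUDE_TO_VERSION:
            raise ValueError("unknown ssl_excludes entry: %s" % name)
        allowed.discard(EXCLUDE_TO_VERSION[name])
    return allowed


def audit(conf_text):
    """Return (allowed versions, findings) for a vdsm.conf fragment."""
    allowed = effective_tls_versions(conf_text)
    findings = []
    if not allowed:
        findings.append("contradictory: every version selected by ssl_protocol "
                        "is also in ssl_excludes; no handshake should succeed")
    weak = allowed & WEAK_VERSIONS
    if weak:
        findings.append("weak: %s still negotiable" % ", ".join(sorted(weak)))
    return allowed, findings


if __name__ == "__main__":
    # Constructed fragment matching the configuration from this bug report.
    BUG_CONF = "[vars]\nssl_protocol = tlsv1\nssl_excludes = OP_NO_TLSv1\n"
    print(audit(BUG_CONF))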