Bug 1519753 - combination of ssl_protocol = tlsv1 and ssl_excludes = OP_NO_TLSv1 does not prevent TLSv1 communication
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: vdsm
Classification: oVirt
Component: Core
Version: 4.19.35
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: low
Target Milestone: ---
Assignee: Dan Kenigsberg
QA Contact: Pavel Stehlik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-12-01 11:46 UTC by Jiri Belka
Modified: 2017-12-02 20:12 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-12-02 06:51:47 UTC
oVirt Team: Infra



Description Jiri Belka 2017-12-01 11:46:18 UTC
Description of problem:

Surprisingly, the combination of ssl_protocol = tlsv1 and ssl_excludes = OP_NO_TLSv1 does not prevent TLSv1 communication.

2017-12-01 12:18:05,887+01 INFO  [stdout] (SSL Stomp Reactor) SSL Stomp Reactor, WRITE: TLSv1 Application Data, length = 286

+ capturing between engine and vdsm

Capturing on 'eth0'
  1 0.000000000 10.37.138.131 -> 10.37.138.79 TLSv1 364 Application Data, Application Data
  2 0.008328613 10.37.138.79 -> 10.37.138.131 TLSv1 364 Application Data, Application Data

Version-Release number of selected component (if applicable):
vdsm-4.19.40-1.el7ev.x86_64

How reproducible:
100%

Steps to Reproduce:
1. put ssl_protocol = tlsv1 and ssl_excludes = OP_NO_TLSv1 into vdsm.conf
2. restart vdsm
3. check what TLS version is used if any

Actual results:
TLSv1

Expected results:
I was expecting a communication failure because of this "strange" configuration.

Additional info:
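The reported configuration pins a single protocol version and then tries to exclude that same version. OpenSSL documents the SSL_OP_NO_* options as narrowing only the version-flexible method; a fixed-version method such as TLSv1_method negotiates exactly one version and ignores them, which matches what the capture above shows. The following audit script is an added example, not vdsm's code and not from the reporter; it parses a vdsm.conf fragment, computes which versions a context built from ssl_protocol and ssl_excludes can actually negotiate, and flags an exclude that cannot take effect. The [vars] section name, the ssl_protocol value names other than tlsv1, and the sslv23 fallback are assumptions; both configuration fragments are constructed for the example, and the second one is the TLS 1.2-only setting that the maintainer's reply below says is the only one to be supported.

```python
import configparser

# Versions each ssl_protocol value can negotiate. Everything except 'sslv23'
# maps to an OpenSSL fixed-version method (TLSv1_method and so on) that
# negotiates exactly one version. The set of names is an assumption; only
# 'tlsv1' appears in the bug report.
PROTOCOL_VERSIONS = {
    "sslv23": {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"},
    "tlsv1": {"TLSv1"},
    "tlsv1_1": {"TLSv1.1"},
    "tlsv1_2": {"TLSv1.2"},
}

# OpenSSL SSL_OP_NO_* option names and the version each one removes.
EXCLUDE_VERSION = {
    "OP_NO_SSLv3": "SSLv3",
    "OP_NO_TLSv1": "TLSv1",
    "OP_NO_TLSv1_1": "TLSv1.1",
    "OP_NO_TLSv1_2": "TLSv1.2",
}


def effective_versions(protocol, excludes):
    """Versions a context built from (ssl_protocol, ssl_excludes) can negotiate.

    OpenSSL applies SSL_OP_NO_* only to the version-flexible method; with a
    fixed-version method the option is a no-op, so tlsv1 + OP_NO_TLSv1 still
    talks TLSv1, as observed in the bug report.
    """
    versions = set(PROTOCOL_VERSIONS[protocol.lower()])
    if protocol.lower() != "sslv23":
        return versions  # fixed-version method: excludes are ignored
    for name in excludes:
        versions.discard(EXCLUDE_VERSION[name])
    return versions


def audit_vdsm_conf(text):
    """Parse a vdsm.conf fragment and return the effective versions plus the
    findings a reviewer would raise. Contradictory settings are reported,
    never raised."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    # Assumption: ssl_* keys live in [vars]; sslv23 is assumed when absent.
    protocol = cfg.get("vars", "ssl_protocol", fallback="sslv23").strip()
    raw = cfg.get("vars", "ssl_excludes", fallback="").strip()
    excludes = [e.strip() for e in raw.split(",") if e.strip()]

    findings = []
    unknown = [e for e in excludes if e not in EXCLUDE_VERSION]
    if unknown:
        findings.append("unknown ssl_excludes entries: " + ", ".join(unknown))
    known = [e for e in excludes if e in EXCLUDE_VERSION]

    if protocol.lower() not in PROTOCOL_VERSIONS:
        findings.append("unknown ssl_protocol: " + protocol)
        return {"protocol": protocol, "versions": set(), "findings": findings}

    versions = effective_versions(protocol, known)
    if protocol.lower() != "sslv23" and known:
        findings.append(
            "ssl_excludes has no effect with fixed-version ssl_protocol=%s"
            % protocol)
    for name in known:
        if EXCLUDE_VERSION[name] in versions:
            findings.append("%s requested but %s is still negotiable"
                            % (name, EXCLUDE_VERSION[name]))
    if not versions:
        findings.append("no protocol version left: every connection will fail")
    legacy = versions - {"TLSv1.2"}
    if legacy:
        findings.append("legacy versions negotiable: " + ", ".join(sorted(legacy)))
    return {"protocol": protocol, "versions": versions, "findings": findings}


# Constructed vdsm.conf fragments (not captured from a real host).
BUG_CONFIG = """
[vars]
ssl = true
ssl_protocol = tlsv1
ssl_excludes = OP_NO_TLSv1
"""

HARDENED_CONFIG = """
[vars]
ssl = true
ssl_protocol = sslv23
ssl_excludes = OP_NO_SSLv3,OP_NO_TLSv1,OP_NO_TLSv1_1
"""

if __name__ == "__main__":
    for label, text in (("bug", BUG_CONFIG), ("hardened", HARDENED_CONFIG)):
        report = audit_vdsm_conf(text)
        print(label, sorted(report["versions"]))
        for finding in report["findings"]:
            print("  -", finding)
```

Running the script reports the bug configuration as still negotiating TLSv1 with the exclude having no effect, while the sslv23 variant that excludes SSLv3, TLSv1 and TLSv1.1 leaves only TLSv1.2 and produces no findings. The useful property for a reviewer is that the version set is derived from the same rule OpenSSL applies, so a "fixed protocol plus exclude" contradiction is caught before a restart, rather than being discovered by capturing traffic.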

Comment 2 Yaniv Kaul 2017-12-02 06:51:47 UTC
Not sure why it's an interesting combo to test or support. We'll only want to support TLS 1.2. Closing for the time being.

Comment 3 Jiri Belka 2017-12-02 20:09:16 UTC
(In reply to Yaniv Kaul from comment #2)
> Not sure why it's an interesting combo to test or support. We'll only want
> to support TLS 1.2. Closing for the time being.

What if this combo has revealed an implementation issue around excludes?

