[ovirt-devel] [ovirt-users] Issue with vdsm on EL6 nodes

ybronhei ybronhei at redhat.com
Sun Apr 12 10:56:18 UTC 2015


On 04/12/2015 12:17 PM, ybronhei wrote:
> On 04/07/2015 04:45 PM, Alon Bar-Lev wrote:
>>
>>
>> ----- Original Message -----
>>> From: "knarra" <knarra at redhat.com>
>>> To: "Alon Bar-Lev" <alonbl at redhat.com>
>>> Cc: users at ovirt.org
>>> Sent: Tuesday, April 7, 2015 3:39:58 PM
>>> Subject: Re: [ovirt-users] Issue with vdsm on EL6 nodes
>>>
>>> On 04/07/2015 05:58 PM, Alon Bar-Lev wrote:
>>>>
>>>> ----- Original Message -----
>>>>> From: "knarra" <knarra at redhat.com>
>>>>> To: "Alon Bar-Lev" <alonbl at redhat.com>
>>>>> Cc: users at ovirt.org
>>>>> Sent: Tuesday, April 7, 2015 3:25:07 PM
>>>>> Subject: Re: [ovirt-users] Issue with vdsm on EL6 nodes
>>>>>
>>>>> On 04/07/2015 05:50 PM, Alon Bar-Lev wrote:
>>>>>> ----- Original Message -----
>>>>>>> From: "knarra" <knarra at redhat.com>
>>>>>>> To: users at ovirt.org
>>>>>>> Sent: Tuesday, April 7, 2015 3:15:12 PM
>>>>>>> Subject: [ovirt-users] Issue with vdsm on EL6 nodes
>>>>>>>
>>>>>> <snip>
>>>>>>
>>>>>>> SSLError: [Errno 1] _ssl.c:1390: error:1409442E:SSL
>>>>>>> routines:SSL3_READ_BYTES:tlsv1 alert protocol version
>>>>>>>
>>>>>>> Can someone help me to resolve this issue?
>>>>>> your openssl is patched to disable sslv3, and engine is trying to
>>>>>> communicate using sslv3.
>>>>>>
>>>>>> please upgrade engine to latest z-stream, it should be resolved.
>>>>> Hi Alon,
>>>>>
>>>>>        I checked the following value in my database and my engine is
>>>>> using TLSv1 and not sslv3 to communicate. I am on 3.6 master branch.
>>>>>
>>>>> engine=# select option_name,option_value from vdc_options where
>>>>> option_name = 'VdsmSSLProtocol';
>>>>>       option_name   | option_value
>>>>> -----------------+--------------
>>>>>     VdsmSSLProtocol | TLSv1
>>>>> (1 row)
>>>> hmmm.... and you say you get this when you use vdsClient, so maybe
>>>> it tries to connect using sslv3.
>>>>
>>>> is engine working properly?
>>> yes, engine works fine, i have few other nodes where i have the same
>>> vdsm version added to same engine and i do not hit this issue there. I
>>> am just wondering how is this happening.
>>>
>>
>> compare openssl version.
>>
>> yaniv, please fix the vdsClient to use TLSv1
>>
> should it use v1 always (forcefully)? we can do that, but currently it
> chooses the highest version both parties are able to use
>
>
Vdsm uses ssl.PROTOCOL_SSLv23 which chooses the right tls version in 
python 2.7. In el6 we have python 2.6 which picks sslv2 or sslv3 when 
using ssl.PROTOCOL_SSLv23 (the highest version both sides support) -

ovirt 3.6 (vdsm 4.17 and above) doesn't support el6 anymore therefore 
current 3.6 code works as expected in el7\fedora>20.

If we want to fix vdsm 4.16.x (ovirt 3.5 package) to use explicitly 
ssl.PROTOCOL_TLSv1 we can do so - but it will be ovirt-3.5 branch only

do we want that? if so we need bug for 3.5

-- 
Yaniv Bronhaim.
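
Added example, not part of the original message or of vdsm: a small Python parser for unencrypted SSLv3/TLS records that reads the version a ClientHello offers and decodes an alert such as the "tlsv1 alert protocol version" quoted in the thread. The sample bytes are constructed, the function names are hypothetical, and it assumes SSLv3/TLS record framing from before TLS 1.3 (an SSLv2-format hello is not handled).

```python
import struct

# Version and alert codes from the SSLv3/TLS specifications.
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
LEVELS = {1: "warning", 2: "fatal"}
DESCRIPTIONS = {40: "handshake_failure", 70: "protocol_version"}
HANDSHAKE, ALERT, CLIENT_HELLO = 22, 21, 1


def records(buf):
    """Yield (content_type, record_version, payload) for each record in buf."""
    pos = 0
    while pos < len(buf):
        if pos + 5 > len(buf):
            raise ValueError("truncated record header")
        ctype, version, length = struct.unpack_from("!BHH", buf, pos)
        payload = buf[pos + 5:pos + 5 + length]
        if len(payload) < length:
            raise ValueError("truncated record payload")
        yield ctype, version, payload
        pos += 5 + length


def offered_version(client_bytes):
    """Return the highest version the client offers (ClientHello.client_version)."""
    for ctype, _, payload in records(client_bytes):
        if ctype == HANDSHAKE and len(payload) >= 6 and payload[0] == CLIENT_HELLO:
            # 1 byte message type, 3 bytes length, then 2 bytes client_version
            version = struct.unpack_from("!H", payload, 4)[0]
            return VERSIONS.get(version, "unknown(0x%04x)" % version)
    return None


def alerts(peer_bytes):
    """Return (level, description) for every unencrypted alert record."""
    return [(LEVELS.get(p[0], str(p[0])), DESCRIPTIONS.get(p[1], str(p[1])))
            for ctype, _, p in records(peer_bytes)
            if ctype == ALERT and len(p) == 2]


# Constructed samples (not captured from the hosts in the thread): a minimal
# ClientHello offering SSLv3, and a fatal protocol_version alert in reply.
_body = b"\x03\x00" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
_msg = b"\x01" + len(_body).to_bytes(3, "big") + _body
SAMPLE_HELLO = b"\x16\x03\x00" + len(_msg).to_bytes(2, "big") + _msg
SAMPLE_ALERT = bytes.fromhex("15030100020246")

if __name__ == "__main__":
    print("client offered:", offered_version(SAMPLE_HELLO))
    print("peer alerts:", alerts(SAMPLE_ALERT))
```

Run against the first bytes each side sends, this shows whether a client offered only SSLv3 to a peer that then refused the version.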


