Michal Skrivanek <michal.skrivanek(a)redhat.com> writes:
> On 8. 9. 2021, at 20:48, Milan Zamazal <mzamazal(a)redhat.com> wrote:
>
> Hi,
>
> we had to disable VNC OST test some time ago because it started failing.
> I looked at why it fails and the reason provided by
> ovirt-websocket-proxy is
>
> do_vencrypt_handshake:187 Server supports the following subtypes: 263

263 is VNC_AUTH_VENCRYPT_X509SASL
because with fips we change libvirt configuration to SASL?

libvirt configuration is the same whether we boot with fips=0 or fips=1
(and disable/enable FIPS for the cluster accordingly). And the proxy
works with fips=0 even when auth_unix_rw="sasl" is set in the libvirt
configuration.

So should we add VENCRYPT_X509SASL support to the proxy?

> Server does not support X509VNC. OvirtProxy only supports X509VNC
>
> This happens only when FIPS is enabled and is reproducible outside OST.
> The only thing that seems to have influence on whether it works or not
> is the value of `fips' kernel command line parameter -- when it's
> changed to fips=0 then noVNC console works without any other changes.
>
> So it looks like some change in QEMU. I'm not an expert in this area
> and don't know what those protocols are about, why the proxy supports
> only X509VNC and why the mismatch in expectations on both the ends
> happens when FIPS is enabled. Can anybody help clarify it and provide
> an idea how to resolve the problem?
>
> Thanks,
> Milan
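
The subtype negotiation behind the log lines quoted in the message above, as an added example that is not code from ovirt-websocket-proxy or from the thread. It assumes the VeNCrypt 0.2 wire layout (a U8 count followed by big-endian U32 subtype codes) and the subtype numbering used by QEMU; the function names and the sample messages are hypothetical.

```python
import struct

# VeNCrypt subtype codes as numbered in QEMU's VNC server.
VENCRYPT_SUBTYPES = {
    256: "PLAIN", 257: "TLSNONE", 258: "TLSVNC", 259: "TLSPLAIN",
    260: "X509NONE", 261: "X509VNC", 262: "X509PLAIN",
    263: "X509SASL", 264: "TLSSASL",
}
X509VNC = 261


class SubtypeMismatch(Exception):
    """No VeNCrypt subtype is supported by both ends."""


def parse_subtype_list(data):
    """Parse the server's offer: U8 count, then `count` big-endian U32 codes."""
    if not data:
        raise ValueError("empty subtype message")
    count, body = data[0], data[1:]
    if count == 0:
        raise ValueError("server offered zero subtypes")
    if len(body) != 4 * count:
        raise ValueError("expected %d subtype bytes, got %d" % (4 * count, len(body)))
    return list(struct.unpack(">%dI" % count, body))


def describe(codes):
    """Render subtype codes with their names for a log or error message."""
    return ", ".join("%d (%s)" % (c, VENCRYPT_SUBTYPES.get(c, "unknown")) for c in codes)


def choose_subtype(offered, supported=(X509VNC,)):
    """Return the client's reply (big-endian U32) for the first common subtype."""
    for code in supported:
        if code in offered:
            return struct.pack(">I", code)
    raise SubtypeMismatch(
        "server offers %s; proxy supports %s" % (describe(offered), describe(supported))
    )


# Constructed sample messages, not captured traffic.
FIPS_OFFER = bytes([1]) + struct.pack(">I", 263)      # the offer reported in the log
NON_FIPS_OFFER = bytes([1]) + struct.pack(">I", 261)  # assumed offer in the working case
```

Passing `supported=(261, 263)` makes the selection step succeed for the FIPS offer, but the SASL exchange that follows an X509SASL choice is not covered by this example.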