On 04/12/2015 12:17 PM, ybronhei wrote:
On 04/07/2015 04:45 PM, Alon Bar-Lev wrote:
>
>
> ----- Original Message -----
>> From: "knarra" <knarra(a)redhat.com>
>> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
>> Cc: users(a)ovirt.org
>> Sent: Tuesday, April 7, 2015 3:39:58 PM
>> Subject: Re: [ovirt-users] Issue with vdsm on EL6 nodes
>>
>> On 04/07/2015 05:58 PM, Alon Bar-Lev wrote:
>>>
>>> ----- Original Message -----
>>>> From: "knarra" <knarra(a)redhat.com>
>>>> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
>>>> Cc: users(a)ovirt.org
>>>> Sent: Tuesday, April 7, 2015 3:25:07 PM
>>>> Subject: Re: [ovirt-users] Issue with vdsm on EL6 nodes
>>>>
>>>> On 04/07/2015 05:50 PM, Alon Bar-Lev wrote:
>>>>> ----- Original Message -----
>>>>>> From: "knarra" <knarra(a)redhat.com>
>>>>>> To: users(a)ovirt.org
>>>>>> Sent: Tuesday, April 7, 2015 3:15:12 PM
>>>>>> Subject: [ovirt-users] Issue with vdsm on EL6 nodes
>>>>>>
>>>>> <snip>
>>>>>
>>>>>> SSLError: [Errno 1] _ssl.c:1390: error:1409442E:SSL
>>>>>> routines:SSL3_READ_BYTES:tlsv1 alert protocol version
>>>>>>
>>>>>> Can someone help me to resolve this issue?
>>>>> your openssl is patched to disable sslv3, and engine is trying to
>>>>> communicate using sslv3.
>>>>>
>>>>> please upgrade engine to latest z-stream, it should be resolved.
>>>> Hi Alon,
>>>>
>>>> I checked the following value in my database and my engine
>>>> is using
>>>> TLSv1 and not sslv3 to communicate. I am on 3.6 master branch.
>>>>
>>>> engine=# select option_name,option_value from vdc_options where
>>>> option_name = 'VdsmSSLProtocol';
>>>> option_name | option_value
>>>> -----------------+--------------
>>>> VdsmSSLProtocol | TLSv1
>>>> (1 row)
>>> hmmm.... and you say you get this when you use vdsClient, so maybe
>>> it tries
>>> to connect using sslv3.
>>>
>>> is engine working properly?
>> yes, engine works fine, i have few other nodes where i have the same
>> vdsm version added to same engine and i do not hit this issue there. I
>> am just wondering how is this happening.
>>
>
> compare openssl version.
>
> yaniv, please fix the vdsClient to use TLSv1
>
should it use v1 always (forcefully)? we can do that, but currently it
chooses the highest version both parties are able to use.
Vdsm uses ssl.PROTOCOL_SSLv23 which chooses the right tls version in
python 2.7. In el6 we have python 2.6 which picks sslv2 or sslv3 when
using ssl.PROTOCOL_SSLv23 (the highest version both sides support) -
ovirt 3.6 (vdsm 4.17 and above) doesn't support el6 anymore therefore
current 3.6 code works as expected in el7\fedora>20.
If we want to fix vdsm 4.16.x (ovirt 3.5 package) to use explicitly
ssl.PROTOCOL_TLSv1 we can do so - but it will be ovirt-3.5 branch only.
Do we want that? If so, we need a bug for 3.5.
--
Yaniv Bronhaim.
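
As an added example (not code from this thread or from vdsm), the following reproduces the `tlsv1 alert protocol version` failure with an in-memory handshake between a client capped at an older protocol version and a server that refuses it. It assumes Python 3.7+ built with TLS 1.3 support; because current OpenSSL builds no longer offer SSLv3, a TLS 1.2 client against a TLS 1.3-only server stands in for the SSLv3-vs-TLSv1 mismatch, and the helper names `make_ctx` and `negotiate` are hypothetical.

```python
import ssl

def make_ctx(server_side, min_v=None, max_v=None):
    """Version-negotiating context (what PROTOCOL_SSLv23 became), with optional bounds."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER if server_side else ssl.PROTOCOL_TLS_CLIENT)
    if not server_side:
        # Certificate checks are off: only version negotiation is exercised here.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    if min_v is not None:
        ctx.minimum_version = min_v
    if max_v is not None:
        ctx.maximum_version = max_v
    return ctx

def _step(tls_obj):
    """Advance one side's handshake; return the error reason if it failed fatally."""
    try:
        tls_obj.do_handshake()
    except ssl.SSLWantReadError:
        return None  # waiting for the peer's next flight
    except ssl.SSLError as exc:
        return exc.reason or str(exc)
    return None

def negotiate(client_ctx, server_ctx):
    """Exchange ClientHello and the server's answer in memory.

    Returns (client_error, server_error); None means no fatal error yet.
    """
    c_in, c_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    s_in, s_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = client_ctx.wrap_bio(c_in, c_out, server_side=False)
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    _step(client)                 # client emits its ClientHello
    s_in.write(c_out.read())
    server_err = _step(server)    # server answers (here: a protocol_version alert)
    c_in.write(s_out.read())
    client_err = _step(client)    # client reads the server's answer
    return client_err, server_err

if __name__ == "__main__":
    # Constructed scenario: client capped below what the server accepts.
    old_client = make_ctx(False, max_v=ssl.TLSVersion.TLSv1_2)
    strict_server = make_ctx(True, min_v=ssl.TLSVersion.TLSv1_3)
    print(negotiate(old_client, strict_server))
```

The server rejects the offered version before any certificate is needed, which is why no key material appears in the example.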