----- Original Message -----
From: "ybronhei" <ybronhei@redhat.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: "knarra" <knarra@redhat.com>, users@ovirt.org, "Dima Kuznetsov" <dkuznets@redhat.com> Sent: Sunday, April 12, 2015 12:17:03 PM Subject: Re: [ovirt-users] Issue with vdsm on EL6 nodes
On 04/07/2015 04:45 PM, Alon Bar-Lev wrote:
----- Original Message -----
From: "knarra" <knarra@redhat.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: users@ovirt.org Sent: Tuesday, April 7, 2015 3:39:58 PM Subject: Re: [ovirt-users] Issue with vdsm on EL6 nodes
On 04/07/2015 05:58 PM, Alon Bar-Lev wrote:
From: "knarra" <knarra@redhat.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: users@ovirt.org Sent: Tuesday, April 7, 2015 3:25:07 PM Subject: Re: [ovirt-users] Issue with vdsm on EL6 nodes
On 04/07/2015 05:50 PM, Alon Bar-Lev wrote:
----- Original Message ----- > From: "knarra" <knarra@redhat.com> > To: users@ovirt.org > Sent: Tuesday, April 7, 2015 3:15:12 PM > Subject: [ovirt-users] Issue with vdsm on EL6 nodes > <snip>
> SSLError: [Errno 1] _ssl.c:1390: error:1409442E:SSL > routines:SSL3_READ_BYTES:tlsv1 alert protocol version > > Can some one help me to resolve this issue. your openssl is patched to disable ssv3, and engine is trying to communicate using sslv3.
please upgrade engine to latest z-stream, it should be resolved. Hi Alon,
I checked the following value in my database and my engine is using TLSv1 and not sslv3 to comminucate. I am on 3.6 master branch.
engine=# select option_name,option_value from vdc_options where option_name = 'VdsmSSLProtocol'; option_name | option_value -----------------+-------------- VdsmSSLProtocol | TLSv1 (1 row) hmmm.... and you say you get this when you use vdsClient, so maybe it
----- Original Message ----- tries to connect using sslv3.
is engine working proberly?
yes, engine works fine, i have few other nodes where i have the same vdsm version added to same engine and i do not hit this issue there. I am just wondering how is this happening.
compare openssl version.
yaniv, please fix the vdsClient to use TLSv1
should it use v1 always (forcefully)? we can do that, but currently it chooses the highest version both parties are able to use
it looks like it uses SSLv3 per this report.