Hi,

legacy ciphers and protocols are disabled on EL8 by default, for more information please take a look at crypto-policies:

https://access.redhat.com/articles/3666211

https://access.redhat.com/articles/3642912

So in theory if you switch to LEGACY crypto-policy on ovirt-engine machine, you could be able to use TLSv1, but we have never tested it and we highly recommend to use only TLSv1.2 or newer.

Regards,

Martin

On Fri, Aug 7, 2020 at 2:11 PM Jiří Sléžka <jiri.slezka@slu.cz> wrote:

Hello,

better start new thread...

it looks like tls1.0 is not supported anymore in
ovirt-engine-extension-aaa-ldap

I just migrated engine from 4.3 to 4.4 and cannot use my ldap profile
because

server_error: The connection reader was unable to successfully complete
TLS negotiation: SSLHandshakeException(The server selected protocol
version TLS10 is not accepted by client preferences [TLS12]),
ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb

but when I try to force tls 1.0 by setting

...
pool.default.ssl.startTLS = true
pool.default.ssl.startTLSProtocol = TLSv1
...

I got

server_error: The connection reader was unable to successfully complete
TLS negotiation: SSLHandshakeException(No appropriate protocol (protocol
is disabled or cipher suites are inappropriate)), ldapSDKVersion=4.0.14,
revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb

I can't switch to something better on server side, is it possible to
allow weak ciphers/protocols on client side?

Thanks in advance,

Jiri

_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-leave@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/CBVIAEO3R4BQNJ5453O2D5NJH7FQ7YGR/

Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.