----- Original Message -----
From: "ybronhei" <ybronhei(a)redhat.com>
To: "Alon Bar-Lev" <alonbl(a)redhat.com>, "Dan Kenigsberg"
<danken(a)redhat.com>
Cc: users(a)ovirt.org, "Oved Ourfalli" <oourfali(a)redhat.com>,
devel(a)ovirt.org
Sent: Sunday, April 12, 2015 1:56:18 PM
Subject: Re: [ovirt-users] Issue with vdsm on EL6 nodes
On 04/12/2015 12:17 PM, ybronhei wrote:
> On 04/07/2015 04:45 PM, Alon Bar-Lev wrote:
>>
>>
>> ----- Original Message -----
>>> From: "knarra" <knarra(a)redhat.com>
>>> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
>>> Cc: users(a)ovirt.org
>>> Sent: Tuesday, April 7, 2015 3:39:58 PM
>>> Subject: Re: [ovirt-users] Issue with vdsm on EL6 nodes
>>>
>>> On 04/07/2015 05:58 PM, Alon Bar-Lev wrote:
>>>>
>>>> ----- Original Message -----
>>>>> From: "knarra" <knarra(a)redhat.com>
>>>>> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
>>>>> Cc: users(a)ovirt.org
>>>>> Sent: Tuesday, April 7, 2015 3:25:07 PM
>>>>> Subject: Re: [ovirt-users] Issue with vdsm on EL6 nodes
>>>>>
>>>>> On 04/07/2015 05:50 PM, Alon Bar-Lev wrote:
>>>>>> ----- Original Message -----
>>>>>>> From: "knarra" <knarra(a)redhat.com>
>>>>>>> To: users(a)ovirt.org
>>>>>>> Sent: Tuesday, April 7, 2015 3:15:12 PM
>>>>>>> Subject: [ovirt-users] Issue with vdsm on EL6 nodes
>>>>>>>
>>>>>> <snip>
>>>>>>
>>>>>>> SSLError: [Errno 1] _ssl.c:1390: error:1409442E:SSL
>>>>>>> routines:SSL3_READ_BYTES:tlsv1 alert protocol version
>>>>>>>
>>>>>>> Can someone help me to resolve this issue.
>>>>>> your openssl is patched to disable sslv3, and engine is trying to
>>>>>> communicate using sslv3.
>>>>>>
>>>>>> please upgrade engine to latest z-stream, it should be resolved.
>>>>> Hi Alon,
>>>>>
>>>>> I checked the following value in my database and my engine
>>>>> is using
>>>>> TLSv1 and not sslv3 to communicate. I am on 3.6 master branch.
>>>>>
>>>>> engine=# select option_name,option_value from vdc_options where
>>>>> option_name = 'VdsmSSLProtocol';
>>>>> option_name | option_value
>>>>> -----------------+--------------
>>>>> VdsmSSLProtocol | TLSv1
>>>>> (1 row)
>>>> hmmm.... and you say you get this when you use vdsClient, so maybe
>>>> it tries
>>>> to connect using sslv3.
>>>>
>>>> is engine working properly?
>>> yes, engine works fine, i have few other nodes where i have the same
>>> vdsm version added to same engine and i do not hit this issue there. I
>>> am just wondering how is this happening.
>>>
>>
>> compare openssl version.
>>
>> yaniv, please fix the vdsClient to use TLSv1
>>
> should it use v1 always (forcefully)? we can do that, but currently it
> chooses the highest version both parties are able to use
>
>
Vdsm uses ssl.PROTOCOL_SSLv23 which chooses the right tls version in
python 2.7. In el6 we have python 2.6 which picks sslv2 or sslv3 when
using ssl.PROTOCOL_SSLv23 (the highest version both sides support) -
ovirt 3.6 (vdsm 4.17 and above) doesn't support el6 anymore therefore
current 3.6 code works as expected in el7\fedora>20.
If we want to fix vdsm 4.16.x (ovirt 3.5 package) to use explicitly
ssl.PROTOCOL_TLSv1 we can do so - but it will be ovirt-3.5 branch only
do we want that? if so we need bug for 3.5
as far as I understand the ssl.PROTOCOL_SSLv23 will also use TLSv1, the problem is at
client side not at server side.
Alon
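
Added example, not part of the thread and not vdsm code: a Python decoder for the packed OpenSSL error code in the traceback quoted above, showing that 1409442E is TLS alert 70 (protocol_version) read from the peer rather than an error raised locally. It assumes the OpenSSL 1.0.x error layout (8-bit library, 12-bit function, 12-bit reason); the function names and the alert table are illustrative.

```python
import re

# Assumption: OpenSSL 1.0.x packing, lib (8 bits) | func (12 bits) | reason (12 bits).
ERR_LIB_SSL = 0x14
# In the SSL library, reason = 1000 + alert number for alerts read from the peer.
SSL_AD_REASON_OFFSET = 1000

# Subset of TLS alert descriptions (RFC 5246, section 7.2).
TLS_ALERTS = {
    40: "handshake_failure",
    42: "bad_certificate",
    48: "unknown_ca",
    70: "protocol_version",
    71: "insufficient_security",
    80: "internal_error",
}

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")


def decode_openssl_error(code):
    """Split a packed OpenSSL 1.0.x error code into its fields."""
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason > SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
    return {"lib": lib, "func": func, "reason": reason, "peer_alert": alert}


def explain(line):
    """Return a short diagnosis for a log line, or None if it has no error code."""
    m = ERR_RE.search(line)
    if m is None:
        return None
    info = decode_openssl_error(int(m.group(1), 16))
    if info["peer_alert"] is None:
        return "local OpenSSL error (lib %d, reason %d)" % (info["lib"], info["reason"])
    name = TLS_ALERTS.get(info["peer_alert"], "unknown")
    return "peer sent TLS alert %d (%s)" % (info["peer_alert"], name)


# The error from the thread, joined onto one line.
THREAD_ERROR = ("SSLError: [Errno 1] _ssl.c:1390: error:1409442E:SSL "
                "routines:SSL3_READ_BYTES:tlsv1 alert protocol version")

if __name__ == "__main__":
    print(explain(THREAD_ERROR))
```

A received protocol_version alert means the remote end refused the version this side offered, so the side logging the error is the one whose protocol selection needs checking.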