----- Original Message -----
From: "ybronhei" <ybronhei@redhat.com> To: "Alon Bar-Lev" <alonbl@redhat.com>, "Dan Kenigsberg" <danken@redhat.com> Cc: users@ovirt.org, "Oved Ourfalli" <oourfali@redhat.com>, devel@ovirt.org Sent: Sunday, April 12, 2015 1:56:18 PM Subject: Re: [ovirt-users] Issue with vdsm on EL6 nodes
On 04/12/2015 12:17 PM, ybronhei wrote:
On 04/07/2015 04:45 PM, Alon Bar-Lev wrote:
----- Original Message -----
From: "knarra" <knarra@redhat.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: users@ovirt.org Sent: Tuesday, April 7, 2015 3:39:58 PM Subject: Re: [ovirt-users] Issue with vdsm on EL6 nodes
On 04/07/2015 05:58 PM, Alon Bar-Lev wrote:
----- Original Message -----
From: "knarra" <knarra@redhat.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: users@ovirt.org Sent: Tuesday, April 7, 2015 3:25:07 PM Subject: Re: [ovirt-users] Issue with vdsm on EL6 nodes
On 04/07/2015 05:50 PM, Alon Bar-Lev wrote: > ----- Original Message ----- >> From: "knarra" <knarra@redhat.com> >> To: users@ovirt.org >> Sent: Tuesday, April 7, 2015 3:15:12 PM >> Subject: [ovirt-users] Issue with vdsm on EL6 nodes >> > <snip> > >> SSLError: [Errno 1] _ssl.c:1390: error:1409442E:SSL >> routines:SSL3_READ_BYTES:tlsv1 alert protocol version >> >> Can some one help me to resolve this issue. > your openssl is patched to disable ssv3, and engine is trying to > communicate using sslv3. > > please upgrade engine to latest z-stream, it should be resolved. Hi Alon,
I checked the following value in my database and my engine is using TLSv1 and not sslv3 to comminucate. I am on 3.6 master branch.
engine=# select option_name,option_value from vdc_options where option_name = 'VdsmSSLProtocol'; option_name | option_value -----------------+-------------- VdsmSSLProtocol | TLSv1 (1 row) hmmm.... and you say you get this when you use vdsClient, so maybe it tries to connect using sslv3.
is engine working proberly?
yes, engine works fine, i have few other nodes where i have the same vdsm version added to same engine and i do not hit this issue there. I am just wondering how is this happening.
compare openssl version.
yaniv, please fix the vdsClient to use TLSv1
should it use v1 always (forcefully)? we can do that, but currently it chooses the highest version both parties are able to use
Vdsm uses ssl.PROTOCOL_SSLv23 which chooses the right tls version in python 2.7. In el6 we have python 2.6 which picks sslv2 or sslv3 when using ssl.PROTOCOL_SSLv23 (the highest version both sides support) -
ovirt 3.6 (vdsm 4.17 and above) doesn't support el6 anymore therefore current 3.6 code works as expected in el7\fedora>20.
If we want to fix vdsm 4.16.x (ovirt 3.5 package) to use explicitly ssl.PROTOCOL_TLSv1 we can do so - but it will be ovirt-3.5 branch only
do we want that? if so we need bug for 3.5
as far as I understand the ssl.PROTOCOL_SSLv23 will also use TLSv1, the problem is at client side not at server side. Alon