ovirt4.4 and ldap auth with starttls

Hello,

better start new thread...

it looks like TLS 1.0 is not supported anymore in ovirt-engine-extension-aaa-ldap. I just migrated engine from 4.3 to 4.4 and cannot use my ldap profile because

    server_error: The connection reader was unable to successfully complete TLS negotiation: SSLHandshakeException(The server selected protocol version TLS10 is not accepted by client preferences [TLS12]), ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb

but when I try to force TLS 1.0 by setting

    ...
    pool.default.ssl.startTLS = true
    pool.default.ssl.startTLSProtocol = TLSv1
    ...

I got

    server_error: The connection reader was unable to successfully complete TLS negotiation: SSLHandshakeException(No appropriate protocol (protocol is disabled or cipher suites are inappropriate)), ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb

I can't switch to something better on the server side, is it possible to allow weak ciphers/protocols on the client side?

Thanks in advance,
Jiri

Hi,

legacy ciphers and protocols are disabled on EL8 by default, for more information please take a look at crypto-policies:

https://access.redhat.com/articles/3666211
https://access.redhat.com/articles/3642912

So in theory if you switch to the LEGACY crypto-policy on the ovirt-engine machine, you might be able to use TLSv1, but we have never tested it and we highly recommend to use only TLSv1.2 or newer.

Regards,
Martin

On Fri, Aug 7, 2020 at 2:11 PM Jiří Sléžka <jiri.slezka@slu.cz> wrote:
-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.

_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-leave@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/CBVIAEO3R4BQNJ...

On 8/7/20 5:11 PM, Martin Perina wrote:
> Hi,
> legacy ciphers and protocols are disabled on EL8 by default, for more information please take a look at crypto-policies:
> https://access.redhat.com/articles/3666211
> https://access.redhat.com/articles/3642912
> So in theory if you switch to LEGACY crypto-policy on ovirt-engine machine, you could be able to use TLSv1, but we have never tested it and we highly recommend to use only TLSv1.2 or newer.

thanks for the links, after switching the engine VM to the LEGACY policy I was able to log in via our ldap profile

    [root@ovirt ~]# update-crypto-policies --show
    DEFAULT
    [root@ovirt ~]# update-crypto-policies --set LEGACY
    Setting system policy to LEGACY
    [root@ovirt ~]# systemctl restart ovirt-engine

...and of course we should use TLSv1.2+, work is in progress.

Cheers,
Jiri