[ovirt-devel] [ovirt-users] Issue with vdsm on EL6 nodes

Alon Bar-Lev alonbl at redhat.com
Sun Apr 12 10:59:42 UTC 2015



----- Original Message -----
> From: "ybronhei" <ybronhei at redhat.com>
> To: "Alon Bar-Lev" <alonbl at redhat.com>, "Dan Kenigsberg" <danken at redhat.com>
> Cc: users at ovirt.org, "Oved Ourfalli" <oourfali at redhat.com>, devel at ovirt.org
> Sent: Sunday, April 12, 2015 1:56:18 PM
> Subject: Re: [ovirt-users] Issue with vdsm on EL6 nodes
> 
> On 04/12/2015 12:17 PM, ybronhei wrote:
> > On 04/07/2015 04:45 PM, Alon Bar-Lev wrote:
> >>
> >>
> >> ----- Original Message -----
> >>> From: "knarra" <knarra at redhat.com>
> >>> To: "Alon Bar-Lev" <alonbl at redhat.com>
> >>> Cc: users at ovirt.org
> >>> Sent: Tuesday, April 7, 2015 3:39:58 PM
> >>> Subject: Re: [ovirt-users] Issue with vdsm on EL6 nodes
> >>>
> >>> On 04/07/2015 05:58 PM, Alon Bar-Lev wrote:
> >>>>
> >>>> ----- Original Message -----
> >>>>> From: "knarra" <knarra at redhat.com>
> >>>>> To: "Alon Bar-Lev" <alonbl at redhat.com>
> >>>>> Cc: users at ovirt.org
> >>>>> Sent: Tuesday, April 7, 2015 3:25:07 PM
> >>>>> Subject: Re: [ovirt-users] Issue with vdsm on EL6 nodes
> >>>>>
> >>>>> On 04/07/2015 05:50 PM, Alon Bar-Lev wrote:
> >>>>>> ----- Original Message -----
> >>>>>>> From: "knarra" <knarra at redhat.com>
> >>>>>>> To: users at ovirt.org
> >>>>>>> Sent: Tuesday, April 7, 2015 3:15:12 PM
> >>>>>>> Subject: [ovirt-users] Issue with vdsm on EL6 nodes
> >>>>>>>
> >>>>>> <snip>
> >>>>>>
> >>>>>>> SSLError: [Errno 1] _ssl.c:1390: error:1409442E:SSL
> >>>>>>> routines:SSL3_READ_BYTES:tlsv1 alert protocol version
> >>>>>>>
> >>>>>>> Can someone help me to resolve this issue?
> >>>>>> your openssl is patched to disable sslv3, and engine is trying to
> >>>>>> communicate using sslv3.
> >>>>>>
> >>>>>> please upgrade engine to latest z-stream, it should be resolved.
> >>>>> Hi Alon,
> >>>>>
> >>>>>        I checked the following value in my database and my engine
> >>>>> is using
> >>>>> TLSv1 and not sslv3 to communicate. I am on 3.6 master branch.
> >>>>>
> >>>>> engine=# select option_name,option_value from vdc_options where
> >>>>> option_name = 'VdsmSSLProtocol';
> >>>>>       option_name   | option_value
> >>>>> -----------------+--------------
> >>>>>     VdsmSSLProtocol | TLSv1
> >>>>> (1 row)
> >>>> hmmm.... and you say you get this when you use vdsClient, so maybe
> >>>> it tries
> >>>> to connect using sslv3.
> >>>>
> >>>> is engine working properly?
> >>> yes, engine works fine, i have few other nodes where i have the same
> >>> vdsm version added to same engine and i do not hit this issue there. I
> >>> am just wondering how is this happening.
> >>>
> >>
> >> compare openssl version.
> >>
> >> yaniv, please fix the vdsClient to use TLSv1
> >>
> > should it use v1 always (forcefully)? we can do that, but currently it
> > chooses the highest version both parties are able to use
> >
> >
> Vdsm uses ssl.PROTOCOL_SSLv23 which chooses the right tls version in
> python 2.7. In el6 we have python 2.6 which picks sslv2 or sslv3 when
> using ssl.PROTOCOL_SSLv23 (the highest version both sides support) -
> 
> ovirt 3.6 (vdsm 4.17 and above) doesn't support el6 anymore therefore
> current 3.6 code works as expected in el7\fedora>20.
> 
> If we want to fix vdsm 4.16.x (ovirt 3.5 package) to use explicitly
> ssl.PROTOCOL_TLSv1 we can do so - but it will be ovirt-3.5 branch only
> 
> do we want that? if so we need bug for 3.5

As far as I understand, ssl.PROTOCOL_SSLv23 will also use TLSv1; the problem is on the client side, not the server side.

Alon
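
Added example (not part of the original message and not vdsm code): a small Python helper that decodes the packed OpenSSL error code quoted in the thread. It assumes the OpenSSL 1.0.x error layout (8-bit library, 12-bit function, 12-bit reason) and that SSL-library reasons above 1000 are alerts received from the peer; the name decode_openssl_error and the short alert table are illustrative.

```python
import re

# Packed error-code layout of OpenSSL 1.0.x (ERR_PACK):
# 8-bit library, 12-bit function, 12-bit reason. Assumed for this example.
ERR_LIB_SSL = 0x14
SSL_AD_REASON_OFFSET = 1000  # SSL reasons above this carry a peer alert number

# A few TLS alert descriptions useful for handshake triage (RFC 5246, 7.2).
TLS_ALERTS = {
    40: "handshake_failure",
    70: "protocol_version",
    71: "insufficient_security",
    80: "internal_error",
}

# error:<8 hex digits>:<library text>:<function text>:<reason text>
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)")


def decode_openssl_error(line):
    """Return a dict describing the packed OpenSSL error in line, or None."""
    m = ERR_RE.search(line)
    if not m:
        return None
    code = int(m.group(1), 16)
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    info = {"lib": lib, "func": func, "reason": reason,
            "func_name": m.group(3).strip(), "text": m.group(4).strip(),
            "peer_alert": None}
    # An SSL-library reason above the offset means the remote end sent an alert.
    if lib == ERR_LIB_SSL and reason > SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
        info["peer_alert"] = (alert, TLS_ALERTS.get(alert, "unknown"))
    return info


# The error line quoted in the thread, joined onto one line.
SAMPLE = ("SSLError: [Errno 1] _ssl.c:1390: error:1409442E:SSL "
          "routines:SSL3_READ_BYTES:tlsv1 alert protocol version")

if __name__ == "__main__":
    print(decode_openssl_error(SAMPLE))
```

For the line in the thread this reports alert 70 (protocol_version), meaning the remote end rejected the protocol version that was offered to it.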
