[ovirt-users] oVirt 3.5 and SSLv3

Alexander Wels awels at redhat.com
Wed Apr 20 12:52:49 UTC 2016


On Wednesday, April 20, 2016 08:39:14 AM Robert Story wrote:
> Yesterday I had to re-install a host node in my 3.5.6 cluster. After a fresh
> install of CentOS 7.2, attempts to re-install failed, as did removing and
> re-adding the node. Here is a log excerpt from the engine:
> 
> 
> 2016-04-19 18:22:01,100 INFO [org.ovirt.vdsm.jsonrpc.client.reactors.ReactorClient] (SSL Stomp Reactor) Connecting to eclipse.localdomain/10.71.10.249
> 2016-04-19 18:22:01,116 WARN [org.ovirt.vdsm.jsonrpc.client.utils.retry.Retryable] (SSL Stomp Reactor) Retry failed
> 2016-04-19 18:22:01,129 ERROR [org.ovirt.vdsm.jsonrpc.client.reactors.ReactorClient] (DefaultQuartzScheduler_Worker-38) Exception during connection
> 2016-04-19 18:22:01,208 ERROR [org.ovirt.engine.core.vdsbroker.vdsbroker.GetCapabilitiesVDSCommand] (DefaultQuartzScheduler_Worker-38) Command GetCapabilitiesVDSCommand(HostName = eclipse, HostId = 37a4a1c2-4906-489e-947c-1ef9fb828bc5, vds=Host[eclipse,37a4a1c2-4906-489e-947c-1ef9fb828bc5]) execution failed. Exception: VDSNetworkException: java.net.NoRouteToHostException: No route to host
> 2016-04-19 18:22:01,209 WARN [org.ovirt.engine.core.vdsbroker.VdsManager] (DefaultQuartzScheduler_Worker-38) Host eclipse is not responding. It will stay in Connecting state for a grace period of 120 seconds and after that an attempt to fence the host will be issued.
> 2016-04-19 18:22:01,938 ERROR [org.ovirt.engine.core.vdsbroker.VdsUpdateRunTimeInfo] (DefaultQuartzScheduler_Worker-38) Failure to refresh Vds runtime info: org.ovirt.engine.core.vdsbroker.vdsbroker.VDSNetworkException: java.net.NoRouteToHostException: No route to host
>     at org.ovirt.engine.core.vdsbroker.vdsbroker.VdsBrokerCommand.createNetworkException(VdsBrokerCommand.java:126) [vdsbroker.jar:]
> 
> 
> Luckily seeing SSL+java in the log tickled my memory about java disabling
> SSLv3, and google helped me find this workaround:
> 
>  - edit /usr/lib/jvm/java/jre/lib/security/java.security
>  - look for jdk.tls.disabledAlgorithms
>  - remove SSLv3 from the list
>  - service ovirt-engine restart
> 
> Google also tells me that this should be an issue for 3.5, and there is a
> vdsm setting, VdsmSSLProtocol, that can be set to use TLS, but I can't find
> how to change/set it. Anyone know the secret?
> 

Pretty much everything engine-related can be configured with engine-config.
engine-config -l will give you a list of all the options. engine-config -g <key>
will get the current value, and engine-config -s <key>=<value> will set it. A quick
grep indicates that you are looking for the VdsmSSLProtocol key.

> 
> Robert
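
The workaround quoted above takes SSLv3 out of jdk.tls.disabledAlgorithms for every Java program on the engine host, so once the engine speaks TLS to VDSM it is worth confirming the entry is back. The following check is an added example, not code from this thread or from the oVirt project; the function names and both sample file fragments are constructed for illustration, and the default path is the one given in the quoted post.

```python
import re
import sys

# Constructed java.security fragments (illustrative, not from the thread).
SAMPLE_HARDENED = """\
# a comment line
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, RC4, \\
    DH keySize < 768
"""
SAMPLE_WORKAROUND = "jdk.tls.disabledAlgorithms=RC4, DH keySize < 768\n"


def read_property(text, key):
    """Return the last uncommented value of key, joining backslash
    continuation lines; None if the key is not set."""
    value = None
    lines = iter(text.splitlines())
    for line in lines:
        stripped = line.strip()
        if not stripped or stripped[0] in "#!":
            continue  # blank line or comment
        while stripped.endswith("\\"):  # value continues on the next line
            stripped = stripped[:-1] + next(lines, "").strip()
        m = re.match(r"([^=:\s]+)\s*[=:\s]\s*(.*)", stripped)
        if m and m.group(1) == key:
            value = m.group(2)  # a later definition overrides an earlier one
    return value


def disabled_tls_algorithms(text):
    """List the entries of jdk.tls.disabledAlgorithms, or None if unset."""
    raw = read_property(text, "jdk.tls.disabledAlgorithms")
    if raw is None:
        return None
    return [item.strip() for item in raw.split(",") if item.strip()]


def sslv3_disabled(text):
    """True only if an entry is exactly 'SSLv3' (deliberately strict)."""
    algs = disabled_tls_algorithms(text)
    return algs is not None and "SSLv3" in algs


if __name__ == "__main__":
    default = "/usr/lib/jvm/java/jre/lib/security/java.security"
    path = sys.argv[1] if len(sys.argv) > 1 else default
    with open(path, encoding="utf-8", errors="replace") as fh:
        ok = sslv3_disabled(fh.read())
    print(f"{path}: SSLv3 {'disabled' if ok else 'NOT disabled'}")
    sys.exit(0 if ok else 1)
```

The non-zero exit status when SSLv3 is missing from the list lets the script run from a configuration-compliance job on the engine host.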



