[ovirt-users] Engine AAA LDAP startTLS Protocol Issue

Ondra Machacek omachace at redhat.com
Thu Feb 8 12:56:01 UTC 2018


On 02/08/2018 11:04 AM, Alan Griffiths wrote:
> Hi,
> 
> Trying to configure Engine to authenticate against OpenLDAP and I seem
> to be hitting a protocol bug.
> 
> Attempts to test the login during the setup fail with
> 
> 2018-02-07 12:27:37,872Z WARNING Exception: The connection reader was
> unable to successfully complete TLS negotiation:
> SSLException(message='Received fatal alert: protocol_version',
> trace='getSSLException(Alerts.java:208) /
> getSSLException(Alerts.java:154) / recvAlert(SSLSocketImpl.java:2033)
> / readRecord(SSLSocketImpl.java:1135) /
> performInitialHandshake(SSLSocketImpl.java:1385) /
> startHandshake(SSLSocketImpl.java:1413) /
> startHandshake(SSLSocketImpl.java:1397) /
> run(LDAPConnectionReader.java:301)', revision=0)
> 
> Running a packet trace I see that it's trying to negotiate with TLS
> 1.0, but my LDAP server only support TLS 1.2.

I've sent a fix:

  https://gerrit.ovirt.org/87327

To work around it, please just add to your profile properties file:

  pool.default.ssl.startTLSProtocol = TLSv1.2

> 
> This looks like a regression as it works fine in 4.0.
> 
> I see the issue in both 4.1 and 4.2
> 
> 4.1.9.1
> 4.2.0.2
> 
> Should I submit a bug?
> 
> Thanks,
> 
> Alan

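A small diagnostic that goes with the thread above, added here as an example; it is not code from the oVirt engine, from the ovirt-engine-extension-aaa-ldap project, or from either poster. It reproduces on the wire what the engine's LDAP connection does (the RFC 4511 StartTLS extended operation, OID 1.3.6.1.4.1.1466.20037, followed by a TLS handshake on the same socket) but lets you fix the TLS version offered, so you can confirm that the server refuses TLSv1 with the same protocol_version alert the engine logged and accepts TLSv1.2, and it checks a profile .properties text for the workaround property. The property name pool.default.ssl.startTLSProtocol and the value TLSv1.2 are taken from the reply; the host, port and SAMPLE_PROFILE text are constructed placeholders.

```python
"""StartTLS version probe for an LDAP server, plus a profile-properties check.

Added example; not code from the oVirt engine, ovirt-engine-extension-aaa-ldap,
or either poster.  Host, port and SAMPLE_PROFILE are constructed placeholders.
"""
import socket
import ssl
import sys
from typing import Optional, Tuple

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"          # RFC 4511 StartTLS requestName
PROPERTY = "pool.default.ssl.startTLSProtocol"      # property named in the thread

# Constructed sample of an aaa-ldap profile .properties file (not a real config).
SAMPLE_PROFILE = """\
include = <openldap.properties>
vars.server = ldap.example.test
pool.default.serverset.single.server = ${global:vars.server}
pool.default.ssl.startTLS = true
pool.default.ssl.startTLSProtocol = TLSv1.2
"""


def ber_len(n: int) -> bytes:
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    req_name = b"\x80" + ber_len(len(STARTTLS_OID)) + STARTTLS_OID
    ext_req = b"\x77" + ber_len(len(req_name)) + req_name
    body = b"\x02\x01" + bytes([message_id]) + ext_req
    return b"\x30" + ber_len(len(body)) + body


def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element) for one BER TLV."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_result_code(response: bytes) -> int:
    """Extract resultCode from an ExtendedResponse (0 means the server agreed to StartTLS)."""
    tag, msg, _ = read_tlv(response)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _msg_id, pos = read_tlv(msg)        # INTEGER messageID
    tag, ext, _ = read_tlv(msg, pos)
    if tag != 0x78:                        # ExtendedResponse [APPLICATION 24]
        raise ValueError("not an ExtendedResponse (tag 0x%02x)" % tag)
    tag, code, _ = read_tlv(ext)
    if tag != 0x0A:                        # ENUMERATED resultCode
        raise ValueError("missing resultCode")
    return int.from_bytes(code, "big")


def probe_starttls(host: str, port: int, version: ssl.TLSVersion, timeout: float = 5.0) -> str:
    """Send StartTLS, then handshake offering exactly `version`; return the negotiated name.

    Raises ssl.SSLError (for a TLS 1.2-only server and version=TLSv1 this carries the
    protocol_version alert seen in the engine log) when the server refuses that version.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False             # diagnostic only: isolate version negotiation
    ctx.verify_mode = ssl.CERT_NONE        # from certificate problems, which fail differently
    ctx.minimum_version = version
    ctx.maximum_version = version
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(starttls_request())
        code = parse_result_code(sock.recv(4096))   # assumes the short response arrives whole
        if code != 0:
            raise RuntimeError(f"server refused StartTLS, resultCode={code}")
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


def profile_starttls_protocol(properties_text: str) -> Optional[str]:
    """Return the value of pool.default.ssl.startTLSProtocol in a profile text, or None."""
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key.strip() == PROPERTY:
            return value.strip()
    return None


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.test"   # placeholder
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 389
    for version in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_2):
        try:
            print(f"{version.name}: negotiated {probe_starttls(host, port, version)}")
        except (ssl.SSLError, OSError, RuntimeError, ValueError) as exc:
            print(f"{version.name}: failed ({exc})")
    print("profile sets", PROPERTY, "=", profile_starttls_protocol(SAMPLE_PROFILE))
```

Run it as `python3 probe.py ldap-host 389`: a server that only speaks TLS 1.2 fails the first probe with the protocol_version alert and succeeds on the second, which is exactly the difference the `pool.default.ssl.startTLSProtocol = TLSv1.2` line makes for the engine. Certificate verification is switched off only so that a certificate problem cannot be mistaken for a version problem; the engine itself still verifies the server certificate.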