On 04/12/2015 12:17 PM, ybronhei wrote:
On 04/07/2015 04:45 PM, Alon Bar-Lev wrote:


----- Original Message -----
From: "knarra" <[email protected]>
To: "Alon Bar-Lev" <[email protected]>
Cc: [email protected]
Sent: Tuesday, April 7, 2015 3:39:58 PM
Subject: Re: [ovirt-users] Issue with vdsm on EL6 nodes

On 04/07/2015 05:58 PM, Alon Bar-Lev wrote:

----- Original Message -----
From: "knarra" <[email protected]>
To: "Alon Bar-Lev" <[email protected]>
Cc: [email protected]
Sent: Tuesday, April 7, 2015 3:25:07 PM
Subject: Re: [ovirt-users] Issue with vdsm on EL6 nodes

On 04/07/2015 05:50 PM, Alon Bar-Lev wrote:
----- Original Message -----
From: "knarra" <[email protected]>
To: [email protected]
Sent: Tuesday, April 7, 2015 3:15:12 PM
Subject: [ovirt-users] Issue with vdsm on EL6 nodes

<snip>

SSLError: [Errno 1] _ssl.c:1390: error:1409442E:SSL
routines:SSL3_READ_BYTES:tlsv1 alert protocol version

Can someone help me to resolve this issue?
your openssl is patched to disable sslv3, and engine is trying to
communicate using sslv3.

please upgrade engine to latest z-stream, it should be resolved.
Hi Alon,

I checked the following value in my database and my engine is using
TLSv1 and not sslv3 to communicate. I am on 3.6 master branch.

engine=# select option_name,option_value from vdc_options where option_name = 'VdsmSSLProtocol';
      option_name   | option_value
-----------------+--------------
    VdsmSSLProtocol | TLSv1
(1 row)
hmmm.... and you say you get this when you use vdsClient, so maybe it tries
to connect using sslv3.

is engine working properly?
yes, engine works fine, I have a few other nodes where I have the same
vdsm version added to same engine and I do not hit this issue there. I
am just wondering how is this happening.


compare openssl version.

yaniv, please fix the vdsClient to use TLSv1

should it use v1 always (forcefully)? we can do that, but currently it
chooses the highest version both parties are able to use


Vdsm uses ssl.PROTOCOL_SSLv23 which chooses the right tls version in python 2.7. In el6 we have python 2.6 which picks sslv2 or sslv3 when using ssl.PROTOCOL_SSLv23 (the highest version both sides support) -

ovirt 3.6 (vdsm 4.17 and above) doesn't support el6 anymore therefore current 3.6 code works as expected in el7\fedora>20.

If we want to fix vdsm 4.16.x (ovirt 3.5 package) to use explicitly ssl.PROTOCOL_TLSv1 we can do so - but it will be ovirt-3.5 branch only

do we want that? if so we need bug for 3.5

--
Yaniv Bronhaim.
_______________________________________________
Devel mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/devel
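
The "tlsv1 alert protocol version" error in this thread means the peer answered the client's hello with a fatal protocol_version alert. The following is an added example, not code from the thread or from vdsm: a small Python parser that reads captured handshake bytes and reports which version the ClientHello offered and whether the peer rejected it. The sample bytes and all function names are constructed for illustration; SSLv2-compatible hellos and the TLS 1.3 supported_versions extension are not parsed.

```python
import struct

# Wire versions as (major, minor) bytes in record and handshake headers.
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
HANDSHAKE, ALERT = 22, 21          # record content types
CLIENT_HELLO = 1                   # handshake message type
PROTOCOL_VERSION = 70              # alert description "protocol_version"

def parse_records(data):
    """Yield (content_type, payload) for each complete TLS record in data."""
    offset = 0
    while offset + 5 <= len(data):
        ctype, _major, _minor, length = struct.unpack_from("!BBBH", data, offset)
        payload = data[offset + 5:offset + 5 + length]
        if len(payload) < length:
            raise ValueError("truncated record at offset %d" % offset)
        yield ctype, payload
        offset += 5 + length

def offered_version(client_bytes):
    """Return the client_version named in the first ClientHello, or None."""
    for ctype, payload in parse_records(client_bytes):
        if ctype == HANDSHAKE and len(payload) >= 6 and payload[0] == CLIENT_HELLO:
            return VERSIONS.get((payload[4], payload[5]), "unknown")
    return None

def version_rejected(server_bytes):
    """True if the peer answered with a fatal protocol_version alert."""
    for ctype, payload in parse_records(server_bytes):
        if ctype == ALERT and len(payload) == 2:
            if payload[0] == 2 and payload[1] == PROTOCOL_VERSION:
                return True
    return False

def sample_client_hello(major, minor):
    """Constructed minimal ClientHello: version, zero random, one cipher suite."""
    body = bytes([major, minor]) + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    msg = bytes([CLIENT_HELLO]) + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + bytes([major, minor]) + struct.pack("!H", len(msg)) + msg

# Constructed alert record: fatal (2), protocol_version (70).
SAMPLE_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"

if __name__ == "__main__":
    hello = sample_client_hello(3, 0)
    print(offered_version(hello), version_rejected(SAMPLE_ALERT))
```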
