----- Original Message -----
> From: "ybronhei" <[email protected]>
> To: "Alon Bar-Lev" <[email protected]>, "Dan Kenigsberg" <[email protected]>
> Cc: [email protected], "Oved Ourfalli" <[email protected]>, [email protected]
> Sent: Sunday, April 12, 2015 1:56:18 PM
> Subject: Re: [ovirt-users] Issue with vdsm on EL6 nodes
>
> On 04/12/2015 12:17 PM, ybronhei wrote:
> > On 04/07/2015 04:45 PM, Alon Bar-Lev wrote:
> >>
> >>
> >> ----- Original Message -----
> >>> From: "knarra" <[email protected]>
> >>> To: "Alon Bar-Lev" <[email protected]>
> >>> Cc: [email protected]
> >>> Sent: Tuesday, April 7, 2015 3:39:58 PM
> >>> Subject: Re: [ovirt-users] Issue with vdsm on EL6 nodes
> >>>
> >>> On 04/07/2015 05:58 PM, Alon Bar-Lev wrote:
> >>>>
> >>>> ----- Original Message -----
> >>>>> From: "knarra" <[email protected]>
> >>>>> To: "Alon Bar-Lev" <[email protected]>
> >>>>> Cc: [email protected]
> >>>>> Sent: Tuesday, April 7, 2015 3:25:07 PM
> >>>>> Subject: Re: [ovirt-users] Issue with vdsm on EL6 nodes
> >>>>>
> >>>>> On 04/07/2015 05:50 PM, Alon Bar-Lev wrote:
> >>>>>> ----- Original Message -----
> >>>>>>> From: "knarra" <[email protected]>
> >>>>>>> To: [email protected]
> >>>>>>> Sent: Tuesday, April 7, 2015 3:15:12 PM
> >>>>>>> Subject: [ovirt-users] Issue with vdsm on EL6 nodes
> >>>>>>>
> >>>>>> <snip>
> >>>>>>
> >>>>>>> SSLError: [Errno 1] _ssl.c:1390: error:1409442E:SSL
> >>>>>>> routines:SSL3_READ_BYTES:tlsv1 alert protocol version
> >>>>>>>
> >>>>>>> Can someone help me to resolve this issue.
> >>>>>> your openssl is patched to disable sslv3, and engine is trying to
> >>>>>> communicate using sslv3.
> >>>>>>
> >>>>>> please upgrade engine to latest z-stream, it should be resolved.
> >>>>> Hi Alon,
> >>>>>
> >>>>> I checked the following value in my database and my engine is using
> >>>>> TLSv1 and not sslv3 to communicate. I am on 3.6 master branch.
> >>>>>
> >>>>> engine=# select option_name,option_value from vdc_options where
> >>>>> option_name = 'VdsmSSLProtocol';
> >>>>>    option_name   | option_value
> >>>>> -----------------+--------------
> >>>>>  VdsmSSLProtocol | TLSv1
> >>>>> (1 row)
> >>>> hmmm.... and you say you get this when you use vdsClient, so maybe
> >>>> it tries to connect using sslv3.
> >>>>
> >>>> is engine working properly?
> >>> yes, engine works fine, i have few other nodes where i have the same
> >>> vdsm version added to same engine and i do not hit this issue there. I
> >>> am just wondering how is this happening.
> >>>
> >>
> >> compare openssl version.
> >>
> >> yaniv, please fix the vdsClient to use TLSv1
> >>
> > should it use v1 always (forcefully)? we can do that, but currently it
> > chooses the highest version both parties are able to use
> >
> >
> Vdsm uses ssl.PROTOCOL_SSLv23 which chooses the right tls version in
> python 2.7. In el6 we have python 2.6 which picks sslv2 or sslv3 when
> using ssl.PROTOCOL_SSLv23 (the highest version both sides support) -
>
> ovirt 3.6 (vdsm 4.17 and above) doesn't support el6 anymore therefore
> current 3.6 code works as expected in el7\fedora>20.
>
> If we want to fix vdsm 4.16.x (ovirt 3.5 package) to use explicitly
> ssl.PROTOCOL_TLSv1 we can do so - but it will be ovirt-3.5 branch only
>
> do we want that? if so we need bug for 3.5

as far as I understand the ssl.PROTOCOL_SSLv23 will also use TLSv1, the problem is at client side not at server side.

Alon
_______________________________________________
Devel mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/devel
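
A triage helper for the error string quoted in the thread, as an added example that is not part of any message above and is not vdsm code: it unpacks the hex code and reports whether the failure is a TLS alert sent by the peer or an error detected locally. It assumes the pre-3.0 OpenSSL error layout (8-bit library, 12-bit function, 12-bit reason); the function names, the alert subset and all sample lines except the first are constructed for illustration.

```python
import re

# Assumption: pre-3.0 OpenSSL packing (8-bit library, 12-bit function, 12-bit reason).
ERR_LIB_SSL = 20             # library number of libssl
SSL_AD_REASON_OFFSET = 1000  # SSL reasons 1000+N mean "the peer sent TLS alert N"
# Alert descriptions from the TLS RFCs (subset useful for handshake triage).
TLS_ALERTS = {40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca",
              70: "protocol_version", 71: "insufficient_security",
              80: "internal_error", 86: "inappropriate_fallback"}
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):(.+)")


def decode_openssl_error(line):
    """Return the decoded fields of an OpenSSL error string, or None if absent."""
    m = ERR_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        number = reason - SSL_AD_REASON_OFFSET
        alert = TLS_ALERTS.get(number, "alert_%d" % number)
    # An alert is generated by the remote end; any other reason was raised by
    # the local OpenSSL while processing what it received.
    return {"lib": lib, "func": func, "reason": reason,
            "routine": m.group(3), "text": m.group(4).strip(),
            "raised_by": "peer" if alert else "local", "alert": alert}


def triage(lines):
    """Decode every line that carries an OpenSSL error; skip the rest."""
    return [d for d in map(decode_openssl_error, lines) if d is not None]


# Sample log: the first entry is the error quoted in the thread (rejoined onto
# one line); the remaining entries are constructed for contrast.
SAMPLE_LOG = [
    "SSLError: [Errno 1] _ssl.c:1390: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version",
    "SSLError: [Errno 1] _ssl.c:492: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure",
    "SSLError: [Errno 1] _ssl.c:492: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol",
    "MainThread::INFO::connection established",
]

if __name__ == "__main__":
    for d in triage(SAMPLE_LOG):
        print("%-24s reason=%-4d raised_by=%-5s alert=%s"
              % (d["routine"], d["reason"], d["raised_by"], d["alert"]))
```

For the thread's error the reason field is 1070, i.e. alert 70 (protocol_version) received from the remote end, so the side that logged it offered a version its peer refused.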
