Piotr Kliczewski has uploaded a new change for review. Change subject: core: configurable ssl protocol ......................................................................
core: configurable ssl protocol We need to make the SSL protocol configurable. I tested a 3.5 engine and vdsm with all combinations (SSLv3, TLSv1) and there were no issues. I tested a 3.0 engine with 3.5 vdsm and noticed that when TLSv1 was set on the vdsm side, the communication failed with a wrong-protocol-version error. I tested 3.0 vdsm with the latest engine (TLSv1) and it worked after hacking host-deploy. Change-Id: I33a33c15e8a995eb8de7d5131b3dbadc6191f873 Signed-off-by: pkliczewski <[email protected]> Bug-Url: https://bugzilla.redhat.com/1154184 --- M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/host/provider/foreman/ForemanHostProviderProxy.java M backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/config/ConfigValues.java M backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/ssl/AuthSSLProtocolSocketFactory.java M backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/attestation/AttestationService.java M backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/jsonrpc/EngineManagerProvider.java M backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/jsonrpc/JsonRpcUtils.java M backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/jsonrpc/TransportFactory.java M backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/xmlrpc/XmlRpcUtils.java M backend/manager/modules/vdsbroker/src/test/java/org/ovirt/engine/core/vdsbroker/jsonrpc/JsonRpcIntegrationTest.java M packaging/dbscripts/upgrade/pre_upgrade/0000_config.sql M packaging/etc/engine-config/engine-config.properties 11 files changed, 52 insertions(+), 21 deletions(-) git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/17/34917/1
diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/host/provider/foreman/ForemanHostProviderProxy.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/host/provider/foreman/ForemanHostProviderProxy.java
index 38af618..5a03da1 100644
--- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/host/provider/foreman/ForemanHostProviderProxy.java
+++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/host/provider/foreman/ForemanHostProviderProxy.java
@@ -368,7 +368,7 @@
 int hostPort = hostUrl.getPort() == -1 ? HttpsURL.DEFAULT_PORT : hostUrl.getPort();
 Protocol httpsProtocol = new Protocol(String.valueOf(HttpsURL.DEFAULT_SCHEME),
- (ProtocolSocketFactory) new AuthSSLProtocolSocketFactory(ExternalTrustStoreInitializer.getTrustStore()),
+ (ProtocolSocketFactory) new AuthSSLProtocolSocketFactory(ExternalTrustStoreInitializer.getTrustStore(), "SSLv3"),
 hostPort);
 httpClient.getHostConfiguration().setHost(hostUrl.getHost(), hostPort, httpsProtocol);
 } else {
diff --git a/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/config/ConfigValues.java b/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/config/ConfigValues.java
index fe609f6..ce91cda 100644
--- a/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/config/ConfigValues.java
+++ b/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/config/ConfigValues.java
@@ -388,6 +388,9 @@
 @TypeConverterAttribute(Boolean.class)
 @DefaultValueAttribute("true")
 EncryptHostCommunication,
+ @TypeConverterAttribute(String.class)
+ @DefaultValueAttribute("TLSv1")
+ VdsmSSLProtocol,
 @Reloadable
 @TypeConverterAttribute(String.class)
 @DefaultValueAttribute("oVirt")
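Review bot: The `+` line in ForemanHostProviderProxy hardcodes `"SSLv3"` for the Foreman connection, so the one caller in this change with no configuration path keeps the version the new VdsmSSLProtocol default moves vdsm away from. Unless Foreman is known to reject TLS, pass `"TLSv1"` here or read it from a config value the way TransportFactory does; if SSLv3 has to stay for compatibility, leave a comment such as `// SSLv3 kept for older Foreman; host traffic is governed by VdsmSSLProtocol` so it is not mistaken for an oversight. The enclosing method starts and ends outside the hunk.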
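Review bot: `VdsmSSLProtocol` is declared as an unconstrained String, and nothing in this change validates it before it reaches `SSLContext.getInstance(...)` and `setEnabledProtocols(...)`, so a typo such as `TLS1` is only discovered at the first host connection as a NoSuchAlgorithmException (or, for a name the socket does not support, likely an IllegalArgumentException). Consider restricting it to the names this change was tested with (`SSLv3`, `TLSv1`) via `validValues` in engine-config.properties, or validating it once at startup. It is also not `@Reloadable`, unlike the entry that follows, so a comment `// not reloadable: read once at startup, an engine restart is needed after a change` would tell operators what to expect.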
diff --git a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/ssl/AuthSSLProtocolSocketFactory.java b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/ssl/AuthSSLProtocolSocketFactory.java
index c48735f..4a952ca 100644
--- a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/ssl/AuthSSLProtocolSocketFactory.java
+++ b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/ssl/AuthSSLProtocolSocketFactory.java
@@ -190,12 +190,15 @@
 private final SSLContext sslcontext;
+ private String protocol;
+
 /**
 * Constructor for AuthSSLProtocolSocketFactory. Either a keystore or truststore file must be given. Otherwise SSL
 * context initialization error will result.
 */
- public AuthSSLProtocolSocketFactory(KeyManager[] keymanagers, TrustManager[] trustmanagers) {
+ public AuthSSLProtocolSocketFactory(KeyManager[] keymanagers, TrustManager[] trustmanagers, String protocol) {
 super();
+ this.protocol = protocol;
 this.sslcontext = createSSLContext(keymanagers, trustmanagers);
 }
@@ -203,9 +206,10 @@
 * Constructor for AuthSSLProtocolSocketFactory. Either a keystore or truststore file must be given. Otherwise SSL
 * context initialization error will result.
 */
- public AuthSSLProtocolSocketFactory(KeyStore truststore) {
+ public AuthSSLProtocolSocketFactory(KeyStore truststore, String protocol) {
 super();
 try {
+ this.protocol = protocol;
 TrustManagerFactory tmfactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
 tmfactory.init(truststore);
 this.sslcontext = createSSLContext(null, tmfactory.getTrustManagers());
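Review bot: Both constructors copy `protocol` into a non-final field without a null check, although each sets it exactly once and `createSSLContext` depends on it already being set; `private final String protocol;` with `this.protocol = Objects.requireNonNull(protocol, "protocol");` makes that ordering explicit and turns a missing value into an immediate error rather than a failure inside SSLContext.getInstance (java.util.Objects would need importing if it is not already). In the second constructor the assignment can move above `try {` since it cannot throw. The constructor Javadoc was not extended for the new parameter; add `@param protocol JSSE protocol name (e.g. "TLSv1") used to create the SSLContext and the only protocol enabled on sockets from this factory`.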
@@ -228,7 +232,7 @@
 private SSLContext createSSLContext(KeyManager[] keymanagers, TrustManager[] trustmanagers) {
 try {
 trustmanagers = createTrustManagers(trustmanagers);
- SSLContext sslcontext = SSLContext.getInstance("SSLv3");
+ SSLContext sslcontext = SSLContext.getInstance(this.protocol);
 sslcontext.init(keymanagers, trustmanagers, null);
 return sslcontext;
 } catch (NoSuchAlgorithmException e) {
@@ -278,7 +282,7 @@
 SocketFactory socketfactory = sslcontext.getSocketFactory();
 if (timeout == 0) {
 SSLSocket socket = (SSLSocket) socketfactory.createSocket(host, port, localAddress, localPort);
- socket.setEnabledProtocols(new String[] { "SSLv3" });
+ socket.setEnabledProtocols(new String[] { this.protocol });
 return socket;
 } else {
 SSLSocket socket = (SSLSocket) socketfactory.createSocket();
@@ -286,7 +290,7 @@
 SocketAddress remoteaddr = new InetSocketAddress(host, port);
 socket.bind(localaddr);
 socket.connect(remoteaddr, timeout);
- socket.setEnabledProtocols(new String[] { "SSLv3" });
+ socket.setEnabledProtocols(new String[] { this.protocol });
 return socket;
 }
 }
@@ -298,7 +302,7 @@
 UnknownHostException {
 SSLSocket socket = (SSLSocket) sslcontext.getSocketFactory().createSocket(host, port, clientHost, clientPort);
- socket.setEnabledProtocols(new String[] { "SSLv3" });
+ socket.setEnabledProtocols(new String[] { this.protocol });
 return socket;
 }
@@ -307,7 +311,7 @@
 */
 public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
 SSLSocket socket = (SSLSocket) sslcontext.getSocketFactory().createSocket(host, port);
- socket.setEnabledProtocols(new String[] { "SSLv3" });
+ socket.setEnabledProtocols(new String[] { this.protocol });
 return socket;
 }
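Review bot: Each `setEnabledProtocols(new String[] { this.protocol })` limits the socket to exactly one protocol version, so with the default `TLSv1` a host that also offers TLSv1.1 or TLSv1.2 is still held at TLS 1.0, and the option has no way to express "TLSv1 or newer". If pinning a single version is deliberate for compatibility with older vdsm, a comment at the first occurrence would prevent a later "fix", e.g. `// exactly one protocol is enabled: engine and vdsm must agree on this version`; otherwise accept a comma-separated list and pass `this.protocol.split(",")`. Note that `createSSLContext` handles only `NoSuchAlgorithmException` (its catch body is outside the hunk), while a name that the socket does not support is rejected by `setEnabledProtocols` at socket-creation time instead.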
@@ -318,7 +322,7 @@
 UnknownHostException {
 SSLSocket sslSocket = (SSLSocket) sslcontext.getSocketFactory()
 .createSocket(socket, host, port, autoClose);
- sslSocket.setEnabledProtocols(new String[] { "SSLv3" });
+ sslSocket.setEnabledProtocols(new String[] { this.protocol });
 return sslSocket;
 }
 }
diff --git a/backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/attestation/AttestationService.java b/backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/attestation/AttestationService.java
index b84316f..7033028 100644
--- a/backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/attestation/AttestationService.java
+++ b/backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/attestation/AttestationService.java
@@ -53,7 +53,7 @@
 // registering the https protocol with a socket factory that
 // provides client authentication.
 ProtocolSocketFactory factory = new AuthSSLProtocolSocketFactory(getTrustStore(trustStoreUrl.getPath(),
- truststorePassword));
+ truststorePassword), "SSLv3");
 Protocol clientAuthHTTPS = new Protocol("https", factory, port);
 httpClient.getHostConfiguration().setHost(attestationServer, port, clientAuthHTTPS);
diff --git a/backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/jsonrpc/EngineManagerProvider.java b/backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/jsonrpc/EngineManagerProvider.java
index 16d7561..98e8f21 100644
--- a/backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/jsonrpc/EngineManagerProvider.java
+++ b/backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/jsonrpc/EngineManagerProvider.java
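Review bot: The attestation-server connection is hardwired to `"SSLv3"` on the `+` line in AttestationService, keeping the protocol the rest of this change retires for vdsm on the very channel used to vouch for host integrity. Unless the attestation service is known to negotiate only SSLv3, use `"TLSv1"` or a dedicated configurable value here; if SSLv3 must remain, say why next to it, e.g. `// attestation server currently negotiates SSLv3 only; revisit when it supports TLS`. The enclosing block starts and ends outside the hunk.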
@@ -1,8 +1,11 @@
 package org.ovirt.engine.core.vdsbroker.jsonrpc;
 import java.security.GeneralSecurityException;
+import java.security.KeyManagementException;
+import java.security.NoSuchAlgorithmException;
 import javax.net.ssl.KeyManager;
+import javax.net.ssl.SSLContext;
 import javax.net.ssl.TrustManager;
 import org.ovirt.engine.core.utils.crypt.EngineEncryptionUtils;
@@ -15,6 +18,12 @@
 */
 public class EngineManagerProvider extends ManagerProvider {
+ private String sslProtocol;
+
+ public EngineManagerProvider(String sslProtocol) {
+ this.sslProtocol = sslProtocol;
+ }
+
 @Override
 public KeyManager[] getKeyManagers() throws GeneralSecurityException {
 return EngineEncryptionUtils.getKeyManagers();
@@ -25,4 +34,15 @@
 return EngineEncryptionUtils.getTrustManagers();
 }
+ @Override
+ public SSLContext getSSLContext() throws GeneralSecurityException {
+ final SSLContext context;
+ try {
+ context = SSLContext.getInstance(this.sslProtocol);
+ context.init(getKeyManagers(), getTrustManagers(), null);
+ } catch (KeyManagementException | NoSuchAlgorithmException ex) {
+ throw new RuntimeException(ex);
+ }
+ return context;
+ }
 }
diff --git a/backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/jsonrpc/JsonRpcUtils.java b/backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/jsonrpc/JsonRpcUtils.java
index 99bb7df..fae1145 100644
--- a/backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/jsonrpc/JsonRpcUtils.java
+++ b/backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/jsonrpc/JsonRpcUtils.java
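Review bot: In `getSSLContext()` the `try`/`catch` rewraps `KeyManagementException` and `NoSuchAlgorithmException` in a `RuntimeException` even though the method declares `throws GeneralSecurityException` and both are subclasses of it, so the wrapping only hides the checked type from callers; the body can simply be `SSLContext context = SSLContext.getInstance(this.sslProtocol); context.init(getKeyManagers(), getTrustManagers(), null); return context;` and the two extra imports go away. `sslProtocol` should be `final` and rejected when null in the constructor so a missing config value fails when the provider is built rather than at first connect. A one-line Javadoc on the constructor, `@param sslProtocol JSSE protocol name, e.g. "TLSv1", used to build the SSLContext`, would document the contract.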
@@ -18,21 +18,21 @@
 private static Log log = LogFactory.getLog(JsonRpcUtils.class);
 public static JsonRpcClient createStompClient(String hostname, int port, int connectionTimeout,
- int clientTimeout, int connectionRetry, int heartbeat, boolean isSecure) {
- return createClient(hostname, port, connectionTimeout, clientTimeout, connectionRetry, heartbeat, isSecure, ReactorType.STOMP);
+ int clientTimeout, int connectionRetry, int heartbeat, boolean isSecure, String protocol) {
+ return createClient(hostname, port, connectionTimeout, clientTimeout, connectionRetry, heartbeat, isSecure, ReactorType.STOMP, protocol);
 }
- private static ManagerProvider getManagerProvider(boolean isSecure) {
+ private static ManagerProvider getManagerProvider(boolean isSecure, String protocol) {
 ManagerProvider provider = null;
 if (isSecure) {
- provider = new EngineManagerProvider();
+ provider = new EngineManagerProvider(protocol);
 }
 return provider;
 }
 private static JsonRpcClient createClient(String hostname, int port, int connectionTimeout,
- int clientTimeout, int connectionRetry, int heartbeat, boolean isSecure, ReactorType type) {
- final ManagerProvider provider = getManagerProvider(isSecure);
+ int clientTimeout, int connectionRetry, int heartbeat, boolean isSecure, ReactorType type, String protocol) {
+ final ManagerProvider provider = getManagerProvider(isSecure, protocol);
 try {
 final Reactor reactor = ReactorFactory.getReactor(provider, type);
 return getJsonClient(reactor, hostname, port, connectionTimeout, clientTimeout, connectionRetry, heartbeat);
diff --git a/backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/jsonrpc/TransportFactory.java b/backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/jsonrpc/TransportFactory.java
index 7f9d146..912aa42 100644
--- a/backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/jsonrpc/TransportFactory.java
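Review bot: The new trailing `protocol` parameter on the public `createStompClient` is undocumented and, because `getManagerProvider` returns null when `isSecure` is false, it is silently ignored for insecure clients; neither fact is visible at the call site. Add Javadoc such as `@param protocol JSSE protocol name (e.g. "TLSv1") for the TLS context; ignored when isSecure is false`. Appending a String after six numeric/boolean arguments also makes argument-order mistakes easy; a small connection-settings object would be the cleaner shape, though that is a larger change than this patch.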
+++ b/backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/jsonrpc/TransportFactory.java
@@ -20,7 +20,8 @@
 if (VdsProtocol.STOMP == vdsProtocol) {
 irsServer = new JsonRpcIIrsServer(JsonRpcUtils.createStompClient(hostname, port, connectionTimeOut, clientTimeOut, clientRetries, heartbeat,
- Config.<Boolean> getValue(ConfigValues.EncryptHostCommunication)));
+ Config.<Boolean> getValue(ConfigValues.EncryptHostCommunication),
+ Config.<String> getValue(ConfigValues.VdsmSSLProtocol)));
 } else if (VdsProtocol.XML == vdsProtocol){
 Pair<IrsServerConnector, HttpClient> returnValue = XmlRpcUtils.getConnection(hostname, port, clientTimeOut, connectionTimeOut,
@@ -42,7 +43,8 @@
 if (VdsProtocol.STOMP == vdsProtocol) {
 vdsServer = new JsonRpcVdsServer(JsonRpcUtils.createStompClient(hostname, port, connectionTimeOut, clientTimeOut, clientRetries, heartbeat,
- Config.<Boolean> getValue(ConfigValues.EncryptHostCommunication)), returnValue.getSecond());
+ Config.<Boolean> getValue(ConfigValues.EncryptHostCommunication),
+ Config.<String> getValue(ConfigValues.VdsmSSLProtocol)), returnValue.getSecond());
 } else if (VdsProtocol.XML == vdsProtocol) {
 vdsServer = new VdsServerWrapper(returnValue.getFirst(), returnValue.getSecond());
 }
diff --git a/backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/xmlrpc/XmlRpcUtils.java b/backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/xmlrpc/XmlRpcUtils.java
index efc6b90..141fcca 100644
--- a/backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/xmlrpc/XmlRpcUtils.java
+++ b/backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/xmlrpc/XmlRpcUtils.java
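Review bot: The two `Config.<...> getValue(...)` arguments for EncryptHostCommunication and VdsmSSLProtocol are now duplicated verbatim in the IRS and VDS branches, so any further TLS setting has to be threaded through both call sites. A private helper that builds the STOMP client from the common arguments and reads both config values once, e.g. `private static JsonRpcClient stompClient(String hostname, int port, int connectionTimeOut, int clientTimeOut, int clientRetries, int heartbeat)`, would keep the two branches in step. Both enclosing methods start and end outside the hunk.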
@@ -47,12 +47,11 @@
 private static final Log log = LogFactory.getLog(XmlRpcUtils.class);
 static {
 if (Config.<Boolean> getValue(ConfigValues.EncryptHostCommunication)) {
- URL keystoreUrl;
 try {
 // registering the https protocol with a socket factory that
 // provides client authentication.
 ProtocolSocketFactory factory = new AuthSSLProtocolSocketFactory(EngineEncryptionUtils.getKeyManagers(),
- EngineEncryptionUtils.getTrustManagers());
+ EngineEncryptionUtils.getTrustManagers(), Config.<String> getValue(ConfigValues.VdsmSSLProtocol));
 Protocol clientAuthHTTPS = new Protocol("https", factory, 54321);
 Protocol.registerProtocol("https", clientAuthHTTPS);
 } catch (Exception e) {
diff --git a/backend/manager/modules/vdsbroker/src/test/java/org/ovirt/engine/core/vdsbroker/jsonrpc/JsonRpcIntegrationTest.java b/backend/manager/modules/vdsbroker/src/test/java/org/ovirt/engine/core/vdsbroker/jsonrpc/JsonRpcIntegrationTest.java
index d4faefa..f204417 100644
--- a/backend/manager/modules/vdsbroker/src/test/java/org/ovirt/engine/core/vdsbroker/jsonrpc/JsonRpcIntegrationTest.java
+++ b/backend/manager/modules/vdsbroker/src/test/java/org/ovirt/engine/core/vdsbroker/jsonrpc/JsonRpcIntegrationTest.java
@@ -27,7 +27,7 @@
 @Test
 public void testGetVdsCapabilities() throws InterruptedException, ExecutionException, ClientConnectionException {
- JsonRpcClient client = JsonRpcUtils.createStompClient(HOST_ADDRESS, PORT, TIMEOUT, 0, TIMEOUT, TIMEOUT, true);
+ JsonRpcClient client = JsonRpcUtils.createStompClient(HOST_ADDRESS, PORT, TIMEOUT, 0, TIMEOUT, TIMEOUT, true, "TLSv1");
 final JsonRpcRequest request = new RequestBuilder("Host.getCapabilities").build();
 Map<String, Object> map = new FutureMap(client, request);
 assertTrue(map.isEmpty());
diff --git a/packaging/dbscripts/upgrade/pre_upgrade/0000_config.sql b/packaging/dbscripts/upgrade/pre_upgrade/0000_config.sql
index 3b1dcef..e143f43 100644
--- a/packaging/dbscripts/upgrade/pre_upgrade/0000_config.sql
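Review bot: The XML-RPC https protocol is registered once in this static initializer, so `VdsmSSLProtocol` is read a single time at class load while the STOMP path in TransportFactory reads it on every client creation; that is consistent with the value not being reloadable, but it is worth stating next to the `+` line, e.g. `// read once at class load: VdsmSSLProtocol is not reloadable, a change needs an engine restart`. The enclosing `catch (Exception e)` (its body lies outside the hunk) now also receives a bad protocol name; if it only logs, the engine keeps running without a client-authenticated https protocol registered, so a misconfiguration should be surfaced as a startup failure rather than swallowed.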
+++ b/packaging/dbscripts/upgrade/pre_upgrade/0000_config.sql
@@ -641,6 +641,7 @@
 select fn_db_add_config_value('DelayResetPerVmInSeconds','0.5','general');
 --Handling Use Secure Connection with Hosts
 select fn_db_add_config_value('EncryptHostCommunication','true','general');
+select fn_db_add_config_value('VdsmSSLProtocol','TLSv1','general');
 select fn_db_add_config_value('TimeToReduceFailedRunOnVdsInMinutes','30','general');
 select fn_db_add_config_value('UnknownTaskPrePollingLapse','60000','general');
 select fn_db_add_config_value('UserSessionHardLimit','600','general');
diff --git a/packaging/etc/engine-config/engine-config.properties b/packaging/etc/engine-config/engine-config.properties
index 07407c7..666fd2c 100644
--- a/packaging/etc/engine-config/engine-config.properties
+++ b/packaging/etc/engine-config/engine-config.properties
@@ -37,6 +37,8 @@
 EnableVdsLoadBalancing.validValues=true,false
 EncryptHostCommunication.description="Determine whether to use secure communication with hosts"
 EncryptHostCommunication.type=Boolean
+VdsmSSLProtocol.description="Determines protocol used by vdsm"
+VdsmSSLProtocol.type=String
 FreeSpaceCriticalLowInGB.description="Critical low disk space alert threshold (in GB)"
 FreeSpaceCriticalLowInGB.type=Integer
 FreeSpaceCriticalLowInGB.validValues=0..2147483647
--
To view, visit http://gerrit.ovirt.org/34917
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I33a33c15e8a995eb8de7d5131b3dbadc6191f873
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: ovirt-engine-3.5
Gerrit-Owner: Piotr Kliczewski <[email protected]>
_______________________________________________
Engine-patches mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/engine-patches
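Review bot: `VdsmSSLProtocol.description="Determines protocol used by vdsm"` does not tell an operator what kind of value is expected or when to change it, and unlike the neighbouring keys there is no `validValues` entry. Suggest `VdsmSSLProtocol.description="SSL/TLS protocol (JSSE name, e.g. TLSv1) used for engine-to-host communication; set to SSLv3 only for hosts that cannot negotiate TLSv1"` and `VdsmSSLProtocol.validValues=SSLv3,TLSv1`, the two values the commit message reports testing. Mentioning that an engine restart is required after changing it, since the value is not reloadable, would also help.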
