Re: error during host deploy

Tue, 21 Dec 2021 23:47:20 -0800 

Thanks,
Is it possible that you create an rpm with this fix so I can use it on the
test runs and try to reproduce?

On Tue, Dec 21, 2021 at 11:02 AM Michal Prívozník <mpriv...@redhat.com>
wrote:

> On 12/20/21 11:34, Dana Elfassy wrote:
> > Hi,
> > While running a test case of adding hosts on ovirt system tests there
> > was a failure while the following command was executed:
> > vdsm-tool configure --force
> >
> > On libvirtd log I found this error:
> >
> > 2021-12-17 00:11:41.753+0000: 28031: error : virNetTLSContextNew:732 :
> > Unable to generate diffie-hellman parameters: Error in public key
> > generation.
>
>
> This is the code on that line:
>
>   err = gnutls_dh_params_init(&ctxt->dhParams);
>   if (err < 0) {
>       virReportError(VIR_ERR_SYSTEM_ERROR,
>                      _("Unable to initialize diffie-hellman parameters:
> %s"),
>                      gnutls_strerror(err));
>       goto error;
>   }
>   err = gnutls_dh_params_generate2(ctxt->dhParams, DH_BITS);
>   if (err < 0) {
>       virReportError(VIR_ERR_SYSTEM_ERROR,
>                      _("Unable to generate diffie-hellman parameters: %s"),
>                      gnutls_strerror(err));
>       goto error;
>   }
>
>   gnutls_certificate_set_dh_params(ctxt->x509cred,
>                                          ctxt->dhParams);
>
>
> More specific, it's gnutls_dh_params_generate2() that fails. I suspect
> it's because DH_BITS is defined as following:
>
>   #define DH_BITS 2048
>
> which might be too short for system policy. If you're able, you can try
> the following patch:
>
> diff --git i/src/rpc/virnettlscontext.c w/src/rpc/virnettlscontext.c
> index 1a3dd92676..3ab9f6c4ce 100644
> --- i/src/rpc/virnettlscontext.c
> +++ w/src/rpc/virnettlscontext.c
> @@ -717,16 +717,20 @@ static virNetTLSContext *virNetTLSContextNew(const
> char *cacert,
>       * once a day, once a week or once a month. Depending on the
>       * security requirements.
>       */
>      if (isServer) {
> +        unsigned int bits = 0;
> +
> +        bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH,
> GNUTLS_SEC_PARAM_HIGH);
> +
>          err = gnutls_dh_params_init(&ctxt->dhParams);
>          if (err < 0) {
>              virReportError(VIR_ERR_SYSTEM_ERROR,
>                             _("Unable to initialize diffie-hellman
> parameters: %s"),
>                             gnutls_strerror(err));
>              goto error;
>          }
> -        err = gnutls_dh_params_generate2(ctxt->dhParams, DH_BITS);
> +        err = gnutls_dh_params_generate2(ctxt->dhParams, bits);
>          if (err < 0) {
>              virReportError(VIR_ERR_SYSTEM_ERROR,
>                             _("Unable to generate diffie-hellman
> parameters: %s"),
>                             gnutls_strerror(err));
>
>
> If it helps, I can post it for review.
>
> Michal
>
>

Reply via email to