[ovirt-users] Re: ovirt4.4 and ldap auth with starttls

2020-08-11 Thread Jiří Sléžka
On 8/7/20 5:11 PM, Martin Perina wrote:
> Hi,
> 
> Legacy ciphers and protocols are disabled on EL8 by default; for more
> information please take a look at crypto-policies:
> 
> https://access.redhat.com/articles/3666211
> https://access.redhat.com/articles/3642912
> 
> So in theory, if you switch to the LEGACY crypto-policy on the ovirt-engine
> machine, you might be able to use TLSv1, but we have never tested it and
> we highly recommend using only TLSv1.2 or newer.

Thanks for the links; after switching the engine VM to the LEGACY policy I was
able to log in via our LDAP profile:

[root@ovirt ~]# update-crypto-policies --show
DEFAULT

[root@ovirt ~]# update-crypto-policies --set LEGACY
Setting system policy to LEGACY

[root@ovirt ~]# systemctl restart ovirt-engine

...and of course we should use TLSv1.2+; work is in progress.

Cheers,

Jiri

> 
> Regards,
> Martin
> 
> 
> On Fri, Aug 7, 2020 at 2:11 PM Jiří Sléžka wrote:
> 
> Hello,
> 
> Better to start a new thread...
> 
> It looks like TLS 1.0 is not supported anymore in
> ovirt-engine-extension-aaa-ldap.
> 
> I just migrated the engine from 4.3 to 4.4 and cannot use my LDAP profile
> because:
> 
> server_error: The connection reader was unable to successfully complete
> TLS negotiation: SSLHandshakeException(The server selected protocol
> version TLS10 is not accepted by client preferences [TLS12]),
> ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb
> 
> But when I try to force TLS 1.0 by setting
> 
> ...
> pool.default.ssl.startTLS = true
> pool.default.ssl.startTLSProtocol = TLSv1
> ...
> 
> I get
> 
> server_error: The connection reader was unable to successfully complete
> TLS negotiation: SSLHandshakeException(No appropriate protocol (protocol
> is disabled or cipher suites are inappropriate)), ldapSDKVersion=4.0.14,
> revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb
> 
> I can't switch to something better on the server side; is it possible to
> allow weak ciphers/protocols on the client side?
> 
> Thanks in advance,
> 
> Jiri
> 
> 
> ___
> Users mailing list -- users@ovirt.org 
> To unsubscribe send an email to users-le...@ovirt.org
> 
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> 
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/CBVIAEO3R4BQNJ5453O2D5NJH7FQ7YGR/
> 
> 
> 
> -- 
> Martin Perina
> Manager, Software Engineering
> Red Hat Czech s.r.o.




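
A check that goes with the "work is in progress" note above, added here as an example and not code from the thread or from oVirt: it probes which TLS versions the LDAP server accepts over StartTLS, so the engine can be moved back from LEGACY to DEFAULT once TLSv1.2 works end to end. It assumes OpenSSL 1.1.1 or newer (for "-starttls ldap"); LDAP_HOST is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread: probe which TLS versions an LDAP
# server accepts over StartTLS, so the engine can go back to the DEFAULT
# crypto-policy once the server speaks TLSv1.2+. Assumes OpenSSL 1.1.1+
# (for "-starttls ldap"); LDAP_HOST below is a placeholder, not a real host.

# Extract the negotiated protocol from `openssl s_client` output (the
# "New, TLSv1.2, Cipher is ..." line); prints "none" if no handshake completed.
negotiated_protocol() {
    proto=$(printf '%s\n' "$1" | sed -n 's/^New, \([^,]*\),.*/\1/p' | head -n 1)
    case "$proto" in
        TLSv1*) printf '%s\n' "$proto" ;;
        *)      printf 'none\n' ;;
    esac
}

# One StartTLS handshake on port $2 of host $1, restricted to a single protocol
# version by the openssl flag in $3 (-tls1, -tls1_1, -tls1_2 or -tls1_3).
# A failed handshake is an expected outcome here, so its exit status is ignored.
probe_ldap_starttls() {
    out=$(openssl s_client -connect "$1:$2" -starttls ldap "$3" </dev/null 2>&1) || true
    negotiated_protocol "$out"
}

# Given the space-separated probe results, return 0 if the EL8 DEFAULT policy
# (TLSv1.2+) is enough for this server, 1 if the engine would still need LEGACY.
default_policy_sufficient() {
    for p in $1; do
        case "$p" in TLSv1.2|TLSv1.3) return 0 ;; esac
    done
    return 1
}

main() {
    host=${1:-LDAP_HOST}; port=${2:-389}
    results=""
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        r=$(probe_ldap_starttls "$host" "$port" "$flag")
        printf '%-8s %s\n' "$flag" "$r"
        results="$results $r"
    done
    if default_policy_sufficient "$results"; then
        echo "TLSv1.2+ negotiated: the engine can run under the DEFAULT crypto-policy."
    else
        echo "No TLSv1.2+ handshake succeeded: fix the server before leaving LEGACY."
    fi
}
# Only probe when a host is given, so the functions can be sourced on their own.
if [ $# -gt 0 ]; then main "$@"; fi
```

Note that openssl obeys the probing host's crypto-policy too, so on an EL8 host under DEFAULT the -tls1 and -tls1_1 probes fail whatever the server offers; the decision rests on the TLSv1.2/TLSv1.3 results.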


[ovirt-users] Re: ovirt4.4 and ldap auth with starttls

2020-08-07 Thread Martin Perina
Hi,

Legacy ciphers and protocols are disabled on EL8 by default; for more
information please take a look at crypto-policies:

https://access.redhat.com/articles/3666211
https://access.redhat.com/articles/3642912

So in theory, if you switch to the LEGACY crypto-policy on the ovirt-engine
machine, you might be able to use TLSv1, but we have never tested it and we
highly recommend using only TLSv1.2 or newer.

Regards,
Martin


On Fri, Aug 7, 2020 at 2:11 PM Jiří Sléžka wrote:

> Hello,
>
> Better to start a new thread...
>
> It looks like TLS 1.0 is not supported anymore in
> ovirt-engine-extension-aaa-ldap.
>
> I just migrated the engine from 4.3 to 4.4 and cannot use my LDAP profile
> because:
>
> server_error: The connection reader was unable to successfully complete
> TLS negotiation: SSLHandshakeException(The server selected protocol
> version TLS10 is not accepted by client preferences [TLS12]),
> ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb
>
> But when I try to force TLS 1.0 by setting
>
> ...
> pool.default.ssl.startTLS = true
> pool.default.ssl.startTLSProtocol = TLSv1
> ...
>
> I get
>
> server_error: The connection reader was unable to successfully complete
> TLS negotiation: SSLHandshakeException(No appropriate protocol (protocol
> is disabled or cipher suites are inappropriate)), ldapSDKVersion=4.0.14,
> revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb
>
> I can't switch to something better on the server side; is it possible to
> allow weak ciphers/protocols on the client side?
>
> Thanks in advance,
>
> Jiri
>
>
>


-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.