On 8/7/20 5:11 PM, Martin Perina wrote:
> Hi,
>
> legacy ciphers and protocols are disabled on EL8 by default, for more
> information please take a look at crypto-policies:
>
> https://access.redhat.com/articles/3666211
> https://access.redhat.com/articles/3642912
>
> So in theory if you switch to LEGACY crypto-policy on ovirt-engine
> machine, you could be able to use TLSv1, but we have never tested it and
> we highly recommend to use only TLSv1.2 or newer.

thanks for links, after switching engine vm to LEGACY policy I was able
to login via our ldap profile

[root@ovirt ~]# update-crypto-policies --show
DEFAULT

[root@ovirt ~]# update-crypto-policies --set LEGACY
Setting system policy to LEGACY

[root@ovirt ~]# systemctl restart ovirt-engine

...and of course we should use TLSv1.2+, work is in progress.

Cheers,

Jiri

>
> Regards,
> Martin
>
>
> On Fri, Aug 7, 2020 at 2:11 PM Jiří Sléžka <jiri.sle...@slu.cz
> <mailto:jiri.sle...@slu.cz>> wrote:
>
> Hello,
>
> better start new thread...
>
> it looks like tls1.0 is not supported anymore in
> ovirt-engine-extension-aaa-ldap
>
> I just migrated engine from 4.3 to 4.4 and cannot use my ldap profile
> because
>
> server_error: The connection reader was unable to successfully complete
> TLS negotiation: SSLHandshakeException(The server selected protocol
> version TLS10 is not accepted by client preferences [TLS12]),
> ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb
>
> but when I try to force tls 1.0 by setting
>
> ...
> pool.default.ssl.startTLS = true
> pool.default.ssl.startTLSProtocol = TLSv1
> ...
>
> I got
>
> server_error: The connection reader was unable to successfully complete
> TLS negotiation: SSLHandshakeException(No appropriate protocol (protocol
> is disabled or cipher suites are inappropriate)), ldapSDKVersion=4.0.14,
> revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb
>
> I can't switch to something better on server side, is it possible to
> allow weak ciphers/protocols on client side?
>
> Thanks in advance,
>
> Jiri
>
>
> _______________________________________________
> Users mailing list -- users@ovirt.org <mailto:users@ovirt.org>
> To unsubscribe send an email to users-le...@ovirt.org
> <mailto:users-le...@ovirt.org>
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/CBVIAEO3R4BQNJ5453O2D5NJH7FQ7YGR/
>
>
>
> --
> Martin Perina
> Manager, Software Engineering
> Red Hat Czech s.r.o.
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/3RGQWPRLUS56MQPMYSSZXXISXKFS33GT/
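
An added example, not part of the original messages and not oVirt or Red Hat code: after a change like the `update-crypto-policies --set LEGACY` step in the thread, this script reports which TLS protocol versions a Java properties file still disables, so the workaround can be audited and its reversal confirmed later. The default path `/etc/crypto-policies/back-ends/java.config`, the single-line `jdk.tls.disabledAlgorithms` layout, and the idea that the engine's JVM takes its restrictions from that file are assumptions about an EL8 host; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit which TLS protocols a Java properties file disables.
# Assumption: the file holds one un-continued jdk.tls.disabledAlgorithms line.

# Print the entries of jdk.tls.disabledAlgorithms, one per line, trimmed.
# $1 = properties file; if the key appears more than once the last one wins.
disabled_algorithms() {
    sed -n 's/^[[:space:]]*jdk\.tls\.disabledAlgorithms[[:space:]]*=[[:space:]]*//p' "$1" |
        tail -n 1 |
        tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Return 0 when protocol $2 (e.g. TLSv1) is listed as disabled in file $1.
# -x and -F make "TLSv1" match only itself, not "TLSv1.1".
protocol_disabled() {
    disabled_algorithms "$1" | grep -xF "$2" >/dev/null
}

# Print one "<protocol> disabled|allowed" line per protocol version.
audit_protocols() {
    for proto in SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; do
        if protocol_disabled "$1" "$proto"; then
            echo "$proto disabled"
        else
            echo "$proto allowed"
        fi
    done
}

# Assumed EL8 location of the Java back-end generated by crypto-policies;
# override with JAVA_POLICY_FILE to check another file.
CONFIG=${JAVA_POLICY_FILE:-/etc/crypto-policies/back-ends/java.config}
if [ -r "$CONFIG" ]; then
    audit_protocols "$CONFIG"
fi
```

A result showing `TLSv1 allowed` after the LDAP server has been moved to TLSv1.2+ means the host is still on the relaxed policy and can be set back to DEFAULT.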