Alon Bar-Lev has posted comments on this change.

Change subject: core: configurable ssl protocol
......................................................................

Patch Set 2:

(3 comments)

Have you confirmed that we can communicate with old vdsm, let's say vdsm from rhev-3.0, with tlsv1?

http://gerrit.ovirt.org/#/c/34372/2/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/config/ConfigValues.java
File backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/config/ConfigValues.java:

Line 389: @DefaultValueAttribute("true")
Line 390: EncryptHostCommunication,
Line 391: @TypeConverterAttribute(String.class)
Line 392: @DefaultValueAttribute("TLSv1")
Line 393: SSLProtocol,
VdsmSSLProtocol? We need to make sure we control that channel only...

Line 394: @Reloadable
Line 395: @TypeConverterAttribute(String.class)
Line 396: @DefaultValueAttribute("oVirt")
Line 397: OrganizationName,

http://gerrit.ovirt.org/#/c/34372/2/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/ssl/AuthSSLProtocolSocketFactory.java
File backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/ssl/AuthSSLProtocolSocketFactory.java:

Line 208: */
Line 209: public AuthSSLProtocolSocketFactory(KeyStore truststore) {
Line 210: super();
Line 211: try {
Line 212: this.protocol = "SSLv3";
> We want to keep other providers as they were. We only make protocol configu

We are working on removing this anyway; it will be used by vdsm communication only for now, so you can replace it with your configuration.

Line 213: TrustManagerFactory tmfactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
Line 214: tmfactory.init(truststore);
Line 215: this.sslcontext = createSSLContext(null, tmfactory.getTrustManagers());
Line 216: }

http://gerrit.ovirt.org/#/c/34372/2/packaging/dbscripts/upgrade/pre_upgrade/0000_config.sql
File packaging/dbscripts/upgrade/pre_upgrade/0000_config.sql:

Line 632: select fn_db_add_config_value('DelayResetForSpmInSeconds','20','general');
Line 633: select fn_db_add_config_value('DelayResetPerVmInSeconds','0.5','general');
Line 634: --Handling Use Secure Connection with Hosts
Line 635: select fn_db_add_config_value('EncryptHostCommunication','true','general');
Line 636: select fn_db_add_config_value('SSLProtocol','TLSv1','general');
If this will affect the legacy protocol, we should probably have two? The problem is that the new protocol also works with the old protocol... so I am unsure what we expect.

Line 637: select fn_db_add_config_value('TimeToReduceFailedRunOnVdsInMinutes','30','general');
Line 638: select fn_db_add_config_value('UnknownTaskPrePollingLapse','60000','general');
Line 639: select fn_db_add_config_value('UserSessionHardLimit','600','general');
Line 640: select fn_db_add_config_value('UserDefinedVMProperties','','3.0');

--
To view, visit http://gerrit.ovirt.org/34372

Gerrit-MessageType: comment
Gerrit-Change-Id: I33a33c15e8a995eb8de7d5131b3dbadc6191f873
Gerrit-PatchSet: 2
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Piotr Kliczewski <piotr.kliczew...@gmail.com>
Gerrit-Reviewer: Alon Bar-Lev <alo...@redhat.com>
Gerrit-Reviewer: Oved Ourfali <oourf...@redhat.com>
Gerrit-Reviewer: Piotr Kliczewski <piotr.kliczew...@gmail.com>
Gerrit-Reviewer: Saggi Mizrahi <smizr...@redhat.com>
Gerrit-Reviewer: automat...@ovirt.org
Gerrit-Reviewer: oVirt Jenkins CI Server
Gerrit-HasComments: Yes
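
Review bot: SSLProtocol at lines 391-393 of ConfigValues.java carries no @Reloadable annotation, while OrganizationName at lines 394-397 does, and it is typed as a plain String through @TypeConverterAttribute(String.class) with nothing in the visible lines restricting its value. If a protocol change is meant to take effect without restarting the engine, add @Reloadable; otherwise say in the option's documentation that a restart is needed. In either case, check the configured name against the protocols the JVM supports before it is handed to createSSLContext (line 215 of AuthSSLProtocolSocketFactory.java), so that a mistyped value fails with a clear configuration error.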