How do I disable SSL on both RHEV-M and Hypervisors?

Environment

  • Red Hat Enterprise Virtualization
  • Red Hat Enterprise Linux

Issue

  • We would like to disable SSLv2/v3 in Red Hat Enterprise Virtualization

Resolution

Note: this will disable TLS as well, meaning all traffic will be unencrypted.

On each RHEV host

  • To disable SSL in libvirt and vdsm, set the values shown below in the three configuration files. The following command lists the active (uncommented) settings; after the change its output should read:
    # egrep "ssl|listen_tcp|listen_tls|auth_tcp|tls_port|spice_tls[ \t]+" /etc/libvirt/libvirtd.conf /etc/libvirt/qemu.conf /etc/vdsm/vdsm.conf | grep -v :#

    /etc/libvirt/libvirtd.conf:listen_tcp = 1
    /etc/libvirt/libvirtd.conf:listen_tls = 0
    /etc/libvirt/libvirtd.conf:auth_tcp = "none"
    /etc/libvirt/libvirtd.conf:tls_port = "16514"
    /etc/libvirt/qemu.conf:spice_tls = 0
    /etc/vdsm/vdsm.conf:ssl = false

Note: When disabling SPICE TLS (/etc/libvirt/qemu.conf:spice_tls = 0), this will take effect on a per-VM basis for any future VM start operation. This means that any VMs running on hypervisors where the above changes are made must be rebooted (the VM itself, not the RHEV host) in order for the SPICE channels to be created without encryption. Migrations of the VMs will fail before the reboot occurs since migrations are designed to migrate the existing channels so that existing sessions are not interrupted. See 'SPICE Notes' under the Root Cause section for more information.

On the RHEV-M

  • Disabling SSLv2 and SSLv3 in mod_ssl
  • Set the SSLProtocol directive as follows in /etc/httpd/conf.d/ssl.conf:
    SSLProtocol All -SSLv2 -SSLv3
  • Then restart httpd:
    # service httpd restart
  • Disabling SSL in engine database
    psql -U engine engine -c "UPDATE vdc_options set option_value = 'false'
                              WHERE option_name = 'SSLEnabled';"
    psql -U engine engine -c "UPDATE vdc_options set option_value = 'false'
                              WHERE option_name = 'EncryptHostCommunication';"
  • Then restart the engine service:
    # service ovirt-engine restart

Root Cause

  • These steps have to be done on BOTH the RHEV hosts and RHEV-M or the hosts will go into a non-responsive state.
  • Port 16514 (TLS) or port 16509 (TCP) is used to support migration communication generated by libvirt.
  • In /etc/libvirt/libvirtd.conf
# This is enabled by default, uncomment this to disable it
#listen_tls = 0
  • The 'listen_tls' line has to be uncommented to disable TLS
# Override the port for accepting secure TLS connections
# This can be a port number, or service name
#
#tls_port = "16514"
  • The 'tls_port' line has to be uncommented to disable port 16514
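
Added example, not part of the original article or Red Hat's tooling: a shell check that reads the three host files and reports any setting that differs from the values listed under 'On each RHEV host', treating a still-commented line such as #listen_tls = 0 as unset. The function names and the optional ROOT prefix are assumptions of this example, and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not Red Hat's code): report settings on a RHEV host that do
# not match the values listed in this article.

# Print the last uncommented value of KEY ($2) in FILE ($1) with quotes
# stripped, or "unset" when the key is missing or still commented out.
effective_setting() {
    val=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" 2>/dev/null |
          tail -n 1 | sed 's/[[:space:]]*$//; s/^"\(.*\)"$/\1/')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else echo unset; fi
}

# audit_host [ROOT]: ROOT is an optional prefix (assumption of this example) so
# the check can run against a copy of /etc. Returns 1 if anything differs.
audit_host() {
    bad=0
    while read -r path key want; do
        got=$(effective_setting "${1:-}$path" "$key")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $path: $key is $got, article value is $want"
            bad=1
        fi
    done <<EOF
/etc/libvirt/libvirtd.conf listen_tcp 1
/etc/libvirt/libvirtd.conf listen_tls 0
/etc/libvirt/libvirtd.conf auth_tcp none
/etc/libvirt/libvirtd.conf tls_port 16514
/etc/libvirt/qemu.conf spice_tls 0
/etc/vdsm/vdsm.conf ssl false
EOF
    return "$bad"
}

# Constructed sample: a host where listen_tls was left commented out and
# vdsm.conf was never edited, i.e. the change was only partly applied.
make_partial_host() {
    mkdir -p "$1/etc/libvirt" "$1/etc/vdsm"
    printf '%s\n' 'listen_tcp = 1' '#listen_tls = 0' 'auth_tcp = "none"' \
        'tls_port = "16514"' > "$1/etc/libvirt/libvirtd.conf"
    printf '%s\n' 'spice_tls = 0' > "$1/etc/libvirt/qemu.conf"
    printf '%s\n' '[vars]' 'ssl = true' > "$1/etc/vdsm/vdsm.conf"
}

demo=$(mktemp -d)
make_partial_host "$demo"
audit_host "$demo" || echo "host does not match the article's settings"
rm -rf "$demo"
```

Run as root on a host, `audit_host` with no argument reads the live files under /etc.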

SPICE Notes

When a VM in RHEV starts, if it is configured for SPICE, it opens a new socket and creates multiple secure SPICE channels. These carry graphics, mouse input, keyboard input, and so on, each in a separate channel secured by TLS encryption. By design, and for security, once these channels are established they cannot have their configuration changed, as allowing that could compromise the security of the channels.

If TLS is disabled across all nodes while VMs are running, those VMs still have channels that expect TLS, but the host now refuses or drops connections that use TLS, so no communication can happen.

Since the design of the channel creation is secure, the only way to force the channels to not expect TLS is to recreate the channels fresh from the updated configuration, which in turn requires restarting the VM to initiate the creation of new SPICE channels.
