SSL error on instance export

Views: 3,978

the2nd

Jun 16, 2015, 5:29:10 AM
To: gan...@googlegroups.com
Hi,

For a few days we have been getting the following error when trying to export an instance using "gnt-backup export":

snapshot/2 failed to send data: Exited with status 1 (recent output: socat: E SSL_connect(): error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small

I guess it's related to the latest OpenSSL updates (Logjam).

Is there any advice on how to fix this? Maybe "gnt-cluster renew-crypto"?

regards

Helga Velroyen

Jun 16, 2015, 5:49:00 AM
To: gan...@googlegroups.com

Hi!
AFAIK none of the certs that renew-crypto generates have to do with the exports, so rerunning renew-crypto will probably not fix it. I assume we have the key size hard-coded somewhere and it needs to be adapted. Do you mind filing a bug?
Cheers,
Helga

lordotter

Jun 17, 2015, 7:57:18 AM
To: gan...@googlegroups.com
Hello,

Hope it is all about that.

Thanks,
Thomas

the2nd

Jun 18, 2015, 2:09:57 AM
To: gan...@googlegroups.com
Hi,

Thanks for your answer. Is there any workaround available?

regards


On Tuesday, 16 June 2015 11:49:00 UTC+2, Helga Velroyen wrote:

Helga Velroyen

Jun 18, 2015, 3:37:18 AM
To: gan...@googlegroups.com
I'm afraid, so far there isn't. :(

Anatoliy Dmytriyev

Jun 18, 2015, 3:43:16 AM
To: gan...@googlegroups.com

In my opinion, it is important for everyone to vote for this issue: it should raise the priority when many people complain about it.

the2nd

Jun 19, 2015, 6:15:02 AM
To: gan...@googlegroups.com

It seems like temporarily changing "OPENSSL_CIPHERS" to "NULL" in /usr/share/ganeti/2.11/ganeti/_constants.py works.

But as OPENSSL_CIPHERS is also used in /usr/share/ganeti/2.10/ganeti/http/, I looked a little deeper and changed:
# original settings
#SOCAT_OPENSSL_OPTS = ["verify=1", "method=TLSv1",
#                      "cipher=%s" % constants.OPENSSL_CIPHERS]
SOCAT_OPENSSL_OPTS = ["VERIFY=1", "METHOD=TLSV1",
                      "cipher=NULL"]

in /usr/share/ganeti/2.10/ganeti/impexpd/__init__.py

This works too and seems to be a harmless change if one can live with unencrypted exports.

regards

Anatoliy Dmytriyev

Jun 22, 2015, 3:44:41 AM
To: gan...@googlegroups.com
A workaround is published there:

====
Because of the Logjam attack (https://weakdh.org/), a DH params file must be generated:

openssl dhparam -out dhparams.pem 2048
and then appended to server.pem on every node:
cat dhparams.pem >> /var/lib/ganeti/server.pem

After adding the DH params to every node, import/export works fine.
====

But it doesn't work for me.
Has anybody had success using this solution?
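
The workaround above appends DH parameters to each node's server.pem, and the original error ("dh key too small") is OpenSSL rejecting a group below the post-Logjam minimum. The following added example (not Ganeti code and not from the thread) checks a server.pem bundle for the DH PARAMETERS block and reports the group size, so each node can be verified after the append; it decodes the PKCS#3 DER structure (SEQUENCE { INTEGER p, INTEGER g }) directly, and `constructed_dh_pem` builds a labelled synthetic sample so the check can be exercised offline.

```python
import base64
import re

MIN_DH_BITS = 2048  # anything smaller is what the 'dh key too small' error rejects
_DH_BLOCK = re.compile(
    r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)

def _read_tlv(der, pos):
    """Decode one DER tag/length/value at offset pos -> (tag, value, next_pos)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits say how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, der[pos:pos + length], pos + length

def dh_param_bits(der):
    """Bit length of the prime p in a PKCS#3 DHParameter: SEQUENCE { INTEGER p, INTEGER g }."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("DH PARAMETERS block is not a DER SEQUENCE")
    tag, p_bytes, _ = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER p as first element")
    return int.from_bytes(p_bytes, "big").bit_length()

def dh_group_sizes(pem_text):
    """Sizes of all DH groups in a PEM bundle; [] means none has been appended yet."""
    return [dh_param_bits(base64.b64decode(b)) for b in _DH_BLOCK.findall(pem_text)]

def is_logjam_safe(pem_text):
    """True only if the bundle carries DH params and every group is >= MIN_DH_BITS."""
    sizes = dh_group_sizes(pem_text)
    return bool(sizes) and min(sizes) >= MIN_DH_BITS

def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nb = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + body

def constructed_dh_pem(bits):
    """Constructed sample only: p here is NOT a safe prime, it merely has `bits` bits,
    which is all the size check inspects. Real nodes get p from openssl dhparam."""
    p_bytes = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    der = _der(0x30, _der(0x02, b"\x00" + p_bytes) + _der(0x02, b"\x02"))  # g = 2
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{body}\n-----END DH PARAMETERS-----\n"
```

On a node, `is_logjam_safe(open("/var/lib/ganeti/server.pem").read())` returns False both when the DH block is missing and when it is smaller than 2048 bits, the two states in which socat fails as shown above.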

Osvaldo T Crispim Filho

Jul 5, 2015, 9:00:05 AM
To: gan...@googlegroups.com
Thank you.
Here it's OK.

bruno...@tabmo.io

Jan 29, 2016, 11:26:36 AM
To: ganeti
Thanks @Anatoliy Dmytriyev

It works like a charm on Debian 8.3