SSL error on instance export

3,977 views

the2nd

Jun 16, 2015, 5:29:10 AM
to gan...@googlegroups.com
Hi,

For a few days now we have been getting the following error when trying to export an instance using "gnt-backup export":

snapshot/2 failed to send data: Exited with status 1 (recent output: socat: E SSL_connect(): error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small

I guess it's related to the latest OpenSSL updates (Logjam).

Is there any advice on how to fix this? Maybe "gnt-cluster renew-crypto"?

regards

Helga Velroyen

Jun 16, 2015, 5:49:00 AM
to gan...@googlegroups.com

Hi!
AFAIK none of the certs that renew-crypto generates have to do with the exports, so rerunning renew-crypto will probably not fix it. I assume we have the key size hard-coded somewhere and it needs to be adapted. Do you mind filing a bug?
Cheers,
Helga

lordotter

Jun 17, 2015, 7:57:18 AM
to gan...@googlegroups.com
Hello,

Hope it is all about that.

Thanks,
Thomas

the2nd

Jun 18, 2015, 2:09:57 AM
to gan...@googlegroups.com
Hi,

Thanks for your answer. Is there any workaround available?

regards


On Tuesday, 16 June 2015 11:49:00 UTC+2, Helga Velroyen wrote:

Helga Velroyen

Jun 18, 2015, 3:37:18 AM
to gan...@googlegroups.com
I'm afraid, so far there isn't. :(

Anatoliy Dmytriyev

Jun 18, 2015, 3:43:16 AM
to gan...@googlegroups.com

In my opinion, it is important for everyone to vote for this issue: it should raise the priority when many people complain about this.

the2nd

Jun 19, 2015, 6:15:02 AM
to gan...@googlegroups.com

It seems like temporarily changing "OPENSSL_CIPHERS" to "NULL" in /usr/share/ganeti/2.11/ganeti/_constants.py works.

But as OPENSSL_CIPHERS is also used in /usr/share/ganeti/2.10/ganeti/http/, I looked a little bit deeper and changed:
# original settings
#SOCAT_OPENSSL_OPTS = ["verify=1", "method=TLSv1",
#                      "cipher=%s" % constants.OPENSSL_CIPHERS]
SOCAT_OPENSSL_OPTS = ["VERIFY=1", "METHOD=TLSV1",
                      "cipher=NULL"]

in /usr/share/ganeti/2.10/ganeti/impexpd/__init__.py

This works too and seems to be a harmless change if one can live with unencrypted exports.

regards

Anatoliy Dmytriyev

Jun 22, 2015, 3:44:41 AM
to gan...@googlegroups.com
A workaround is published there:

====
Because of the Logjam attack (https://weakdh.org/), a DH params file must be generated:

openssl dhparam -out dhparams.pem 2048
and then added to server.pem on every node:
cat dhparams.pem >> /var/lib/ganeti/server.pem

After adding the DH params on every node, import/export works fine.
====

But it doesn't work for me.
Has anybody had success using this solution?
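To tell whether the workaround above actually landed on a node, it helps to check what the DH PARAMETERS block appended to server.pem really contains: a bundle with no block, or one generated with the old 1024-bit default, still triggers the "dh key too small" rejection from clients built against post-Logjam OpenSSL. The following is an added example (not Ganeti's code and not from anyone in this thread) that parses the PKCS#3 DHParameter structure (SEQUENCE { INTEGER p, INTEGER g }) out of a PEM bundle with only the standard library and reports the prime size. The sample bundles, the placeholder certificate text and the primes inside them are constructed for the example (the primes are not real safe primes, they only have the right bit length); the path /var/lib/ganeti/server.pem is the one quoted in the thread.

```python
import base64
import re
import sys

# Post-Logjam guidance: 1024-bit DH groups are considered weak; 2048 is the floor.
MIN_DH_BITS = 2048

DH_BLOCK_RE = re.compile(
    r"-----BEGIN DH PARAMETERS-----\s*(.*?)\s*-----END DH PARAMETERS-----", re.S)


def _der_len(n):
    """DER length encoding: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_int(value):
    """DER INTEGER for a non-negative value (leading 0x00 if the high bit is set)."""
    b = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return b"\x02" + _der_len(len(b)) + b


def dhparams_pem(p, g=2):
    """Build a 'DH PARAMETERS' PEM block, the same structure `openssl dhparam` writes."""
    body = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines)
            + "\n-----END DH PARAMETERS-----\n")


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def dh_prime_bits(pem_bundle):
    """Bit length of the DH prime in the first DH PARAMETERS block, or None if absent."""
    m = DH_BLOCK_RE.search(pem_bundle)
    if not m:
        return None
    der = base64.b64decode(m.group(1))  # whitespace between lines is ignored
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("DH PARAMETERS is not a SEQUENCE")
    ptag, pval, _ = _read_tlv(seq, 0)
    if ptag != 0x02:
        raise ValueError("first element of DHParameter is not an INTEGER")
    return int.from_bytes(pval, "big").bit_length()


def check_bundle(pem_bundle, min_bits=MIN_DH_BITS):
    """Classify a node's server.pem as 'missing' (no DH block), 'weak' or 'ok'."""
    bits = dh_prime_bits(pem_bundle)
    if bits is None:
        return "missing"
    return "ok" if bits >= min_bits else "weak"


# Constructed sample bundles (placeholder certificate text, constructed primes).
_FAKE_CERT = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
SERVER_PEM_NO_DH = _FAKE_CERT                                   # workaround not applied
SERVER_PEM_WEAK = _FAKE_CERT + dhparams_pem((1 << 1023) | 1)    # old 1024-bit default
SERVER_PEM_OK = _FAKE_CERT + dhparams_pem((1 << 2047) | 1)      # 2048-bit as in the thread

if __name__ == "__main__":
    # Usage: python check_dh.py /var/lib/ganeti/server.pem  (run on every node)
    paths = sys.argv[1:]
    for path in paths:
        with open(path) as fh:
            print(path, check_bundle(fh.read()))
    if not paths:
        for name, pem in (("no-dh", SERVER_PEM_NO_DH), ("weak", SERVER_PEM_WEAK),
                          ("ok", SERVER_PEM_OK)):
            print(name, dh_prime_bits(pem), check_bundle(pem))
```

Running it with no arguments exercises the three constructed bundles; pointing it at each node's server.pem gives a quick inventory of which nodes still need the step. The same check can be done with `openssl dhparam -in /var/lib/ganeti/server.pem -text -noout`, which reads the first DH PARAMETERS block from the bundle and prints the prime size.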

Osvaldo T Crispim Filho

Jul 5, 2015, 9:00:05 AM
to gan...@googlegroups.com
Thank you.
Here it is OK.

bruno...@tabmo.io

Jan 29, 2016, 11:26:36 AM
to ganeti
Thanks @Anatoliy Dmytriyev

It works like a charm on Debian 8.3