SSL error on instance export

SSL error on instance export the2nd 6/16/15 2:29 AM
Hi,

For a few days now we have been getting the following error when trying to export an instance using "gnt-backup export":

snapshot/2 failed to send data: Exited with status 1 (recent output: socat: E SSL_connect(): error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small

I guess it's related to the latest OpenSSL updates (Logjam).

Is there any advice on how to fix this? Maybe "gnt-cluster renew-crypto"?

regards
Re: SSL error on instance export Helga Velroyen 6/16/15 2:49 AM

Hi!
Afaik none of the certs that renew-crypto generates have to do with the exports, so rerunning renew-crypto will probably not fix it. I assume we have the key size hard coded somewhere and it needs to be adapted. Do you mind filing a bug?
Cheers,
Helga

Re: SSL error on instance export lordotter 6/17/15 4:57 AM
Hello,

Hope it is all about that.

Thanks,
Thomas
Re: SSL error on instance export the2nd 6/17/15 11:09 PM
Hi,

Thanks for your answer. Is there any workaround available?

regards


On Tuesday, 16 June 2015 11:49:00 UTC+2, Helga Velroyen wrote:
Re: SSL error on instance export Helga Velroyen 6/18/15 12:37 AM
I'm afraid, so far there isn't. :(
Re: SSL error on instance export Anatoliy Dmytriyev 6/18/15 12:43 AM

In my opinion, it is important for everyone to vote for this issue: it should raise the priority when many people complain about this.
Re: SSL error on instance export the2nd 6/19/15 3:15 AM

It seems like temporarily changing "OPENSSL_CIPHERS" to "NULL" in /usr/share/ganeti/2.11/ganeti/_constants.py works.

But as OPENSSL_CIPHERS is also used in /usr/share/ganeti/2.10/ganeti/http/, I looked a little deeper and changed:
# original settings
#SOCAT_OPENSSL_OPTS = ["verify=1", "method=TLSv1",
#                      "cipher=%s" % constants.OPENSSL_CIPHERS]
SOCAT_OPENSSL_OPTS = ["VERIFY=1", "METHOD=TLSV1",
                      "cipher=NULL"]

in /usr/share/ganeti/2.10/ganeti/impexpd/__init__.py

This works too and seems to be a harmless change if one can live with unencrypted exports.

regards
Re: SSL error on instance export Anatoliy Dmytriyev 6/22/15 12:44 AM
A workaround is published there:

====
Because of the Logjam attack (https://weakdh.org/), a DH params file must be generated:

openssl dhparam -out dhparams.pem 2048
and then added to server.pem on every node:
cat dhparams.pem >> /var/lib/ganeti/server.pem

After adding dh to every node - import/export works fine.
====

But it doesn't work for me.
Has anybody success using this solution?
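The workaround quoted above, written up as an added script (not from this thread or from Ganeti itself) that first checks whether server.pem already carries DH parameters and how large they are, and only then generates and appends a 2048-bit group. It assumes the default path /var/lib/ganeti/server.pem from the post above and that the file's first DH PARAMETERS block is the one used, so an existing weak block is reported rather than silently appended to.

```shell
#!/bin/sh
# Added example: idempotent version of the "append dhparams to server.pem"
# workaround, with a size check. Assumptions: path below is the node cert
# file socat reads (as in the thread); the first DH block in the file wins.
set -eu

MIN_BITS=2048

# Returns 0 if the PEM already carries a DH PARAMETERS block, 1 otherwise.
has_dh_params() {
    grep -q -- '-----BEGIN DH PARAMETERS-----' "$1"
}

# Prints the DH group size in bits; prints nothing if no DH block is present
# (or openssl is unavailable).
dh_bits() {
    openssl dhparam -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Returns 0 if the file has DH params of at least MIN_BITS, 1 otherwise.
dh_is_strong() {
    bits="$(dh_bits "$1")"
    [ -n "$bits" ] && [ "$bits" -ge "$MIN_BITS" ]
}

# Generate and append DH params only when none are present. A weak block
# already in the file is reported instead, since appending a second block
# would not replace the first one that gets read.
ensure_dh_params() {
    if has_dh_params "$1"; then
        if dh_is_strong "$1"; then
            echo "$1: DH params already >= $MIN_BITS bits"
            return 0
        fi
        echo "$1: weak DH params present; remove that block first" >&2
        return 2
    fi
    tmp="$(mktemp)"
    openssl dhparam -out "$tmp" "$MIN_BITS"
    cat "$tmp" >> "$1"          # same append as the thread's workaround
    rm -f "$tmp"
    echo "$1: appended $MIN_BITS-bit DH params"
}

# Only act when a path is given explicitly, e.g. ensure_dh.sh /var/lib/ganeti/server.pem
if [ "$#" -gt 0 ]; then
    ensure_dh_params "$1"
fi
```

Run it on every node, as the quoted post says, then retry the export; the 2048-bit generation can take a while on small VMs.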
Re: SSL error on instance export Osvaldo T Crispim Filho 7/5/15 6:00 AM
Thank you.
Here is ok.
Re: SSL error on instance export bruno...@tabmo.io 1/29/16 8:26 AM
Thanks @Anatoliy Dmytriyev

It works like a charm in Debian 8.3