|SSL error on instance export||the2nd||6/16/15 2:29 AM|
Since a few days we get the following error when trying to export an instance using "gnt-backup export":
snapshot/2 failed to send data: Exited with status 1 (recent output: socat: E SSL_connect(): error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small
I guess it's related to the latest openssl updates (logjam).
Is there any advice on how to fix this? Maybe "gnt-cluster renew-crypto"?
|Re: SSL error on instance export||Helga Velroyen||6/16/15 2:49 AM|
|Re: SSL error on instance export||lordotter||6/17/15 4:57 AM|
|Re: SSL error on instance export||the2nd||6/17/15 11:09 PM|
Thanks for your answer. Is there any workaround available?
|Re: SSL error on instance export||Helga Velroyen||6/18/15 12:37 AM|
I'm afraid, so far there isn't. :(
|Re: SSL error on instance export||Anatoliy Dmytriyev||6/18/15 12:43 AM|
In my opinion, it is important for everyone to vote for this issue: it should raise the priority when many people complain about this.
|Re: SSL error on instance export||the2nd||6/19/15 3:15 AM|
It seems like temporarily changing "OPENSSL_CIPHERS" to "NULL" in /usr/share/ganeti/2.11/ganeti/_constants.py works.
But as OPENSSL_CIPHERS is also used in /usr/share/ganeti/2.10/ganeti/http/, I looked a little bit deeper and changed:
# original settings
#SOCAT_OPENSSL_OPTS = ["verify=1", "method=TLSv1",
# "cipher=%s" % constants.OPENSSL_CIPHERS]
SOCAT_OPENSSL_OPTS = ["VERIFY=1", "METHOD=TLSV1",
This works too and seems to be a harmless change if one can live with unencrypted exports.
|Re: SSL error on instance export||Anatoliy Dmytriyev||6/22/15 12:44 AM|
A workaround is published there:
Because of the Logjam attack (https://weakdh.org/), a DH params file must be generated:
openssl dhparam -out dhparams.pem 2048
and then added to server.pem on every node:
cat dhparams.pem >> /var/lib/ganeti/server.pem
After adding DH to every node, import/export works fine.
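An idempotent form of the append step from the post above, as an added example that is not part of the thread or of Ganeti's own tooling. The function names are assumptions; the file paths and the `openssl dhparam` command are the ones quoted in the post.

```shell
#!/bin/sh
# Added example (function names are assumptions, not Ganeti tooling).
# Generate the parameters once, as in the post:
#   openssl dhparam -out dhparams.pem 2048
# then on each node:
#   ensure_dh_params /var/lib/ganeti/server.pem dhparams.pem

DH_MARK='-----BEGIN DH PARAMETERS-----'

# Number of DH parameter blocks in a PEM file (0 if none).
count_dh_blocks() {
    grep -c -e "$DH_MARK" "$1" 2>/dev/null || true
}

# Size in bits of the first DH prime in a PEM file; needs the openssl CLI.
dh_bits() {
    openssl dhparam -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Append DHFILE to PEM unless PEM already carries DH parameters, so that
# running it twice does not stack duplicate blocks the way ">>" would.
# Returns 0 on success or no-op, 2 on bad input.
ensure_dh_params() {
    pem="$1"; dhfile="$2"
    [ -f "$pem" ] && [ -f "$dhfile" ] || { echo "missing file" >&2; return 2; }
    if [ "$(count_dh_blocks "$dhfile")" -ne 1 ]; then
        echo "$dhfile: expected exactly one DH PARAMETERS block" >&2
        return 2
    fi
    if [ "$(count_dh_blocks "$pem")" -gt 0 ]; then
        echo "$pem: DH parameters already present, left unchanged"
        return 0
    fi
    # Rollback copy; cp -p keeps the mode, since the bundle holds a private key.
    cp -p "$pem" "$pem.bak" || return 1
    # A bundle without a trailing newline would glue two PEM lines together.
    if [ -n "$(tail -c 1 "$pem")" ]; then echo >> "$pem"; fi
    cat "$dhfile" >> "$pem"
}
```

After the append, `dh_bits /var/lib/ganeti/server.pem` should print 2048 on each node if the parameters were generated as in the post.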
|Re: SSL error on instance export||Osvaldo T Crispim Filho||7/5/15 6:00 AM|
Here is ok.
|Re: SSL error on instance export||bruno...@tabmo.io||1/29/16 8:26 AM|
Thanks @Anatoliy Dmytriyev
It works like a charm in Debian 8.3