How to disable older SSL/TLS protocols in libvirtd
Environment
Red Hat Enterprise Linux 6 (libvirt-0.10.2-62.el6 or later)
Red Hat Enterprise Linux 7 (libvirt-daemon-2.0.0-10.el7 or later)
Red Hat Virtualization
Issue
Need to disable older, insecure SSL/TLS protocols in libvirtd
Resolution
To disable certain protocols, set tls_priority in /etc/libvirt/libvirtd.conf. The value is a GnuTLS priority string, so disabling a protocol means starting from the NORMAL set and subtracting it:
tls_priority="NORMAL:-<PROTOCOL>"
Valid protocols are:
VERS-SSL3.0
VERS-TLS1.0
VERS-TLS1.1
VERS-TLS1.2
Multiple protocols can be specified, separated by colons. For example, to disable SSL3 and TLS 1.0, add the following:
tls_priority="NORMAL:-VERS-SSL3.0:-VERS-TLS1.0"
Alternatively, remove every version and add back only the one you want. The following is stricter than the line above, since it also disables TLS 1.1 and leaves TLS 1.2 as the only accepted version:
tls_priority="NORMAL:-VERS-ALL:+VERS-TLS1.2"
The same string can also disable individual ciphers. The example below disables SSL3 as well as the RC4 (ARCFOUR-128) and 3DES ciphers:
tls_priority="NORMAL:-VERS-SSL3.0:-ARCFOUR-128:-3DES-CBC"
The setting is read only at startup, so after modifying the file restart libvirtd (on RHEL 6 libvirtd is a SysV init script, managed with service rather than initctl):
# systemctl restart libvirtd # RHEL 7
# service libvirtd restart # RHEL 6
Root Cause
This feature was added in the following Bugzillas:
RHEL 6:
Bug 1333415 libvirtd allows SSLv3 connections and poor ciphers
libvirt bug fix and enhancement update
RHEL 7:
Bug 1333404 – libvirtd allows SSLv3 connections and poor ciphers
Moderate: libvirt security, bug fix, and enhancement update
Diagnostic Steps
To test, attempt a handshake against the libvirt TLS port (16514) with each protocol version forced in turn. The CA file path below is the Red Hat Virtualization (VDSM) one; on a host using libvirt's default PKI layout use /etc/pki/CA/cacert.pem instead:
$ openssl s_client -connect localhost:16514 -CAfile /etc/pki/vdsm/certs/cacert.pem -ssl3
$ openssl s_client -connect localhost:16514 -CAfile /etc/pki/vdsm/certs/cacert.pem -tls1
$ openssl s_client -connect localhost:16514 -CAfile /etc/pki/vdsm/certs/cacert.pem -tls1_1
$ openssl s_client -connect localhost:16514 -CAfile /etc/pki/vdsm/certs/cacert.pem -tls1_2
A disabled protocol should end in a handshake failure with "Cipher    : 0000" in the session summary; an enabled one prints the negotiated protocol and cipher and waits for input. Note that an openssl build compiled without SSLv3 rejects the -ssl3 option outright, which is not evidence about the server.
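The four manual s_client invocations above can be wrapped in a small probe that reports, per protocol version, whether libvirtd accepted the handshake. The script below is an added example and not part of the Red Hat solution; it assumes openssl(1) is installed, that the CA file matches the host's PKI layout (the default argument is libvirt's own /etc/pki/CA/cacert.pem, not the VDSM path), and that the host's openssl supports the version flags it tries.

```shell
#!/bin/sh
# tls-probe.sh: report which SSL/TLS versions a libvirtd TLS listener accepts.
# Added example (not Red Hat's or libvirt's code). Assumes openssl(1) is
# available; CA path and port are assumptions that can be overridden.
# Usage: sh tls-probe.sh HOST [PORT] [CAFILE]

# Read s_client output from stdin and print the negotiated protocol, or
# nothing if no session was established. openssl prints a "Protocol" line
# and "Cipher    : 0000" even when the handshake fails, so the cipher line,
# not the protocol line, is the reliable success indicator.
negotiated_protocol() {
    awk '
        /^ *Protocol *:/ { sub(/^ *Protocol *: */, ""); proto = $0 }
        /^ *Cipher *:/   { sub(/^ *Cipher *: */, "");   cipher = $0 }
        END { if (cipher != "" && cipher != "0000") print proto }
    '
}

# Run one s_client handshake restricted to a single version flag.
probe_version() {
    host=$1; port=$2; cafile=$3; flag=$4
    # "echo |" closes stdin so s_client exits after the handshake; "|| true"
    # keeps a refused connection or failed handshake from aborting the loop.
    out=$(echo | openssl s_client -connect "$host:$port" -CAfile "$cafile" "$flag" 2>&1) || true
    proto=$(printf '%s\n' "$out" | negotiated_protocol)
    if [ -n "$proto" ]; then
        printf '%-8s ACCEPTED (%s)\n' "$flag" "$proto"
    else
        printf '%-8s rejected\n' "$flag"
    fi
}

# Probe every version the article lists. Port 16514 is libvirt's TLS port;
# the CA path is libvirt's default layout (assumption, override as needed).
probe_all() {
    host=$1; port=${2:-16514}; cafile=${3:-/etc/pki/CA/cacert.pem}
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        probe_version "$host" "$port" "$cafile" "$flag"
    done
}

if [ $# -gt 0 ]; then
    probe_all "$@"
else
    echo "usage: $0 HOST [PORT] [CAFILE]" >&2
fi
```

After applying a tls_priority of "NORMAL:-VERS-SSL3.0:-VERS-TLS1.0", only -tls1_1 and -tls1_2 should report ACCEPTED. A "rejected" for -ssl3 on an openssl build that lacks SSLv3 support is the client refusing the option, not the server, so confirm with "openssl s_client -help" before reading that line as a pass.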
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.