Re: error during host deploy

Michal Prívozník <mprivozn@xxxxxxxxxx> · Tue, 21 Dec 2021 10:02:42 +0100

On 12/20/21 11:34, Dana Elfassy wrote:
> Hi,
> While running a test case of adding hosts on ovirt system tests there
> was a failure while the following command was executed:
> vdsm-tool configure --force
> 
> On libvirtd log I found this error:
> 
> 2021-12-17 00:11:41.753+0000: 28031: error : virNetTLSContextNew:732 :
> Unable to generate diffie-hellman parameters: Error in public key
> generation.


This is the code on that line:

  err = gnutls_dh_params_init(&ctxt->dhParams);
  if (err < 0) {
      virReportError(VIR_ERR_SYSTEM_ERROR,
                     _("Unable to initialize diffie-hellman parameters: %s"),
                     gnutls_strerror(err));
      goto error;
  }
  err = gnutls_dh_params_generate2(ctxt->dhParams, DH_BITS);
  if (err < 0) {
      virReportError(VIR_ERR_SYSTEM_ERROR,
                     _("Unable to generate diffie-hellman parameters: %s"),
                     gnutls_strerror(err));
      goto error;
  }
  
  gnutls_certificate_set_dh_params(ctxt->x509cred,
                                         ctxt->dhParams);


More specific, it's gnutls_dh_params_generate2() that fails. I suspect
it's because DH_BITS is defined as following:

  #define DH_BITS 2048

which might be too short for system policy. If you're able, you can try
the following patch:

diff --git i/src/rpc/virnettlscontext.c w/src/rpc/virnettlscontext.c
index 1a3dd92676..3ab9f6c4ce 100644
--- i/src/rpc/virnettlscontext.c
+++ w/src/rpc/virnettlscontext.c
@@ -717,16 +717,20 @@ static virNetTLSContext *virNetTLSContextNew(const char *cacert,
      * once a day, once a week or once a month. Depending on the
      * security requirements.
      */
     if (isServer) {
+        unsigned int bits = 0;
+
+        bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_HIGH);
+
         err = gnutls_dh_params_init(&ctxt->dhParams);
         if (err < 0) {
             virReportError(VIR_ERR_SYSTEM_ERROR,
                            _("Unable to initialize diffie-hellman parameters: %s"),
                            gnutls_strerror(err));
             goto error;
         }
-        err = gnutls_dh_params_generate2(ctxt->dhParams, DH_BITS);
+        err = gnutls_dh_params_generate2(ctxt->dhParams, bits);
         if (err < 0) {
             virReportError(VIR_ERR_SYSTEM_ERROR,
                            _("Unable to generate diffie-hellman parameters: %s"),
                            gnutls_strerror(err));


If it helps, I can post it for review.

Michal







