Thanks,
Is it possible that you create an rpm with this fix so I can use it on the test runs and try to reproduce?

On Tue, Dec 21, 2021 at 11:02 AM Michal Prívozník <mprivozn@redhat.com> wrote:
On 12/20/21 11:34, Dana Elfassy wrote:
> Hi,
> While running a test case of adding hosts on ovirt system tests there
> was a failure while the following command was executed:
> vdsm-tool configure --force
>
> On libvirtd log I found this error:
>
> 2021-12-17 00:11:41.753+0000: 28031: error : virNetTLSContextNew:732 :
> Unable to generate diffie-hellman parameters: Error in public key
> generation.


This is the code on that line:

  err = gnutls_dh_params_init(&ctxt->dhParams);
  if (err < 0) {
      virReportError(VIR_ERR_SYSTEM_ERROR,
                     _("Unable to initialize diffie-hellman parameters: %s"),
                     gnutls_strerror(err));
      goto error;
  }
  err = gnutls_dh_params_generate2(ctxt->dhParams, DH_BITS);
  if (err < 0) {
      virReportError(VIR_ERR_SYSTEM_ERROR,
                     _("Unable to generate diffie-hellman parameters: %s"),
                     gnutls_strerror(err));
      goto error;
  }

  gnutls_certificate_set_dh_params(ctxt->x509cred,
                                   ctxt->dhParams);


More specifically, it's gnutls_dh_params_generate2() that fails. I suspect
it's because DH_BITS is defined as follows:

  #define DH_BITS 2048

which might be too short for system policy. If you're able, you can try
the following patch:

diff --git i/src/rpc/virnettlscontext.c w/src/rpc/virnettlscontext.c
index 1a3dd92676..3ab9f6c4ce 100644
--- i/src/rpc/virnettlscontext.c
+++ w/src/rpc/virnettlscontext.c
@@ -717,16 +717,20 @@ static virNetTLSContext *virNetTLSContextNew(const char *cacert,
      * once a day, once a week or once a month. Depending on the
      * security requirements.
      */
     if (isServer) {
+        unsigned int bits = 0;
+
+        bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_HIGH);
+
         err = gnutls_dh_params_init(&ctxt->dhParams);
         if (err < 0) {
             virReportError(VIR_ERR_SYSTEM_ERROR,
                            _("Unable to initialize diffie-hellman parameters: %s"),
                            gnutls_strerror(err));
             goto error;
         }
-        err = gnutls_dh_params_generate2(ctxt->dhParams, DH_BITS);
+        err = gnutls_dh_params_generate2(ctxt->dhParams, bits);
         if (err < 0) {
             virReportError(VIR_ERR_SYSTEM_ERROR,
                            _("Unable to generate diffie-hellman parameters: %s"),
                            gnutls_strerror(err));
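Review bot: the value returned by `gnutls_sec_param_to_pk_bits()` is passed straight into `gnutls_dh_params_generate2()` with no check; GnuTLS documents the return value as the number of bits or 0, so an unmapped security parameter would turn into a 0-bit generation request and surface as exactly the same "Unable to generate diffie-hellman parameters" error this patch is meant to diagnose. Add a guard such as `if (bits == 0) { virReportError(VIR_ERR_SYSTEM_ERROR, ...); goto error; }` before the generate call, and consider logging the chosen size so a bug report shows it. Two smaller points: `unsigned int bits = 0;` followed by an unconditional assignment can be one initialised declaration, and if this was the only user of `DH_BITS` the `#define` should be dropped in the same patch. Since `GNUTLS_SEC_PARAM_HIGH` maps to a larger group than 2048 bits, daemon start-up will also spend noticeably longer in parameter generation; `gnutls_certificate_set_known_dh_params()` with the same security parameter would avoid that cost if generating fresh parameters at start-up is not a requirement.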


If it helps, I can post it for review.

Michal
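As an added example (not part of this thread, and not libvirt code), the following script parses libvirtd log lines in the layout quoted above (`timestamp: thread-id: level : function:line : message`), re-joins messages that a mail client wrapped onto continuation lines, and flags the TLS-context failures from virNetTLSContextNew so a test run can be checked for this condition automatically. The log layout is assumed from the single line quoted in the thread, the sample log is constructed (line numbers other than 732 and the non-DH messages are invented), and the remediation hints are the author's own, not libvirt's.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Assumed libvirtd log layout, taken from the line quoted in the thread:
# "<ISO timestamp>: <thread id>: <level> : <function>:<line> : <message>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}[+-]\d{4}): "
    r"(?P<tid>\d+): (?P<level>\w+) : (?P<func>\w+):(?P<line>\d+) :\s*(?P<msg>.*)$"
)


@dataclass
class LogRecord:
    ts: str
    tid: int
    level: str
    func: str
    line: int
    msg: str


def parse_libvirtd_log(text: str) -> List[LogRecord]:
    """Parse libvirtd log text into records.

    Lines that do not start a new record (e.g. a message wrapped by a mail
    client, as in the thread) are appended to the previous record's message.
    """
    records: List[LogRecord] = []
    for raw in text.splitlines():
        m = LOG_RE.match(raw)
        if m:
            records.append(LogRecord(m["ts"], int(m["tid"]), m["level"],
                                     m["func"], int(m["line"]), m["msg"]))
        elif records and raw.strip():
            # Continuation of the previous message; strip() avoids a leading space
            # when the first physical line ended right after " : ".
            records[-1].msg = (records[-1].msg + " " + raw.strip()).strip()
    return records


# Error prefixes emitted by virNetTLSContextNew (both appear in the code quoted
# in the thread), each mapped to a hypothetical defender-facing hint.
TLS_FAILURE_HINTS = {
    "Unable to generate diffie-hellman parameters":
        "DH parameter size rejected by GnuTLS or the system crypto policy; "
        "compare the requested size with the policy's minimum DH size",
    "Unable to initialize diffie-hellman parameters":
        "GnuTLS could not set up DH parameter state; check memory/FIPS state",
}


def find_tls_context_failures(records: List[LogRecord]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, error prefix, hint) for each TLS server-context failure."""
    findings = []
    for r in records:
        if r.level != "error" or r.func != "virNetTLSContextNew":
            continue
        for prefix, hint in TLS_FAILURE_HINTS.items():
            if r.msg.startswith(prefix):
                findings.append((r.ts, prefix, hint))
    return findings


# Constructed sample log. The second entry is the line quoted in the thread,
# wrapped exactly as the mail client wrapped it; the other entries are invented.
SAMPLE_LOG = """\
2021-12-17 00:11:41.701+0000: 28031: debug : virNetTLSContextNew:690 : server=1 cacert=/etc/pki/CA/cacert.pem
2021-12-17 00:11:41.753+0000: 28031: error : virNetTLSContextNew:732 :
Unable to generate diffie-hellman parameters: Error in public key
generation.
2021-12-17 00:11:41.760+0000: 28031: error : virNetSocketNewListenTCP:402 : constructed unrelated error
2021-12-17 00:11:42.010+0000: 28031: error : virNetTLSContextNew:725 : Unable to initialize diffie-hellman parameters: Memory allocation error
"""


if __name__ == "__main__":
    for ts, prefix, hint in find_tls_context_failures(parse_libvirtd_log(SAMPLE_LOG)):
        print(f"{ts}  {prefix}\n    hint: {hint}")
```

Feed it a real libvirtd.log (`parse_libvirtd_log(open(path).read())`) after a failing `vdsm-tool configure --force` run; a non-empty result from `find_tls_context_failures` is the signal that the TLS server context, not the later vdsm steps, is what failed.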