glusterfs.git/tests/features/ssl-authz.t, branch v3.6.3 tests/features/ssl-authz.t: Fix spurious failures 2015-02-19T06:57:39+00:00 Emmanuel Dreyfus manu@netbsd.org 2015-01-23T10:24:07+00:00 58b71c64308e7680b5fc5326ed1aed294f848ecb Fix two spurious failures in tests/features/ssl-authz.t 1) Wait for bricks to come online after starting a volume, so that the mount is usable without "socket not connected" error 2) For a mount that must fail, we may get the situation where there is no mount at all, which means creating a file will write to the mount point instead of failing. To cover that case, write the file and check it is absent from the brick. BUG: 1193970 Change-Id: If95e1d65ab23d11123f778c20f8110a3177b0e7f Signed-off-by: Emmanuel Dreyfus <manu@netbsd.org> Reviewed-on: http://review.gluster.org/9483 Tested-by: Gluster Build System <jenkins@build.gluster.com> Reviewed-by: Jeff Darcy <jdarcy@redhat.com> Reviewed-on: http://review.gluster.org/9686 Reviewed-by: Justin Clift <justin@gluster.org> Reviewed-by: Raghavendra Bhat <raghavendra@redhat.com> 
Fix two spurious failures in tests/features/ssl-authz.t
1) Wait for bricks to come online after starting a volume, so that
   the mount is usable without "socket not connected" error
2) For a mount that must fail, we may get the situation where there
   is no mount at all, which means creating a file will write to the
   mount point instead of failing. To cover that case, write the
   file and check it is absent from the brick.

BUG: 1193970
Change-Id: If95e1d65ab23d11123f778c20f8110a3177b0e7f
Signed-off-by: Emmanuel Dreyfus <manu@netbsd.org>
Reviewed-on: http://review.gluster.org/9483
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Jeff Darcy <jdarcy@redhat.com>
Reviewed-on: http://review.gluster.org/9686
Reviewed-by: Justin Clift <justin@gluster.org>
Reviewed-by: Raghavendra Bhat <raghavendra@redhat.com>
socket: disallow CBC cipher modes 2014-10-29T11:37:55+00:00 Jeff Darcy jdarcy@redhat.com 2014-10-21T20:54:48+00:00 ab017cabfb547f423fd0d9702865edcb91b58c53 This is related to CVE-2014-3566 a.k.a. POODLE. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566 POODLE is specific to CBC cipher modes in SSLv3. Because there is no way to prevent SSLv3 fallback on a system with an unpatched version of OpenSSL, users of such systems can only be protected by disallowing CBC modes. The default cipher-mode specification in our code has been changed accordingly. Users can still set their own cipher modes if they wish. To support them, the ssl-authz.t test script provides an example of how to combine the CBC exclusion with other criteria in a script. Change-Id: Ib1fa547082fbb7de9df94ffd182b1800d6e354e5 BUG: 1157659 Signed-off-by: Jeff Darcy <jdarcy@redhat.com> Reviewed-on: http://review.gluster.org/8962 Tested-by: Gluster Build System <jenkins@build.gluster.com> Reviewed-by: Kaleb KEITHLEY <kkeithle@redhat.com> Reviewed-by: Vijay Bellur <vbellur@redhat.com> Reviewed-on: http://review.gluster.org/8987 Reviewed-by: Niels de Vos <ndevos@redhat.com> Tested-by: Niels de Vos <ndevos@redhat.com> 
This is related to CVE-2014-3566 a.k.a. POODLE.

	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566

POODLE is specific to CBC cipher modes in SSLv3.  Because there is no
way to prevent SSLv3 fallback on a system with an unpatched version of
OpenSSL, users of such systems can only be protected by disallowing CBC
modes.  The default cipher-mode specification in our code has been
changed accordingly.  Users can still set their own cipher modes if they
wish.  To support them, the ssl-authz.t test script provides an example
of how to combine the CBC exclusion with other criteria in a script.

Change-Id: Ib1fa547082fbb7de9df94ffd182b1800d6e354e5
BUG: 1157659
Signed-off-by: Jeff Darcy <jdarcy@redhat.com>
Reviewed-on: http://review.gluster.org/8962
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Kaleb KEITHLEY <kkeithle@redhat.com>
Reviewed-by: Vijay Bellur <vbellur@redhat.com>
Reviewed-on: http://review.gluster.org/8987
Reviewed-by: Niels de Vos <ndevos@redhat.com>
Tested-by: Niels de Vos <ndevos@redhat.com>
Use sane OS-dependent defaults for SSL configuration 2014-09-26T12:24:20+00:00 Emmanuel Dreyfus manu@netbsd.org 2014-09-26T00:13:57+00:00 61353a428903047d800b572637ab1df6f2b04a42 Current code assumes /etc/ssl exists, which may not be the case. Attempt to guess sane default for a few OS. Backport of I0f3168f79b8f4275636581041740dfcaf25f3edd BUG: 1138897 Change-Id: I972c26236cbf070f15c3846add059bd33d60216d Signed-off-by: Emmanuel Dreyfus <manu@netbsd.org> Reviewed-on: http://review.gluster.org/8861 Tested-by: Gluster Build System <jenkins@build.gluster.com> Reviewed-by: Vijay Bellur <vbellur@redhat.com> 
Current code assumes /etc/ssl exists, which may not be the case.
Attempt to guess sane default for a few OS.

Backport of I0f3168f79b8f4275636581041740dfcaf25f3edd

BUG: 1138897
Change-Id: I972c26236cbf070f15c3846add059bd33d60216d
Signed-off-by: Emmanuel Dreyfus <manu@netbsd.org>
Reviewed-on: http://review.gluster.org/8861
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Vijay Bellur <vbellur@redhat.com>
rpc/auth: allow SSL identity to be used for authorization 2014-07-02T09:47:05+00:00 Jeff Darcy jdarcy@redhat.com 2014-04-17T23:21:05+00:00 caa8a4ea50734378e7e19f70b39a837c58e9d229 Access to a volume is now controlled by the following options, based on whether SSL is enabled or not. * server.ssl-allow: get identity from certificate, no password needed * auth.allow: get identity and matching password from command line It is not possible to allow both simultaneously, since the connection itself is either using SSL or it isn't. Change-Id: I5a5be66520f56778563d62f4b3ab35c66cc41ac0 BUG: 1114604 Signed-off-by: Jeff Darcy <jdarcy@redhat.com> Reviewed-on: http://review.gluster.org/3695 Tested-by: Gluster Build System <jenkins@build.gluster.com> Reviewed-by: Vijay Bellur <vbellur@redhat.com> 
Access to a volume is now controlled by the following options, based on
whether SSL is enabled or not.

 * server.ssl-allow: get identity from certificate, no password needed

 * auth.allow: get identity and matching password from command line

It is not possible to allow both simultaneously, since the connection
itself is either using SSL or it isn't.

Change-Id: I5a5be66520f56778563d62f4b3ab35c66cc41ac0
BUG: 1114604
Signed-off-by: Jeff Darcy <jdarcy@redhat.com>
Reviewed-on: http://review.gluster.org/3695
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Vijay Bellur <vbellur@redhat.com>