authorMohit Agrawal <moagrawa@redhat.com>2018-03-14 09:37:52 +0530
committerJeff Darcy <jeff@pl.atyp.us>2018-03-19 19:00:03 +0000
commitcf06dd544004701ef43fa81c5b7a95353d5c1d65 (patch)
tree7f52598cb402269c781d020686886bf28c481232
parentde52876407040a8cae9656ede9f66084d4cb45ac (diff)
glusterd: TLS verification fails while using intermediate CA
Problem: TLS verification fails while using an intermediate CA if management SSL is enabled. Solution: There are two main causes of the TLS verification failure: 1) the SSL API to set cert_depth is not called; 2) the current code does not allow setting the certificate depth while management SSL is enabled. After applying this patch, to set the certificate depth the user needs to set the parameter option transport.socket.ssl-cert-depth <depth> in /var/lib/glusterd/secure_acccess instead of setting it in /etc/glusterfs/glusterd.vol. At the time secure_mgmt is set in ctx we check the value of cert-depth and save it in ctx. If the user does not provide any value for cert-depth, the default value of 1 is used. BUG: 1555154 Change-Id: I89e9a9e1026e37efb5c20f9ec62b1989ef644f35 Signed-off-by: Mohit Agrawal <moagrawa@redhat.com>
-rw-r--r--api/src/glfs-mgmt.c1
-rw-r--r--cli/src/cli.c1
-rw-r--r--glusterfsd/src/glusterfsd-mgmt.c2
-rw-r--r--glusterfsd/src/glusterfsd.c1
-rw-r--r--heal/src/glfs-heal.c1
-rw-r--r--libglusterfs/src/glusterfs.h6
-rw-r--r--libglusterfs/src/graph.c42
-rw-r--r--libglusterfs/src/libglusterfs.sym3
-rw-r--r--rpc/rpc-transport/socket/src/socket.c12
-rw-r--r--xlators/mgmt/glusterd/src/glusterd-handler.c3
10 files changed, 66 insertions, 6 deletions
diff --git a/api/src/glfs-mgmt.c b/api/src/glfs-mgmt.c
index f709b54d49e..229caa98777 100644
--- a/api/src/glfs-mgmt.c
+++ b/api/src/glfs-mgmt.c
@@ -1040,6 +1040,7 @@ glfs_mgmt_init (struct glfs *fs)
if (sys_access (SECURE_ACCESS_FILE, F_OK) == 0) {
ctx->secure_mgmt = 1;
+ ctx->ssl_cert_depth = glusterfs_read_secure_access_file ();
}
rpc = rpc_clnt_new (options, THIS, THIS->name, 8);
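Review bot: The three-line pattern added here — probe SECURE_ACCESS_FILE with sys_access(), set secure_mgmt, then store glusterfs_read_secure_access_file () into ctx->ssl_cert_depth — is duplicated verbatim in the cli.c, glusterfsd-mgmt.c, glusterfsd.c and glfs-heal.c hunks of this commit. Each copy re-opens and re-parses the file, and five call sites setting two related fields by hand will drift apart the next time one of them changes. I'd fold the probe and both assignments into one libglusterfs helper (say a `glusterfs_ctx_secure_mgmt_init (ctx)` wrapping exactly these lines) and call it from all five places. glfs_mgmt_init's body continues outside the hunk.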
diff --git a/cli/src/cli.c b/cli/src/cli.c
index 930182c65b7..b58f211d3dd 100644
--- a/cli/src/cli.c
+++ b/cli/src/cli.c
@@ -439,6 +439,7 @@ parse_cmdline (int argc, char *argv[], struct cli_state *state)
/* Do this first so that an option can override. */
if (sys_access (SECURE_ACCESS_FILE, F_OK) == 0) {
state->ctx->secure_mgmt = 1;
+ state->ctx->ssl_cert_depth = glusterfs_read_secure_access_file ();
}
if (state->argc > GEO_REP_CMD_CONFIG_INDEX &&
diff --git a/glusterfsd/src/glusterfsd-mgmt.c b/glusterfsd/src/glusterfsd-mgmt.c
index bf55a0770b4..d2b39494e51 100644
--- a/glusterfsd/src/glusterfsd-mgmt.c
+++ b/glusterfsd/src/glusterfsd-mgmt.c
@@ -2650,6 +2650,8 @@ glusterfs_mgmt_init (glusterfs_ctx_t *ctx)
goto out;
}
+
+ ctx->ssl_cert_depth = glusterfs_read_secure_access_file ();
}
rpc = rpc_clnt_new (options, THIS, THIS->name, 8);
diff --git a/glusterfsd/src/glusterfsd.c b/glusterfsd/src/glusterfsd.c
index 0cc46c78943..ef06ddfed31 100644
--- a/glusterfsd/src/glusterfsd.c
+++ b/glusterfsd/src/glusterfsd.c
@@ -1951,6 +1951,7 @@ parse_cmdline (int argc, char *argv[], glusterfs_ctx_t *ctx)
/* Do this before argp_parse so it can be overridden. */
if (sys_access (SECURE_ACCESS_FILE, F_OK) == 0) {
cmd_args->secure_mgmt = 1;
+ ctx->ssl_cert_depth = glusterfs_read_secure_access_file ();
}
argp_parse (&argp, argc, argv, ARGP_IN_ORDER, NULL, cmd_args);
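Review bot: On this path the flag goes into cmd_args->secure_mgmt while the parsed depth goes into ctx->ssl_cert_depth, and the comment above says argp_parse may override the former; if secure management is enabled by a command-line option rather than by the presence of SECURE_ACCESS_FILE, ssl_cert_depth is never assigned here and socket_init later uses whatever the ctx holds. I'd make the assignment follow the final decision, e.g. after argp_parse: `if (cmd_args->secure_mgmt) ctx->ssl_cert_depth = glusterfs_read_secure_access_file ();`, which is safe without the file because glusterfs_read_secure_access_file returns its default of 1 when fopen fails. parse_cmdline continues outside the hunk, so the argp override itself is not visible here.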
diff --git a/heal/src/glfs-heal.c b/heal/src/glfs-heal.c
index 10d00e6d737..e86c76cde49 100644
--- a/heal/src/glfs-heal.c
+++ b/heal/src/glfs-heal.c
@@ -1661,6 +1661,7 @@ main (int argc, char **argv)
if (sys_access(SECURE_ACCESS_FILE, F_OK) == 0) {
fs->ctx->secure_mgmt = 1;
+ fs->ctx->ssl_cert_depth = glusterfs_read_secure_access_file ();
}
ret = glfs_set_volfile_server (fs, "unix", DEFAULT_GLUSTERD_SOCKFILE, 0);
diff --git a/libglusterfs/src/glusterfs.h b/libglusterfs/src/glusterfs.h
index 6b0df533e69..250d8e69a4f 100644
--- a/libglusterfs/src/glusterfs.h
+++ b/libglusterfs/src/glusterfs.h
@@ -593,6 +593,11 @@ struct _glusterfs_ctx {
*/
int secure_mgmt;
+ /* The option is use to set cert_depth while management connection
+ use SSL
+ */
+ int ssl_cert_depth;
+
/*
* Should *our* server/inbound connections use SSL? This is only true
* if we're glusterd and secure_mgmt is set, or if we're glusterfsd
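Review bot: The new field comment is ungrammatical and says neither where the value comes from nor what consumes it. I'd replace it with `/* Max certificate chain depth for management (secure_mgmt) SSL connections; filled from SECURE_ACCESS_FILE by glusterfs_read_secure_access_file (), which defaults it to 1, and passed to SSL_CTX_set_verify_depth () in socket_init. */`. It is also worth stating that callers which enable secure_mgmt without reading the file leave the field at whatever the ctx was initialised with. The struct definition continues outside the hunk.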
@@ -700,4 +705,5 @@ int glusterfs_graph_parent_up (glusterfs_graph_t *graph);
void
gf_free_mig_locks (lock_migration_info_t *locks);
+int glusterfs_read_secure_access_file (void);
#endif /* _GLUSTERFS_H */
diff --git a/libglusterfs/src/graph.c b/libglusterfs/src/graph.c
index db80e21272a..d36cf7b3da5 100644
--- a/libglusterfs/src/graph.c
+++ b/libglusterfs/src/graph.c
@@ -16,7 +16,7 @@
#include "defaults.h"
#include <unistd.h>
#include "syscall.h"
-
+#include <regex.h>
#include "libglusterfs-messages.h"
#if 0
@@ -68,7 +68,47 @@ _gf_dump_details (int argc, char **argv)
}
#endif
+int
+glusterfs_read_secure_access_file (void)
+{
+ FILE *fp = NULL;
+ char line[100] = {0,};
+ int cert_depth = 1; /* Default SSL CERT DEPTH */
+ regex_t regcmpl;
+ char *key = {"^option transport.socket.ssl-cert-depth"};
+ char keyval[50] = {0,};
+ int start = 0, end = 0, copy_len = 0;
+ regmatch_t result[1] = {{0} };
+
+ fp = fopen (SECURE_ACCESS_FILE, "r");
+ if (!fp)
+ goto out;
+ /* Check if any line matches with key */
+ while (fgets(line, sizeof(line), fp) != NULL) {
+ if (regcomp (&regcmpl, key, REG_EXTENDED)) {
+ goto out;
+ }
+ if (!regexec (&regcmpl, line, 1, result, 0)) {
+ start = result[0].rm_so;
+ end = result[0].rm_eo;
+ copy_len = end - start;
+ strcpy (keyval, line+copy_len);
+ if (keyval[0]) {
+ cert_depth = atoi(keyval);
+ if (cert_depth == 0)
+ cert_depth = 1; /* Default SSL CERT DEPTH */
+ break;
+ }
+ }
+ regfree(&regcmpl);
+ }
+
+out:
+ if (fp)
+ fclose (fp);
+ return cert_depth;
+}
int
glusterfs_xlator_link (xlator_t *pxl, xlator_t *cxl)
diff --git a/libglusterfs/src/libglusterfs.sym b/libglusterfs/src/libglusterfs.sym
index df97a7fd89a..6340bc8a3a2 100644
--- a/libglusterfs/src/libglusterfs.sym
+++ b/libglusterfs/src/libglusterfs.sym
@@ -733,6 +733,7 @@ glusterfs_graph_deactivate
glusterfs_graph_destroy
glusterfs_graph_destroy_residual
glusterfs_graph_prepare
+glusterfs_read_secure_access_file
glusterfs_graph_print_file
glusterfs_graph_set_first
glusterfs_is_local_pathinfo
@@ -1107,4 +1108,4 @@ use_spinlocks
dump_options
glusterfs_leaseid_buf_get
gf_replace_old_iatt_in_dict
-gf_replace_new_iatt_in_dict \ No newline at end of file
+gf_replace_new_iatt_in_dict
diff --git a/rpc/rpc-transport/socket/src/socket.c b/rpc/rpc-transport/socket/src/socket.c
index e05b6f88799..a3917040069 100644
--- a/rpc/rpc-transport/socket/src/socket.c
+++ b/rpc/rpc-transport/socket/src/socket.c
@@ -4489,7 +4489,13 @@ socket_init (rpc_transport_t *this)
"using %s polling thread",
priv->own_thread ? "private" : "system");
- if (!dict_get_int32 (this->options, SSL_CERT_DEPTH_OPT, &cert_depth)) {
+ if (!priv->mgmt_ssl) {
+ if (!dict_get_int32 (this->options, SSL_CERT_DEPTH_OPT, &cert_depth)) {
+ gf_log (this->name, GF_LOG_INFO,
+ "using certificate depth %d", cert_depth);
+ }
+ } else {
+ cert_depth = this->ctx->ssl_cert_depth;
gf_log (this->name, GF_LOG_INFO,
"using certificate depth %d", cert_depth);
}
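Review bot: In the mgmt_ssl branch cert_depth is overwritten with this->ctx->ssl_cert_depth without checking that it was ever populated; callers that set secure_mgmt but never call glusterfs_read_secure_access_file leave the field at its initial value (0 if the ctx is zero-filled, which I cannot confirm from the hunk), and that value then reaches SSL_CTX_set_verify_depth() in the next hunk. I'd only take the ctx value when it is meaningful: `if (this->ctx->ssl_cert_depth > 0) cert_depth = this->ctx->ssl_cert_depth;`, so the cert_depth default already held before this block survives otherwise. socket_init begins and ends outside the hunk.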
@@ -4628,9 +4634,7 @@ socket_init (rpc_transport_t *this)
goto err;
}
-#if (OPENSSL_VERSION_NUMBER < 0x00905100L)
- SSL_CTX_set_verify_depth(ctx, cert_depth);
-#endif
+ SSL_CTX_set_verify_depth(priv->ssl_ctx, cert_depth);
if (crl_path) {
#ifdef X509_V_FLAG_CRL_CHECK_ALL
diff --git a/xlators/mgmt/glusterd/src/glusterd-handler.c b/xlators/mgmt/glusterd/src/glusterd-handler.c
index 2505fcff4de..26115a26b35 100644
--- a/xlators/mgmt/glusterd/src/glusterd-handler.c
+++ b/xlators/mgmt/glusterd/src/glusterd-handler.c
@@ -3475,6 +3475,9 @@ glusterd_friend_rpc_create (xlator_t *this, glusterd_peerinfo_t *peerinfo,
"failed to set ssl-enabled in dict");
goto out;
}
+
+ this->ctx->ssl_cert_depth = glusterfs_read_secure_access_file ();
+
}
ret = glusterd_rpc_create (&peerinfo->rpc, options,
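Review bot: glusterfs_read_secure_access_file () is called here on every friend RPC creation, so the secure-access file is re-opened and re-parsed per peer connection even though the result is stored in the process-wide this->ctx. Reading it once at the point where glusterd decides secure_mgmt, as the glusterfsd and cli hunks do, and dropping this per-peer call would avoid the repeated file I/O and the possibility of different peers seeing different depths if the file is edited in between. The enclosing conditional and glusterd_friend_rpc_create itself start outside the hunk, so I cannot tell whether glusterd already performs such a read at startup.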