author | Jeff Darcy <jdarcy@redhat.com> | 2014-07-03 13:27:13 +0000 |
committer | Vijay Bellur <vbellur@redhat.com> | 2014-07-04 04:18:00 -0700 |
commit | 83c09b75a8fbc3a46fc0e76f805e061e949678f1 (patch) | |
tree | 75c91aef9f8af0aa2ea33e192ce6d029fb5c69e9 | |
parent | 9a50211cdb3d6decac140a31a035bd6e145f5f2f (diff) |
socket: add certificate-depth and cipher-list options for SSL
Change-Id: I82757f8461807301a4a4f28c4f5bf7f0ee315113
BUG: 1114604
Signed-off-by: Jeff Darcy <jdarcy@redhat.com>
Reviewed-on: http://review.gluster.org/8040
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Rajesh Joseph <rjoseph@redhat.com>
Reviewed-by: Vijay Bellur <vbellur@redhat.com>
-rw-r--r-- | rpc/rpc-transport/socket/src/socket.c | 29 | ||||
-rwxr-xr-x | tests/bugs/bug-873367.t | 2 | ||||
-rw-r--r-- | xlators/mgmt/glusterd/src/glusterd-volgen.c | 75 | ||||
-rw-r--r-- | xlators/mgmt/glusterd/src/glusterd-volgen.h | 3 | ||||
-rw-r--r-- | xlators/mgmt/glusterd/src/glusterd-volume-set.c | 12 |
5 files changed, 118 insertions, 3 deletions
diff --git a/rpc/rpc-transport/socket/src/socket.c b/rpc/rpc-transport/socket/src/socket.c
index 61c9f60ff7f..ccef2f605cc 100644
--- a/rpc/rpc-transport/socket/src/socket.c
+++ b/rpc/rpc-transport/socket/src/socket.c
@@ -3480,6 +3480,9 @@ socket_init (rpc_transport_t *this)
 uint32_t keepalive = 0;
 uint32_t backlog = 0;
 int session_id = 0;
+ int32_t cert_depth = 1;
+ char *cipher_list = "HIGH:-SSLv2";
+ int ret;
 if (this->private) {
 gf_log_callingfn (this->name, GF_LOG_ERROR,
@@ -3672,14 +3675,22 @@ socket_init (rpc_transport_t *this)
 "using %s polling thread",
 priv->own_thread ? "private" : "system");
+ if (!dict_get_int32 (this->options, "ssl-cert-depth", &cert_depth)) {
+ gf_log (this->name, GF_LOG_INFO,
+ "using certificate depth %d", cert_depth);
+ }
+ if (!dict_get_str (this->options, "ssl-cipher-list", &cipher_list)) {
+ gf_log (this->name, GF_LOG_INFO,
+ "using cipher list %s", cipher_list);
+ }
+
 if (priv->use_ssl) {
 SSL_library_init();
 SSL_load_error_strings();
 priv->ssl_meth = (SSL_METHOD *)TLSv1_method();
 priv->ssl_ctx = SSL_CTX_new(priv->ssl_meth);
- if (SSL_CTX_set_cipher_list(priv->ssl_ctx,
- "HIGH:-SSLv2") == 0) {
+ if (SSL_CTX_set_cipher_list(priv->ssl_ctx, cipher_list) == 0) {
 gf_log(this->name,GF_LOG_ERROR,
 "failed to find any valid ciphers");
 goto err;
@@ -3708,7 +3719,7 @@ socket_init (rpc_transport_t *this)
 }
 #if (OPENSSL_VERSION_NUMBER < 0x00905100L)
- SSL_CTX_set_verify_depth(ctx,1);
+ SSL_CTX_set_verify_depth(ctx,cert_depth);
 #endif
 priv->ssl_session_id = ++session_id;
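Review bot: `cert_depth` comes straight out of `dict_get_int32` and is logged at INFO with no range check, so a negative or absurd `ssl-cert-depth` is accepted here and handed on to OpenSSL as if it were sane; right after the lookup I would add `if (cert_depth < 0) { gf_log (this->name, GF_LOG_ERROR, "invalid ssl-cert-depth %d", cert_depth); goto err; }`, reusing the cleanup label the cipher-list failure below already jumps to. The cipher list likewise accepts any OpenSSL cipher string, including ones that leave `aNULL`/`eNULL` enabled, and the only feedback an admin gets is an INFO line echoing the value back; at minimum the log should make clear this is the effective list, and the option description should say what strings are valid. The new `int ret;` is not used anywhere in the visible hunks, so if nothing else in socket_init uses it this will warn under -Wunused-variable. socket_init begins before and continues after these hunks.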
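Review bot: The only place `cert_depth` is applied, `SSL_CTX_set_verify_depth(ctx,cert_depth);`, is wrapped in `#if (OPENSSL_VERSION_NUMBER < 0x00905100L)`, i.e. it is compiled only for OpenSSL older than 0.9.5a, so on any build in use today the new `ssl-cert-depth` option is parsed and logged and then silently has no effect, and chain verification runs at whatever depth OpenSSL defaults to. The call also passes `ctx`, which appears nowhere else in these hunks while the rest of the function uses `priv->ssl_ctx`; because the block never compiles on a modern OpenSSL, that mismatch is never caught. I would drop the `#if`/`#endif` and call `SSL_CTX_set_verify_depth (priv->ssl_ctx, cert_depth);` unconditionally, since the function has existed since 0.9.5a. The rest of socket_init lies outside the hunk.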
@@ -3865,5 +3876,17 @@ struct volume_options options[] = {
 { .key = {OWN_THREAD_OPT},
 .type = GF_OPTION_TYPE_BOOL
 },
+ { .key = {"ssl-cert-depth"},
+ .type = GF_OPTION_TYPE_INT,
+ .description = "Maximum certificate-chain depth. If zero, the "
+ "peer's certificate itself must be in the local "
+ "certificate list. Otherwise, there may be up to N "
+ "signing certificates between the peer's and the "
+ "local list. Ignored if SSL is not enabled."
+ },
+ { .key = {"ssl-cipher-list"},
+ .type = GF_OPTION_TYPE_STR,
+ .description = "Allowed SSL ciphers Ignored if SSL is not enabled."
+ },
 { .key = {NULL} }
 };
diff --git a/tests/bugs/bug-873367.t b/tests/bugs/bug-873367.t
index 17be3572b2f..4849c2fea31 100755
--- a/tests/bugs/bug-873367.t
+++ b/tests/bugs/bug-873367.t
@@ -24,6 +24,8 @@ ln $SSL_CERT $SSL_CA
 TEST $CLI volume create $V0 $H0:$B0/1
 TEST $CLI volume set $V0 server.ssl on
 TEST $CLI volume set $V0 client.ssl on
+TEST $CLI volume set $V0 ssl.certificate-depth 6
+TEST $CLI volume set $V0 ssl.cipher-list HIGH
 TEST $CLI volume set $V0 auth.ssl-allow Anyone
 TEST $CLI volume start $V0
diff --git a/xlators/mgmt/glusterd/src/glusterd-volgen.c b/xlators/mgmt/glusterd/src/glusterd-volgen.c
index 777e69535df..6ab899a16cf 100644
--- a/xlators/mgmt/glusterd/src/glusterd-volgen.c
+++ b/xlators/mgmt/glusterd/src/glusterd-volgen.c
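Review bot: `ssl-cert-depth` is declared `GF_OPTION_TYPE_INT` with no `.min`/`.max`, so the option framework will happily accept a negative depth and pass it down to the transport; `.min = 0,` plus a sane ceiling such as `.max = 64,` would reject it at volfile-load time, assuming the validator treats min/max the way the other INT options in the tree do. The `ssl-cipher-list` description has lost its sentence break and never says what the value is, which matters because an admin has no other hint whether an OpenSSL cipher string or a comma list is expected; I would write it as `"OpenSSL cipher-list string (see ciphers(1)) used for SSL connections. Ignored if SSL is not enabled."`. The `options[]` table starts before this hunk.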
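Review bot: The two added `volume set` lines only show that glusterd accepts the new keys; nothing later in the test checks that the values reached the socket layer, so the test would pass just as well if both options were dropped on the floor. A cheap negative check would set a list that matches no cipher, e.g. `TEST $CLI volume set $V0 ssl.cipher-list '!ALL'`, expect the subsequent start or mount to fail because socket_init cannot find any valid cipher, then restore `HIGH` before carrying on. The mount and I/O that would exercise the certificate depth are outside this hunk.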
@@ -1661,6 +1661,25 @@ server_graph_builder (volgen_graph_t *graph, glusterd_volinfo_t *volinfo,
 if (NULL == ptranst)
 return -1;
+ if (dict_get_str (set_dict, SSL_CERT_DEPTH_OPT, &value) == 0) {
+ ret = xlator_set_option (rbxl, "ssl-cert-depth", value);
+ if (ret) {
+ gf_log ("glusterd", GF_LOG_WARNING,
+ "failed to set ssl-cert-depth");
+ return -1;
+ }
+ }
+
+ if (dict_get_str (set_dict, SSL_CIPHER_LIST_OPT, &value) == 0) {
+ ret = xlator_set_option (rbxl, "ssl-cipher-list",
+ value);
+ if (ret) {
+ gf_log ("glusterd", GF_LOG_WARNING,
+ "failed to set ssl-cipher-list");
+ return -1;
+ }
+ }
+
 if (username) {
 ret = xlator_set_option (rbxl, "username", username);
 if (ret)
@@ -1798,6 +1817,24 @@ server_graph_builder (volgen_graph_t *graph, glusterd_volinfo_t *volinfo,
 return -1;
 }
+ if (dict_get_str (set_dict, SSL_CERT_DEPTH_OPT, &value) == 0) {
+ ret = xlator_set_option (xl, "ssl-cert-depth", value);
+ if (ret) {
+ gf_log ("glusterd", GF_LOG_WARNING,
+ "failed to set ssl-cert-depth");
+ return -1;
+ }
+ }
+
+ if (dict_get_str (set_dict, SSL_CIPHER_LIST_OPT, &value) == 0) {
+ ret = xlator_set_option (xl, "ssl-cipher-list", value);
+ if (ret) {
+ gf_log ("glusterd", GF_LOG_WARNING,
+ "failed to set ssl-cipher-list");
+ return -1;
+ }
+ }
+
 if (username) {
 memset (key, 0, sizeof (key));
 snprintf (key, sizeof (key), "auth.login.%s.allow", path);
@@ -2225,6 +2262,7 @@ volgen_graph_build_client (volgen_graph_t *graph, glusterd_volinfo_t *volinfo,
 char *str = NULL;
 char *ssl_str = NULL;
 gf_boolean_t ssl_bool = _gf_false;
+ char *value = NULL;
 GF_ASSERT (graph);
 GF_ASSERT (subvol);
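Review bot: The values are copied from `set_dict` into the brick volfile verbatim, and nothing in these hunks (nor, as far as the diff shows, in the `volume set` path) checks that `ssl.cipher-list` is something OpenSSL can parse, so one mistyped `volume set` is discovered only when every brick's socket_init fails with "failed to find any valid ciphers" — an easy self-inflicted outage for a hardening option. Validation belongs at set time, keeping these hunks as pure plumbing; within them, the failure is logged at `GF_LOG_WARNING` although the function then returns -1 and no volfile is produced, so `GF_LOG_ERROR` would describe what actually happens. The same eighteen lines also appear twice in server_graph_builder alone, once for `rbxl` and once for `xl`, which invites the two copies to drift. server_graph_builder begins and ends outside these hunks.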
@@ -2289,6 +2327,24 @@ volgen_graph_build_client (volgen_graph_t *graph, glusterd_volinfo_t *volinfo,
 }
 }
+ if (dict_get_str (set_dict, SSL_CERT_DEPTH_OPT, &value) == 0) {
+ ret = xlator_set_option (xl, "ssl-cert-depth", value);
+ if (ret) {
+ gf_log ("glusterd", GF_LOG_WARNING,
+ "failed to set ssl-cert-depth");
+ goto err;
+ }
+ }
+
+ if (dict_get_str (set_dict, SSL_CIPHER_LIST_OPT, &value) == 0) {
+ ret = xlator_set_option (xl, "ssl-cipher-list", value);
+ if (ret) {
+ gf_log ("glusterd", GF_LOG_WARNING,
+ "failed to set ssl-cipher-list");
+ goto err;
+ }
+ }
+
 return xl;
 err:
 return NULL;
@@ -4124,6 +4180,7 @@ glusterd_generate_snapd_volfile (volgen_graph_t *graph,
 dict_t *set_dict = NULL;
 char *loglevel = NULL;
 char *xlator = NULL;
+ char *value = NULL;
 set_dict = dict_copy (volinfo->dict, NULL);
 if (!set_dict)
@@ -4167,6 +4224,24 @@ glusterd_generate_snapd_volfile (volgen_graph_t *graph,
 if (ret)
 return -1;
+ if (dict_get_str (set_dict, SSL_CERT_DEPTH_OPT, &value) == 0) {
+ ret = xlator_set_option (xl, "ssl-cert-depth", value);
+ if (ret) {
+ gf_log ("glusterd", GF_LOG_WARNING,
+ "failed to set ssl-cert-depth");
+ return -1;
+ }
+ }
+
+ if (dict_get_str (set_dict, SSL_CIPHER_LIST_OPT, &value) == 0) {
+ ret = xlator_set_option (xl, "ssl-cipher-list", value);
+ if (ret) {
+ gf_log ("glusterd", GF_LOG_WARNING,
+ "failed to set ssl-cipher-list");
+ return -1;
+ }
+ }
+
 username = glusterd_auth_get_username (volinfo);
 passwd = glusterd_auth_get_password (volinfo);
diff --git a/xlators/mgmt/glusterd/src/glusterd-volgen.h b/xlators/mgmt/glusterd/src/glusterd-volgen.h
index f4959f1e6c2..71b6a770fac 100644
--- a/xlators/mgmt/glusterd/src/glusterd-volgen.h
+++ b/xlators/mgmt/glusterd/src/glusterd-volgen.h
@@ -35,6 +35,9 @@
 #define AUTH_REJECT_OPT_KEY "auth.addr.*.reject"
 #define NFS_DISABLE_OPT_KEY "nfs.*.disable"
+#define SSL_CERT_DEPTH_OPT "ssl.certificate-depth"
+#define SSL_CIPHER_LIST_OPT "ssl.cipher-list"
+
 typedef enum {
 GF_CLIENT_TRUSTED,
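Review bot: These are the third and fourth verbatim copies of the ssl-cert-depth/ssl-cipher-list block in this file, differing only in the failure path (`goto err` in volgen_graph_build_client, `return -1` in glusterd_generate_snapd_volfile), so the next SSL transport option has to be added in four places and the volfiles will silently disagree if one is missed. A small static helper that returns 0/-1 and leaves each caller's error convention untouched keeps the sites in sync; each call site then collapses to `if (volgen_set_ssl_opts (xl, set_dict)) goto err;` or `... return -1;`. Both enclosing functions begin outside the hunk.

```c
/* Copy the ssl.* transport options present in set_dict onto xl.
 * Returns 0 on success, -1 if xlator_set_option failed (already logged). */
static int
volgen_set_ssl_opts (xlator_t *xl, dict_t *set_dict)
{
        static struct {
                char *key;
                char *option;
        } ssl_opts[] = {
                { SSL_CERT_DEPTH_OPT,  "ssl-cert-depth"  },
                { SSL_CIPHER_LIST_OPT, "ssl-cipher-list" },
        };
        char *value = NULL;
        int   i     = 0;

        for (i = 0; i < sizeof (ssl_opts) / sizeof (ssl_opts[0]); i++) {
                if (dict_get_str (set_dict, ssl_opts[i].key, &value) != 0)
                        continue;
                if (xlator_set_option (xl, ssl_opts[i].option, value)) {
                        gf_log ("glusterd", GF_LOG_WARNING,
                                "failed to set %s", ssl_opts[i].option);
                        return -1;
                }
        }
        return 0;
}
/* … unchanged: callers replace the two inline blocks with one call … */
```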
diff --git a/xlators/mgmt/glusterd/src/glusterd-volume-set.c b/xlators/mgmt/glusterd/src/glusterd-volume-set.c
index 4a0a50dfe66..92ab3d1a3a3 100644
--- a/xlators/mgmt/glusterd/src/glusterd-volume-set.c
+++ b/xlators/mgmt/glusterd/src/glusterd-volume-set.c
@@ -970,6 +970,18 @@ struct volopt_map_entry glusterd_volopt_map[] = {
 .op_version = GD_OP_VERSION_3_6_0,
 },
+ /* Generic transport options */
+ { .key = SSL_CERT_DEPTH_OPT,
+ .voltype = "rpc-transport/socket",
+ .option = "!ssl-cert-depth",
+ .op_version = GD_OP_VERSION_3_6_0,
+ },
+ { .key = SSL_CIPHER_LIST_OPT,
+ .voltype = "rpc-transport/socket",
+ .option = "!ssl-cipher-list",
+ .op_version = GD_OP_VERSION_3_6_0,
+ },
+
 /* Performance xlators enable/disbable options */
 { .key = "performance.write-behind",
 .voltype = "performance/write-behind", |
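Review bot: Neither map entry validates its value, so `volume set $V0 ssl.certificate-depth -5` or a mistyped cipher string succeeds at the CLI and is rejected only later, one process at a time, when the socket transport initialises; and since `.option` is `!`-prefixed I would not count on the socket xlator's own option table being consulted at set time either. Other entries in this file carry a per-entry `.validate_fn` (taking volinfo, dict, key, value and op_errstr, if I read them right); a validator that rejects a depth that is not a non-negative integer, and at least an empty cipher list, fails the `volume set` with a useful message instead. Proposed depth validator and the amended entry below; the cipher-list entry would get an analogous function. The map array begins before this hunk.

```c
/* Reject an ssl.certificate-depth that is not a non-negative integer. */
static int
validate_ssl_cert_depth (glusterd_volinfo_t *volinfo, dict_t *dict, char *key,
                         char *value, char **op_errstr)
{
        char *end   = NULL;
        long  depth = 0;

        errno = 0;
        depth = strtol (value, &end, 10);
        if (end == value || *end != '\0' || errno == ERANGE || depth < 0) {
                gf_asprintf (op_errstr, "%s must be a non-negative integer, "
                             "got '%s'", key, value);
                return -1;
        }
        return 0;
}
/* … unchanged: surrounding glusterd_volopt_map entries … */
        { .key         = SSL_CERT_DEPTH_OPT,
          .voltype     = "rpc-transport/socket",
          .option      = "!ssl-cert-depth",
          .op_version  = GD_OP_VERSION_3_6_0,
          .validate_fn = validate_ssl_cert_depth,
        },
```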