author: Milind Changire <mchangir@redhat.com> 2019-03-14 10:55:52 +0530
committer: MOHIT AGRAWAL <moagrawa@redhat.com> 2020-07-10 04:36:02 +0000
commit: 36d972d537d4eec4af8a22eca8eab5b12a2a8e65
tree: 23585cc94d4826d62066113c369418523adffcb2 /tests
parent: 64ba4fde9fca5cfc059395a444b55f57940ab06b
socket/ssl: fix crl handling
Problem:
Just setting the path to the CRL directory in socket_init() wasn't working.

Solution:
Need to use special API to retrieve and set X509_VERIFY_PARAM and set the CRL checking flags explicitly.

Also, setting the CRL checking flags is a big pain, since the connection is declared as failed if any CRL isn't found in the designated file or directory. A comment has been added to the code appropriately.

> Change-Id: I8a8ed2ddaf4b5eb974387d2f7b1a85c1ca39fe79
> fixes: bz#1687326
> Signed-off-by: Milind Changire <mchangir@redhat.com>
> (Cherry pick from commit 06fa261207f0f0625c52fa977b96e5875e9a91e0)
> (Reviewed on upstream link https://review.gluster.org/#/c/glusterfs/+/22334)

Change-Id: I8a8ed2ddaf4b5eb974387d2f7b1a85c1ca39fe79
Fixes: #1362
Signed-off-by: Mohit Agrawal <moagrawa@redhat.com>
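The two points the commit message makes (registering the CRL directory alone does not enable revocation checking; once the X509_VERIFY_PARAM CRL flags are on, a missing CRL fails the handshake, so they must stay off when no CRL path is configured), shown as an added Python example that is not part of this commit or of glusterfs. Python's `SSLContext.verify_flags` sets the same X509_VERIFY_PARAM flags OpenSSL exposes in C; the `NULL` sentinel is borrowed from the `ssl.crl-path NULL` step in the test below, and the helper names are my own.

```python
import ssl
import tempfile

# Sentinel the test script uses to mean "CRL checking disabled".
CRL_DISABLED = "NULL"

# Python's names for OpenSSL's X509_V_FLAG_CRL_CHECK (leaf only) and
# X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL (whole chain).
CRL_FLAGS = ssl.VERIFY_CRL_CHECK_LEAF | ssl.VERIFY_CRL_CHECK_CHAIN


def build_context(crl_path, check_whole_chain=False):
    """Client context with CRL checking wired the way the fix describes.

    crl_path: directory of hashed CRL files (<hash>.r0), or CRL_DISABLED/None.
    Registering the directory via load_verify_locations() is not enough:
    the verify flags have to be set explicitly. Once they are set, OpenSSL
    rejects any peer whose issuer has no CRL in that directory
    (X509_V_ERR_UNABLE_TO_GET_CRL), which is why the flags must remain off
    whenever no CRL directory is configured.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    if crl_path in (None, CRL_DISABLED):
        return ctx  # default verify_flags: no revocation checking
    # This only tells OpenSSL where to look for CRLs; it does not turn
    # checking on (the bug the commit fixes in socket_init()).
    ctx.load_verify_locations(capath=crl_path)
    ctx.verify_flags |= (ssl.VERIFY_CRL_CHECK_CHAIN if check_whole_chain
                         else ssl.VERIFY_CRL_CHECK_LEAF)
    return ctx


def crl_checking_enabled(ctx):
    """True when the context's verify parameters carry any CRL flag."""
    return bool(ctx.verify_flags & CRL_FLAGS)


def demo():
    """Constructed walk-through: disabled, leaf-only, and full-chain."""
    crl_dir = tempfile.mkdtemp()  # empty: no CRL present, like the test
    return (crl_checking_enabled(build_context(CRL_DISABLED)),
            crl_checking_enabled(build_context(crl_dir)),
            bool(build_context(crl_dir, True).verify_flags
                 & ssl.VERIFY_CRL_CHECK_CHAIN))
```

With the empty directory in `demo()`, a real handshake through the second or third context would fail with "unable to get certificate CRL", which is the failure the test below expects once the CRL path is set but no CRL exists.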
Diffstat (limited to 'tests')
-rw-r--r-- tests/features/ssl-ciphers.t | 13
1 files changed, 11 insertions, 2 deletions
diff --git a/tests/features/ssl-ciphers.t b/tests/features/ssl-ciphers.t
index 563d37c5277..7e1e1996ac6 100644
--- a/tests/features/ssl-ciphers.t
+++ b/tests/features/ssl-ciphers.t
@@ -175,8 +175,6 @@ BRICK_PORT=`brick_port $V0`
EXPECT "Y" openssl_connect -cipher EECDH -connect $H0:$BRICK_PORT
# test revocation
-# no need to restart the volume since the options are used
-# by the client here.
TEST $CLI volume set $V0 ssl.crl-path $TMPDIR
EXPECT $TMPDIR volume_option $V0 ssl.crl-path
$GFS --volfile-id=$V0 --volfile-server=$H0 $M0
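Review bot: dropping the two comment lines leaves this hunk setting `ssl.crl-path` with neither a restart nor an explanation of why none follows; the `volume stop`/`volume start` that now makes the option take effect on the server only appears in the next hunk, after the CRL has been generated. Suggest replacing the removed lines with a one-line pointer, e.g. `# the volume is restarted below, once the CRL has been generated`, so the ordering remains readable on its own.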
@@ -189,14 +187,25 @@ TEST openssl ca -batch -config $SSL_CFG -revoke $SSL_CERT 2>&1
TEST openssl ca -config $SSL_CFG -gencrl -out $SSL_CRL 2>&1
# Failed once revoked
+# Although client fails to mount without restarting the server after crl-path
+# is set when no actual crl file is found on the client, it would also fail
+# when server is restarted for the same reason. Since the socket initialization
+# code is the same for client and server, the crl verification flags need to
+# be turned off for the client to avoid SSL searching for CRLs in the
+# ssl.crl-path. If no CRL files are found in the ssl.crl-path, SSL fails the
+# connect() attempt on the client.
+TEST $CLI volume stop $V0
+TEST $CLI volume start $V0
$GFS --volfile-id=$V0 --volfile-server=$H0 $M0
EXPECT "N" wait_mount $M0
TEST ! test -f $TEST_FILE
EXPECT_WITHIN $UMOUNT_TIMEOUT "Y" force_umount $M0
# Succeed with CRL disabled
+TEST $CLI volume stop $V0
TEST $CLI volume set $V0 ssl.crl-path NULL
EXPECT NULL volume_option $V0 ssl.crl-path
+TEST $CLI volume start $V0
$GFS --volfile-id=$V0 --volfile-server=$H0 $M0
EXPECT "Y" wait_mount $M0
TEST test -f $TEST_FILE
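Review bot: `EXPECT "N" wait_mount $M0` now runs immediately after `TEST $CLI volume start $V0`; if the brick is not yet listening when the client connects, the mount fails for a reason unrelated to revocation and the negative check passes without exercising the CRL path. Wait for the brick to be online after each restart (the same applies to the `volume start` before the "Succeed with CRL disabled" mount) so that the revoked certificate is the only thing that can produce the "N". The new comment would also read better shortened to its conclusion: with shared socket initialisation, the client must not have CRL flags set, otherwise a missing CRL in `ssl.crl-path` fails connect(); the rest of the explanation belongs with the socket code rather than with a test that cannot verify it.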