diff options
| author | Emmanuel Dreyfus <manu@netbsd.org> | 2015-07-30 13:54:51 +0200 |
|---|---|---|
| committer | Kaleb KEITHLEY <kkeithle@redhat.com> | 2015-08-05 04:51:43 -0700 |
| commit | 28fc199d5dc92a69eb2b899bbea23548dc14a39b (patch) | |
| tree | e56099991bcf6579651cc7b021b26e52ce1ebd26 /xlators/mgmt/glusterd/src/glusterd-volume-set.c | |
| parent | a0919d638a889f03a5bd804cf4c3a63084680fce (diff) | |
SSL improvements: ECDH, DH, CRL, and accessible options
- Introduce ssl.dh-param option to specify a file containinf DH parameters.
If it is provided, EDH ciphers are available.
- Introduce ssl.ec-curve option to specify an elliptic curve name. If
unspecified, ECDH ciphers are available using the prime256v1 curve.
- Introduce ssl.crl-path option to specify the directory where the
CRL hash file can be found. Setting to NULL disable CRL checking,
just like the default.
- Make all ssl.* options accessible through gluster volume set.
- In default cipher list, exclude weak ciphers instead of listing
the strong ones.
- Enforce server cipher preference.
- introduce RPC_SET_OPT macro to factor repetitive code in glusterd-volgen.c
- Add ssl-ciphers.t test to check all the features touched by this change.
Change-Id: I7bfd433df6bbf176f4a58e770e06bcdbe22a101a
BUG: 1247152
Signed-off-by: Emmanuel Dreyfus <manu@netbsd.org>
Reviewed-on: http://review.gluster.org/11735
Tested-by: NetBSD Build System <jenkins@build.gluster.org>
Reviewed-by: Kaushal M <kaushal@redhat.com>
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Jeff Darcy <jdarcy@redhat.com>
Diffstat (limited to 'xlators/mgmt/glusterd/src/glusterd-volume-set.c')
| -rw-r--r-- | xlators/mgmt/glusterd/src/glusterd-volume-set.c | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/xlators/mgmt/glusterd/src/glusterd-volume-set.c b/xlators/mgmt/glusterd/src/glusterd-volume-set.c index f1413dbf525..eb079d072b6 100644 --- a/xlators/mgmt/glusterd/src/glusterd-volume-set.c +++ b/xlators/mgmt/glusterd/src/glusterd-volume-set.c @@ -1077,6 +1077,26 @@ struct volopt_map_entry glusterd_volopt_map[] = { }, /* Generic transport options */ + { .key = SSL_OWN_CERT_OPT, + .voltype = "rpc-transport/socket", + .option = "!ssl-own-cert", + .op_version = GD_OP_VERSION_3_7_4, + }, + { .key = SSL_PRIVATE_KEY_OPT, + .voltype = "rpc-transport/socket", + .option = "!ssl-private-key", + .op_version = GD_OP_VERSION_3_7_4, + }, + { .key = SSL_CA_LIST_OPT, + .voltype = "rpc-transport/socket", + .option = "!ssl-ca-list", + .op_version = GD_OP_VERSION_3_7_4, + }, + { .key = SSL_CRL_PATH_OPT, + .voltype = "rpc-transport/socket", + .option = "!ssl-crl-path", + .op_version = GD_OP_VERSION_3_7_4, + }, { .key = SSL_CERT_DEPTH_OPT, .voltype = "rpc-transport/socket", .option = "!ssl-cert-depth", @@ -1087,6 +1107,16 @@ struct volopt_map_entry glusterd_volopt_map[] = { .option = "!ssl-cipher-list", .op_version = GD_OP_VERSION_3_6_0, }, + { .key = SSL_DH_PARAM_OPT, + .voltype = "rpc-transport/socket", + .option = "!ssl-dh-param", + .op_version = GD_OP_VERSION_3_7_4, + }, + { .key = SSL_EC_CURVE_OPT, + .voltype = "rpc-transport/socket", + .option = "!ssl-ec-curve", + .op_version = GD_OP_VERSION_3_7_4, + }, /* Performance xlators enable/disbable options */ { .key = "performance.write-behind", |