summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--rpc/rpc-transport/socket/src/socket.c29
-rwxr-xr-xtests/bugs/bug-873367.t2
-rw-r--r--xlators/mgmt/glusterd/src/glusterd-volgen.c75
-rw-r--r--xlators/mgmt/glusterd/src/glusterd-volgen.h3
-rw-r--r--xlators/mgmt/glusterd/src/glusterd-volume-set.c12
5 files changed, 118 insertions, 3 deletions
diff --git a/rpc/rpc-transport/socket/src/socket.c b/rpc/rpc-transport/socket/src/socket.c
index 61c9f60ff7f..ccef2f605cc 100644
--- a/rpc/rpc-transport/socket/src/socket.c
+++ b/rpc/rpc-transport/socket/src/socket.c
@@ -3480,6 +3480,9 @@ socket_init (rpc_transport_t *this)
uint32_t keepalive = 0;
uint32_t backlog = 0;
int session_id = 0;
+ int32_t cert_depth = 1;
+ char *cipher_list = "HIGH:-SSLv2";
+ int ret;
if (this->private) {
gf_log_callingfn (this->name, GF_LOG_ERROR,
@@ -3672,14 +3675,22 @@ socket_init (rpc_transport_t *this)
"using %s polling thread",
priv->own_thread ? "private" : "system");
+ if (!dict_get_int32 (this->options, "ssl-cert-depth", &cert_depth)) {
+ gf_log (this->name, GF_LOG_INFO,
+ "using certificate depth %d", cert_depth);
+ }
+ if (!dict_get_str (this->options, "ssl-cipher-list", &cipher_list)) {
+ gf_log (this->name, GF_LOG_INFO,
+ "using cipher list %s", cipher_list);
+ }
+
if (priv->use_ssl) {
SSL_library_init();
SSL_load_error_strings();
priv->ssl_meth = (SSL_METHOD *)TLSv1_method();
priv->ssl_ctx = SSL_CTX_new(priv->ssl_meth);
- if (SSL_CTX_set_cipher_list(priv->ssl_ctx,
- "HIGH:-SSLv2") == 0) {
+ if (SSL_CTX_set_cipher_list(priv->ssl_ctx, cipher_list) == 0) {
gf_log(this->name,GF_LOG_ERROR,
"failed to find any valid ciphers");
goto err;
@@ -3708,7 +3719,7 @@ socket_init (rpc_transport_t *this)
}
#if (OPENSSL_VERSION_NUMBER < 0x00905100L)
- SSL_CTX_set_verify_depth(ctx,1);
+ SSL_CTX_set_verify_depth(ctx,cert_depth);
#endif
priv->ssl_session_id = ++session_id;
@@ -3865,5 +3876,17 @@ struct volume_options options[] = {
{ .key = {OWN_THREAD_OPT},
.type = GF_OPTION_TYPE_BOOL
},
+ { .key = {"ssl-cert-depth"},
+ .type = GF_OPTION_TYPE_INT,
+ .description = "Maximum certificate-chain depth. If zero, the "
+ "peer's certificate itself must be in the local "
+ "certificate list. Otherwise, there may be up to N "
+ "signing certificates between the peer's and the "
+ "local list. Ignored if SSL is not enabled."
+ },
+ { .key = {"ssl-cipher-list"},
+ .type = GF_OPTION_TYPE_STR,
+ .description = "Allowed SSL ciphers Ignored if SSL is not enabled."
+ },
{ .key = {NULL} }
};
diff --git a/tests/bugs/bug-873367.t b/tests/bugs/bug-873367.t
index 17be3572b2f..4849c2fea31 100755
--- a/tests/bugs/bug-873367.t
+++ b/tests/bugs/bug-873367.t
@@ -24,6 +24,8 @@ ln $SSL_CERT $SSL_CA
TEST $CLI volume create $V0 $H0:$B0/1
TEST $CLI volume set $V0 server.ssl on
TEST $CLI volume set $V0 client.ssl on
+TEST $CLI volume set $V0 ssl.certificate-depth 6
+TEST $CLI volume set $V0 ssl.cipher-list HIGH
TEST $CLI volume set $V0 auth.ssl-allow Anyone
TEST $CLI volume start $V0
diff --git a/xlators/mgmt/glusterd/src/glusterd-volgen.c b/xlators/mgmt/glusterd/src/glusterd-volgen.c
index 777e69535df..6ab899a16cf 100644
--- a/xlators/mgmt/glusterd/src/glusterd-volgen.c
+++ b/xlators/mgmt/glusterd/src/glusterd-volgen.c
@@ -1661,6 +1661,25 @@ server_graph_builder (volgen_graph_t *graph, glusterd_volinfo_t *volinfo,
if (NULL == ptranst)
return -1;
+ if (dict_get_str (set_dict, SSL_CERT_DEPTH_OPT, &value) == 0) {
+ ret = xlator_set_option (rbxl, "ssl-cert-depth", value);
+ if (ret) {
+ gf_log ("glusterd", GF_LOG_WARNING,
+ "failed to set ssl-cert-depth");
+ return -1;
+ }
+ }
+
+ if (dict_get_str (set_dict, SSL_CIPHER_LIST_OPT, &value) == 0) {
+ ret = xlator_set_option (rbxl, "ssl-cipher-list",
+ value);
+ if (ret) {
+ gf_log ("glusterd", GF_LOG_WARNING,
+ "failed to set ssl-cipher-list");
+ return -1;
+ }
+ }
+
if (username) {
ret = xlator_set_option (rbxl, "username", username);
if (ret)
@@ -1798,6 +1817,24 @@ server_graph_builder (volgen_graph_t *graph, glusterd_volinfo_t *volinfo,
return -1;
}
+ if (dict_get_str (set_dict, SSL_CERT_DEPTH_OPT, &value) == 0) {
+ ret = xlator_set_option (xl, "ssl-cert-depth", value);
+ if (ret) {
+ gf_log ("glusterd", GF_LOG_WARNING,
+ "failed to set ssl-cert-depth");
+ return -1;
+ }
+ }
+
+ if (dict_get_str (set_dict, SSL_CIPHER_LIST_OPT, &value) == 0) {
+ ret = xlator_set_option (xl, "ssl-cipher-list", value);
+ if (ret) {
+ gf_log ("glusterd", GF_LOG_WARNING,
+ "failed to set ssl-cipher-list");
+ return -1;
+ }
+ }
+
if (username) {
memset (key, 0, sizeof (key));
snprintf (key, sizeof (key), "auth.login.%s.allow", path);
@@ -2225,6 +2262,7 @@ volgen_graph_build_client (volgen_graph_t *graph, glusterd_volinfo_t *volinfo,
char *str = NULL;
char *ssl_str = NULL;
gf_boolean_t ssl_bool = _gf_false;
+ char *value = NULL;
GF_ASSERT (graph);
GF_ASSERT (subvol);
@@ -2289,6 +2327,24 @@ volgen_graph_build_client (volgen_graph_t *graph, glusterd_volinfo_t *volinfo,
}
}
+ if (dict_get_str (set_dict, SSL_CERT_DEPTH_OPT, &value) == 0) {
+ ret = xlator_set_option (xl, "ssl-cert-depth", value);
+ if (ret) {
+ gf_log ("glusterd", GF_LOG_WARNING,
+ "failed to set ssl-cert-depth");
+ goto err;
+ }
+ }
+
+ if (dict_get_str (set_dict, SSL_CIPHER_LIST_OPT, &value) == 0) {
+ ret = xlator_set_option (xl, "ssl-cipher-list", value);
+ if (ret) {
+ gf_log ("glusterd", GF_LOG_WARNING,
+ "failed to set ssl-cipher-list");
+ goto err;
+ }
+ }
+
return xl;
err:
return NULL;
@@ -4124,6 +4180,7 @@ glusterd_generate_snapd_volfile (volgen_graph_t *graph,
dict_t *set_dict = NULL;
char *loglevel = NULL;
char *xlator = NULL;
+ char *value = NULL;
set_dict = dict_copy (volinfo->dict, NULL);
if (!set_dict)
@@ -4167,6 +4224,24 @@ glusterd_generate_snapd_volfile (volgen_graph_t *graph,
if (ret)
return -1;
+ if (dict_get_str (set_dict, SSL_CERT_DEPTH_OPT, &value) == 0) {
+ ret = xlator_set_option (xl, "ssl-cert-depth", value);
+ if (ret) {
+ gf_log ("glusterd", GF_LOG_WARNING,
+ "failed to set ssl-cert-depth");
+ return -1;
+ }
+ }
+
+ if (dict_get_str (set_dict, SSL_CIPHER_LIST_OPT, &value) == 0) {
+ ret = xlator_set_option (xl, "ssl-cipher-list", value);
+ if (ret) {
+ gf_log ("glusterd", GF_LOG_WARNING,
+ "failed to set ssl-cipher-list");
+ return -1;
+ }
+ }
+
username = glusterd_auth_get_username (volinfo);
passwd = glusterd_auth_get_password (volinfo);
diff --git a/xlators/mgmt/glusterd/src/glusterd-volgen.h b/xlators/mgmt/glusterd/src/glusterd-volgen.h
index f4959f1e6c2..71b6a770fac 100644
--- a/xlators/mgmt/glusterd/src/glusterd-volgen.h
+++ b/xlators/mgmt/glusterd/src/glusterd-volgen.h
@@ -35,6 +35,9 @@
#define AUTH_REJECT_OPT_KEY "auth.addr.*.reject"
#define NFS_DISABLE_OPT_KEY "nfs.*.disable"
+#define SSL_CERT_DEPTH_OPT "ssl.certificate-depth"
+#define SSL_CIPHER_LIST_OPT "ssl.cipher-list"
+
typedef enum {
GF_CLIENT_TRUSTED,
diff --git a/xlators/mgmt/glusterd/src/glusterd-volume-set.c b/xlators/mgmt/glusterd/src/glusterd-volume-set.c
index 4a0a50dfe66..92ab3d1a3a3 100644
--- a/xlators/mgmt/glusterd/src/glusterd-volume-set.c
+++ b/xlators/mgmt/glusterd/src/glusterd-volume-set.c
@@ -970,6 +970,18 @@ struct volopt_map_entry glusterd_volopt_map[] = {
.op_version = GD_OP_VERSION_3_6_0,
},
+ /* Generic transport options */
+ { .key = SSL_CERT_DEPTH_OPT,
+ .voltype = "rpc-transport/socket",
+ .option = "!ssl-cert-depth",
+ .op_version = GD_OP_VERSION_3_6_0,
+ },
+ { .key = SSL_CIPHER_LIST_OPT,
+ .voltype = "rpc-transport/socket",
+ .option = "!ssl-cipher-list",
+ .op_version = GD_OP_VERSION_3_6_0,
+ },
+
/* Performance xlators enable/disbable options */
{ .key = "performance.write-behind",
.voltype = "performance/write-behind",