summaryrefslogtreecommitdiffstats
path: root/rpc
diff options
context:
space:
mode:
Diffstat (limited to 'rpc')
-rw-r--r--rpc/rpc-transport/socket/src/socket.c72
-rw-r--r--rpc/rpc-transport/socket/src/socket.h4
2 files changed, 56 insertions, 20 deletions
diff --git a/rpc/rpc-transport/socket/src/socket.c b/rpc/rpc-transport/socket/src/socket.c
index ccef2f605cc..e969a5cf7fd 100644
--- a/rpc/rpc-transport/socket/src/socket.c
+++ b/rpc/rpc-transport/socket/src/socket.c
@@ -318,6 +318,7 @@ ssl_teardown_connection (socket_private_t *priv)
SSL_clear(priv->ssl_ssl);
SSL_free(priv->ssl_ssl);
priv->ssl_ssl = NULL;
+ priv->use_ssl = _gf_false;
}
@@ -2563,12 +2564,29 @@ socket_server_event_handler (int fd, int idx, void *data,
new_trans->listener = this;
new_priv = new_trans->private;
- new_priv->use_ssl = priv->use_ssl;
+ if (new_sockaddr.ss_family == AF_UNIX) {
+ new_priv->use_ssl = _gf_false;
+ }
+ else {
+ switch (priv->srvr_ssl) {
+ case MGMT_SSL_ALWAYS:
+ /* Glusterd with secure_mgmt. */
+ new_priv->use_ssl = _gf_true;
+ break;
+ case MGMT_SSL_COPY_IO:
+ /* Glusterfsd. */
+ new_priv->use_ssl = priv->ssl_enabled;
+ break;
+ default:
+ new_priv->use_ssl = _gf_false;
+ }
+ }
+
new_priv->sock = new_sock;
new_priv->own_thread = priv->own_thread;
new_priv->ssl_ctx = priv->ssl_ctx;
- if (priv->use_ssl && !priv->own_thread) {
+ if (new_priv->use_ssl && !new_priv->own_thread) {
cname = ssl_setup_connection(new_trans,1);
if (!cname) {
gf_log(this->name,GF_LOG_ERROR,
@@ -2692,6 +2710,23 @@ socket_connect_error_cbk (void *opaque)
return NULL;
}
+static void
+socket_fix_ssl_opts (rpc_transport_t *this, socket_private_t *priv,
+ uint16_t port)
+{
+ if (port == GF_DEFAULT_SOCKET_LISTEN_PORT) {
+ gf_log (this->name, GF_LOG_DEBUG,
+ "%s SSL for portmapper connection",
+ priv->mgmt_ssl ? "enabling" : "disabling");
+ priv->use_ssl = priv->mgmt_ssl;
+ }
+ else if (priv->ssl_enabled && !priv->use_ssl) {
+ gf_log(this->name,GF_LOG_DEBUG,
+ "re-enabling SSL for I/O connection");
+ priv->use_ssl = _gf_true;
+ }
+}
+
static int
socket_connect (rpc_transport_t *this, int port)
{
@@ -2744,23 +2779,16 @@ socket_connect (rpc_transport_t *this, int port)
goto unlock;
}
- if (port > 0) {
- sock_union.sin.sin_port = htons (port);
- }
- if (ntohs(sock_union.sin.sin_port) ==
- GF_DEFAULT_SOCKET_LISTEN_PORT) {
- if (priv->use_ssl) {
- gf_log(this->name,GF_LOG_DEBUG,
- "disabling SSL for portmapper connection");
- priv->use_ssl = _gf_false;
- }
+ if (sa_family == AF_UNIX) {
+ priv->ssl_enabled = _gf_false;
+ priv->mgmt_ssl = _gf_false;
}
else {
- if (priv->ssl_enabled && !priv->use_ssl) {
- gf_log(this->name,GF_LOG_DEBUG,
- "re-enabling SSL for I/O connection");
- priv->use_ssl = _gf_true;
+ if (port > 0) {
+ sock_union.sin.sin_port = htons (port);
}
+ socket_fix_ssl_opts (this, priv,
+ ntohs(sock_union.sin.sin_port));
}
memcpy (&this->peerinfo.sockaddr, &sock_union.storage,
@@ -3621,6 +3649,8 @@ socket_init (rpc_transport_t *this)
"invalid value given for ssl-enabled boolean");
}
}
+ priv->mgmt_ssl = this->ctx->secure_mgmt;
+ priv->srvr_ssl = this->ctx->secure_srvr;
priv->ssl_own_cert = DEFAULT_CERT_PATH;
if (dict_get_str(this->options,SSL_OWN_CERT_OPT,&optstr) == 0) {
@@ -3656,8 +3686,11 @@ socket_init (rpc_transport_t *this)
priv->ssl_ca_list = gf_strdup(priv->ssl_ca_list);
gf_log(this->name, priv->ssl_enabled ? GF_LOG_INFO: GF_LOG_DEBUG,
- "SSL support is %s",
+ "SSL support on the I/O path is %s",
priv->ssl_enabled ? "ENABLED" : "NOT enabled");
+ gf_log(this->name, priv->mgmt_ssl ? GF_LOG_INFO: GF_LOG_DEBUG,
+ "SSL support for glusterd is %s",
+ priv->mgmt_ssl ? "ENABLED" : "NOT enabled");
/*
* This might get overridden temporarily in socket_connect (q.v.)
* if we're using the glusterd portmapper.
@@ -3666,8 +3699,9 @@ socket_init (rpc_transport_t *this)
priv->own_thread = priv->use_ssl;
if (dict_get_str(this->options,OWN_THREAD_OPT,&optstr) == 0) {
+ gf_log (this->name, GF_LOG_INFO, "OWN_THREAD_OPT found");
if (gf_string2boolean (optstr, &priv->own_thread) != 0) {
- gf_log (this->name, GF_LOG_ERROR,
+ gf_log (this->name, GF_LOG_WARNING,
"invalid value given for own-thread boolean");
}
}
@@ -3684,7 +3718,7 @@ socket_init (rpc_transport_t *this)
"using cipher list %s", cipher_list);
}
- if (priv->use_ssl) {
+ if (priv->ssl_enabled || priv->mgmt_ssl) {
SSL_library_init();
SSL_load_error_strings();
priv->ssl_meth = (SSL_METHOD *)TLSv1_method();
diff --git a/rpc/rpc-transport/socket/src/socket.h b/rpc/rpc-transport/socket/src/socket.h
index e0b412fcce1..33c936938eb 100644
--- a/rpc/rpc-transport/socket/src/socket.h
+++ b/rpc/rpc-transport/socket/src/socket.h
@@ -217,7 +217,9 @@ typedef struct {
int keepaliveintvl;
uint32_t backlog;
gf_boolean_t read_fail_log;
- gf_boolean_t ssl_enabled;
+ gf_boolean_t ssl_enabled; /* outbound I/O */
+ gf_boolean_t mgmt_ssl; /* outbound mgmt */
+ mgmt_ssl_t srvr_ssl;
gf_boolean_t use_ssl;
SSL_METHOD *ssl_meth;
SSL_CTX *ssl_ctx;