From e121b7462a6f1a732b3c081f9b8b1e3552ecbbdd Mon Sep 17 00:00:00 2001
From: Emmanuel Dreyfus
Date: Wed, 5 Aug 2015 17:22:22 +0200
Subject: SSL improvements: do not fail if certificate purpose is set
Since glusterfs shares the same settings for client-side and server-side of SSL, we need to ignore any certificate usage specification (SSL client vs SSL server), otherwise SSL connexions will fail with 'unsupported cerritifcate" Backport of I7ef60271718d2d894176515aa530ff106127bceb
BUG: 1247153
Change-Id: I04e2f50dafd84d6eee15010f045016c91a0e1aac
Signed-off-by: Emmanuel Dreyfus
Reviewed-on: http://review.gluster.org/11842
Tested-by: Gluster Build System
Tested-by: NetBSD Build System
Reviewed-by: Kaleb KEITHLEY
Reviewed-by: Jeff Darcy
---
 rpc/rpc-transport/socket/src/socket.c | 8 ++++++++
 rpc/rpc-transport/socket/src/socket.h | 1 +
 2 files changed, 9 insertions(+)
 (limited to 'rpc')
diff --git a/rpc/rpc-transport/socket/src/socket.c b/rpc/rpc-transport/socket/src/socket.c
index 2860d397d59..bcc73016382 100644
--- a/rpc/rpc-transport/socket/src/socket.c
+++ b/rpc/rpc-transport/socket/src/socket.c
@@ -4115,6 +4115,14 @@ socket_init (rpc_transport_t *this)
 sizeof(priv->ssl_session_id));
 SSL_CTX_set_verify(priv->ssl_ctx,SSL_VERIFY_PEER,0);
+
+ /*
+ * Since glusterfs shares the same settings for client-side
+ * and server-side of SSL, we need to ignore any certificate
+ * usage specification (SSL client vs SSL server), otherwise
+ * SSL connexions will fail with 'unsupported cerritifcate"
+ */
+ SSL_CTX_set_purpose(priv->ssl_ctx, X509_PURPOSE_ANY);
 }
 if (priv->own_thread) {
diff --git a/rpc/rpc-transport/socket/src/socket.h b/rpc/rpc-transport/socket/src/socket.h
index 57676ac2cc7..238c1457e4d 100644
--- a/rpc/rpc-transport/socket/src/socket.h
+++ b/rpc/rpc-transport/socket/src/socket.h
@@ -13,6 +13,7 @@
 #include
 #include
+#include
 #ifdef ERR_R_DH_LIB
 #include
 #endif
-- cgit
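Review bot: The added `SSL_CTX_set_purpose(priv->ssl_ctx, X509_PURPOSE_ANY);` in the socket.c hunk turns off purpose checking for every peer certificate on this context, and the new comment explains only why, not what is given up. With `X509_PURPOSE_ANY`, any certificate that chains to the configured CA is accepted as a TLS peer, including one issued for an unrelated use, so the comment should say so, for example `/* NOTE: this accepts any cert signed by the trusted CA regardless of its key usage; use a CA dedicated to glusterfs. */`. The call's return value is also ignored. It returns 0 on failure, which would silently leave the default purpose check in place, so an `if (!SSL_CTX_set_purpose(...))` that logs and takes socket_init's existing error path would be safer. socket_init's body starts and ends outside the hunk, so the exact error path is not visible here.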