Bug 1157661

+++ This bug was initially created as a clone of Bug #1155328 +++
+++                                                           +++
+++ Use this bug to get the fix included in release-3.5.      +++

This is related to the so-called POODLE attack.

    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566

To summarize, POODLE involves a downgrade from TLS to SSLv3, combined with CBC cipher modes.  Users can avoid the downgrade by using an SSL library that supports TLS_FALLBACK_SCSV, as recent versions of OpenSSL do.  For users unable to pursue that strategy, disabling CBC cipher modes is a potential workaround.

   gluster volume set SOMEVOLUME ssl.cipherlist $something

Unfortunately, calculating $something is not trivial.  The "openssl ciphers" command does not have a built-in "CBC" group to exclude, nor does it support wildcards.  Therefore, it is necessary to create a list of cipher modes that meet other criteria (e.g. "HIGH:!SSLv2") and manually delete "CBC" entries to create a new list.

For users unwilling to calculate their own cipher lists, the default cipher list in the GlusterFS TLS code should be changed to exclude CBC modes in addition to other (current) restrictions ensuring optimal security.  In the very rare case that this might cause a communication failure due to lack of compatible cipher modes between servers and clients (which would require a very unlikely combination of GlusterFS and OpenSSL versions), we should also document how to calculate and apply their own cipher list without making themselves vulnerable to POODLE.

--- Additional comment from Anand Avati on 2014-10-22 00:17:59 CEST ---

REVIEW: http://review.gluster.org/8962 (socket: disallow CBC cipher modes) posted (#1) for review on master by Jeff Darcy (jdarcy)

--- Additional comment from Anand Avati on 2014-10-27 12:40:59 CET ---

COMMIT: http://review.gluster.org/8962 committed in master by Vijay Bellur (vbellur) 
------
commit 378a0a19d95e552220d71b13be685f4772c576cd
Author: Jeff Darcy <jdarcy>
Date:   Tue Oct 21 16:54:48 2014 -0400

    socket: disallow CBC cipher modes
    
    This is related to CVE-2014-3566 a.k.a. POODLE.
    
    	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566
    
    POODLE is specific to CBC cipher modes in SSLv3.  Because there is no
    way to prevent SSLv3 fallback on a system with an unpatched version of
    OpenSSL, users of such systems can only be protected by disallowing CBC
    modes.  The default cipher-mode specification in our code has been
    changed accordingly.  Users can still set their own cipher modes if they
    wish.  To support them, the ssl-authz.t test script provides an example
    of how to combine the CBC exclusion with other criteria in a script.
    
    Change-Id: Ib1fa547082fbb7de9df94ffd182b1800d6e354e5
    BUG: 1155328
    Signed-off-by: Jeff Darcy <jdarcy>
    Reviewed-on: http://review.gluster.org/8962
    Tested-by: Gluster Build System <jenkins.com>
    Reviewed-by: Kaleb KEITHLEY <kkeithle>
    Reviewed-by: Vijay Bellur <vbellur>