Bug 1247153

Summary:	SSL improvements: ECDH, DH, CRL, and accessible options
Product:	[Community] GlusterFS	Reporter:	manu <manu>
Component:	transport	Assignee:	manu <manu>
Status:	CLOSED CURRENTRELEASE	QA Contact:
Severity:	medium	Docs Contact:
Priority:	high
Version:	3.7.3	CC:	bugs, gluster-bugs, rkavunga, ueberall
Target Milestone:	---	Keywords:	Triaged
Target Release:	---
Hardware:	All
OS:	All
Whiteboard:
Fixed In Version:	glusterfs-3.7.4	Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:	1247152	Environment:
Last Closed:	2015-09-09 09:38:39 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description manu@netbsd.org 2015-07-27 13:13:22 UTC

+++ This bug was initially created as a clone of Bug #1247152 +++

rpc-transport/socket SSL lacks many features
- ECDH support, with admin-configurable curve
- DH support, with admin-supplied DH parameters
- CRL support
- location for private key, certificate and CA are not configurable
- The default cipher list is too explicit and should just exclude weak ciphers

Comment 1 Anand Avati 2015-07-27 13:28:08 UTC

REVIEW: http://review.gluster.org/11763 (SSL improvements: ECDH, DH, CRL, and accessible options) posted (#3) for review on release-3.7 by Emmanuel Dreyfus (manu)

Comment 2 Anand Avati 2015-07-29 08:17:45 UTC

REVIEW: http://review.gluster.org/11763 (SSL improvements: ECDH, DH, CRL, and accessible options) posted (#4) for review on release-3.7 by Emmanuel Dreyfus (manu)

Comment 3 Anand Avati 2015-07-30 12:03:16 UTC

REVIEW: http://review.gluster.org/11763 (SSL improvements: ECDH, DH, CRL, and accessible options) posted (#5) for review on release-3.7 by Emmanuel Dreyfus (manu)

Comment 4 Anand Avati 2015-07-30 18:34:27 UTC

REVIEW: http://review.gluster.org/11763 (SSL improvements: ECDH, DH, CRL, and accessible options) posted (#6) for review on release-3.7 by Emmanuel Dreyfus (manu)

Comment 5 Anand Avati 2015-08-05 11:52:28 UTC

COMMIT: http://review.gluster.org/11763 committed in release-3.7 by Kaleb KEITHLEY (kkeithle) 
------
commit ca5b466dcabc8432f68f2cf7a24fae770ad1c0cf
Author: Emmanuel Dreyfus <manu>
Date:   Thu Jul 30 14:02:43 2015 +0200

    SSL improvements: ECDH, DH, CRL, and accessible options
    
    - Introduce ssl.dh-param option to specify a file containinf DH parameters.
      If it is provided, EDH ciphers are available.
    
    - Introduce ssl.ec-curve option to specify an elliptic curve name. If
      unspecified, ECDH ciphers are available using the prime256v1 curve.
    
    - Introduce ssl.crl-path option to specify the directory where the
      CRL hash file can be found. Setting to NULL disable CRL checking,
      just like the default.
    
    - Make all ssl.* options accessible through gluster volume set.
    
    - In default cipher list, exclude weak ciphers instead of listing
      the strong ones.
    
    - Enforce server cipher preference.
    
    - introduce RPC_SET_OPT macro to factor repetitive code in glusterd-volgen.c
    
    - Add ssl-ciphers.t test to check all the features touched by this change.
    
    Backport of I7bfd433df6bbf176f4a58e770e06bcdbe22a101a
    
    Change-Id: I2947eabe76ae0487ecad52a60befb7de473fc90c
    BUG: 1247153
    Signed-off-by: Emmanuel Dreyfus <manu>@
    Reviewed-on: http://review.gluster.org/11763
    Tested-by: NetBSD Build System <jenkins.org>
    Reviewed-by: Jeff Darcy <jdarcy>

Comment 6 Anand Avati 2015-08-05 15:23:51 UTC

REVIEW: http://review.gluster.org/11842 (SSL improvements: do not fail if certificate purpose is set) posted (#1) for review on release-3.7 by Emmanuel Dreyfus (manu)

Comment 7 Anand Avati 2015-08-24 06:20:17 UTC

COMMIT: http://review.gluster.org/11842 committed in release-3.7 by Kaleb KEITHLEY (kkeithle) 
------
commit e121b7462a6f1a732b3c081f9b8b1e3552ecbbdd
Author: Emmanuel Dreyfus <manu>
Date:   Wed Aug 5 17:22:22 2015 +0200

    SSL improvements: do not fail if certificate purpose is set
    
    Since glusterfs shares the same settings for client-side
    and server-side of SSL, we need to ignore any certificate
    usage specification (SSL client vs SSL server), otherwise
    SSL connexions will fail with 'unsupported cerritifcate"
    
    Backport of I7ef60271718d2d894176515aa530ff106127bceb
    
    BUG: 1247153
    Change-Id: I04e2f50dafd84d6eee15010f045016c91a0e1aac
    Signed-off-by: Emmanuel Dreyfus <manu>
    Reviewed-on: http://review.gluster.org/11842
    Tested-by: Gluster Build System <jenkins.com>
    Tested-by: NetBSD Build System <jenkins.org>
    Reviewed-by: Kaleb KEITHLEY <kkeithle>
    Reviewed-by: Jeff Darcy <jdarcy>

Comment 8 Kaushal 2015-09-09 09:38:39 UTC

This bug is getting closed because a release has been made available that should address the reported issue. In case the problem is still not fixed with glusterfs-3.7.4, please open a new bug report.

glusterfs-3.7.4 has been announced on the Gluster mailinglists [1], packages for several distributions should become available in the near future. Keep an eye on the Gluster Users mailinglist [2] and the update infrastructure for your distribution.

[1] http://thread.gmane.org/gmane.comp.file-systems.gluster.devel/12496
[2] http://thread.gmane.org/gmane.comp.file-systems.gluster.user