Bug 1285014
| Summary: | RHEL5 version of openssl included with glusterfs-3.7.1-16.el5.x86_64 is incompatible with newer versions | ||
|---|---|---|---|
| Product: | [Red Hat Storage] Red Hat Gluster Storage | Reporter: | Harold Miller <hamiller> |
| Component: | distribution | Assignee: | Sreenath G <sgirijan> |
| Status: | CLOSED DEFERRED | QA Contact: | Rahul Hinduja <rhinduja> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | rhgs-3.1 | CC: | annair, bhubbard, chrisw, csaba, kkeithle, mmahudha, ndevos, nlevinki, rcyriac, rgowdapp, rhs-bugs, storage-qa-internal, vmalkoti |
| Target Milestone: | --- | Keywords: | ZStream |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-04-12 07:34:06 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Harold Miller
2015-11-24 16:40:36 UTC
I think you need to configure the SSL ciphers/priority/something to a lower grade of security. See tests/features/ssl-authz.t in the upstream glusterfs sources for some ideas on how to do that. What is it that's really being asked for? Help configuring ciphers that will work with RHEL6 and RHEL7 openssl? Packaging a newer version of openssl with RHGS? Getting the customer to update to RHGS 3.1.x/glusterfs-3.7.5? I believe what is being asked for is to reduce the security of RHGS so a rhel5 openssl client can connect. Either that or package and ship a new version of openssl for rhel5 and ship it with the rhel5 gluster client bits.
We can simulate a connection from rhel6 and see the following.
# openssl s_client -connect ceph2.hq.gsslab.rdu.redhat.com:49153 -cert /etc/ssl/glusterfs.pem -key /etc/ssl/glusterfs.key 2>&1|gawk '/Protocol/||/Cipher/'
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Protocol : TLSv1.2
Cipher : AES256-GCM-SHA384
# openssl ciphers -v |grep ^AES256-GCM-SHA384
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
But on rhel5...
# openssl s_client -connect ceph2.hq.gsslab.rdu.redhat.com:49153 -cert /etc/ssl/glusterfs.pem -key /etc/ssl/glusterfs.key
CONNECTED(00000003)
1551:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
# openssl ciphers -v |gawk '/TLSv1.2/||/AES256-GCM-SHA384/'
#
rhel5 doesn't have either of these so, in order for it to connect, you'd need to reduce the security of the connection and possibly expose the server to things like "Poodle"
I tried the following on the server but it didn't seem to make a difference. # gluster v set testvol4 ssl.cipher-list ADH-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:ADH-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA volume set: success I also tried ssl.cipher-list: ALL. This was after reading the tests/features/ssl-authz.t mentioned by Niels in comment #3 RHGS glusterfs client has stopped shipping for RHEL-5 The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days |