Bug 1398237

Summary: DH ciphers disabled errors are encountered on basic mount & unmount with ssl enabled setup
Product: [Red Hat Storage] Red Hat Gluster Storage
Reporter: Vivek Das <vdas>
Component: core
Assignee: Mohit Agrawal <moagrawa>
Status: CLOSED WONTFIX
QA Contact: Rahul Hinduja <rhinduja>
Severity: low
Priority: unspecified
Version: rhgs-3.2
CC: amukherj, nh2-redhatbugzilla, rhs-bugs, sasundar, storage-qa-internal, vbellur
Target Milestone: ---
Keywords: ZStream
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard: ssl
Doc Type: If docs needed, set a value
Story Points: ---
Clone Of:
: 1626319 1632563
Last Closed: 2018-02-06 06:14:09 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1626319

Description Vivek Das 2016-11-24 10:33:29 UTC
Description of problem:
With an SSL-enabled setup, when we are doing any CIFS mount or Windows mount with basic IO, we are encountering continuous cipher error messages as below:

[2016-11-24 09:37:07.174449] E [socket.c:4102:socket_init] 0-samba-official-client-3: failed to open /etc/ssl/dhparam.pem, DH ciphers are disabled

Version-Release number of selected component (if applicable):
samba-4.4.6-2.el7rhgs.x86_64
glusterfs-cli-3.8.4-5.el7rhgs.x86_64

How reproducible:
1/1

Steps to Reproduce:
1. With an SSL-enabled setup of a 4-node cluster
2. Do a CIFS mount
3. Do a Windows mount
4. Copy and paste data into the share

Actual results:

[2016-11-24 09:37:07.174449] E [socket.c:4102:socket_init] 0-samba-official-client-3: failed to open /etc/ssl/dhparam.pem, DH ciphers are disabled

Expected results:
Should not get any error messages

Additional info:

Comment 2 SATHEESARAN 2016-11-25 06:03:05 UTC
This is not a real functional issue.

The Diffie-Hellman algorithm makes use of the largest prime number that was provided by the openssl package earlier. openssl no longer ships this prime number for security reasons, though one can generate the largest prime number and store it in dhparam.pem.

These logs indicate that there are no prime numbers available. TLS will not be using the Diffie-Hellman algorithm and uses some other secure algorithm.

So this error message is benign and can be safely ignored.

I would rather ask for a change in the log level of this message, so that it could be moved from 'ERROR' to 'INFO'; that would help users not to get worried about these messages.

Comment 9 Worker Ant 2018-09-07 03:47:29 UTC
REVISION POSTED: https://review.gluster.org/21108 (Modify log message 'DH ciphers are disabled' from ERROR to INFO) posted (#2) for review on master by Amar Tumballi
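
The distinction drawn in Comment 2 and the level change posted in Comment 9 can be applied when reading these logs. The sketch below is an added example, not part of the bug report or of the GlusterFS code: it groups the DH-parameter message by its text at any log level and lists the remaining E-level entries separately. The sample log is constructed, and the line layout is assumed from the single entry quoted in the report.

```python
import re
from collections import Counter

# Constructed sample: line 1 is the entry quoted in the report, the rest are
# made-up lines in the same layout ("I" models the message after a level change).
SAMPLE_LOG = """\
[2016-11-24 09:37:07.174449] E [socket.c:4102:socket_init] 0-samba-official-client-3: failed to open /etc/ssl/dhparam.pem, DH ciphers are disabled
[2016-11-24 09:37:07.180112] E [socket.c:4102:socket_init] 0-samba-official-client-3: failed to open /etc/ssl/dhparam.pem, DH ciphers are disabled
[2016-11-24 09:37:08.001200] I [socket.c:4102:socket_init] 0-samba-official-client-2: failed to open /etc/ssl/dhparam.pem, DH ciphers are disabled
[2016-11-24 09:37:09.500000] E [example.c:10:example_fn] 0-samba-official-client-1: constructed unrelated error
not a log line
"""

# Assumed layout: [timestamp] LEVEL [file:line:function] name: message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<level>[A-Z]) "
    r"\[(?P<src>[^:\]]+):(?P<lineno>\d+):(?P<func>[^\]]+)\] "
    r"(?P<name>\S+): (?P<msg>.*)$"
)
DH_RE = re.compile(r"failed to open (?P<path>\S+), DH ciphers are disabled")


def triage(log_text):
    """Return (dh_notices, other_errors).

    dh_notices counts the DH message per (name, path), matched on text at any
    level; other_errors lists the remaining E-level entries.
    """
    dh_notices = Counter()
    other_errors = []
    for raw in log_text.splitlines():
        entry = LINE_RE.match(raw.strip())
        if entry is None:
            continue  # skip lines that are not in the expected layout
        dh = DH_RE.search(entry["msg"])
        if dh:
            dh_notices[(entry["name"], dh["path"])] += 1
        elif entry["level"] == "E":
            other_errors.append((entry["ts"], entry["name"], entry["msg"]))
    return dh_notices, other_errors


if __name__ == "__main__":
    notices, errors = triage(SAMPLE_LOG)
    for (name, path), count in sorted(notices.items()):
        print(f"{name}: {count}x DH parameters not loaded from {path}")
    for ts, name, msg in errors:
        print(f"ERROR {ts} {name}: {msg}")
```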