Bug 1555154

Summary: glusterd: TLS verification fails when using intermediate CA instead of self-signed certificates
Product: [Community] GlusterFS Reporter: Mohit Agrawal <moagrawa>
Component: core    Assignee: Mohit Agrawal <moagrawa>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: mainline    CC: amukherj, atumball, bmekala, dwojslaw, moagrawa, nbalacha, rcyriac, rhinduja, rhs-bugs, sheggodu, sisharma, storage-qa-internal, vbellur, yjog
Target Milestone: ---    Keywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: ssl
Fixed In Version: glusterfs-v4.1.0 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1446046 Environment:
Last Closed: 2018-06-20 18:02:26 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1446046    

Comment 1 Atin Mukherjee 2018-03-14 09:23:40 UTC
Please add a public description of the bug.

Comment 2 Mohit Agrawal 2018-03-14 09:33:57 UTC
TLS verification fails when using common CA instead of self-signed certificates.

Version-Release number of selected component (if applicable):
glusterfs-server-3.8.4-18

How reproducible:
always

Steps to Reproduce:
1. Sign root CA
2. Sign intermediate CA with rootCA key
3. Sign cert for all gluster nodes with intermediateCA key
4. Signed certs for all gluster nodes to be saved as glusterfs.pem in /etc/ssl
5. intermediateCA cert on all gluster nodes to be saved as glusterfs.ca in /etc/ssl
6. Copy rootCA cert on all gluster nodes in /etc/pki/ca-trust/source/anchors
7. Run the following command to trust rootCA:
   ~]# update-ca-trust
8. touch /var/lib/glusterd/secure-access
9. vi /etc/glusterfs/glusterd.vol and add the following option, to verify up to rootCA:

   option transport.socket.ssl-cert-depth 2

Regards
Mohit Agrawal
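As an added example (not from the bug report or the GlusterFS project), the script below builds a constructed root -> intermediate -> node chain like the one in the steps above and checks the node certificate against the root with openssl verify at several depths, the same limit that transport.socket.ssl-cert-depth controls. It assumes the openssl CLI is installed; all subject names and file locations are constructed for the example.

```shell
#!/bin/sh
# Constructed root -> intermediate -> node chain, verified the way glusterd's
# transport.socket.ssl-cert-depth limits verification. Needs the openssl CLI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extensions that make a certificate usable as a CA (root and intermediate).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"

# new_csr NAME CN: fresh RSA key plus CSR (names are constructed for this example)
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
}

# Steps 1-3 of the report: root CA, intermediate signed by root, node cert
# signed by the intermediate. Output names follow the report (glusterfs.ca,
# glusterfs.pem) but are written under $WORK instead of /etc/ssl.
build_chain() {
  new_csr root "Example Root CA"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
    -extfile "$WORK/ca.ext" -out "$WORK/rootCA.pem" 2>/dev/null
  new_csr inter "Example Intermediate CA"
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/rootCA.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/glusterfs.ca" 2>/dev/null
  new_csr node "gluster-node1.example.test"
  openssl x509 -req -in "$WORK/node.csr" -CA "$WORK/glusterfs.ca" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 2 -out "$WORK/glusterfs.pem" 2>/dev/null
}

# verify_at_depth DEPTH: succeeds only if glusterfs.pem chains to rootCA.pem
# (the trusted anchor, as update-ca-trust provides) via glusterfs.ca within DEPTH.
verify_at_depth() {
  openssl verify -verify_depth "$1" -CAfile "$WORK/rootCA.pem" \
    -untrusted "$WORK/glusterfs.ca" "$WORK/glusterfs.pem" >/dev/null 2>&1
}

build_chain
# Depth 0 leaves no room for the intermediate and is rejected; depth 2 accepts
# this chain. Whether depth 1 passes depends on the OpenSSL version (older
# releases counted the trust anchor as a level), which is why the report uses 2.
for d in 0 1 2; do
  if verify_at_depth "$d"; then echo "ssl-cert-depth $d: node cert verified up to rootCA"
  else echo "ssl-cert-depth $d: verification rejected"; fi
done
```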

Comment 3 Worker Ant 2018-03-19 19:00:31 UTC
COMMIT: https://review.gluster.org/19708 committed in master by "Jeff Darcy" <jeff.us> with a commit message: glusterd: TLS verification fails while using intermediate CA

Problem: TLS verification fails while using intermediate CA
         if mgmt SSL is enabled.

Solution: There are two main issues causing TLS verification to fail:
          1) not calling ssl_api to set cert_depth
          2) The current code does not allow setting certificate depth
             while MGMT SSL is enabled.
          After applying this patch, to set certificate depth the user
          needs to set the parameter option transport.socket.ssl-cert-depth <depth>
          in /var/lib/glusterd/secure_access instead of setting it in
          /etc/glusterfs/glusterd.vol. At the time of setting secure_mgmt in ctx
          we will check the value of cert-depth and save the value of cert-depth
          in ctx. If the user does not provide any value in cert-depth, in that case
          it will consider the default value of 1.

BUG: 1555154
Change-Id: I89e9a9e1026e37efb5c20f9ec62b1989ef644f35
Signed-off-by: Mohit Agrawal <moagrawa>

Comment 4 Shyamsundar 2018-06-20 18:02:26 UTC
This bug is getting closed because a release has been made available that should address the reported issue. In case the problem is still not fixed with glusterfs-v4.1.0, please open a new bug report.

glusterfs-v4.1.0 has been announced on the Gluster mailing lists [1]; packages for several distributions should become available in the near future. Keep an eye on the Gluster Users mailing list [2] and the update infrastructure for your distribution.

[1] http://lists.gluster.org/pipermail/announce/2018-June/000102.html
[2] https://www.gluster.org/pipermail/gluster-users/