rpc-transport/socket SSL lacks many features:
- ECDH support, with admin-configurable curve
- DH support, with admin-supplied DH parameters
- CRL support
- locations for private key, certificate and CA are not configurable
- The default cipher list is too explicit and should just exclude weak ciphers
REVIEW: http://review.gluster.org/11735 (SSL improvements: ECDH, DH, CRL, and accessible options) posted (#7) for review on master by Emmanuel Dreyfus (manu)
REVIEW: http://review.gluster.org/11735 (SSL improvements: ECDH, DH, CRL, and accessible options) posted (#8) for review on master by Emmanuel Dreyfus (manu)
REVIEW: http://review.gluster.org/11735 (SSL improvements: ECDH, DH, CRL, and accessible options) posted (#9) for review on master by Emmanuel Dreyfus (manu)
COMMIT: http://review.gluster.org/11735 committed in master by Kaleb KEITHLEY (kkeithle)
------
commit 28fc199d5dc92a69eb2b899bbea23548dc14a39b
Author: Emmanuel Dreyfus <manu>
Date: Thu Jul 30 13:54:51 2015 +0200

SSL improvements: ECDH, DH, CRL, and accessible options

- Introduce ssl.dh-param option to specify a file containing DH parameters. If it is provided, EDH ciphers are available.
- Introduce ssl.ec-curve option to specify an elliptic curve name. If unspecified, ECDH ciphers are available using the prime256v1 curve.
- Introduce ssl.crl-path option to specify the directory where the CRL hash file can be found. Setting to NULL disables CRL checking, just like the default.
- Make all ssl.* options accessible through gluster volume set.
- In default cipher list, exclude weak ciphers instead of listing the strong ones.
- Enforce server cipher preference.
- Introduce RPC_SET_OPT macro to factor repetitive code in glusterd-volgen.c
- Add ssl-ciphers.t test to check all the features touched by this change.

Change-Id: I7bfd433df6bbf176f4a58e770e06bcdbe22a101a
BUG: 1247152
Signed-off-by: Emmanuel Dreyfus <manu>
Reviewed-on: http://review.gluster.org/11735
Tested-by: NetBSD Build System <jenkins.org>
Reviewed-by: Kaushal M <kaushal>
Tested-by: Gluster Build System <jenkins.com>
Reviewed-by: Jeff Darcy <jdarcy>
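The five knobs the commit message describes (DH parameters, a named ECDH curve, an optional CRL hash directory, an exclusion-style cipher list, server cipher preference) map one-to-one onto OpenSSL context settings. The block below is an added example written for this page, not gluster's own code (which is C against OpenSSL in rpc-transport/socket); it builds the equivalent policy with Python's stdlib ssl module so the effect of each option can be inspected offline. The function and parameter names (build_server_context, dh_param_path, ec_curve, crl_path), the cipher string and the choice to require peer certificates are assumptions; the page does not show the exact cipher string gluster ships, only the rule that it excludes weak suites rather than listing strong ones.

```python
"""Server-side TLS policy mirroring the ssl.* options described in the
gluster commit (added illustration; not the project's code)."""
import ssl

# Assumed cipher policy following the commit's rule: start from a broad
# class (HIGH) and subtract weak suites, instead of enumerating strong ones.
DEFAULT_CIPHERS = "HIGH:!aNULL:!eNULL:!MD5:!RC4:!DES:!3DES:!EXPORT:!LOW"
# The commit names prime256v1 as the curve used when ssl.ec-curve is unset.
DEFAULT_EC_CURVE = "prime256v1"


def build_server_context(dh_param_path=None, ec_curve=DEFAULT_EC_CURVE,
                         crl_path=None, ciphers=DEFAULT_CIPHERS):
    """Return an SSLContext configured like the described ssl.* options.

    dh_param_path : PEM file of DH parameters (ssl.dh-param); None disables
                    DHE suites because the server has no group to offer.
    ec_curve      : named curve for ECDHE (ssl.ec-curve).
    crl_path      : directory of hashed CRLs (ssl.crl-path), i.e. files named
                    <hash>.r0 as produced by `openssl rehash`; None leaves
                    revocation checking off, like the default in the commit.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(ciphers)
    # "Enforce server cipher preference": the server's order wins.
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    # Assumption: peers authenticate with certificates, so a CRL has
    # something to be applied to.
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ec_curve and hasattr(ctx, "set_ecdh_curve"):
        ctx.set_ecdh_curve(ec_curve)
    if dh_param_path:
        ctx.load_dh_params(dh_param_path)
    if crl_path:
        # capath is an OpenSSL hash directory; it may hold CA certs (<hash>.0)
        # and CRLs (<hash>.r0). Without the flag the CRL is loaded but unused.
        ctx.load_verify_locations(capath=crl_path)
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def weak_suites(ctx):
    """Names of negotiable suites that an exclusion policy should have removed."""
    markers = ("RC4", "NULL", "DES", "MD5", "EXP")
    return [c["name"] for c in ctx.get_ciphers()
            if any(m in c["name"] for m in markers) or c["strength_bits"] < 128]


def negotiable(cipher_spec):
    """TLS<=1.2 suites a server with this cipher string can offer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_spec)
    except ssl.SSLError:          # string selects nothing on this OpenSSL
        return []
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def policy_summary(ctx):
    return {
        "server_preference": bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE),
        "crl_check": bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF),
        "suite_count": len(ctx.get_ciphers()),
    }


if __name__ == "__main__":
    server = build_server_context()
    print(policy_summary(server), "weak:", weak_suites(server))
    # An explicit allowlist of the kind the bug report calls "too explicit":
    # it never gains the ECDHE/AEAD suites newer OpenSSL builds add to HIGH.
    print("explicit :", negotiable("AES128-SHA:AES256-SHA"))
    print("exclusion:", [n for n in negotiable(DEFAULT_CIPHERS) if "ECDHE" in n])
```

Running it on a current OpenSSL shows the exclusion policy offering ECDHE and AEAD suites that a hand-written allowlist from 2015 would never have included, while still listing no RC4, DES, NULL or MD5 suites; the old-style explicit list stays frozen at whatever was typed. The same comparison is what `gluster volume get <vol> ssl.cipher-list` plus `openssl ciphers -v '<list>'` gives you for a real deployment.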
REVIEW: http://review.gluster.org/11840 (SSL improvements: do not fail if certificate purpose is set) posted (#1) for review on master by Emmanuel Dreyfus (manu)
REVIEW: http://review.gluster.org/11840 (SSL improvements: do not fail if certificate purpose is set) posted (#2) for review on master by Emmanuel Dreyfus (manu)
This bug is getting closed because a release has been made available that should address the reported issue. In case the problem is still not fixed with glusterfs-3.8.0, please open a new bug report. glusterfs-3.8.0 has been announced on the Gluster mailinglists [1], packages for several distributions should become available in the near future. Keep an eye on the Gluster Users mailinglist [2] and the update infrastructure for your distribution. [1] http://blog.gluster.org/2016/06/glusterfs-3-8-released/ [2] http://thread.gmane.org/gmane.comp.file-systems.gluster.user