+++ This bug was initially created as a clone of Bug #1247152 +++ rpc-transport/socket SSL lacks many features - ECDH support, with admin-configurable curve - DH support, with admin-supplied DH parameters - CRL support - location for private key, certificate and CA are not configurable - The default cipher list is too explicit and should just exclude weak ciphers
REVIEW: http://review.gluster.org/11763 (SSL improvements: ECDH, DH, CRL, and accessible options) posted (#3) for review on release-3.7 by Emmanuel Dreyfus (manu)
REVIEW: http://review.gluster.org/11763 (SSL improvements: ECDH, DH, CRL, and accessible options) posted (#4) for review on release-3.7 by Emmanuel Dreyfus (manu)
REVIEW: http://review.gluster.org/11763 (SSL improvements: ECDH, DH, CRL, and accessible options) posted (#5) for review on release-3.7 by Emmanuel Dreyfus (manu)
REVIEW: http://review.gluster.org/11763 (SSL improvements: ECDH, DH, CRL, and accessible options) posted (#6) for review on release-3.7 by Emmanuel Dreyfus (manu)
COMMIT: http://review.gluster.org/11763 committed in release-3.7 by Kaleb KEITHLEY (kkeithle) ------ commit ca5b466dcabc8432f68f2cf7a24fae770ad1c0cf Author: Emmanuel Dreyfus <manu> Date: Thu Jul 30 14:02:43 2015 +0200 SSL improvements: ECDH, DH, CRL, and accessible options - Introduce ssl.dh-param option to specify a file containinf DH parameters. If it is provided, EDH ciphers are available. - Introduce ssl.ec-curve option to specify an elliptic curve name. If unspecified, ECDH ciphers are available using the prime256v1 curve. - Introduce ssl.crl-path option to specify the directory where the CRL hash file can be found. Setting to NULL disable CRL checking, just like the default. - Make all ssl.* options accessible through gluster volume set. - In default cipher list, exclude weak ciphers instead of listing the strong ones. - Enforce server cipher preference. - introduce RPC_SET_OPT macro to factor repetitive code in glusterd-volgen.c - Add ssl-ciphers.t test to check all the features touched by this change. Backport of I7bfd433df6bbf176f4a58e770e06bcdbe22a101a Change-Id: I2947eabe76ae0487ecad52a60befb7de473fc90c BUG: 1247153 Signed-off-by: Emmanuel Dreyfus <manu>@ Reviewed-on: http://review.gluster.org/11763 Tested-by: NetBSD Build System <jenkins.org> Reviewed-by: Jeff Darcy <jdarcy>
REVIEW: http://review.gluster.org/11842 (SSL improvements: do not fail if certificate purpose is set) posted (#1) for review on release-3.7 by Emmanuel Dreyfus (manu)
COMMIT: http://review.gluster.org/11842 committed in release-3.7 by Kaleb KEITHLEY (kkeithle) ------ commit e121b7462a6f1a732b3c081f9b8b1e3552ecbbdd Author: Emmanuel Dreyfus <manu> Date: Wed Aug 5 17:22:22 2015 +0200 SSL improvements: do not fail if certificate purpose is set Since glusterfs shares the same settings for client-side and server-side of SSL, we need to ignore any certificate usage specification (SSL client vs SSL server), otherwise SSL connexions will fail with 'unsupported cerritifcate" Backport of I7ef60271718d2d894176515aa530ff106127bceb BUG: 1247153 Change-Id: I04e2f50dafd84d6eee15010f045016c91a0e1aac Signed-off-by: Emmanuel Dreyfus <manu> Reviewed-on: http://review.gluster.org/11842 Tested-by: Gluster Build System <jenkins.com> Tested-by: NetBSD Build System <jenkins.org> Reviewed-by: Kaleb KEITHLEY <kkeithle> Reviewed-by: Jeff Darcy <jdarcy>
This bug is getting closed because a release has been made available that should address the reported issue. In case the problem is still not fixed with glusterfs-3.7.4, please open a new bug report. glusterfs-3.7.4 has been announced on the Gluster mailinglists [1], packages for several distributions should become available in the near future. Keep an eye on the Gluster Users mailinglist [2] and the update infrastructure for your distribution. [1] http://thread.gmane.org/gmane.comp.file-systems.gluster.devel/12496 [2] http://thread.gmane.org/gmane.comp.file-systems.gluster.user