Bug 1285014 - RHEL5 version of openssl included with glusterfs-3.7.1-16.el5.x86_64 is incompatible with newer versions [NEEDINFO]
RHEL5 version of openssl included with glusterfs-3.7.1-16.el5.x86_64 is incom...
Status: NEW
Product: Red Hat Gluster Storage
Classification: Red Hat
Component: distribution (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Sreenath G
Rahul Hinduja
: ZStream
Depends On:
  Show dependency treegraph
Reported: 2015-11-24 11:40 EST by Harold Miller
Modified: 2018-01-13 13:27 EST (History)
13 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
hamiller: needinfo? (annair)

Attachments (Terms of Use)

  None (edit)
Description Harold Miller 2015-11-24 11:40:36 EST
Description of problem: We provide RHEL5 client but the openssl is not compatible with newer (RHEL6,7) servers. Is there a work-around or updated version of openssl available?

Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux Server release 5.8, glusterfs-3.7.1-16.el5.x86_64, openssh-clients-4.3p2-82.el5.x86_64, openssl-0.9.8e-36.el5_11.i686 

How reproducible: Every time

Steps to Reproduce:
mount glusterfs volumes from a rhel5 client served from a rhel7 RHS server with ssl on IO enabled

Actual results: Fails

Expected results: Should work

Additional info:Server - Red Hat Enterprise Linux Server release 7.1, glusterfs-3.7.1-16.el7rhgs.x86_64 , openssh-server-6.6.1p1-12.el7_1.x86_64, openssl-1.0.1e-42.el7_1.9.x86_64
Comment 3 Niels de Vos 2015-12-01 10:13:07 EST
I think you need to configure the SSL ciphers/priority/something to a
lower grade of security. See tests/features/ssl-authz.t in the upstream
glusterfs sources for some ideas on how to do that.
Comment 4 Kaleb KEITHLEY 2015-12-01 17:10:10 EST
What is it that's really being asked for?

Help configuring ciphers that will work with RHEL6 and RHEL7 openssl?

Packaging a newer version of openssl with RHGS?

Getting the customer to update to RHGS 3.1.x/glusterfs-3.7.5?
Comment 5 Brad Hubbard 2015-12-02 00:07:55 EST
I believe what is being asked for is to reduce the security of RHGS so a rhel5 openssl client can connect. Either that or package and ship a new version of openssl for rhel5 and ship it with the rhel5 gluster client bits.

We can simulate a connection from rhel6 and see the following.

# openssl s_client -connect ceph2.hq.gsslab.rdu.redhat.com:49153 -cert /etc/ssl/glusterfs.pem -key /etc/ssl/glusterfs.key 2>&1|gawk '/Protocol/||/Cipher/'                                                                     
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384

# openssl ciphers -v |grep ^AES256-GCM-SHA384
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD

But on rhel5...

# openssl s_client -connect ceph2.hq.gsslab.rdu.redhat.com:49153 -cert /etc/ssl/glusterfs.pem -key /etc/ssl/glusterfs.key
1551:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

# openssl ciphers -v |gawk '/TLSv1.2/||/AES256-GCM-SHA384/'

rhel5 doesn't have either of these so, in order for it to connect, you'd need to reduce the security of the connection and possibly expose the server to things like "Poodle"
Comment 6 Brad Hubbard 2015-12-02 00:55:51 EST
I tried the following on the server but it didn't seem to make a difference.

# gluster v set testvol4 ssl.cipher-list ADH-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:ADH-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA
volume set: success

I also tried ssl.cipher-list: ALL.

This was after reading the tests/features/ssl-authz.t mentioned by Niels in comment #3

Note You need to log in before you can comment on or make changes to this bug.