Red Hat Bugzilla – Bug 1285014
RHEL5 version of openssl included with glusterfs-3.7.1-16.el5.x86_64 is incompatible with newer versions
Last modified: 2018-03-14 13:14:55 EDT
Description of problem: We provide RHEL5 client but the openssl is not compatible with newer (RHEL6,7) servers. Is there a work-around or updated version of openssl available?
Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux Server release 5.8, glusterfs-3.7.1-16.el5.x86_64, openssh-clients-4.3p2-82.el5.x86_64, openssl-0.9.8e-36.el5_11.i686
How reproducible: Every time
Steps to Reproduce:
mount glusterfs volumes from a rhel5 client served from a rhel7 RHS server with ssl on IO enabled
Actual results: Fails
Expected results: Should work
Additional info:Server - Red Hat Enterprise Linux Server release 7.1, glusterfs-3.7.1-16.el7rhgs.x86_64 , openssh-server-6.6.1p1-12.el7_1.x86_64, openssl-1.0.1e-42.el7_1.9.x86_64
I think you need to configure the SSL ciphers/priority/something to a
lower grade of security. See tests/features/ssl-authz.t in the upstream
glusterfs sources for some ideas on how to do that.
What is it that's really being asked for?
Help configuring ciphers that will work with RHEL6 and RHEL7 openssl?
Packaging a newer version of openssl with RHGS?
Getting the customer to update to RHGS 3.1.x/glusterfs-3.7.5?
I believe what is being asked for is to reduce the security of RHGS so a rhel5 openssl client can connect. Either that or package and ship a new version of openssl for rhel5 and ship it with the rhel5 gluster client bits.
We can simulate a connection from rhel6 and see the following.
# openssl s_client -connect ceph2.hq.gsslab.rdu.redhat.com:49153 -cert /etc/ssl/glusterfs.pem -key /etc/ssl/glusterfs.key 2>&1|gawk '/Protocol/||/Cipher/'
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Protocol : TLSv1.2
Cipher : AES256-GCM-SHA384
# openssl ciphers -v |grep ^AES256-GCM-SHA384
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
But on rhel5...
# openssl s_client -connect ceph2.hq.gsslab.rdu.redhat.com:49153 -cert /etc/ssl/glusterfs.pem -key /etc/ssl/glusterfs.key
1551:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
# openssl ciphers -v |gawk '/TLSv1.2/||/AES256-GCM-SHA384/'
rhel5 doesn't have either of these so, in order for it to connect, you'd need to reduce the security of the connection and possibly expose the server to things like "Poodle"
I tried the following on the server but it didn't seem to make a difference.
# gluster v set testvol4 ssl.cipher-list ADH-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:ADH-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA
volume set: success
I also tried ssl.cipher-list: ALL.
This was after reading the tests/features/ssl-authz.t mentioned by Niels in comment #3