Description of problem: We provide RHEL5 client but the openssl is not compatible with newer (RHEL6,7) servers. Is there a work-around or updated version of openssl available? Version-Release number of selected component (if applicable): Red Hat Enterprise Linux Server release 5.8, glusterfs-3.7.1-16.el5.x86_64, openssh-clients-4.3p2-82.el5.x86_64, openssl-0.9.8e-36.el5_11.i686 How reproducible: Every time Steps to Reproduce: mount glusterfs volumes from a rhel5 client served from a rhel7 RHS server with ssl on IO enabled Actual results: Fails Expected results: Should work Additional info:Server - Red Hat Enterprise Linux Server release 7.1, glusterfs-3.7.1-16.el7rhgs.x86_64 , openssh-server-6.6.1p1-12.el7_1.x86_64, openssl-1.0.1e-42.el7_1.9.x86_64
I think you need to configure the SSL ciphers/priority/something to a lower grade of security. See tests/features/ssl-authz.t in the upstream glusterfs sources for some ideas on how to do that.
What is it that's really being asked for? Help configuring ciphers that will work with RHEL6 and RHEL7 openssl? Packaging a newer version of openssl with RHGS? Getting the customer to update to RHGS 3.1.x/glusterfs-3.7.5?
I believe what is being asked for is to reduce the security of RHGS so a rhel5 openssl client can connect. Either that or package and ship a new version of openssl for rhel5 and ship it with the rhel5 gluster client bits. We can simulate a connection from rhel6 and see the following. # openssl s_client -connect ceph2.hq.gsslab.rdu.redhat.com:49153 -cert /etc/ssl/glusterfs.pem -key /etc/ssl/glusterfs.key 2>&1|gawk '/Protocol/||/Cipher/' New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384 Protocol : TLSv1.2 Cipher : AES256-GCM-SHA384 # openssl ciphers -v |grep ^AES256-GCM-SHA384 AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD But on rhel5... # openssl s_client -connect ceph2.hq.gsslab.rdu.redhat.com:49153 -cert /etc/ssl/glusterfs.pem -key /etc/ssl/glusterfs.key CONNECTED(00000003) 1551:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188: # openssl ciphers -v |gawk '/TLSv1.2/||/AES256-GCM-SHA384/' # rhel5 doesn't have either of these so, in order for it to connect, you'd need to reduce the security of the connection and possibly expose the server to things like "Poodle"
I tried the following on the server but it didn't seem to make a difference. # gluster v set testvol4 ssl.cipher-list ADH-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:ADH-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA volume set: success I also tried ssl.cipher-list: ALL. This was after reading the tests/features/ssl-authz.t mentioned by Niels in comment #3
RHGS glusterfs client has stopped shipping for RHEL-5
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days