Bug 1555154 - glusterd: TLS verification fails when using intermediate CA instead of self-signed certificates
Summary: glusterd: TLS verification fails when using intermediate CA instead of self-s...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: GlusterFS
Classification: Community
Component: core
Version: mainline
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
Assignee: Mohit Agrawal
QA Contact:
URL:
Whiteboard: ssl
Depends On:
Blocks: 1446046
TreeView+ depends on / blocked
 
Reported: 2018-03-14 04:11 UTC by Mohit Agrawal
Modified: 2018-10-03 12:08 UTC (History)
14 users (show)

Fixed In Version: glusterfs-v4.1.0
Clone Of: 1446046
Environment:
Last Closed: 2018-06-20 18:02:26 UTC
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Embargoed:

Attachments (Terms of Use)

Comment 1 Atin Mukherjee 2018-03-14 09:23:40 UTC 
Please add a public description of the bug.
Comment 2 Mohit Agrawal 2018-03-14 09:33:57 UTC 
TLS verification fails when using common CA instead of self-signed certificates.

Version-Release number of selected component (if applicable):
glusterfs-server-3.8.4-18

How reproducible:
always

Steps to Reproduce:
1. Sign root CA
2. Sign intermediate CA with rootCA key
3. sign cert for all gluster nodes with intermediateCA key
4. signed certs for all gluster nodes to be saved as glusterfs.pem in /etc/ssl
5. intermediateCA cert on all gluster nodes to be saved as glusterfs.ca in /etc/ssl
6. copy rootCA cert on all gluster nodes in /etc/pki/ca-trust/source/anchors
7. run command, to trust rootCA 
   ~]# update-ca-trust
8. touch /var/lib/glusterd/secure-access
9. vi /etc/glusterfs/glusterd.vol and add following option, to verify upto rootCA

   option transport.socket.ssl-cert-depth 2


Regards
Mohit Agrawal
Comment 3 Worker Ant 2018-03-19 19:00:31 UTC 
COMMIT: https://review.gluster.org/19708 committed in master by "Jeff Darcy" <jeff.us> with a commit message- glusterd: TLS verification fails while using intermediate CA

Problem: TLS verification fails while using intermediate CA
         if mgmt SSL is enabled.

Solution: There are two main issue of TLS verification failing
          1) not calling ssl_api to set cert_depth
          2) The current code does not allow to set certificate depth
             while MGMT SSL is enabled.
          After apply this patch to set certificate depth user
          need to set parameter option transport.socket.ssl-cert-depth <depth>
          in /var/lib/glusterd/secure_acccess instead to set in
          /etc/glusterfs/glusterd.vol. At the time of set secure_mgmt in ctx
          we will check the value of cert-depth and save the value of cert-depth
          in ctx.If user does not provide any value in cert-depth in that case
          it will consider default value is 1

BUG: 1555154
Change-Id: I89e9a9e1026e37efb5c20f9ec62b1989ef644f35
Signed-off-by: Mohit Agrawal <moagrawa>
Comment 4 Shyamsundar 2018-06-20 18:02:26 UTC 
This bug is getting closed because a release has been made available that should address the reported issue. In case the problem is still not fixed with glusterfs-v4.1.0, please open a new bug report.

glusterfs-v4.1.0 has been announced on the Gluster mailinglists [1], packages for several distributions should become available in the near future. Keep an eye on the Gluster Users mailinglist [2] and the update infrastructure for your distribution.

[1] http://lists.gluster.org/pipermail/announce/2018-June/000102.html
[2] https://www.gluster.org/pipermail/gluster-users/
Note You need to log in before you can comment on or make changes to this bug.