Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1626319

Summary:	DH ciphers disabled errors are encountered on basic mount & unmount with ssl enabled setup
Product:	[Community] GlusterFS	Reporter:	Amar Tumballi <atumball>
Component:	protocol	Assignee:	bugs <bugs>
Status:	CLOSED CURRENTRELEASE	QA Contact:
Severity:	low	Docs Contact:
Priority:	low
Version:	mainline	CC:	amukherj, bugs, moagrawa, nh2-redhatbugzilla, rhinduja, rhs-bugs, sasundar, storage-qa-internal, vbellur, vdas
Target Milestone:	---	Keywords:	ZStream
Target Release:	---
Hardware:	x86_64
OS:	Linux
Whiteboard:	ssl
Fixed In Version:	glusterfs-5.0	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:	1398237	Environment:
Last Closed:	2018-10-23 15:18:28 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:	1398237
Bug Blocks:	1632563

Description Amar Tumballi 2018-09-07 03:45:26 UTC

+++ This bug was initially created as a clone of Bug #1398237 +++

Description of problem:
With ssl enabled set up when we are doing any cifs mount or windows mount with basic IO we are encountering continuous cipher error messages as below

[2016-11-24 09:37:07.174449] E [socket.c:4102:socket_init] 0-samba-official-client-3: failed to open /etc/ssl/dhparam.pem, DH ciphers are disabled

Version-Release number of selected component (if applicable):
samba-4.4.6-2.el7rhgs.x86_64
glusterfs-cli-3.8.4-5.el7rhgs.x86_64

How reproducible:
1/1

Steps to Reproduce:
1.WIth SSL enabled setup of a 4 node cluster
2.Do a cifs mount
3.Do a windows mount
4.Copy paste data into the share

Actual results:

[2016-11-24 09:37:07.174449] E [socket.c:4102:socket_init] 0-samba-official-client-3: failed to open /etc/ssl/dhparam.pem, DH ciphers are disabled

Expected results:
Should not get any error messages

Additional info:


--- Additional comment from SATHEESARAN on 2016-11-25 01:03:05 EST ---

This is not the real functional issue.

Diffie-Hellman algorithm makes use of the largest prime number that is provided by openssl package earlier. openssl no longer ships this prime number for security reasons, though one can generate the largest prime number and store it in dhparam.pem.

These logs indicate that there are no prime numbers available. TLS will not be using Diffie-Hellman algorithm and uses some other secured algorithm.

So this error message is benign and could be safely ignored.

I would rather ask for change in log-level of this message so that it could be moved from 'ERROR' to 'INFO', that would help users not to get worried about these messages.

Comment 1 Worker Ant 2018-09-07 03:47:33 UTC

REVIEW: https://review.gluster.org/21108 (Modify log message 'DH ciphers are disabled' from ERROR to INFO) posted (#2) for review on master by Amar Tumballi

Comment 2 Worker Ant 2018-09-10 05:13:29 UTC

COMMIT: https://review.gluster.org/21108 committed in master by "Amar Tumballi" <amarts> with a commit message- Modify log message 'DH ciphers are disabled' from ERROR to INFO

Per the latest comment in bz#1398237 this message is confusing for users
because it suggests an error where none exists.

Fixes: bz#1626319

Change-Id: I2f05999da157b11e225bf3d95edb597e964f9923
Signed-off-by: Omar Kohl <omarkohl>

Comment 3 Shyamsundar 2018-10-23 15:18:28 UTC

This bug is getting closed because a release has been made available that should address the reported issue. In case the problem is still not fixed with glusterfs-5.0, please open a new bug report.

glusterfs-5.0 has been announced on the Gluster mailinglists [1], packages for several distributions should become available in the near future. Keep an eye on the Gluster Users mailinglist [2] and the update infrastructure for your distribution.

[1] https://lists.gluster.org/pipermail/announce/2018-October/000115.html
[2] https://www.gluster.org/pipermail/gluster-users/