Bug 1626319 - DH ciphers disabled errors are encountered on basic mount & unmount with ssl enabled setup
Status: CLOSED CURRENTRELEASE
Alias: None
Product: GlusterFS
Classification: Community
Component: protocol
Version: mainline
Hardware: x86_64
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: bugs@gluster.org
Whiteboard: ssl
Depends On: 1398237
Blocks: 1632563
Reported: 2018-09-07 03:45 UTC by Amar Tumballi
Modified: 2018-10-23 15:18 UTC

Fixed In Version: glusterfs-5.0
Clone Of: 1398237
Last Closed: 2018-10-23 15:18:28 UTC

Description Amar Tumballi 2018-09-07 03:45:26 UTC
+++ This bug was initially created as a clone of Bug #1398237 +++

Description of problem:
With an SSL-enabled setup, when we do any CIFS mount or Windows mount with basic I/O, we encounter continuous cipher error messages, as below:

[2016-11-24 09:37:07.174449] E [socket.c:4102:socket_init] 0-samba-official-client-3: failed to open /etc/ssl/dhparam.pem, DH ciphers are disabled

Version-Release number of selected component (if applicable):
samba-4.4.6-2.el7rhgs.x86_64
glusterfs-cli-3.8.4-5.el7rhgs.x86_64

How reproducible:
1/1

Steps to Reproduce:
1. With an SSL-enabled setup of a 4-node cluster
2. Do a CIFS mount
3. Do a Windows mount
4. Copy and paste data into the share

Actual results:

[2016-11-24 09:37:07.174449] E [socket.c:4102:socket_init] 0-samba-official-client-3: failed to open /etc/ssl/dhparam.pem, DH ciphers are disabled

Expected results:
Should not get any error messages

Additional info:


--- Additional comment from SATHEESARAN on 2016-11-25 01:03:05 EST ---

This is not the real functional issue.

The Diffie-Hellman algorithm makes use of the largest prime number that was provided by the openssl package earlier. openssl no longer ships this prime number for security reasons, though one can generate the largest prime number and store it in dhparam.pem.

These logs indicate that there are no prime numbers available. TLS will not be using the Diffie-Hellman algorithm and uses some other secured algorithm.

So this error message is benign and could be safely ignored.

I would rather ask for a change in the log level of this message so that it could be moved from 'ERROR' to 'INFO'; that would help users not to get worried about these messages.
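For log review on affected releases, the notice discussed above can be separated from other error-level entries. The following is an added example, not part of the bug report or the GlusterFS code base; the function name `triage` and all sample lines other than the one quoted in this report are constructed, and the `I` level line assumes how the message appears once it is logged at INFO.

```python
import re
from collections import Counter

# Log layout as it appears in this report:
#   [timestamp] LEVEL [file:line:function] domain: message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<level>[A-Z])\s+"
    r"\[(?P<file>[^:\]]+):(?P<line>\d+):(?P<func>[^\]]+)\]\s+"
    r"(?P<domain>\S+):\s+(?P<msg>.*)$"
)
DH_RE = re.compile(r"failed to open (?P<path>\S+), DH ciphers are disabled")

def triage(lines):
    """Separate the DH-parameter notice from other E-level entries."""
    dh_notices = Counter()      # (domain, dhparam path, level) -> occurrences
    other_errors, unparsed = [], []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if m is None:
            unparsed.append(raw)            # keep what cannot be parsed for review
            continue
        dh = DH_RE.search(m["msg"])
        if dh and m["func"] == "socket_init":
            dh_notices[(m["domain"], dh["path"], m["level"])] += 1
        elif m["level"] == "E":
            other_errors.append((m["ts"], m["domain"], m["msg"]))
    return {"dh_notices": dh_notices, "other_errors": other_errors,
            "unparsed": unparsed}

# Constructed sample: line 1 is the line from this report, the rest are made up.
SAMPLE = """\
[2016-11-24 09:37:07.174449] E [socket.c:4102:socket_init] 0-samba-official-client-3: failed to open /etc/ssl/dhparam.pem, DH ciphers are disabled
[2016-11-24 09:37:09.000001] E [socket.c:4102:socket_init] 0-samba-official-client-3: failed to open /etc/ssl/dhparam.pem, DH ciphers are disabled
[2016-11-24 09:37:09.000002] I [socket.c:4102:socket_init] 0-samba-official-client-1: failed to open /etc/ssl/dhparam.pem, DH ciphers are disabled
[2016-11-24 09:37:10.000003] E [example.c:1:example_func] 0-samba-official-client-3: constructed unrelated error
truncated line without brackets
""".splitlines()

if __name__ == "__main__":
    result = triage(SAMPLE)
    for (domain, path, level), n in sorted(result["dh_notices"].items()):
        print(f"{n}x level={level} {domain}: no DH params at {path}")
    for ts, domain, msg in result["other_errors"]:
        print(f"ERROR {ts} {domain}: {msg}")
```

Grouping by client translator and path shows which mounts run without a DH parameter file while keeping unrelated errors visible.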

Comment 1 Worker Ant 2018-09-07 03:47:33 UTC
REVIEW: https://review.gluster.org/21108 (Modify log message 'DH ciphers are disabled' from ERROR to INFO) posted (#2) for review on master by Amar Tumballi

Comment 2 Worker Ant 2018-09-10 05:13:29 UTC
COMMIT: https://review.gluster.org/21108 committed in master by "Amar Tumballi" <amarts> with a commit message:

Modify log message 'DH ciphers are disabled' from ERROR to INFO

Per the latest comment in bz#1398237 this message is confusing for users
because it suggests an error where none exists.

Fixes: bz#1626319

Change-Id: I2f05999da157b11e225bf3d95edb597e964f9923
Signed-off-by: Omar Kohl <omarkohl>

Comment 3 Shyamsundar 2018-10-23 15:18:28 UTC
This bug is getting closed because a release has been made available that should address the reported issue. In case the problem is still not fixed with glusterfs-5.0, please open a new bug report.

glusterfs-5.0 has been announced on the Gluster mailing lists [1]; packages for several distributions should become available in the near future. Keep an eye on the Gluster Users mailing list [2] and the update infrastructure for your distribution.

[1] https://lists.gluster.org/pipermail/announce/2018-October/000115.html
[2] https://www.gluster.org/pipermail/gluster-users/

