Blame SOURCES/bz1199970-fence_ilo_support_tls10.patch

From 9a6bb12b2c8aaf9d30d0d228bf0b4d93e06e1153 Mon Sep 17 00:00:00 2001
From: Marek 'marx' Grac <mgrac@redhat.com>
Date: Wed, 25 Mar 2015 18:22:08 +0100
Subject: [PATCH 4/5] fence_ilo: Add support for TLS1.0
HP iLO2 firmware 2.27 has a broken implementation of TLS, and SSLv3 is disabled by default.
gnutls (3.4.x) has support to disable proper negotiation and use only TLS1.0 that works well.
Option --tls1.0 (tls1.0 on stdin) was added to enable this feature and fence_ilo(2) works
correctly also with this firmware.
Resolves: rhbz#1199970
---
 fence/agents/ilo/fence_ilo.py      |  2 +-
 fence/agents/lib/fencing.py.py     | 16 +++++++++++++++-
 tests/data/metadata/fence_ilo.xml  |  7 ++++++-
 tests/data/metadata/fence_ilo2.xml |  7 ++++++-
 4 files changed, 28 insertions(+), 4 deletions(-)
diff --git a/fence/agents/ilo/fence_ilo.py b/fence/agents/ilo/fence_ilo.py
42c953
index 965aabf..047040b 100644
42c953
--- a/fence/agents/ilo/fence_ilo.py
42c953
+++ b/fence/agents/ilo/fence_ilo.py
42c953
@@ -65,7 +65,7 @@ def define_new_opts():
42c953
 		"order" : 1}
42c953
 
42c953
 def main():
42c953
-	device_opt = ["ipaddr", "login", "passwd", "ssl", "notls", "ribcl"]
42c953
+	device_opt = ["ipaddr", "login", "passwd", "ssl", "notls", "tls1.0", "ribcl"]
42c953
 
42c953
 	atexit.register(atexit_handler)
42c953
 
42c953
diff --git a/fence/agents/lib/fencing.py.py b/fence/agents/lib/fencing.py.py
42c953
index 7209d5e..f893082 100644
42c953
--- a/fence/agents/lib/fencing.py.py
42c953
+++ b/fence/agents/lib/fencing.py.py
42c953
@@ -203,7 +203,19 @@ all_opt = {
42c953
 				"                                        "
42c953
 				"This should only be used for devices that do not support TLS1.0 and up.",
42c953
 		"required" : "0",
42c953
-		"shortdesc" : "Disable TLS negotiation",
42c953
+		"shortdesc" : "Disable TLS negotiation, force SSL 3.0",
42c953
+		"order" : 1},
42c953
+	"tls1.0" : {
42c953
+		"getopt" : "",
42c953
+		"longopt" : "tls1.0",
42c953
+		"help" : "--tls1.0                       "
42c953
+				"Disable TLS negotiation and force TLS1.0\n"
42c953
+				"                                        "
42c953
+				"This should only be used for devices that\n"
42c953
+				"                                        "
42c953
+				"do not support TLS1.1 and up.",
42c953
+		"required" : "0",
42c953
+		"shortdesc" : "Disable TLS negotiaton, force TLS 1.0",
42c953
 		"order" : 1},
42c953
 	"port" : {
42c953
 		"getopt" : "n:",
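Review bot: The new `shortdesc` for `tls1.0` misspells "negotiation" as "negotiaton", and since this string appears to be the source of the agent metadata, the same typo shows up in the `fence_ilo.xml` and `fence_ilo2.xml` hunks of this patch. The line should read `"shortdesc" : "Disable TLS negotiation, force TLS 1.0",`, with the two test metadata files updated to match. Because the option pins the session to a deprecated protocol version, the help text could also say that it is intended only for the affected iLO2 firmware, so operators do not enable it on devices that negotiate newer versions correctly. The `all_opt` dictionary starts and ends outside this hunk.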
42c953
@@ -995,6 +1007,8 @@ def fence_login(options, re_login_string=r"(login\s*: )|(Login Name:  )|(usernam
42c953
 
42c953
 			if options.has_key("--notls"):
42c953
 				gnutls_opts = "--priority \"NORMAL:-VERS-TLS1.2:-VERS-TLS1.1:-VERS-TLS1.0:+VERS-SSL3.0\""
42c953
+			elif options.has_key("--tls1.0"):
42c953
+				gnutls_opts = "--priority \"NORMAL:-VERS-TLS1.2:-VERS-TLS1.1:+VERS-TLS1.0:%LATEST_RECORD_VERSION\""
42c953
 
42c953
 			# --ssl is same as the --ssl-secure
42c953
 			if options.has_key("--ssl-insecure"):
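Review bot: When both `--notls` and `--tls1.0` are set, the `if`/`elif` order lets `--notls` win, so the connection is forced to SSL 3.0 even though the operator also asked for TLS 1.0. Either reject the combination or test the stronger protocol first, i.e. `if options.has_key("--tls1.0"):` followed by `elif options.has_key("--notls"):`, so a conflicting configuration never resolves to the weaker setting. A short comment above the new branch saying that the priority string pins the session to TLS 1.0 as a workaround for the iLO2 firmware named in the commit message would help whoever later removes it. `fence_login` starts and ends outside this hunk.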
42c953
diff --git a/tests/data/metadata/fence_ilo.xml b/tests/data/metadata/fence_ilo.xml
42c953
index 25d9d54..ae7fe9c 100644
42c953
--- a/tests/data/metadata/fence_ilo.xml
42c953
+++ b/tests/data/metadata/fence_ilo.xml
42c953
@@ -12,7 +12,7 @@
42c953
 	<parameter name="notls" unique="0" required="0">
42c953
 		<getopt mixed="-t, --notls" />
42c953
 		<content type="boolean"  />
42c953
-		<shortdesc lang="en">Disable TLS negotiation</shortdesc>
42c953
+		<shortdesc lang="en">Disable TLS negotiation, force SSL 3.0</shortdesc>
42c953
 	</parameter>
42c953
 	<parameter name="ribcl" unique="0" required="0">
42c953
 		<getopt mixed="-r, --ribcl-version=[version]" />
42c953
@@ -49,6 +49,11 @@
42c953
 		<content type="string"  />
42c953
 		<shortdesc lang="en">Script to retrieve password</shortdesc>
42c953
 	</parameter>
42c953
+	<parameter name="tls1.0" unique="0" required="0">
42c953
+		<getopt mixed="--tls1.0" />
42c953
+		<content type="boolean"  />
42c953
+		<shortdesc lang="en">Disable TLS negotiaton, force TLS 1.0</shortdesc>
42c953
+	</parameter>
42c953
 	<parameter name="passwd" unique="0" required="0">
42c953
 		<getopt mixed="-p, --password=[password]" />
42c953
 		<content type="string"  />
42c953
diff --git a/tests/data/metadata/fence_ilo2.xml b/tests/data/metadata/fence_ilo2.xml
42c953
index 47e8e28..19a31a1 100644
42c953
--- a/tests/data/metadata/fence_ilo2.xml
42c953
+++ b/tests/data/metadata/fence_ilo2.xml
42c953
@@ -12,7 +12,7 @@
42c953
 	<parameter name="notls" unique="0" required="0">
42c953
 		<getopt mixed="-t, --notls" />
42c953
 		<content type="boolean"  />
42c953
-		<shortdesc lang="en">Disable TLS negotiation</shortdesc>
42c953
+		<shortdesc lang="en">Disable TLS negotiation, force SSL 3.0</shortdesc>
42c953
 	</parameter>
42c953
 	<parameter name="ribcl" unique="0" required="0">
42c953
 		<getopt mixed="-r, --ribcl-version=[version]" />
42c953
@@ -49,6 +49,11 @@
42c953
 		<content type="string"  />
42c953
 		<shortdesc lang="en">Script to retrieve password</shortdesc>
42c953
 	</parameter>
42c953
+	<parameter name="tls1.0" unique="0" required="0">
42c953
+		<getopt mixed="--tls1.0" />
42c953
+		<content type="boolean"  />
42c953
+		<shortdesc lang="en">Disable TLS negotiaton, force TLS 1.0</shortdesc>
42c953
+	</parameter>
42c953
 	<parameter name="passwd" unique="0" required="0">
42c953
 		<getopt mixed="-p, --password=[password]" />
42c953
 		<content type="string"  />
-- 
1.9.3