From 9a6bb12b2c8aaf9d30d0d228bf0b4d93e06e1153 Mon Sep 17 00:00:00 2001
From: Marek 'marx' Grac <mgrac@redhat.com>
Date: Wed, 25 Mar 2015 18:22:08 +0100
Subject: [PATCH 4/5] fence_ilo: Add support for TLS1.0

HP iLO2 firmware 2.27 has a broken implementation of TLS, and SSLv3 is disabled by default.
gnutls (3.4.x) has support to disable proper negotiation and use only TLS1.0 that works well.

Option --tls1.0 (tls1.0 on stdin) was added to enable this feature and fence_ilo(2) works
correctly also with this firmware.

Resolves: rhbz#1199970
---
 fence/agents/ilo/fence_ilo.py      |  2 +-
 fence/agents/lib/fencing.py.py     | 16 +++++++++++++++-
 tests/data/metadata/fence_ilo.xml  |  7 ++++++-
 tests/data/metadata/fence_ilo2.xml |  7 ++++++-
 4 files changed, 28 insertions(+), 4 deletions(-)

diff --git a/fence/agents/ilo/fence_ilo.py b/fence/agents/ilo/fence_ilo.py
index 965aabf..047040b 100644
--- a/fence/agents/ilo/fence_ilo.py
+++ b/fence/agents/ilo/fence_ilo.py
@@ -65,7 +65,7 @@ def define_new_opts():
 		"order" : 1}
 
 def main():
-	device_opt = ["ipaddr", "login", "passwd", "ssl", "notls", "ribcl"]
+	device_opt = ["ipaddr", "login", "passwd", "ssl", "notls", "tls1.0", "ribcl"]
 
 	atexit.register(atexit_handler)
 
diff --git a/fence/agents/lib/fencing.py.py b/fence/agents/lib/fencing.py.py
index 7209d5e..f893082 100644
--- a/fence/agents/lib/fencing.py.py
+++ b/fence/agents/lib/fencing.py.py
@@ -203,7 +203,19 @@ all_opt = {
 				"                                        "
 				"This should only be used for devices that do not support TLS1.0 and up.",
 		"required" : "0",
-		"shortdesc" : "Disable TLS negotiation",
+		"shortdesc" : "Disable TLS negotiation, force SSL 3.0",
+		"order" : 1},
+	"tls1.0" : {
+		"getopt" : "",
+		"longopt" : "tls1.0",
+		"help" : "--tls1.0                       "
+				"Disable TLS negotiation and force TLS1.0\n"
+				"                                        "
+				"This should only be used for devices that\n"
+				"                                        "
+				"do not support TLS1.1 and up.",
+		"required" : "0",
+		"shortdesc" : "Disable TLS negotiaton, force TLS 1.0",
 		"order" : 1},
 	"port" : {
 		"getopt" : "n:",
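Review bot: The new option's `"shortdesc"` line misspells "negotiation" as "negotiaton", and because the metadata under tests/data/metadata appears to be generated from this text, the same typo lands in the two XML hunks (fence_ilo.xml and fence_ilo2.xml); the line should read `"shortdesc" : "Disable TLS negotiation, force TLS 1.0",`. The context lines show --notls documented for devices that do not support TLS1.0 and up, while the new --tls1.0 targets devices that do not support TLS1.1 and up, so the two flags are never meaningful together; saying so in the help text (e.g. a trailing sentence "Mutually exclusive with --notls.") would save users from combining them. The all_opt dictionary begins and ends outside this hunk.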
@@ -995,6 +1007,8 @@ def fence_login(options, re_login_string=r"(login\s*: )|(Login Name:  )|(usernam
 
 			if options.has_key("--notls"):
 				gnutls_opts = "--priority \"NORMAL:-VERS-TLS1.2:-VERS-TLS1.1:-VERS-TLS1.0:+VERS-SSL3.0\""
+			elif options.has_key("--tls1.0"):
+				gnutls_opts = "--priority \"NORMAL:-VERS-TLS1.2:-VERS-TLS1.1:+VERS-TLS1.0:%LATEST_RECORD_VERSION\""
 
 			# --ssl is same as the --ssl-secure
 			if options.has_key("--ssl-insecure"):
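Review bot: When a caller passes both --notls and --tls1.0, the added `elif` makes --notls win silently, so the session drops to SSL 3.0 even though the stronger TLS 1.0 was also requested. Both flags are deliberate downgrades, so the combination is almost certainly a configuration mistake and is better rejected where options are validated (outside this hunk) or at least logged; until then a comment on the new branch, `# --notls takes precedence over --tls1.0; both together fall back to SSL 3.0`, records the precedence. The new priority string only subtracts the versions it names, so with a gnutls newer than the 3.4.x the commit message mentions, any later TLS version enabled by NORMAL would presumably remain negotiable rather than being forced down to 1.0 — likely harmless for this firmware, but worth a note beside the string. fence_login's body starts and ends outside this hunk.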
diff --git a/tests/data/metadata/fence_ilo.xml b/tests/data/metadata/fence_ilo.xml
index 25d9d54..ae7fe9c 100644
--- a/tests/data/metadata/fence_ilo.xml
+++ b/tests/data/metadata/fence_ilo.xml
@@ -12,7 +12,7 @@
 	<parameter name="notls" unique="0" required="0">
 		<getopt mixed="-t, --notls" />
 		<content type="boolean"  />
-		<shortdesc lang="en">Disable TLS negotiation</shortdesc>
+		<shortdesc lang="en">Disable TLS negotiation, force SSL 3.0</shortdesc>
 	</parameter>
 	<parameter name="ribcl" unique="0" required="0">
 		<getopt mixed="-r, --ribcl-version=[version]" />
@@ -49,6 +49,11 @@
 		<content type="string"  />
 		<shortdesc lang="en">Script to retrieve password</shortdesc>
 	</parameter>
+	<parameter name="tls1.0" unique="0" required="0">
+		<getopt mixed="--tls1.0" />
+		<content type="boolean"  />
+		<shortdesc lang="en">Disable TLS negotiaton, force TLS 1.0</shortdesc>
+	</parameter>
 	<parameter name="passwd" unique="0" required="0">
 		<getopt mixed="-p, --password=[password]" />
 		<content type="string"  />
diff --git a/tests/data/metadata/fence_ilo2.xml b/tests/data/metadata/fence_ilo2.xml
index 47e8e28..19a31a1 100644
--- a/tests/data/metadata/fence_ilo2.xml
+++ b/tests/data/metadata/fence_ilo2.xml
@@ -12,7 +12,7 @@
 	<parameter name="notls" unique="0" required="0">
 		<getopt mixed="-t, --notls" />
 		<content type="boolean"  />
-		<shortdesc lang="en">Disable TLS negotiation</shortdesc>
+		<shortdesc lang="en">Disable TLS negotiation, force SSL 3.0</shortdesc>
 	</parameter>
 	<parameter name="ribcl" unique="0" required="0">
 		<getopt mixed="-r, --ribcl-version=[version]" />
@@ -49,6 +49,11 @@
 		<content type="string"  />
 		<shortdesc lang="en">Script to retrieve password</shortdesc>
 	</parameter>
+	<parameter name="tls1.0" unique="0" required="0">
+		<getopt mixed="--tls1.0" />
+		<content type="boolean"  />
+		<shortdesc lang="en">Disable TLS negotiaton, force TLS 1.0</shortdesc>
+	</parameter>
 	<parameter name="passwd" unique="0" required="0">
 		<getopt mixed="-p, --password=[password]" />
 		<content type="string"  />
-- 
1.9.3