From 9a6bb12b2c8aaf9d30d0d228bf0b4d93e06e1153 Mon Sep 17 00:00:00 2001 From: Marek 'marx' Grac Date: Wed, 25 Mar 2015 18:22:08 +0100 Subject: [PATCH 4/5] fence_ilo: Add support for TLS1.0 HP iLO2 firmware 2.27 has broken implementation of TLS and SSLv3 is disabled by default. gnutls (3.4.x) has support to disable proper negotiation and use only TLS1.0 that works well. Option --tls1.0 (tls1.0 on stdin) was added to enable this feature and fence_ilo(2) works correctly also with this firmware. Resolves: rhbz#1199970 --- fence/agents/ilo/fence_ilo.py | 2 +- fence/agents/lib/fencing.py.py | 16 +++++++++++++++- tests/data/metadata/fence_ilo.xml | 7 ++++++- tests/data/metadata/fence_ilo2.xml | 7 ++++++- 4 files changed, 28 insertions(+), 4 deletions(-) diff --git a/fence/agents/ilo/fence_ilo.py b/fence/agents/ilo/fence_ilo.py index 965aabf..047040b 100644 --- a/fence/agents/ilo/fence_ilo.py +++ b/fence/agents/ilo/fence_ilo.py @@ -65,7 +65,7 @@ def define_new_opts(): "order" : 1} def main(): - device_opt = ["ipaddr", "login", "passwd", "ssl", "notls", "ribcl"] + device_opt = ["ipaddr", "login", "passwd", "ssl", "notls", "tls1.0", "ribcl"] atexit.register(atexit_handler) diff --git a/fence/agents/lib/fencing.py.py b/fence/agents/lib/fencing.py.py index 7209d5e..f893082 100644 --- a/fence/agents/lib/fencing.py.py +++ b/fence/agents/lib/fencing.py.py @@ -203,7 +203,19 @@ all_opt = { " " "This should only be used for devices that do not support TLS1.0 and up.", "required" : "0", - "shortdesc" : "Disable TLS negotiation", + "shortdesc" : "Disable TLS negotiation, force SSL 3.0", + "order" : 1}, + "tls1.0" : { + "getopt" : "", + "longopt" : "tls1.0", + "help" : "--tls1.0 " + "Disable TLS negotiation and force TLS1.0\n" + " " + "This should only be used for devices that\n" + " " + "do not support TLS1.1 and up.", + "required" : "0", + "shortdesc" : "Disable TLS negotiaton, force TLS 1.0", "order" : 1}, "port" : { "getopt" : "n:", 
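Review bot: The new `tls1.0` entry's shortdesc misspells "negotiation" (`"shortdesc" : "Disable TLS negotiaton, force TLS 1.0"`), and since this string is emitted into the agent metadata the typo is also baked into the tests/data/metadata/fence_ilo.xml and fence_ilo2.xml expectations in this same patch; it should read `"shortdesc" : "Disable TLS negotiation, force TLS 1.0"` with both XML files updated to match. The help text says when the option applies but not what it costs: forcing TLS 1.0 is a deliberate protocol downgrade, so I would add one more padded line to the help string such as `"Forcing TLS 1.0 weakens the connection; use only for firmware that cannot negotiate TLS 1.1 or later."`, formatted like the surrounding multi-piece help strings. The `all_opt` dictionary begins and ends outside this hunk.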
@@ -995,6 +1007,8 @@ def fence_login(options, re_login_string=r"(login\s*: )|(Login Name: )|(usernam if options.has_key("--notls"): gnutls_opts = "--priority \"NORMAL:-VERS-TLS1.2:-VERS-TLS1.1:-VERS-TLS1.0:+VERS-SSL3.0\"" + elif options.has_key("--tls1.0"): + gnutls_opts = "--priority \"NORMAL:-VERS-TLS1.2:-VERS-TLS1.1:+VERS-TLS1.0:%LATEST_RECORD_VERSION\"" # --ssl is same as the --ssl-secure if options.has_key("--ssl-insecure"): diff --git a/tests/data/metadata/fence_ilo.xml b/tests/data/metadata/fence_ilo.xml index 25d9d54..ae7fe9c 100644 --- a/tests/data/metadata/fence_ilo.xml +++ b/tests/data/metadata/fence_ilo.xml @@ -12,7 +12,7 @@ - Disable TLS negotiation + Disable TLS negotiation, force SSL 3.0 @@ -49,6 +49,11 @@ Script to retrieve password + + + + Disable TLS negotiaton, force TLS 1.0 + diff --git a/tests/data/metadata/fence_ilo2.xml b/tests/data/metadata/fence_ilo2.xml index 47e8e28..19a31a1 100644 --- a/tests/data/metadata/fence_ilo2.xml +++ b/tests/data/metadata/fence_ilo2.xml @@ -12,7 +12,7 @@ - Disable TLS negotiation + Disable TLS negotiation, force SSL 3.0 @@ -49,6 +49,11 @@ Script to retrieve password + + + + Disable TLS negotiaton, force TLS 1.0 + -- 1.9.3
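Review bot: The priority string in the new `elif` branch disables TLS 1.2 and TLS 1.1 but never excludes SSL 3.0, so on a GnuTLS build whose NORMAL set still includes SSL 3.0 (the commit message only says 3.4.x disables it by default) `gnutls-cli` could fall back to SSL 3.0 instead of being pinned to TLS 1.0; the `--notls` string just above shows the explicit style, so I would write `gnutls_opts = "--priority \"NORMAL:-VERS-TLS1.2:-VERS-TLS1.1:-VERS-SSL3.0:+VERS-TLS1.0:%LATEST_RECORD_VERSION\""`. A smaller point: when both `--notls` and `--tls1.0` are supplied the `elif` silently lets `--notls` win, which is the weaker of the two; either reject that combination during option validation or state the precedence in both options' help text. `fence_login` begins and ends outside this hunk.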