|
 |
9f5ccc |
From 2b859d1a5499a215c8c37472d4fc7d7e4d70dac6 Mon Sep 17 00:00:00 2001
|
|
|
9f5ccc |
From: Mohit Agrawal <moagrawal@redhat.com>
|
|
|
9f5ccc |
Date: Tue, 31 Mar 2020 16:45:35 +0530
|
|
|
9f5ccc |
Subject: [PATCH 360/362] rpc: Make ssl log more useful
|
|
|
9f5ccc |
|
|
|
9f5ccc |
Currently, ssl_setup_connection_params throws 4 messages for every
|
|
|
9f5ccc |
rpc connection that irritates a user while reading the logs. The same
|
|
|
9f5ccc |
info we can print in a single log with peerinfo to make it more
|
|
|
9f5ccc |
useful.ssl_setup_connection_params try to load dh_param even user
|
|
|
9f5ccc |
has not configured it and if a dh_param file is not available it throws
|
|
|
9f5ccc |
a failure message.To avoid the message load dh_param only while the user
|
|
|
9f5ccc |
has configured it.
|
|
|
9f5ccc |
|
|
|
9f5ccc |
> Change-Id: I9ddb57f86a3fa3e519180cb5d88828e59fe0e487
|
|
|
9f5ccc |
> Fixes: #1141
|
|
|
9f5ccc |
> Signed-off-by: Mohit Agrawal <moagrawal@redhat.com>
|
|
|
9f5ccc |
> Cherry pick from commit 80dd8cceab3b860bf1bc2945c8e2d8d0b3913e48
|
|
|
9f5ccc |
> Reviewed on upstream link https://review.gluster.org/#/c/glusterfs/+/24270/
|
|
|
9f5ccc |
|
|
|
9f5ccc |
BUG: 1812824
|
|
|
9f5ccc |
Change-Id: I9ddb57f86a3fa3e519180cb5d88828e59fe0e487
|
|
|
9f5ccc |
Signed-off-by: Mohit Agrawal <moagrawa@redhat.com>
|
|
|
9f5ccc |
Reviewed-on: https://code.engineering.redhat.com/gerrit/196371
|
|
|
9f5ccc |
Tested-by: RHGS Build Bot <nigelb@redhat.com>
|
|
|
9f5ccc |
Reviewed-by: Sunil Kumar Heggodu Gopala Acharya <sheggodu@redhat.com>
|
|
|
9f5ccc |
---
|
|
|
9f5ccc |
rpc/rpc-transport/socket/src/socket.c | 46 ++++++++++++++++++++---------------
|
|
|
9f5ccc |
1 file changed, 26 insertions(+), 20 deletions(-)
|
|
|
9f5ccc |
|
|
|
9f5ccc |
diff --git a/rpc/rpc-transport/socket/src/socket.c b/rpc/rpc-transport/socket/src/socket.c
|
|
|
9f5ccc |
index f54ca83..65845ea 100644
|
|
|
9f5ccc |
--- a/rpc/rpc-transport/socket/src/socket.c
|
|
|
9f5ccc |
+++ b/rpc/rpc-transport/socket/src/socket.c
|
|
|
9f5ccc |
@@ -4240,6 +4240,7 @@ ssl_setup_connection_params(rpc_transport_t *this)
|
|
|
9f5ccc |
char *cipher_list = DEFAULT_CIPHER_LIST;
|
|
|
9f5ccc |
char *dh_param = DEFAULT_DH_PARAM;
|
|
|
9f5ccc |
char *ec_curve = DEFAULT_EC_CURVE;
|
|
|
9f5ccc |
+ gf_boolean_t dh_flag = _gf_false;
|
|
|
9f5ccc |
|
|
|
9f5ccc |
priv = this->private;
|
|
|
9f5ccc |
|
|
|
9f5ccc |
@@ -4248,6 +4249,10 @@ ssl_setup_connection_params(rpc_transport_t *this)
|
|
|
9f5ccc |
return 0;
|
|
|
9f5ccc |
}
|
|
|
9f5ccc |
|
|
|
9f5ccc |
+ if (!priv->ssl_enabled && !priv->mgmt_ssl) {
|
|
|
9f5ccc |
+ return 0;
|
|
|
9f5ccc |
+ }
|
|
|
9f5ccc |
+
|
|
|
9f5ccc |
priv->ssl_own_cert = DEFAULT_CERT_PATH;
|
|
|
9f5ccc |
if (dict_get_str(this->options, SSL_OWN_CERT_OPT, &optstr) == 0) {
|
|
|
9f5ccc |
if (!priv->ssl_enabled) {
|
|
|
9f5ccc |
@@ -4294,27 +4299,25 @@ ssl_setup_connection_params(rpc_transport_t *this)
|
|
|
9f5ccc |
priv->crl_path = gf_strdup(optstr);
|
|
|
9f5ccc |
}
|
|
|
9f5ccc |
|
|
|
9f5ccc |
- gf_log(this->name, priv->ssl_enabled ? GF_LOG_INFO : GF_LOG_DEBUG,
|
|
|
9f5ccc |
- "SSL support on the I/O path is %s",
|
|
|
9f5ccc |
- priv->ssl_enabled ? "ENABLED" : "NOT enabled");
|
|
|
9f5ccc |
- gf_log(this->name, priv->mgmt_ssl ? GF_LOG_INFO : GF_LOG_DEBUG,
|
|
|
9f5ccc |
- "SSL support for glusterd is %s",
|
|
|
9f5ccc |
- priv->mgmt_ssl ? "ENABLED" : "NOT enabled");
|
|
|
9f5ccc |
-
|
|
|
9f5ccc |
if (!priv->mgmt_ssl) {
|
|
|
9f5ccc |
- if (!dict_get_int32(this->options, SSL_CERT_DEPTH_OPT, &cert_depth)) {
|
|
|
9f5ccc |
- gf_log(this->name, GF_LOG_INFO, "using certificate depth %d",
|
|
|
9f5ccc |
- cert_depth);
|
|
|
9f5ccc |
+ if (!dict_get_int32_sizen(this->options, SSL_CERT_DEPTH_OPT,
|
|
|
9f5ccc |
+ &cert_depth)) {
|
|
|
9f5ccc |
}
|
|
|
9f5ccc |
} else {
|
|
|
9f5ccc |
cert_depth = this->ctx->ssl_cert_depth;
|
|
|
9f5ccc |
- gf_log(this->name, GF_LOG_INFO, "using certificate depth %d",
|
|
|
9f5ccc |
- cert_depth);
|
|
|
9f5ccc |
}
|
|
|
9f5ccc |
- if (!dict_get_str(this->options, SSL_CIPHER_LIST_OPT, &cipher_list)) {
|
|
|
9f5ccc |
+ gf_log(this->name, priv->ssl_enabled ? GF_LOG_INFO : GF_LOG_DEBUG,
|
|
|
9f5ccc |
+ "SSL support for MGMT is %s IO path is %s certificate depth is %d "
|
|
|
9f5ccc |
+ "for peer %s",
|
|
|
9f5ccc |
+ (priv->mgmt_ssl ? "ENABLED" : "NOT enabled"),
|
|
|
9f5ccc |
+ (priv->ssl_enabled ? "ENABLED" : "NOT enabled"), cert_depth,
|
|
|
9f5ccc |
+ this->peerinfo.identifier);
|
|
|
9f5ccc |
+
|
|
|
9f5ccc |
+ if (!dict_get_str_sizen(this->options, SSL_CIPHER_LIST_OPT, &cipher_list)) {
|
|
|
9f5ccc |
gf_log(this->name, GF_LOG_INFO, "using cipher list %s", cipher_list);
|
|
|
9f5ccc |
}
|
|
|
9f5ccc |
- if (!dict_get_str(this->options, SSL_DH_PARAM_OPT, &dh_param)) {
|
|
|
9f5ccc |
+ if (!dict_get_str_sizen(this->options, SSL_DH_PARAM_OPT, &dh_param)) {
|
|
|
9f5ccc |
+ dh_flag = _gf_true;
|
|
|
9f5ccc |
gf_log(this->name, GF_LOG_INFO, "using DH parameters %s", dh_param);
|
|
|
9f5ccc |
}
|
|
|
9f5ccc |
if (!dict_get_str(this->options, SSL_EC_CURVE_OPT, &ec_curve)) {
|
|
|
9f5ccc |
@@ -4349,12 +4352,15 @@ ssl_setup_connection_params(rpc_transport_t *this)
|
|
|
9f5ccc |
#ifdef SSL_OP_NO_COMPRESSION
|
|
|
9f5ccc |
SSL_CTX_set_options(priv->ssl_ctx, SSL_OP_NO_COMPRESSION);
|
|
|
9f5ccc |
#endif
|
|
|
9f5ccc |
-
|
|
|
9f5ccc |
- if ((bio = BIO_new_file(dh_param, "r")) == NULL) {
|
|
|
9f5ccc |
- gf_log(this->name, GF_LOG_INFO,
|
|
|
9f5ccc |
- "failed to open %s, "
|
|
|
9f5ccc |
- "DH ciphers are disabled",
|
|
|
9f5ccc |
- dh_param);
|
|
|
9f5ccc |
+ /* Upload file to bio wrapper only if dh param is configured
|
|
|
9f5ccc |
+ */
|
|
|
9f5ccc |
+ if (dh_flag) {
|
|
|
9f5ccc |
+ if ((bio = BIO_new_file(dh_param, "r")) == NULL) {
|
|
|
9f5ccc |
+ gf_log(this->name, GF_LOG_ERROR,
|
|
|
9f5ccc |
+ "failed to open %s, "
|
|
|
9f5ccc |
+ "DH ciphers are disabled",
|
|
|
9f5ccc |
+ dh_param);
|
|
|
9f5ccc |
+ }
|
|
|
9f5ccc |
}
|
|
|
9f5ccc |
|
|
|
9f5ccc |
if (bio != NULL) {
|
|
|
9f5ccc |
--
|
|
|
9f5ccc |
1.8.3.1
|
|
|
9f5ccc |
|