From 1c01d3cc11458cb9b08c172cefdb4f43986ab712 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Dec 15 2020 09:07:44 +0000
Subject: import pcs-0.9.169-3.el7_9.1
---
diff --git a/SOURCES/bz1870551-1-Explicitly-close-TCP-connections-after-use.patch b/SOURCES/bz1870551-1-Explicitly-close-TCP-connections-after-use.patch
new file mode 100644
index 0000000..a7e3747
--- /dev/null
+++ b/SOURCES/bz1870551-1-Explicitly-close-TCP-connections-after-use.patch
@@ -0,0 +1,29 @@
+From 4c1631fc239d2f0b8323b48e5fa95b0dc6f75f40 Mon Sep 17 00:00:00 2001
+From: Ondrej Mular
+Date: Wed, 7 Oct 2020 08:31:59 +0200
+Subject: [PATCH 1/2] Explicitly close TCP connections after use
+
+---
+ pcsd/pcs.rb | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/pcsd/pcs.rb b/pcsd/pcs.rb
+index 12eb3eb1..c59de37b 100644
+--- a/pcsd/pcs.rb
++++ b/pcsd/pcs.rb
+@@ -515,8 +515,11 @@ def send_request(
+ })
+ req.compose_header('Expect', '')
+ return_code = req.perform
++ response_code = req.response_code
++ response_body = req.response_body
++ req.cleanup
+ if return_code == :ok
+- return req.response_code, req.response_body
++ return response_code, response_body
+ else
+ if is_proxy_set(ENV)
+ $logger.warn(
+--
+2.21.0
+
diff --git a/SOURCES/bz1888479-1-add-support-for-loading-a-DH-key-from-a-file.patch b/SOURCES/bz1888479-1-add-support-for-loading-a-DH-key-from-a-file.patch
new file mode 100644
index 0000000..1ebb223
--- /dev/null
+++ b/SOURCES/bz1888479-1-add-support-for-loading-a-DH-key-from-a-file.patch
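Review bot: `req.cleanup` is reached only when `req.perform` returns; should perform (or a callback it drives) raise, the easy handle and its socket are still left open, which is the same CLOSE-WAIT leak this patch sets out to fix. Wrapping the perform and the two response reads in `begin … ensure req.cleanup end` releases the handle on both paths while still keeping the captured `response_code`/`response_body` for the `return`. The remainder of `send_request`, including the proxy-warning branch, lies outside the hunk.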
@@ -0,0 +1,97 @@
+From f3cd02e668f94c294d685edb24a051e2451589f1 Mon Sep 17 00:00:00 2001
+From: Tomas Jelinek
+Date: Fri, 23 Oct 2020 16:37:56 +0200
+Subject: [PATCH 2/2] add support for loading a DH key from a file
+
+---
+ pcsd/pcsd.conf | 6 +++++-
+ pcsd/rfc7919-ffdhe2048.pem | 8 ++++++++
+ pcsd/settings.rb | 1 +
+ pcsd/ssl.rb | 20 ++++++++++++++++++--
+ 4 files changed, 32 insertions(+), 3 deletions(-)
+ create mode 100644 pcsd/rfc7919-ffdhe2048.pem
+
+diff --git a/pcsd/pcsd.conf b/pcsd/pcsd.conf
+index 73d8b0ce..9f522353 100644
+--- a/pcsd/pcsd.conf
++++ b/pcsd/pcsd.conf
+@@ -31,7 +31,11 @@ PCSD_SESSION_LIFETIME=3600
+ # set SSL ciphers
+ #PCSD_SSL_CIPHERS='DEFAULT:!RC4:!3DES:@STRENGTH'
+
+-# set length (in bits) of DH key for key exchange
++# set a DH key for key exchange, this overrides PCSD_SSL_DH_KEX_BITS
++# set to an empty string to disable this option and generate a random DH key
++#PCSD_SSL_DH_KEX_FILE=/usr/lib/pcsd/rfc7919-ffdhe2048.pem
++
++# set length (in bits) of a DH key for key exchange
+ #PCSD_SSL_DH_KEX_BITS=1024
+
+ # Reject client initiated SSL/TLS renegotiation. Set this to true to make pcsd
+diff --git a/pcsd/rfc7919-ffdhe2048.pem b/pcsd/rfc7919-ffdhe2048.pem
+new file mode 100644
+index 00000000..9b182b72
+--- /dev/null
++++ b/pcsd/rfc7919-ffdhe2048.pem
+@@ -0,0 +1,8 @@
++-----BEGIN DH PARAMETERS-----
++MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
++87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
++YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
++7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
++ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
++-----END DH PARAMETERS-----
+diff --git a/pcsd/settings.rb b/pcsd/settings.rb
+index 3edc02b7..e7ff410d 100644
+--- a/pcsd/settings.rb
++++ b/pcsd/settings.rb
+@@ -6,6 +6,7 @@ PCSD_DEFAULT_PORT = 2224
+ CRT_FILE = PCSD_VAR_LOCATION + 'pcsd.crt'
+ KEY_FILE = PCSD_VAR_LOCATION + 'pcsd.key'
+ COOKIE_FILE = PCSD_VAR_LOCATION + 'pcsd.cookiesecret'
++DH_KEY_FILE = PCSD_EXEC_LOCATION + 'rfc7919-ffdhe2048.pem'
+
+ PENGINE = "/usr/libexec/pacemaker/pengine"
+ CIB_BINARY = '/usr/libexec/pacemaker/cib'
+diff --git a/pcsd/ssl.rb b/pcsd/ssl.rb
+index de356e46..5acbac37 100644
+--- a/pcsd/ssl.rb
++++ b/pcsd/ssl.rb
+@@ -157,7 +157,23 @@ dh_key_bits = 0
+ if ENV['PCSD_SSL_DH_KEX_BITS']
+ dh_key_bits = Integer(ENV['PCSD_SSL_DH_KEX_BITS']) rescue 0
+ end
+-if dh_key_bits > 0
++dh_key_file = DH_KEY_FILE
++if ENV['PCSD_SSL_DH_KEX_FILE']
++ dh_key_file = ENV['PCSD_SSL_DH_KEX_FILE']
++end
++
++dh_key = nil
++if not dh_key_file.empty?()
++ $logger.info "Using '#{dh_key_file}' as a DH key..."
++ begin
++ dh_key = OpenSSL::PKey::DH.new(File.read(dh_key_file))
++ dh_key.generate_key!
++ $logger.info "DH key loaded"
++ rescue => e
++ $logger.error "Unable to read DH key file: #{e}"
++ exit 1
++ end
++elsif dh_key_bits > 0
+ $logger.info "Generating #{dh_key_bits}bits long DH key..."
+ dh_key = OpenSSL::PKey::DH.generate(dh_key_bits) + $logger.info "DH key created" +@@ -187,7 +203,7 @@ webrick_options = { + :SSLCertName => [[ "CN", server_name ]], + :SSLOptions => get_ssl_options(), + } +-if dh_key_bits > 0 ++if not dh_key.nil?() + webrick_options[:SSLTmpDhCallback] = lambda {|ctx, is_export, keylen| dh_key } + end + +-- +2.21.0 + diff --git a/SPECS/pcs.spec b/SPECS/pcs.spec index d6d54f1..357a3f8 100644 --- a/SPECS/pcs.spec +++ b/SPECS/pcs.spec @@ -1,6 +1,6 @@ Name: pcs Version: 0.9.169 -Release: 3%{?dist} +Release: 3%{?dist}.1 License: GPLv2 URL: https://github.com/ClusterLabs/pcs Group: System Environment/Base @@ -64,6 +64,8 @@ Patch99: bz1459503-01-OSP-workarounds-not-compatible-wi.patch Patch100: change-cman-to-rhel6-in-messages.patch Patch101: show-only-warning-when-crm_mon-xml-is-invalid.patch Patch102: bz1820813-01-use-subprocess32-instead-of-subprocess.patch +Patch103: bz1870551-1-Explicitly-close-TCP-connections-after-use.patch +Patch104: bz1888479-1-add-support-for-loading-a-DH-key-from-a-file.patch # git for patches BuildRequires: git @@ -200,6 +202,8 @@ UpdateTimestamps -p1 %{PATCH99} UpdateTimestamps -p1 %{PATCH100} UpdateTimestamps -p1 %{PATCH101} UpdateTimestamps -p1 %{PATCH102} +UpdateTimestamps -p1 %{PATCH103} +UpdateTimestamps -p1 %{PATCH104} cp -f %SOURCE1 pcsd/public/images @@ -512,6 +516,12 @@ run_all_tests %doc pyagentx_README.md %changelog +* Fri Nov 13 2020 Ivan Devat - 0.9.169-3.el7_3.1 +- Explicitly close libcurl connections to prevent stalled TCP connections in CLOSE-WAIT state +- Added support for loading DH keys from a file +- Resolves: rhbz#1870551 rhbz#1888479 + + * Tue Jun 18 2020 Ivan Devat - 0.9.169-3 - Added option: pcs resource [safe-]disable --simulate` has a new option `--brief` to print only a list of affected resources - Fixed race-condition when removing multiple resources from web UI
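Review bot: The DH parameters read from `PCSD_SSL_DH_KEX_FILE` in the ssl.rb hunk are used without any check on their size, so a misconfigured path pointing at a small group silently weakens every TLS key exchange; logging the bit length and refusing short parameters would make the choice auditable, e.g. `bits = dh_key.p.num_bits` followed by `raise "DH parameters too short (#{bits} bits)" if bits < 2048` inside the existing `begin` block, where the `rescue => e` already turns it into a logged `exit 1`. Note also that `dh_key.generate_key!` attaches one fixed key pair to the single object the `SSLTmpDhCallback` lambda hands to every handshake; whether OpenSSL derives a fresh exponent per connection depends on the linked OpenSSL build (recent 1.0.2 releases behave as if SSL_OP_SINGLE_DH_USE were always set, older ones may reuse the pair), so a comment at the callback recording that assumption would help the next reader. Style: `if not dh_key_file.empty?()` and `if not dh_key.nil?()` read better as `unless dh_key_file.empty?` and `if dh_key`. The ssl.rb code before `dh_key_bits = 0` and after the webrick_options hash lies outside the hunk.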