summaryrefslogtreecommitdiffstats
path: root/rpc/rpc-transport/socket
diff options
context:
space:
mode:
authorJeff Darcy <jdarcy@redhat.com>2014-07-03 13:27:13 +0000
committerVijay Bellur <vbellur@redhat.com>2014-07-04 04:18:00 -0700
commit83c09b75a8fbc3a46fc0e76f805e061e949678f1 (patch)
tree75c91aef9f8af0aa2ea33e192ce6d029fb5c69e9 /rpc/rpc-transport/socket
parent9a50211cdb3d6decac140a31a035bd6e145f5f2f (diff)
socket: add certificate-depth and cipher-list options for SSL
Change-Id: I82757f8461807301a4a4f28c4f5bf7f0ee315113 BUG: 1114604 Signed-off-by: Jeff Darcy <jdarcy@redhat.com> Reviewed-on: http://review.gluster.org/8040 Tested-by: Gluster Build System <jenkins@build.gluster.com> Reviewed-by: Rajesh Joseph <rjoseph@redhat.com> Reviewed-by: Vijay Bellur <vbellur@redhat.com>
Diffstat (limited to 'rpc/rpc-transport/socket')
-rw-r--r--rpc/rpc-transport/socket/src/socket.c29
1 files changed, 26 insertions, 3 deletions
diff --git a/rpc/rpc-transport/socket/src/socket.c b/rpc/rpc-transport/socket/src/socket.c
index 61c9f60ff7f..ccef2f605cc 100644
--- a/rpc/rpc-transport/socket/src/socket.c
+++ b/rpc/rpc-transport/socket/src/socket.c
@@ -3480,6 +3480,9 @@ socket_init (rpc_transport_t *this)
uint32_t keepalive = 0;
uint32_t backlog = 0;
int session_id = 0;
+ int32_t cert_depth = 1;
+ char *cipher_list = "HIGH:-SSLv2";
+ int ret;
if (this->private) {
gf_log_callingfn (this->name, GF_LOG_ERROR,
@@ -3672,14 +3675,22 @@ socket_init (rpc_transport_t *this)
"using %s polling thread",
priv->own_thread ? "private" : "system");
+ if (!dict_get_int32 (this->options, "ssl-cert-depth", &cert_depth)) {
+ gf_log (this->name, GF_LOG_INFO,
+ "using certificate depth %d", cert_depth);
+ }
+ if (!dict_get_str (this->options, "ssl-cipher-list", &cipher_list)) {
+ gf_log (this->name, GF_LOG_INFO,
+ "using cipher list %s", cipher_list);
+ }
+
if (priv->use_ssl) {
SSL_library_init();
SSL_load_error_strings();
priv->ssl_meth = (SSL_METHOD *)TLSv1_method();
priv->ssl_ctx = SSL_CTX_new(priv->ssl_meth);
- if (SSL_CTX_set_cipher_list(priv->ssl_ctx,
- "HIGH:-SSLv2") == 0) {
+ if (SSL_CTX_set_cipher_list(priv->ssl_ctx, cipher_list) == 0) {
gf_log(this->name,GF_LOG_ERROR,
"failed to find any valid ciphers");
goto err;
@@ -3708,7 +3719,7 @@ socket_init (rpc_transport_t *this)
}
#if (OPENSSL_VERSION_NUMBER < 0x00905100L)
- SSL_CTX_set_verify_depth(ctx,1);
+ SSL_CTX_set_verify_depth(ctx,cert_depth);
#endif
priv->ssl_session_id = ++session_id;
@@ -3865,5 +3876,17 @@ struct volume_options options[] = {
{ .key = {OWN_THREAD_OPT},
.type = GF_OPTION_TYPE_BOOL
},
+ { .key = {"ssl-cert-depth"},
+ .type = GF_OPTION_TYPE_INT,
+ .description = "Maximum certificate-chain depth. If zero, the "
+ "peer's certificate itself must be in the local "
+ "certificate list. Otherwise, there may be up to N "
+ "signing certificates between the peer's and the "
+ "local list. Ignored if SSL is not enabled."
+ },
+ { .key = {"ssl-cipher-list"},
+ .type = GF_OPTION_TYPE_STR,
+ .description = "Allowed SSL ciphers Ignored if SSL is not enabled."
+ },
{ .key = {NULL} }
};