summaryrefslogtreecommitdiffstats
path: root/rpc/rpc-transport/socket
diff options
context:
space:
mode:
authorMohit Agrawal <moagrawa@redhat.com>2018-03-14 09:37:52 +0530
committerJeff Darcy <jeff@pl.atyp.us>2018-03-19 19:00:03 +0000
commitcf06dd544004701ef43fa81c5b7a95353d5c1d65 (patch)
tree7f52598cb402269c781d020686886bf28c481232 /rpc/rpc-transport/socket
parentde52876407040a8cae9656ede9f66084d4cb45ac (diff)
glusterd: TLS verification fails while using intermediate CA
Problem: TLS verification fails while using intermediate CA if mgmt SSL is enabled. Solution: There are two main issue of TLS verification failing 1) not calling ssl_api to set cert_depth 2) The current code does not allow to set certificate depth while MGMT SSL is enabled. After apply this patch to set certificate depth user need to set parameter option transport.socket.ssl-cert-depth <depth> in /var/lib/glusterd/secure_acccess instead to set in /etc/glusterfs/glusterd.vol. At the time of set secure_mgmt in ctx we will check the value of cert-depth and save the value of cert-depth in ctx.If user does not provide any value in cert-depth in that case it will consider default value is 1 BUG: 1555154 Change-Id: I89e9a9e1026e37efb5c20f9ec62b1989ef644f35 Signed-off-by: Mohit Agrawal <moagrawa@redhat.com>
Diffstat (limited to 'rpc/rpc-transport/socket')
-rw-r--r--rpc/rpc-transport/socket/src/socket.c12
1 files changed, 8 insertions, 4 deletions
diff --git a/rpc/rpc-transport/socket/src/socket.c b/rpc/rpc-transport/socket/src/socket.c
index e05b6f88799..a3917040069 100644
--- a/rpc/rpc-transport/socket/src/socket.c
+++ b/rpc/rpc-transport/socket/src/socket.c
@@ -4489,7 +4489,13 @@ socket_init (rpc_transport_t *this)
"using %s polling thread",
priv->own_thread ? "private" : "system");
- if (!dict_get_int32 (this->options, SSL_CERT_DEPTH_OPT, &cert_depth)) {
+ if (!priv->mgmt_ssl) {
+ if (!dict_get_int32 (this->options, SSL_CERT_DEPTH_OPT, &cert_depth)) {
+ gf_log (this->name, GF_LOG_INFO,
+ "using certificate depth %d", cert_depth);
+ }
+ } else {
+ cert_depth = this->ctx->ssl_cert_depth;
gf_log (this->name, GF_LOG_INFO,
"using certificate depth %d", cert_depth);
}
@@ -4628,9 +4634,7 @@ socket_init (rpc_transport_t *this)
goto err;
}
-#if (OPENSSL_VERSION_NUMBER < 0x00905100L)
- SSL_CTX_set_verify_depth(ctx, cert_depth);
-#endif
+ SSL_CTX_set_verify_depth(priv->ssl_ctx, cert_depth);
if (crl_path) {
#ifdef X509_V_FLAG_CRL_CHECK_ALL