| author | Emmanuel Dreyfus <manu@netbsd.org> | 2015-08-05 17:19:29 +0200 | 
|---|---|---|
| committer | Kaleb KEITHLEY <kkeithle@redhat.com> | 2015-08-23 23:19:22 -0700 | 
| commit | 036ef63536d749b47b1c719bd92ff382ad75fb8b (patch) | |
| tree | f72595e3943dc9dfceaf109fa2e0f2f2e14059f9 /rpc/rpc-transport | |
| parent | 1626fb105c99ef623be3687f3f48d9247ab9b7c4 (diff) | |
SSL improvements: do not fail if certificate purpose is set
Since glusterfs shares the same settings for client-side
and server-side of SSL, we need to ignore any certificate
usage specification (SSL client vs SSL server), otherwise
SSL connexions will fail with 'unsupported certificate'
BUG: 1247152
Change-Id: I7ef60271718d2d894176515aa530ff106127bceb
Signed-off-by: Emmanuel Dreyfus <manu@netbsd.org>
Reviewed-on: http://review.gluster.org/11840
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Kaleb KEITHLEY <kkeithle@redhat.com>
Reviewed-by: Jeff Darcy <jdarcy@redhat.com>
Diffstat (limited to 'rpc/rpc-transport')
| -rw-r--r-- | rpc/rpc-transport/socket/src/socket.c | 8 | ||||
| -rw-r--r-- | rpc/rpc-transport/socket/src/socket.h | 1 | 
2 files changed, 9 insertions, 0 deletions
diff --git a/rpc/rpc-transport/socket/src/socket.c b/rpc/rpc-transport/socket/src/socket.c
index 52b3e4bebd4..b0b1b99db10 100644
--- a/rpc/rpc-transport/socket/src/socket.c
+++ b/rpc/rpc-transport/socket/src/socket.c
@@ -4110,6 +4110,14 @@ socket_init (rpc_transport_t *this)
 					       sizeof(priv->ssl_session_id));
 		SSL_CTX_set_verify(priv->ssl_ctx,SSL_VERIFY_PEER,0);
+
+                /*
+                 * Since glusterfs shares the same settings for client-side
+                 * and server-side of SSL, we need to ignore any certificate
+                 * usage specification (SSL client vs SSL server), otherwise
+                 * SSL connexions will fail with 'unsupported cerritifcate"
+                 */
+                SSL_CTX_set_purpose(priv->ssl_ctx, X509_PURPOSE_ANY);
 	}
         if (priv->own_thread) {
diff --git a/rpc/rpc-transport/socket/src/socket.h b/rpc/rpc-transport/socket/src/socket.h
index e30d2ece992..6fc845ac286 100644
--- a/rpc/rpc-transport/socket/src/socket.h
+++ b/rpc/rpc-transport/socket/src/socket.h
@@ -13,6 +13,7 @@
 #include <openssl/ssl.h>
 #include <openssl/err.h>
+#include <openssl/x509v3.h>
 #include "event.h"
 #include "rpc-transport.h"  | 
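Review bot: The new `SSL_CTX_set_purpose(priv->ssl_ctx, X509_PURPOSE_ANY);` call in socket_init relaxes peer verification more broadly than the comment above it says, and its return value is ignored. With `X509_PURPOSE_ANY`, the certificate-purpose check is skipped for every peer, so a certificate issued for an unrelated use (not only "SSL client" versus "SSL server") would presumably be accepted as long as it chains to the configured CA. The comment should state that trade-off, for example `/* NOTE: disables the certificate purpose check entirely; peer trust then rests on the CA chain and any name-based allow list. */`. `SSL_CTX_set_purpose` returns 1 on success, so a failure here would silently leave the default purpose check in place and the "unsupported certificate" error would come back; check the result and log it. socket_init starts and ends outside this hunk, so whether a later name or allow-list check narrows the accepted peers cannot be confirmed from here.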
