authorJeff Darcy <jdarcy@redhat.com>2014-07-03 13:27:13 +0000
committerVijay Bellur <vbellur@redhat.com>2014-07-04 04:18:00 -0700
commit83c09b75a8fbc3a46fc0e76f805e061e949678f1 (patch)
tree75c91aef9f8af0aa2ea33e192ce6d029fb5c69e9 /rpc
parent9a50211cdb3d6decac140a31a035bd6e145f5f2f (diff)
socket: add certificate-depth and cipher-list options for SSL
Change-Id: I82757f8461807301a4a4f28c4f5bf7f0ee315113 BUG: 1114604 Signed-off-by: Jeff Darcy <jdarcy@redhat.com> Reviewed-on: http://review.gluster.org/8040 Tested-by: Gluster Build System <jenkins@build.gluster.com> Reviewed-by: Rajesh Joseph <rjoseph@redhat.com> Reviewed-by: Vijay Bellur <vbellur@redhat.com>
Diffstat (limited to 'rpc')
-rw-r--r--rpc/rpc-transport/socket/src/socket.c29
1 files changed, 26 insertions, 3 deletions
diff --git a/rpc/rpc-transport/socket/src/socket.c b/rpc/rpc-transport/socket/src/socket.c
index 61c9f60ff7f..ccef2f605cc 100644
--- a/rpc/rpc-transport/socket/src/socket.c
+++ b/rpc/rpc-transport/socket/src/socket.c
@@ -3480,6 +3480,9 @@ socket_init (rpc_transport_t *this)
uint32_t keepalive = 0;
uint32_t backlog = 0;
int session_id = 0;
+ int32_t cert_depth = 1;
+ char *cipher_list = "HIGH:-SSLv2";
+ int ret;
if (this->private) {
gf_log_callingfn (this->name, GF_LOG_ERROR,
@@ -3672,14 +3675,22 @@ socket_init (rpc_transport_t *this)
"using %s polling thread",
priv->own_thread ? "private" : "system");
+ if (!dict_get_int32 (this->options, "ssl-cert-depth", &cert_depth)) {
+ gf_log (this->name, GF_LOG_INFO,
+ "using certificate depth %d", cert_depth);
+ }
+ if (!dict_get_str (this->options, "ssl-cipher-list", &cipher_list)) {
+ gf_log (this->name, GF_LOG_INFO,
+ "using cipher list %s", cipher_list);
+ }
+
if (priv->use_ssl) {
SSL_library_init();
SSL_load_error_strings();
priv->ssl_meth = (SSL_METHOD *)TLSv1_method();
priv->ssl_ctx = SSL_CTX_new(priv->ssl_meth);
- if (SSL_CTX_set_cipher_list(priv->ssl_ctx,
- "HIGH:-SSLv2") == 0) {
+ if (SSL_CTX_set_cipher_list(priv->ssl_ctx, cipher_list) == 0) {
gf_log(this->name,GF_LOG_ERROR,
"failed to find any valid ciphers");
goto err;
@@ -3708,7 +3719,7 @@ socket_init (rpc_transport_t *this)
}
#if (OPENSSL_VERSION_NUMBER < 0x00905100L)
- SSL_CTX_set_verify_depth(ctx,1);
+ SSL_CTX_set_verify_depth(ctx,cert_depth);
#endif
priv->ssl_session_id = ++session_id;
@@ -3865,5 +3876,17 @@ struct volume_options options[] = {
{ .key = {OWN_THREAD_OPT},
.type = GF_OPTION_TYPE_BOOL
},
+ { .key = {"ssl-cert-depth"},
+ .type = GF_OPTION_TYPE_INT,
+ .description = "Maximum certificate-chain depth. If zero, the "
+ "peer's certificate itself must be in the local "
+ "certificate list. Otherwise, there may be up to N "
+ "signing certificates between the peer's and the "
+ "local list. Ignored if SSL is not enabled."
+ },
+ { .key = {"ssl-cipher-list"},
+ .type = GF_OPTION_TYPE_STR,
+ .description = "Allowed SSL ciphers Ignored if SSL is not enabled."
+ },
{ .key = {NULL} }
};
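Review bot: The new cert_depth value only reaches `SSL_CTX_set_verify_depth(ctx,cert_depth)` inside the `#if (OPENSSL_VERSION_NUMBER < 0x00905100L)` guard in the third hunk, so on any OpenSSL build newer than 0.9.5a the `ssl-cert-depth` option is parsed and logged at INFO but never applied, and the chain-depth limit the option description promises stays at OpenSSL's default. Applying it unconditionally right after the cipher-list check in the second hunk, `SSL_CTX_set_verify_depth(priv->ssl_ctx, cert_depth);`, would make the option effective on current builds; whether `ctx` in the guarded line is the same object as `priv->ssl_ctx` cannot be seen in the hunk. The value is also taken from the dict without a range check, so a negative depth is passed straight through; a guard such as `if (cert_depth < 0) { gf_log(this->name, GF_LOG_ERROR, "invalid ssl-cert-depth %d", cert_depth); goto err; }` before the SSL block would reject it. The option description in the last hunk reads `"Allowed SSL ciphers Ignored if SSL is not enabled."` and appears to be missing the period after "ciphers". socket_init and the options[] table both start outside the visible hunks.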