| author | Emmanuel Dreyfus <manu@netbsd.org> | 2015-07-30 14:02:43 +0200 |
|---|---|---|
| committer | Kaleb KEITHLEY <kkeithle@redhat.com> | 2015-08-05 04:52:04 -0700 |
| commit | ca5b466dcabc8432f68f2cf7a24fae770ad1c0cf (patch) | |
| tree | cb4fa38309b164a05d714f1f56d94d1af85e8521 /tests/features/openssl.cnf.in | |
| parent | 998a63357cb186953d0eedf5a06bc4ac5594674d (diff) | |
SSL improvements: ECDH, DH, CRL, and accessible options
- Introduce ssl.dh-param option to specify a file containing DH parameters.
  If it is provided, EDH ciphers are available.
- Introduce ssl.ec-curve option to specify an elliptic curve name. If
unspecified, ECDH ciphers are available using the prime256v1 curve.
- Introduce ssl.crl-path option to specify the directory where the
  CRL hash file can be found. Setting to NULL disables CRL checking,
  just like the default.
- Make all ssl.* options accessible through gluster volume set.
- In default cipher list, exclude weak ciphers instead of listing
the strong ones.
- Enforce server cipher preference.
- Introduce RPC_SET_OPT macro to factor repetitive code in glusterd-volgen.c
- Add ssl-ciphers.t test to check all the features touched by this change.
Backport of I7bfd433df6bbf176f4a58e770e06bcdbe22a101a
Change-Id: I2947eabe76ae0487ecad52a60befb7de473fc90c
BUG: 1247153
Signed-off-by: Emmanuel Dreyfus <manu@netbsd.org>
Reviewed-on: http://review.gluster.org/11763
Tested-by: NetBSD Build System <jenkins@build.gluster.org>
Reviewed-by: Jeff Darcy <jdarcy@redhat.com>
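The options the commit introduces (ssl.dh-param, ssl.crl-path, an exclusion-style cipher list) need artifacts that the commit message does not show how to build. The script below is an added example, not GlusterFS code and not the in-tree ssl-ciphers.t test: using only the openssl CLI it creates a throwaway CA, issues and revokes a client certificate, publishes the CRL under the hashed-directory name that an OpenSSL directory lookup matches, writes DH parameters, and counts what survives an exclusion-style cipher string. The CA config, the CN names, the choice of the RFC 7919 ffdhe2048 group and the cipher string are this example's own assumptions; no gluster command is run because that needs a live volume.

```shell
#!/bin/sh
# Added example (not GlusterFS code): build the files that a CRL directory option
# such as ssl.crl-path and a DH-parameter option such as ssl.dh-param consume,
# using only the openssl CLI. Every path, name and cipher string below is a
# construction for this demo.
set -eu

# Minimal CA config modelled on tests/features/openssl.cnf.in (constructed here).
# Spelling matters: OpenSSL ignores unknown keys, so a misspelt unique_subject
# silently keeps the default (yes) and re-issuing for the same CN then fails.
write_ca_config() {  # $1 = work dir
  cat > "$1/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = CA:true
subjectKeyIdentifier = hash
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_days = 365
default_crl_days = 30
default_md = sha256
unique_subject = no
policy = policy_cn
[ policy_cn ]
commonName = supplied
EOF
  mkdir -p "$1/newcerts" "$1/crl"
  : > "$1/index.txt"
  echo 01 > "$1/serial"
  echo 01 > "$1/crlnumber"
}

# Self-signed CA (created once) and a client cert for CN=$2 signed by it.
issue_client_cert() {  # $1 = work dir, $2 = client CN
  [ -f "$1/ca.crt" ] || openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -config "$1/openssl.cnf" -subj "/CN=demo-ca" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$1/openssl.cnf" \
    -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl ca -batch -notext -config "$1/openssl.cnf" \
    -in "$1/$2.csr" -out "$1/$2.crt" 2>/dev/null
}

# Optionally revoke a cert, then (re)issue the CRL and install it under the
# hash-directory name <issuer-hash>.r0; the CA cert goes in as <subject-hash>.0
# so one directory serves both trust-anchor and CRL lookup.
publish_crl() {  # $1 = work dir, $2 = cert to revoke, or "" for none
  [ -z "$2" ] || openssl ca -config "$1/openssl.cnf" -revoke "$2" 2>/dev/null
  openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl/crl.pem" 2>/dev/null
  ln -sf crl.pem "$1/crl/$(openssl crl -in "$1/crl/crl.pem" -noout -hash).r0"
  ln -sf ../ca.crt "$1/crl/$(openssl x509 -in "$1/ca.crt" -noout -hash).0"
}

# 0 iff the cert chains to the CA and is not listed in the CRL found via the
# hash directory (the check a CRL-aware TLS server applies to a client cert).
check_cert() {  # $1 = work dir, $2 = cert file
  openssl verify -CAfile "$1/ca.crt" -CApath "$1/crl" -crl_check "$2" 2>&1 |
    grep -q ': OK$'
}

# DH parameters for the dh-param file: prefer the RFC 7919 ffdhe2048 group
# (no custom prime to generate); fall back to generating a 2048-bit safe prime.
make_dh_params() {  # $1 = output file
  openssl genpkey -genparam -algorithm DH -pkeyopt group:ffdhe2048 -out "$1" 2>/dev/null ||
    openssl genpkey -genparam -algorithm DH -pkeyopt dh_param:ffdhe2048 -out "$1" 2>/dev/null ||
    openssl dhparam -out "$1" 2048 2>/dev/null
  openssl dhparam -in "$1" -noout -text | grep -q '2048 bit'
}

# Exclusion-style cipher string (illustrative, not the list the commit ships):
# start from everything and strip the weak classes. Prints how many survivors
# still carry a weak-cipher token; the point of the style is that this is 0.
weak_cipher_count() {
  openssl ciphers 'ALL:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!RC4:!DES:!3DES' |
    tr ':' '\n' | grep -c -E 'NULL|EXP-|RC4|MD5|DES' || true
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
write_ca_config "$WORK"
issue_client_cert "$WORK" client1
publish_crl "$WORK" ""
check_cert "$WORK" "$WORK/client1.crt" || { echo "fresh cert rejected?"; exit 1; }
echo "client1: accepted with an empty CRL"
publish_crl "$WORK" "$WORK/client1.crt"
if check_cert "$WORK" "$WORK/client1.crt"; then echo "revoked cert accepted?"; exit 1; fi
echo "client1: rejected once listed in $(ls "$WORK/crl" | grep '\.r0$')"
make_dh_params "$WORK/dh.pem" && echo "dh.pem: 2048-bit parameters written"
echo "weak ciphers surviving the exclusion list: $(weak_cipher_count)"
```

The crl directory is laid out the way an OpenSSL hash-directory lookup expects (`<hash>.r0` for the CRL, `<hash>.0` for the CA cert), which is what a directory-valued option like ssl.crl-path can be pointed at, and dh.pem is the kind of file ssl.dh-param names; the values would be set with the standard `gluster volume set VOLNAME ssl.crl-path DIR` form, whose exact value syntax this page does not show. Two caveats a deployment needs: the `.r0` link must be regenerated whenever the CA name changes, and the CRL must be reissued before default_crl_days elapses, because with CRL checking enabled an expired CRL makes every client cert fail verification, not just the revoked ones.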
Diffstat (limited to 'tests/features/openssl.cnf.in')
| -rw-r--r-- | tests/features/openssl.cnf.in | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/tests/features/openssl.cnf.in b/tests/features/openssl.cnf.in new file mode 100644 index 00000000000..1fce34b11b9 --- /dev/null +++ b/tests/features/openssl.cnf.in @@ -0,0 +1,41 @@ +[ req ] +distinguished_name = req_distinguished_name +x509_extensions = v3_ca +[ req_distinguished_name ] +commonName = Common Name +commonName_max = 64 +[ v3_ca ] +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always +basicConstraints = CA:true +[ ca ] +default_ca = CA_default +[ CA_default ] +dir = @TMPDIR@ +certs = $dir/certs +crl_dir = $dir/crl +database = $dir/index.txt +unique_subjecta = no +new_certs_dir = $dir/newcerts +certificate = $dir/ca.crt +serial = $dir/serial +crl = $dir/crl.pem +private_key = $dir/self.key +x509_extensions = usr_cert +name_opt = ca_default +cert_opt = ca_default +default_days = 365 +default_crl_days = 30 +crl_extensions = crl_ext +default_md = sha256 +preserve = no +policy = policy_test +[ policy_test ] +commonName = supplied +[ usr_cert ] +basicConstraints = CA:FALSE +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer:always +crlDistributionPoints = URI:file://@TMPDIR@/crl.pem +[ crl_ext ] +authorityKeyIdentifier = keyid:always,issuer:always |
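Review bot: `unique_subjecta = no` in the `[ CA_default ]` section is a typo for `unique_subject`; `openssl ca` does not reject unknown keys in its config section, so the line is silently ignored and the default (`unique_subject = yes`) applies, which makes a second signing for a CN that already has a valid entry in `index.txt` fail with "There is already a certificate for ...". Change it to `unique_subject = no`. Minor: `crl_dir = $dir/crl` is declared but nothing else in the file uses it, while `crl = $dir/crl.pem` and the `crlDistributionPoints` URI both point at `$dir/crl.pem`; a one-line comment saying which of the two the test hands to ssl.crl-path would spare the next reader a trip into ssl-ciphers.t.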
