diff options
author | Emmanuel Dreyfus <manu@netbsd.org> | 2015-07-30 14:02:43 +0200 |
---|---|---|
committer | Kaleb KEITHLEY <kkeithle@redhat.com> | 2015-08-05 04:52:04 -0700 |
commit | ca5b466dcabc8432f68f2cf7a24fae770ad1c0cf (patch) | |
tree | cb4fa38309b164a05d714f1f56d94d1af85e8521 /xlators/mgmt/glusterd/src/glusterd-volume-set.c | |
parent | 998a63357cb186953d0eedf5a06bc4ac5594674d (diff) |
SSL improvements: ECDH, DH, CRL, and accessible options
- Introduce ssl.dh-param option to specify a file containinf DH parameters.
If it is provided, EDH ciphers are available.
- Introduce ssl.ec-curve option to specify an elliptic curve name. If
unspecified, ECDH ciphers are available using the prime256v1 curve.
- Introduce ssl.crl-path option to specify the directory where the
CRL hash file can be found. Setting to NULL disable CRL checking,
just like the default.
- Make all ssl.* options accessible through gluster volume set.
- In default cipher list, exclude weak ciphers instead of listing
the strong ones.
- Enforce server cipher preference.
- introduce RPC_SET_OPT macro to factor repetitive code in glusterd-volgen.c
- Add ssl-ciphers.t test to check all the features touched by this change.
Backport of I7bfd433df6bbf176f4a58e770e06bcdbe22a101a
Change-Id: I2947eabe76ae0487ecad52a60befb7de473fc90c
BUG: 1247153
Signed-off-by: Emmanuel Dreyfus <manu@netbsd.org>@
Reviewed-on: http://review.gluster.org/11763
Tested-by: NetBSD Build System <jenkins@build.gluster.org>
Reviewed-by: Jeff Darcy <jdarcy@redhat.com>
Diffstat (limited to 'xlators/mgmt/glusterd/src/glusterd-volume-set.c')
-rw-r--r-- | xlators/mgmt/glusterd/src/glusterd-volume-set.c | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/xlators/mgmt/glusterd/src/glusterd-volume-set.c b/xlators/mgmt/glusterd/src/glusterd-volume-set.c index ed60ac3cbcd..75c2e00c2d2 100644 --- a/xlators/mgmt/glusterd/src/glusterd-volume-set.c +++ b/xlators/mgmt/glusterd/src/glusterd-volume-set.c @@ -1082,6 +1082,26 @@ struct volopt_map_entry glusterd_volopt_map[] = { }, /* Generic transport options */ + { .key = SSL_OWN_CERT_OPT, + .voltype = "rpc-transport/socket", + .option = "!ssl-own-cert", + .op_version = GD_OP_VERSION_3_7_4, + }, + { .key = SSL_PRIVATE_KEY_OPT, + .voltype = "rpc-transport/socket", + .option = "!ssl-private-key", + .op_version = GD_OP_VERSION_3_7_4, + }, + { .key = SSL_CA_LIST_OPT, + .voltype = "rpc-transport/socket", + .option = "!ssl-ca-list", + .op_version = GD_OP_VERSION_3_7_4, + }, + { .key = SSL_CRL_PATH_OPT, + .voltype = "rpc-transport/socket", + .option = "!ssl-crl-path", + .op_version = GD_OP_VERSION_3_7_4, + }, { .key = SSL_CERT_DEPTH_OPT, .voltype = "rpc-transport/socket", .option = "!ssl-cert-depth", @@ -1092,6 +1112,16 @@ struct volopt_map_entry glusterd_volopt_map[] = { .option = "!ssl-cipher-list", .op_version = GD_OP_VERSION_3_6_0, }, + { .key = SSL_DH_PARAM_OPT, + .voltype = "rpc-transport/socket", + .option = "!ssl-dh-param", + .op_version = GD_OP_VERSION_3_7_4, + }, + { .key = SSL_EC_CURVE_OPT, + .voltype = "rpc-transport/socket", + .option = "!ssl-ec-curve", + .op_version = GD_OP_VERSION_3_7_4, + }, /* Performance xlators enable/disbable options */ { .key = "performance.write-behind", |