-rw-r--r--api/src/glfs-mgmt.c1
-rw-r--r--cli/src/cli.c1
-rw-r--r--glusterfsd/src/glusterfsd-mgmt.c2
-rw-r--r--glusterfsd/src/glusterfsd.c1
-rw-r--r--heal/src/glfs-heal.c1
-rw-r--r--libglusterfs/src/glusterfs.h6
-rw-r--r--libglusterfs/src/graph.c42
-rw-r--r--libglusterfs/src/libglusterfs.sym3
-rw-r--r--rpc/rpc-transport/socket/src/socket.c12
-rw-r--r--xlators/mgmt/glusterd/src/glusterd-handler.c3
10 files changed, 66 insertions, 6 deletions
diff --git a/api/src/glfs-mgmt.c b/api/src/glfs-mgmt.c
index f709b54..229caa9 100644
--- a/api/src/glfs-mgmt.c
+++ b/api/src/glfs-mgmt.c
@@ -1040,6 +1040,7 @@ glfs_mgmt_init (struct glfs *fs)
if (sys_access (SECURE_ACCESS_FILE, F_OK) == 0) {
ctx->secure_mgmt = 1;
+ ctx->ssl_cert_depth = glusterfs_read_secure_access_file ();
}
rpc = rpc_clnt_new (options, THIS, THIS->name, 8);
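Review bot: The added assignment on the line after `ctx->secure_mgmt = 1` is the same two-line pattern repeated in cli.c, glusterfsd-mgmt.c, glusterfsd.c, glfs-heal.c and glusterd-handler.c, so each caller now independently re-opens and re-parses SECURE_ACCESS_FILE and any later change to how the depth is derived has six places to touch. A single helper that both sets `secure_mgmt` and populates `ssl_cert_depth` (or a `glusterfs_read_secure_access_file()` that takes the ctx) would keep them in step. In glusterd-handler.c the call sits inside glusterd_friend_rpc_create, which from its name appears to run once per peer, so the file is re-read on every peer RPC creation; caching the value in the ctx at startup would avoid that. The enclosing `if` of this hunk and of the glusterfsd-mgmt.c hunk start outside the visible lines.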
diff --git a/cli/src/cli.c b/cli/src/cli.c
index 930182c..b58f211 100644
--- a/cli/src/cli.c
+++ b/cli/src/cli.c
@@ -439,6 +439,7 @@ parse_cmdline (int argc, char *argv[], struct cli_state *state)
/* Do this first so that an option can override. */
if (sys_access (SECURE_ACCESS_FILE, F_OK) == 0) {
state->ctx->secure_mgmt = 1;
+ state->ctx->ssl_cert_depth = glusterfs_read_secure_access_file ();
}
if (state->argc > GEO_REP_CMD_CONFIG_INDEX &&
diff --git a/glusterfsd/src/glusterfsd-mgmt.c b/glusterfsd/src/glusterfsd-mgmt.c
index bf55a07..d2b3949 100644
--- a/glusterfsd/src/glusterfsd-mgmt.c
+++ b/glusterfsd/src/glusterfsd-mgmt.c
@@ -2650,6 +2650,8 @@ glusterfs_mgmt_init (glusterfs_ctx_t *ctx)
goto out;
}
+
+ ctx->ssl_cert_depth = glusterfs_read_secure_access_file ();
}
rpc = rpc_clnt_new (options, THIS, THIS->name, 8);
diff --git a/glusterfsd/src/glusterfsd.c b/glusterfsd/src/glusterfsd.c
index 0cc46c7..ef06ddf 100644
--- a/glusterfsd/src/glusterfsd.c
+++ b/glusterfsd/src/glusterfsd.c
@@ -1951,6 +1951,7 @@ parse_cmdline (int argc, char *argv[], glusterfs_ctx_t *ctx)
/* Do this before argp_parse so it can be overridden. */
if (sys_access (SECURE_ACCESS_FILE, F_OK) == 0) {
cmd_args->secure_mgmt = 1;
+ ctx->ssl_cert_depth = glusterfs_read_secure_access_file ();
}
argp_parse (&argp, argc, argv, ARGP_IN_ORDER, NULL, cmd_args);
diff --git a/heal/src/glfs-heal.c b/heal/src/glfs-heal.c
index 10d00e6..e86c76c 100644
--- a/heal/src/glfs-heal.c
+++ b/heal/src/glfs-heal.c
@@ -1661,6 +1661,7 @@ main (int argc, char **argv)
if (sys_access(SECURE_ACCESS_FILE, F_OK) == 0) {
fs->ctx->secure_mgmt = 1;
+ fs->ctx->ssl_cert_depth = glusterfs_read_secure_access_file ();
}
ret = glfs_set_volfile_server (fs, "unix", DEFAULT_GLUSTERD_SOCKFILE, 0);
diff --git a/libglusterfs/src/glusterfs.h b/libglusterfs/src/glusterfs.h
index 6b0df53..250d8e6 100644
--- a/libglusterfs/src/glusterfs.h
+++ b/libglusterfs/src/glusterfs.h
@@ -593,6 +593,11 @@ struct _glusterfs_ctx {
*/
int secure_mgmt;
+ /* The option is use to set cert_depth while management connection
+ use SSL
+ */
+ int ssl_cert_depth;
+
/*
* Should *our* server/inbound connections use SSL? This is only true
* if we're glusterd and secure_mgmt is set, or if we're glusterfsd
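Review bot: The comment on the new `ssl_cert_depth` field is ungrammatical and does not say where the value comes from or what an unset value means. Suggested replacement: `/* Certificate verification depth used for SSL management connections; filled from SECURE_ACCESS_FILE by glusterfs_read_secure_access_file(). */`. Whether the ctx is zero-initialised is not visible here; if it is, a process that never runs the reader leaves this at 0, which is a different depth from the reader's own default of 1, and the comment should state which value consumers may assume.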
@@ -700,4 +705,5 @@ int glusterfs_graph_parent_up (glusterfs_graph_t *graph);
void
gf_free_mig_locks (lock_migration_info_t *locks);
+int glusterfs_read_secure_access_file (void);
#endif /* _GLUSTERFS_H */
diff --git a/libglusterfs/src/graph.c b/libglusterfs/src/graph.c
index db80e21..d36cf7b 100644
--- a/libglusterfs/src/graph.c
+++ b/libglusterfs/src/graph.c
@@ -16,7 +16,7 @@
#include "defaults.h"
#include <unistd.h>
#include "syscall.h"
-
+#include <regex.h>
#include "libglusterfs-messages.h"
#if 0
@@ -68,7 +68,47 @@ _gf_dump_details (int argc, char **argv)
}
#endif
+int
+glusterfs_read_secure_access_file (void)
+{
+ FILE *fp = NULL;
+ char line[100] = {0,};
+ int cert_depth = 1; /* Default SSL CERT DEPTH */
+ regex_t regcmpl;
+ char *key = {"^option transport.socket.ssl-cert-depth"};
+ char keyval[50] = {0,};
+ int start = 0, end = 0, copy_len = 0;
+ regmatch_t result[1] = {{0} };
+
+ fp = fopen (SECURE_ACCESS_FILE, "r");
+ if (!fp)
+ goto out;
+ /* Check if any line matches with key */
+ while (fgets(line, sizeof(line), fp) != NULL) {
+ if (regcomp (&regcmpl, key, REG_EXTENDED)) {
+ goto out;
+ }
+ if (!regexec (&regcmpl, line, 1, result, 0)) {
+ start = result[0].rm_so;
+ end = result[0].rm_eo;
+ copy_len = end - start;
+ strcpy (keyval, line+copy_len);
+ if (keyval[0]) {
+ cert_depth = atoi(keyval);
+ if (cert_depth == 0)
+ cert_depth = 1; /* Default SSL CERT DEPTH */
+ break;
+ }
+ }
+ regfree(&regcmpl);
+ }
+
+out:
+ if (fp)
+ fclose (fp);
+ return cert_depth;
+}
int
glusterfs_xlator_link (xlator_t *pxl, xlator_t *cxl)
diff --git a/libglusterfs/src/libglusterfs.sym b/libglusterfs/src/libglusterfs.sym
index df97a7f..6340bc8 100644
--- a/libglusterfs/src/libglusterfs.sym
+++ b/libglusterfs/src/libglusterfs.sym
@@ -733,6 +733,7 @@ glusterfs_graph_deactivate
glusterfs_graph_destroy
glusterfs_graph_destroy_residual
glusterfs_graph_prepare
+glusterfs_read_secure_access_file
glusterfs_graph_print_file
glusterfs_graph_set_first
glusterfs_is_local_pathinfo
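Review bot: `glusterfs_read_secure_access_file` is inserted in the middle of the sorted run of `glusterfs_graph_*` symbols, between `glusterfs_graph_prepare` and `glusterfs_graph_print_file`. The surrounding entries appear to be kept in alphabetical order, so the new symbol belongs after `glusterfs_is_local_pathinfo` (or the next correctly ordered slot beyond the visible lines).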
@@ -1107,4 +1108,4 @@ use_spinlocks
dump_options
glusterfs_leaseid_buf_get
gf_replace_old_iatt_in_dict
-gf_replace_new_iatt_in_dict \ No newline at end of file
+gf_replace_new_iatt_in_dict
diff --git a/rpc/rpc-transport/socket/src/socket.c b/rpc/rpc-transport/socket/src/socket.c
index e05b6f8..a391704 100644
--- a/rpc/rpc-transport/socket/src/socket.c
+++ b/rpc/rpc-transport/socket/src/socket.c
@@ -4489,7 +4489,13 @@ socket_init (rpc_transport_t *this)
"using %s polling thread",
priv->own_thread ? "private" : "system");
- if (!dict_get_int32 (this->options, SSL_CERT_DEPTH_OPT, &cert_depth)) {
+ if (!priv->mgmt_ssl) {
+ if (!dict_get_int32 (this->options, SSL_CERT_DEPTH_OPT, &cert_depth)) {
+ gf_log (this->name, GF_LOG_INFO,
+ "using certificate depth %d", cert_depth);
+ }
+ } else {
+ cert_depth = this->ctx->ssl_cert_depth;
gf_log (this->name, GF_LOG_INFO,
"using certificate depth %d", cert_depth);
}
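Review bot: In the `else` branch `cert_depth` is taken from `this->ctx->ssl_cert_depth` without checking that it was ever set; nothing in this hunk guarantees that a process with `priv->mgmt_ssl` set has run glusterfs_read_secure_access_file, and an unset (presumably zero) field is then passed straight to SSL_CTX_set_verify_depth in the second hunk, which limits verification to the leaf certificate. Keeping the function's existing default when the ctx value is not positive avoids that: `if (this->ctx->ssl_cert_depth > 0) cert_depth = this->ctx->ssl_cert_depth;`. The "using certificate depth" log is now emitted identically from both branches and can be hoisted to a single call after the `if`/`else`. socket_init and the initialisation of `cert_depth` lie outside the hunk.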
@@ -4628,9 +4634,7 @@ socket_init (rpc_transport_t *this)
goto err;
}
-#if (OPENSSL_VERSION_NUMBER < 0x00905100L)
- SSL_CTX_set_verify_depth(ctx, cert_depth);
-#endif
+ SSL_CTX_set_verify_depth(priv->ssl_ctx, cert_depth);
if (crl_path) {
#ifdef X509_V_FLAG_CRL_CHECK_ALL
diff --git a/xlators/mgmt/glusterd/src/glusterd-handler.c b/xlators/mgmt/glusterd/src/glusterd-handler.c
index 2505fcf..26115a2 100644
--- a/xlators/mgmt/glusterd/src/glusterd-handler.c
+++ b/xlators/mgmt/glusterd/src/glusterd-handler.c
@@ -3475,6 +3475,9 @@ glusterd_friend_rpc_create (xlator_t *this, glusterd_peerinfo_t *peerinfo,
"failed to set ssl-enabled in dict");
goto out;
}
+
+ this->ctx->ssl_cert_depth = glusterfs_read_secure_access_file ();
+
}
ret = glusterd_rpc_create (&peerinfo->rpc, options,