| -rw-r--r-- | api/src/glfs-mgmt.c | 1 | ||||
| -rw-r--r-- | cli/src/cli.c | 1 | ||||
| -rw-r--r-- | glusterfsd/src/glusterfsd-mgmt.c | 2 | ||||
| -rw-r--r-- | glusterfsd/src/glusterfsd.c | 1 | ||||
| -rw-r--r-- | heal/src/glfs-heal.c | 1 | ||||
| -rw-r--r-- | libglusterfs/src/glusterfs.h | 6 | ||||
| -rw-r--r-- | libglusterfs/src/graph.c | 42 | ||||
| -rw-r--r-- | libglusterfs/src/libglusterfs.sym | 3 | ||||
| -rw-r--r-- | rpc/rpc-transport/socket/src/socket.c | 12 | ||||
| -rw-r--r-- | xlators/mgmt/glusterd/src/glusterd-handler.c | 3 | 
10 files changed, 66 insertions, 6 deletions
diff --git a/api/src/glfs-mgmt.c b/api/src/glfs-mgmt.c
index f709b54d49e..229caa98777 100644
--- a/api/src/glfs-mgmt.c
+++ b/api/src/glfs-mgmt.c
@@ -1040,6 +1040,7 @@ glfs_mgmt_init (struct glfs *fs)
         if (sys_access (SECURE_ACCESS_FILE, F_OK) == 0) {
                 ctx->secure_mgmt = 1;
+                ctx->ssl_cert_depth = glusterfs_read_secure_access_file ();
         }
 	rpc = rpc_clnt_new (options, THIS, THIS->name, 8);
diff --git a/cli/src/cli.c b/cli/src/cli.c
index 930182c65b7..b58f211d3dd 100644
--- a/cli/src/cli.c
+++ b/cli/src/cli.c
@@ -439,6 +439,7 @@ parse_cmdline (int argc, char *argv[], struct cli_state *state)
         /* Do this first so that an option can override. */
         if (sys_access (SECURE_ACCESS_FILE, F_OK) == 0) {
                 state->ctx->secure_mgmt = 1;
+                state->ctx->ssl_cert_depth = glusterfs_read_secure_access_file ();
         }
         if (state->argc > GEO_REP_CMD_CONFIG_INDEX &&
diff --git a/glusterfsd/src/glusterfsd-mgmt.c b/glusterfsd/src/glusterfsd-mgmt.c
index bf55a0770b4..d2b39494e51 100644
--- a/glusterfsd/src/glusterfsd-mgmt.c
+++ b/glusterfsd/src/glusterfsd-mgmt.c
@@ -2650,6 +2650,8 @@ glusterfs_mgmt_init (glusterfs_ctx_t *ctx)
                         goto out;
                 }
+
+                ctx->ssl_cert_depth = glusterfs_read_secure_access_file ();
         }
         rpc = rpc_clnt_new (options, THIS, THIS->name, 8);
diff --git a/glusterfsd/src/glusterfsd.c b/glusterfsd/src/glusterfsd.c
index 0cc46c78943..ef06ddfed31 100644
--- a/glusterfsd/src/glusterfsd.c
+++ b/glusterfsd/src/glusterfsd.c
@@ -1951,6 +1951,7 @@ parse_cmdline (int argc, char *argv[], glusterfs_ctx_t *ctx)
         /* Do this before argp_parse so it can be overridden. */
         if (sys_access (SECURE_ACCESS_FILE, F_OK) == 0) {
                 cmd_args->secure_mgmt = 1;
+                ctx->ssl_cert_depth = glusterfs_read_secure_access_file ();
         }
         argp_parse (&argp, argc, argv, ARGP_IN_ORDER, NULL, cmd_args);
diff --git a/heal/src/glfs-heal.c b/heal/src/glfs-heal.c
index 10d00e6d737..e86c76cde49 100644
--- a/heal/src/glfs-heal.c
+++ b/heal/src/glfs-heal.c
@@ -1661,6 +1661,7 @@ main (int argc, char **argv)
         if (sys_access(SECURE_ACCESS_FILE, F_OK) == 0) {
                 fs->ctx->secure_mgmt = 1;
+                fs->ctx->ssl_cert_depth = glusterfs_read_secure_access_file ();
         }
         ret = glfs_set_volfile_server (fs, "unix", DEFAULT_GLUSTERD_SOCKFILE, 0);
diff --git a/libglusterfs/src/glusterfs.h b/libglusterfs/src/glusterfs.h
index 6b0df533e69..250d8e69a4f 100644
--- a/libglusterfs/src/glusterfs.h
+++ b/libglusterfs/src/glusterfs.h
@@ -593,6 +593,11 @@ struct _glusterfs_ctx {
          */
         int                secure_mgmt;
+        /* The option is use to set cert_depth while management connection
+           use SSL
+         */
+        int                ssl_cert_depth;
+
         /*
          * Should *our* server/inbound connections use SSL?  This is only true
          * if we're glusterd and secure_mgmt is set, or if we're glusterfsd
@@ -700,4 +705,5 @@ int glusterfs_graph_parent_up (glusterfs_graph_t *graph);
 void
 gf_free_mig_locks (lock_migration_info_t *locks);
+int glusterfs_read_secure_access_file (void);
 #endif /* _GLUSTERFS_H */
diff --git a/libglusterfs/src/graph.c b/libglusterfs/src/graph.c
index db80e21272a..d36cf7b3da5 100644
--- a/libglusterfs/src/graph.c
+++ b/libglusterfs/src/graph.c
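Review bot: The new comment on `ssl_cert_depth` in struct _glusterfs_ctx (glusterfs.h hunk) does not say where the value comes from or what an unset field means, and its wording is ungrammatical. Something like `/* Certificate verification depth for SSL management connections; set from SECURE_ACCESS_FILE by glusterfs_read_secure_access_file(), 0 until that has run. */` tells socket.c readers why a zero has to be treated as "use the default". The struct definition continues outside the hunk.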
@@ -16,7 +16,7 @@
 #include "defaults.h"
 #include <unistd.h>
 #include "syscall.h"
-
+#include <regex.h>
 #include "libglusterfs-messages.h"
 #if 0
@@ -68,7 +68,47 @@ _gf_dump_details (int argc, char **argv)
 }
 #endif
+int
+glusterfs_read_secure_access_file (void)
+{
+        FILE *fp = NULL;
+        char  line[100] = {0,};
+        int   cert_depth = 1;   /* Default SSL CERT DEPTH */
+        regex_t regcmpl;
+        char *key = {"^option transport.socket.ssl-cert-depth"};
+        char  keyval[50] = {0,};
+        int start = 0, end = 0, copy_len = 0;
+        regmatch_t result[1] = {{0} };
+
+        fp = fopen (SECURE_ACCESS_FILE, "r");
+        if (!fp)
+                goto out;
+        /* Check if any line matches with key */
+        while (fgets(line, sizeof(line), fp) != NULL) {
+                if (regcomp (®cmpl, key, REG_EXTENDED)) {
+                        goto out;
+                }
+                if (!regexec (®cmpl, line, 1, result, 0)) {
+                        start = result[0].rm_so;
+                        end  = result[0].rm_eo;
+                        copy_len = end - start;
+                        strcpy (keyval, line+copy_len);
+                        if (keyval[0]) {
+                                cert_depth = atoi(keyval);
+                                if (cert_depth == 0)
+                                        cert_depth = 1; /* Default SSL CERT DEPTH */
+                                break;
+                        }
+                }
+                regfree(®cmpl);
+        }
+
+out:
+        if (fp)
+                fclose (fp);
+        return cert_depth;
+}
 int
 glusterfs_xlator_link (xlator_t *pxl, xlator_t *cxl)
diff --git a/libglusterfs/src/libglusterfs.sym b/libglusterfs/src/libglusterfs.sym
index df97a7fd89a..6340bc8a3a2 100644
--- a/libglusterfs/src/libglusterfs.sym
+++ b/libglusterfs/src/libglusterfs.sym
@@ -733,6 +733,7 @@ glusterfs_graph_deactivate
 glusterfs_graph_destroy
 glusterfs_graph_destroy_residual
 glusterfs_graph_prepare
+glusterfs_read_secure_access_file
 glusterfs_graph_print_file
 glusterfs_graph_set_first
 glusterfs_is_local_pathinfo
@@ -1107,4 +1108,4 @@ use_spinlocks
 dump_options
 glusterfs_leaseid_buf_get
 gf_replace_old_iatt_in_dict
-gf_replace_new_iatt_in_dict
\ No newline at end of file
+gf_replace_new_iatt_in_dict
diff --git a/rpc/rpc-transport/socket/src/socket.c b/rpc/rpc-transport/socket/src/socket.c
index e05b6f88799..a3917040069 100644
--- a/rpc/rpc-transport/socket/src/socket.c
+++ b/rpc/rpc-transport/socket/src/socket.c
@@ -4489,7 +4489,13 @@ socket_init (rpc_transport_t *this)
                "using %s polling thread",
                priv->own_thread ? "private" : "system");
-        if (!dict_get_int32 (this->options, SSL_CERT_DEPTH_OPT, &cert_depth)) {
+        if (!priv->mgmt_ssl) {
+                if (!dict_get_int32 (this->options, SSL_CERT_DEPTH_OPT, &cert_depth)) {
+                        gf_log (this->name, GF_LOG_INFO,
+                                "using certificate depth %d", cert_depth);
+                }
+        } else {
+                cert_depth = this->ctx->ssl_cert_depth;
                 gf_log (this->name, GF_LOG_INFO,
                         "using certificate depth %d", cert_depth);
         }
@@ -4628,9 +4634,7 @@ socket_init (rpc_transport_t *this)
                         goto err;
                 }
-#if (OPENSSL_VERSION_NUMBER < 0x00905100L)
-                SSL_CTX_set_verify_depth(ctx, cert_depth);
-#endif
+                SSL_CTX_set_verify_depth(priv->ssl_ctx, cert_depth);
                 if (crl_path) {
 #ifdef X509_V_FLAG_CRL_CHECK_ALL
diff --git a/xlators/mgmt/glusterd/src/glusterd-handler.c b/xlators/mgmt/glusterd/src/glusterd-handler.c
index 2505fcff4de..26115a26b35 100644
--- a/xlators/mgmt/glusterd/src/glusterd-handler.c
+++ b/xlators/mgmt/glusterd/src/glusterd-handler.c
@@ -3475,6 +3475,9 @@ glusterd_friend_rpc_create (xlator_t *this, glusterd_peerinfo_t *peerinfo,
                                 "failed to set ssl-enabled in dict");
                         goto out;
                 }
+
+                this->ctx->ssl_cert_depth = glusterfs_read_secure_access_file ();
+
         }
         ret = glusterd_rpc_create (&peerinfo->rpc, options,  | 
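Review bot: In the mgmt_ssl branch of socket_init, `cert_depth = this->ctx->ssl_cert_depth;` replaces whatever `cert_depth` held before unconditionally, so a process in which glusterfs_read_secure_access_file was never called (the field is only populated on the client and glusterd-handler paths this commit touches, as far as the hunks show) ends up configuring a verify depth of 0 on priv->ssl_ctx. Guarding the assignment, `if (this->ctx->ssl_cert_depth > 0) cert_depth = this->ctx->ssl_cert_depth;`, keeps the pre-existing value for that case, and the gf_log a few lines later still reports whichever depth is in effect. The second hunk's `SSL_CTX_set_verify_depth(priv->ssl_ctx, cert_depth);` now runs for every OpenSSL version, which is what makes the zero reach the library. socket_init begins and ends outside these hunks.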
