1 files changed, 63 insertions, 19 deletions

diff --git a/rpc/rpc-transport/socket/src/socket.c b/rpc/rpc-transport/socket/src/socket.c
index a295e6a9bab..ed8b473be23 100644
--- a/rpc/rpc-transport/socket/src/socket.c
+++ b/rpc/rpc-transport/socket/src/socket.c
@@ -1154,7 +1154,7 @@ __socket_reset(rpc_transport_t *this)
         SSL_free(priv->ssl_ssl);
         priv->ssl_ssl = NULL;
     }
-    if (priv->use_ssl && priv->ssl_ctx) {
+    if (priv->ssl_ctx) {
         SSL_CTX_free(priv->ssl_ctx);
         priv->ssl_ctx = NULL;
     }
@@ -2950,6 +2950,13 @@ socket_event_handler(int fd, int idx, int gen, void *data, int poll_in,
         socket_dump_info(sa, priv->is_server, priv->use_ssl, priv->sock,
                          this->name, "disconnecting from");
 
+        /* Dump the SSL error stack to clear any errors that may otherwise
+         * resurface in the future.
+         */
+        if (priv->use_ssl && priv->ssl_ssl) {
+            ssl_dump_error_stack(this->name);
+        }
+
         /* Logging has happened already in earlier cases */
         gf_log("transport", ((ret >= 0) ? GF_LOG_INFO : GF_LOG_DEBUG),
                "EPOLLERR - disconnecting (sock:%d) (%s)", priv->sock,
@@ -4161,6 +4168,34 @@ static void __attribute__((destructor)) fini_openssl_mt(void)
     ERR_free_strings();
 }
 
+/* The function returns 0 if AES bit is enabled on the CPU */
+static int
+ssl_check_aes_bit(void)
+{
+    FILE *fp = fopen("/proc/cpuinfo", "r");
+    int ret = 1;
+    size_t len = 0;
+    char *line = NULL;
+    char *match = NULL;
+
+    GF_ASSERT(fp != NULL);
+
+    while (getline(&line, &len, fp) > 0) {
+        if (!strncmp(line, "flags", 5)) {
+            match = strstr(line, " aes");
+            if ((match != NULL) && ((match[4] == ' ') || (match[4] == 0))) {
+                ret = 0;
+                break;
+            }
+        }
+    }
+
+    free(line);
+    fclose(fp);
+
+    return ret;
+}
+
 static int
 ssl_setup_connection_params(rpc_transport_t *this)
 {
@@ -4171,6 +4206,7 @@ ssl_setup_connection_params(rpc_transport_t *this)
     char *cipher_list = DEFAULT_CIPHER_LIST;
     char *dh_param = DEFAULT_DH_PARAM;
     char *ec_curve = DEFAULT_EC_CURVE;
+    gf_boolean_t dh_flag = _gf_false;
 
     priv = this->private;
 
@@ -4179,6 +4215,14 @@ ssl_setup_connection_params(rpc_transport_t *this)
         return 0;
     }
 
+    if (!priv->ssl_enabled && !priv->mgmt_ssl) {
+        return 0;
+    }
+
+    if (!ssl_check_aes_bit()) {
+        cipher_list = "AES128:" DEFAULT_CIPHER_LIST;
+    }
+
     priv->ssl_own_cert = DEFAULT_CERT_PATH;
     if (dict_get_str_sizen(this->options, SSL_OWN_CERT_OPT, &optstr) == 0) {
         if (!priv->ssl_enabled) {
@@ -4225,28 +4269,25 @@ ssl_setup_connection_params(rpc_transport_t *this)
             priv->crl_path = gf_strdup(optstr);
     }
 
-    gf_log(this->name, priv->ssl_enabled ? GF_LOG_INFO : GF_LOG_DEBUG,
-           "SSL support on the I/O path is %s",
-           priv->ssl_enabled ? "ENABLED" : "NOT enabled");
-    gf_log(this->name, priv->mgmt_ssl ? GF_LOG_INFO : GF_LOG_DEBUG,
-           "SSL support for glusterd is %s",
-           priv->mgmt_ssl ? "ENABLED" : "NOT enabled");
-
     if (!priv->mgmt_ssl) {
         if (!dict_get_int32_sizen(this->options, SSL_CERT_DEPTH_OPT,
                                   &cert_depth)) {
-            gf_log(this->name, GF_LOG_INFO, "using certificate depth %d",
-                   cert_depth);
         }
     } else {
         cert_depth = this->ctx->ssl_cert_depth;
-        gf_log(this->name, GF_LOG_INFO, "using certificate depth %d",
-               cert_depth);
     }
+    gf_log(this->name, priv->ssl_enabled ? GF_LOG_INFO : GF_LOG_DEBUG,
+           "SSL support for MGMT is %s IO path is %s certificate depth is %d "
+           "for peer %s",
+           (priv->mgmt_ssl ? "ENABLED" : "NOT enabled"),
+           (priv->ssl_enabled ? "ENABLED" : "NOT enabled"), cert_depth,
+           this->peerinfo.identifier);
+
     if (!dict_get_str_sizen(this->options, SSL_CIPHER_LIST_OPT, &cipher_list)) {
         gf_log(this->name, GF_LOG_INFO, "using cipher list %s", cipher_list);
     }
     if (!dict_get_str_sizen(this->options, SSL_DH_PARAM_OPT, &dh_param)) {
+        dh_flag = _gf_true;
         gf_log(this->name, GF_LOG_INFO, "using DH parameters %s", dh_param);
     }
     if (!dict_get_str_sizen(this->options, SSL_EC_CURVE_OPT, &ec_curve)) {
@@ -4281,12 +4322,15 @@ ssl_setup_connection_params(rpc_transport_t *this)
 #ifdef SSL_OP_NO_COMPRESSION
         SSL_CTX_set_options(priv->ssl_ctx, SSL_OP_NO_COMPRESSION);
 #endif
-
-        if ((bio = BIO_new_file(dh_param, "r")) == NULL) {
-            gf_log(this->name, GF_LOG_INFO,
-                   "failed to open %s, "
-                   "DH ciphers are disabled",
-                   dh_param);
+        /* Upload file to bio wrapper only if dh param is configured
+         */
+        if (dh_flag) {
+            if ((bio = BIO_new_file(dh_param, "r")) == NULL) {
+                gf_log(this->name, GF_LOG_ERROR,
+                       "failed to open %s, "
+                       "DH ciphers are disabled",
+                       dh_param);
+            }
         }
 
         if (bio != NULL) {
@@ -4603,7 +4647,7 @@ fini(rpc_transport_t *this)
             SSL_free(priv->ssl_ssl);
             priv->ssl_ssl = NULL;
         }
-        if (priv->use_ssl && priv->ssl_ctx) {
+        if (priv->ssl_ctx) {
             SSL_CTX_free(priv->ssl_ctx);
             priv->ssl_ctx = NULL;
         }