Diffstat (limited to 'rpc/rpc-transport')
-rw-r--r-- | rpc/rpc-transport/socket/src/socket.c | 82 |
1 files changed, 63 insertions, 19 deletions
diff --git a/rpc/rpc-transport/socket/src/socket.c b/rpc/rpc-transport/socket/src/socket.c
index a295e6a9bab..ed8b473be23 100644
--- a/rpc/rpc-transport/socket/src/socket.c
+++ b/rpc/rpc-transport/socket/src/socket.c
@@ -1154,7 +1154,7 @@ __socket_reset(rpc_transport_t *this)
 SSL_free(priv->ssl_ssl);
 priv->ssl_ssl = NULL;
 }
- if (priv->use_ssl && priv->ssl_ctx) {
+ if (priv->ssl_ctx) {
 SSL_CTX_free(priv->ssl_ctx);
 priv->ssl_ctx = NULL;
 }
@@ -2950,6 +2950,13 @@ socket_event_handler(int fd, int idx, int gen, void *data, int poll_in,
 socket_dump_info(sa, priv->is_server, priv->use_ssl, priv->sock, this->name, "disconnecting from");
+ /* Dump the SSL error stack to clear any errors that may otherwise
+ * resurface in the future.
+ */
+ if (priv->use_ssl && priv->ssl_ssl) {
+ ssl_dump_error_stack(this->name);
+ }
+
 /* Logging has happened already in earlier cases */
 gf_log("transport", ((ret >= 0) ? GF_LOG_INFO : GF_LOG_DEBUG), "EPOLLERR - disconnecting (sock:%d) (%s)", priv->sock,
@@ -4161,6 +4168,34 @@ static void __attribute__((destructor)) fini_openssl_mt(void)
 ERR_free_strings();
 }
+ /* The function returns 0 if AES bit is enabled on the CPU */
+ static int
+ ssl_check_aes_bit(void)
+ {
+ FILE *fp = fopen("/proc/cpuinfo", "r");
+ int ret = 1;
+ size_t len = 0;
+ char *line = NULL;
+ char *match = NULL;
+
+ GF_ASSERT(fp != NULL);
+
+ while (getline(&line, &len, fp) > 0) {
+ if (!strncmp(line, "flags", 5)) {
+ match = strstr(line, " aes");
+ if ((match != NULL) && ((match[4] == ' ') || (match[4] == 0))) {
+ ret = 0;
+ break;
+ }
+ }
+ }
+
+ free(line);
+ fclose(fp);
+
+ return ret;
+ }
+
 static int
 ssl_setup_connection_params(rpc_transport_t *this)
 {
@@ -4171,6 +4206,7 @@ ssl_setup_connection_params(rpc_transport_t *this)
 char *cipher_list = DEFAULT_CIPHER_LIST;
 char *dh_param = DEFAULT_DH_PARAM;
 char *ec_curve = DEFAULT_EC_CURVE;
+ gf_boolean_t dh_flag = _gf_false;
 priv = this->private;
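Review bot: The queue that `ssl_dump_error_stack()` drains is OpenSSL's per-thread error queue, so the call added ahead of the EPOLLERR log clears only the queue of the thread running `socket_event_handler`; entries pushed by any other thread that drove this SSL object are untouched. If the event loop is the only thread that touches `priv->ssl_ssl` that is fine, but the comment should say so, e.g. `/* Drain this thread's OpenSSL error queue so stale entries are not attributed to a later connection handled on the same thread. */`. `ssl_dump_error_stack` itself is not part of this diff, so whether it logs a routine disconnect's leftovers at a suitable level cannot be checked here; the body of `socket_event_handler` continues outside the hunk.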
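Review bot: `ssl_check_aes_bit()` passes `fp` to `getline()` even when `fopen("/proc/cpuinfo")` fails, because `GF_ASSERT` does not return from the function; unless GF_ASSERT aborts in this build, a missing or unreadable /proc (non-Linux ports, restricted containers) turns into a NULL-stream dereference during connection setup. Replace the assert with a guard that keeps the "not detected" default, `if (fp == NULL) { return ret; }`. Separately, `getline` keeps the trailing newline, so an `aes` token that is last on the `flags` line is missed by `(match[4] == ' ') || (match[4] == 0)`; accept `'\n'` as well: `((match[4] == ' ') || (match[4] == '\n') || (match[4] == 0))`. The header comment should also state that the probe parses the Linux/x86 `flags` line and yields 1 (AES preference not applied) on every other platform, so the behaviour off Linux is an explicit choice rather than an accident.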
@@ -4179,6 +4215,14 @@ ssl_setup_connection_params(rpc_transport_t *this)
 return 0;
 }
+ if (!priv->ssl_enabled && !priv->mgmt_ssl) {
+ return 0;
+ }
+
+ if (!ssl_check_aes_bit()) {
+ cipher_list = "AES128:" DEFAULT_CIPHER_LIST;
+ }
+
 priv->ssl_own_cert = DEFAULT_CERT_PATH;
 if (dict_get_str_sizen(this->options, SSL_OWN_CERT_OPT, &optstr) == 0) {
 if (!priv->ssl_enabled) {
@@ -4225,28 +4269,25 @@ ssl_setup_connection_params(rpc_transport_t *this)
 priv->crl_path = gf_strdup(optstr);
 }
- gf_log(this->name, priv->ssl_enabled ? GF_LOG_INFO : GF_LOG_DEBUG,
- "SSL support on the I/O path is %s",
- priv->ssl_enabled ? "ENABLED" : "NOT enabled");
- gf_log(this->name, priv->mgmt_ssl ? GF_LOG_INFO : GF_LOG_DEBUG,
- "SSL support for glusterd is %s",
- priv->mgmt_ssl ? "ENABLED" : "NOT enabled");
-
 if (!priv->mgmt_ssl) {
 if (!dict_get_int32_sizen(this->options, SSL_CERT_DEPTH_OPT, &cert_depth)) {
- gf_log(this->name, GF_LOG_INFO, "using certificate depth %d",
- cert_depth);
 }
 } else {
 cert_depth = this->ctx->ssl_cert_depth;
- gf_log(this->name, GF_LOG_INFO, "using certificate depth %d",
- cert_depth);
 }
+ gf_log(this->name, priv->ssl_enabled ? GF_LOG_INFO : GF_LOG_DEBUG,
+ "SSL support for MGMT is %s IO path is %s certificate depth is %d "
+ "for peer %s",
+ (priv->mgmt_ssl ? "ENABLED" : "NOT enabled"),
+ (priv->ssl_enabled ? "ENABLED" : "NOT enabled"), cert_depth,
+ this->peerinfo.identifier);
+
 if (!dict_get_str_sizen(this->options, SSL_CIPHER_LIST_OPT, &cipher_list)) {
 gf_log(this->name, GF_LOG_INFO, "using cipher list %s", cipher_list);
 }
 if (!dict_get_str_sizen(this->options, SSL_DH_PARAM_OPT, &dh_param)) {
+ dh_flag = _gf_true;
 gf_log(this->name, GF_LOG_INFO, "using DH parameters %s", dh_param);
 }
 if (!dict_get_str_sizen(this->options, SSL_EC_CURVE_OPT, &ec_curve)) {
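Review bot: The `"AES128:" DEFAULT_CIPHER_LIST` prefix applied when AES-NI is detected is a bare OpenSSL cipher-string alias, and a bare alias selects every enabled AES-128 suite regardless of key exchange or MAC; whether that set is pruned again depends entirely on the `!` exclusions inside DEFAULT_CIPHER_LIST, which this diff does not show. If the intent is only to rank AES-128 first among the suites the default list already admits, a combined alias such as `ECDHE+AES128:` (or whichever key exchanges DEFAULT_CIPHER_LIST allows) expresses that without widening the candidate set. A comment above the assignment, `/* Prefer AES-128 on CPUs with AES-NI; an explicit SSL_CIPHER_LIST_OPT still replaces this further down. */`, would also document the ordering with the dict lookup later in the function, since `ssl_setup_connection_params` continues outside this hunk.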
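Review bot: The consolidated `gf_log` takes its level from `priv->ssl_enabled` alone, so on a transport where only `mgmt_ssl` is set the line drops to GF_LOG_DEBUG, whereas the removed message reported the glusterd SSL state at GF_LOG_INFO whenever `mgmt_ssl` was true; `(priv->ssl_enabled || priv->mgmt_ssl) ? GF_LOG_INFO : GF_LOG_DEBUG` keeps that visible. Dropping the per-branch log also leaves `if (!dict_get_int32_sizen(this->options, SSL_CERT_DEPTH_OPT, &cert_depth)) { }` with an empty body; the lookup can stand alone as `(void)dict_get_int32_sizen(this->options, SSL_CERT_DEPTH_OPT, &cert_depth);` with a comment that on failure `cert_depth` keeps whatever value it was given earlier in the function (its initialisation is outside this hunk, so confirm it is set).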
@@ -4281,12 +4322,15 @@ ssl_setup_connection_params(rpc_transport_t *this)
 #ifdef SSL_OP_NO_COMPRESSION
 SSL_CTX_set_options(priv->ssl_ctx, SSL_OP_NO_COMPRESSION);
 #endif
-
- if ((bio = BIO_new_file(dh_param, "r")) == NULL) {
- gf_log(this->name, GF_LOG_INFO,
- "failed to open %s, "
- "DH ciphers are disabled",
- dh_param);
+ /* Upload file to bio wrapper only if dh param is configured
+ */
+ if (dh_flag) {
+ if ((bio = BIO_new_file(dh_param, "r")) == NULL) {
+ gf_log(this->name, GF_LOG_ERROR,
+ "failed to open %s, "
+ "DH ciphers are disabled",
+ dh_param);
+ }
 }
 if (bio != NULL) {
@@ -4603,7 +4647,7 @@ fini(rpc_transport_t *this)
 SSL_free(priv->ssl_ssl);
 priv->ssl_ssl = NULL;
 }
- if (priv->use_ssl && priv->ssl_ctx) {
+ if (priv->ssl_ctx) {
 SSL_CTX_free(priv->ssl_ctx);
 priv->ssl_ctx = NULL;
 }
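Review bot: With `BIO_new_file` now reached only when `dh_flag` is set, the following `if (bio != NULL)` depends on `bio` having been initialised to NULL at its declaration, which lies outside this hunk; if it is not, the unconfigured path tests an indeterminate pointer and may hand garbage to the DH setup that follows. Worth confirming the declaration, and the new comment would read more clearly as `/* Load the DH parameter file only when one was configured explicitly; the DEFAULT_DH_PARAM file is no longer read, so DH ciphers stay disabled unless the option is set. */`, which also records the default-behaviour change for the next reader. The rest of `ssl_setup_connection_params` continues outside the hunk.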