From 83c09b75a8fbc3a46fc0e76f805e061e949678f1 Mon Sep 17 00:00:00 2001
From: Jeff Darcy
Date: Thu, 3 Jul 2014 13:27:13 +0000
Subject: socket: add certificate-depth and cipher-list options for SSL
Change-Id: I82757f8461807301a4a4f28c4f5bf7f0ee315113
BUG: 1114604
Signed-off-by: Jeff Darcy
Reviewed-on: http://review.gluster.org/8040
Tested-by: Gluster Build System
Reviewed-by: Rajesh Joseph
Reviewed-by: Vijay Bellur
---
 rpc/rpc-transport/socket/src/socket.c | 29 ++++++++++++++++++++++++++---
 1 file changed, 26 insertions(+), 3 deletions(-)
(limited to 'rpc')
diff --git a/rpc/rpc-transport/socket/src/socket.c b/rpc/rpc-transport/socket/src/socket.c
index 61c9f60ff7f..ccef2f605cc 100644
--- a/rpc/rpc-transport/socket/src/socket.c
+++ b/rpc/rpc-transport/socket/src/socket.c
@@ -3480,6 +3480,9 @@ socket_init (rpc_transport_t *this)
 uint32_t keepalive = 0;
 uint32_t backlog = 0;
 int session_id = 0;
+ int32_t cert_depth = 1;
+ char *cipher_list = "HIGH:-SSLv2";
+ int ret;
 if (this->private) {
 gf_log_callingfn (this->name, GF_LOG_ERROR,
@@ -3672,14 +3675,22 @@ socket_init (rpc_transport_t *this)
 "using %s polling thread",
 priv->own_thread ? "private" : "system");
+ if (!dict_get_int32 (this->options, "ssl-cert-depth", &cert_depth)) {
+ gf_log (this->name, GF_LOG_INFO, "using certificate depth %d", cert_depth);
+ }
+ if (!dict_get_str (this->options, "ssl-cipher-list", &cipher_list)) {
+ gf_log (this->name, GF_LOG_INFO, "using cipher list %s", cipher_list);
+ }
+
 if (priv->use_ssl) {
 SSL_library_init();
 SSL_load_error_strings();
 priv->ssl_meth = (SSL_METHOD *)TLSv1_method();
 priv->ssl_ctx = SSL_CTX_new(priv->ssl_meth);
- if (SSL_CTX_set_cipher_list(priv->ssl_ctx,
- "HIGH:-SSLv2") == 0) {
+ if (SSL_CTX_set_cipher_list(priv->ssl_ctx, cipher_list) == 0) {
 gf_log(this->name,GF_LOG_ERROR,
 "failed to find any valid ciphers");
 goto err;
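Review bot: The added `int ret;` is not referenced by any of the four hunks in this patch, so as far as the diff shows it is an unused local that will draw an unused-variable warning under -Wall, and a build error wherever -Werror is in effect. Drop the declaration unless a later change in this series assigns it; the other two new locals are both consumed in the 3675 hunk. socket_init continues outside this hunk.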
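Review bot: The value `dict_get_int32` stores into cert_depth is accepted without a range check, so a negative setting travels unchanged to `SSL_CTX_set_verify_depth`, where the meaning of a negative depth depends on the OpenSSL version rather than on the "zero means the peer's own certificate must be listed" semantics the option table documents. Rejecting it here, before the SSL context is built, keeps the failure local and visible: `if (cert_depth < 0) { gf_log (this->name, GF_LOG_ERROR, "invalid ssl-cert-depth %d", cert_depth); goto err; }` (the err label is already the target of the cipher-list failure below). Both new "using ..." log lines also fire when `priv->use_ssl` is false, although the option table says both options are ignored without SSL, so emitting them inside the `if (priv->use_ssl)` block would avoid suggesting that a depth or cipher policy is in force on a plaintext transport. socket_init continues outside this hunk.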
@@ -3708,7 +3719,7 @@ socket_init (rpc_transport_t *this)
 }
 #if (OPENSSL_VERSION_NUMBER < 0x00905100L)
- SSL_CTX_set_verify_depth(ctx,1);
+ SSL_CTX_set_verify_depth(ctx,cert_depth);
 #endif
 priv->ssl_session_id = ++session_id;
@@ -3865,5 +3876,17 @@ struct volume_options options[] = {
 { .key = {OWN_THREAD_OPT},
 .type = GF_OPTION_TYPE_BOOL
 },
+ { .key = {"ssl-cert-depth"},
+ .type = GF_OPTION_TYPE_INT,
+ .description = "Maximum certificate-chain depth. If zero, the "
+ "peer's certificate itself must be in the local "
+ "certificate list. Otherwise, there may be up to N "
+ "signing certificates between the peer's and the "
+ "local list. Ignored if SSL is not enabled."
+ },
+ { .key = {"ssl-cipher-list"},
+ .type = GF_OPTION_TYPE_STR,
+ .description = "Allowed SSL ciphers Ignored if SSL is not enabled."
+ },
 { .key = {NULL} }
 };
--
cgit
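Review bot: The new `SSL_CTX_set_verify_depth(ctx,cert_depth);` sits inside `#if (OPENSSL_VERSION_NUMBER < 0x00905100L)`, which only holds for OpenSSL releases older than roughly 0.9.5, so on any library this code is realistically built against the line is never compiled and the ssl-cert-depth option never reaches the SSL context; the "using certificate depth" message in the 3675 hunk then logs a limit that OpenSSL's default verify depth, not this option, actually governs. That matters most for the documented depth-0 case, where an administrator expects only directly listed peer certificates to be accepted while chains up to the OpenSSL default will still verify. The identifier `ctx` is also not what the rest of socket_init uses for the context (`priv->ssl_ctx` in the 3675 hunk), which suggests the guarded line has never been compiled at all. Unless the guard protects something not visible here, replace the three lines with an unconditional `SSL_CTX_set_verify_depth(priv->ssl_ctx, cert_depth);`. socket_init continues outside this hunk.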
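Review bot: The ssl-cipher-list description is missing the sentence break between its two halves, so the rendered help text reads "Allowed SSL ciphers Ignored if SSL is not enabled."; use `.description = "Allowed SSL ciphers. Ignored if SSL is not enabled."`. Neither entry tells the administrator what the value looks like or what applies when the option is unset, although the 3480 hunk hard-codes "HIGH:-SSLv2" and 1 as the defaults; stating in the text that the value is an OpenSSL cipher-list string and naming both defaults (or supplying them through the option table's default field, if this gluster version's volume_options has one) would keep the documented and effective policy in sync. The options[] array starts outside this hunk.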