[Bugs] [Bug 1626319] New: DH ciphers disabled errors are encountered on basic mount & unmount with ssl enabled setup
bugzilla at redhat.com
Fri Sep 7 03:45:26 UTC 2018
https://bugzilla.redhat.com/show_bug.cgi?id=1626319
Bug ID: 1626319
Summary: DH ciphers disabled errors are encountered on basic
mount & unmount with ssl enabled setup
Product: GlusterFS
Version: mainline
Component: protocol
Keywords: ZStream
Severity: low
Priority: low
Assignee: bugs at gluster.org
Reporter: atumball at redhat.com
CC: amukherj at redhat.com, bugs at gluster.org,
moagrawa at redhat.com, nh2-redhatbugzilla at deditus.de,
rhinduja at redhat.com, rhs-bugs at redhat.com,
sasundar at redhat.com, storage-qa-internal at redhat.com,
vbellur at redhat.com, vdas at redhat.com
Depends On: 1398237
+++ This bug was initially created as a clone of Bug #1398237 +++
Description of problem:
With an SSL-enabled setup, when we do any CIFS mount or Windows mount with
basic I/O, we encounter continuous cipher error messages as below:
[2016-11-24 09:37:07.174449] E [socket.c:4102:socket_init]
0-samba-official-client-3: failed to open /etc/ssl/dhparam.pem, DH ciphers are
disabled
Version-Release number of selected component (if applicable):
samba-4.4.6-2.el7rhgs.x86_64
glusterfs-cli-3.8.4-5.el7rhgs.x86_64
How reproducible:
1/1
Steps to Reproduce:
1. With SSL enabled setup of a 4 node cluster
2. Do a cifs mount
3. Do a windows mount
4. Copy paste data into the share
Actual results:
[2016-11-24 09:37:07.174449] E [socket.c:4102:socket_init]
0-samba-official-client-3: failed to open /etc/ssl/dhparam.pem, DH ciphers are
disabled
Expected results:
Should not get any error messages
Additional info:
--- Additional comment from SATHEESARAN on 2016-11-25 01:03:05 EST ---
This is not the real functional issue.
Diffie-Hellman algorithm makes use of the largest prime number that is provided
by openssl package earlier. openssl no longer ships this prime number for
security reasons, though one can generate the largest prime number and store it
in dhparam.pem.
These logs indicate that there are no prime numbers available. TLS will not be
using Diffie-Hellman algorithm and uses some other secured algorithm.
So this error message is benign and could be safely ignored.
I would rather ask for change in log-level of this message so that it could be
moved from 'ERROR' to 'INFO', that would help users not to get worried about
these messages.
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1398237
[Bug 1398237] DH ciphers disabled errors are encountered on basic mount &
unmount with ssl enabled setup
--
You are receiving this mail because:
You are on the CC list for the bug.
You are the assignee for the bug.
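
Added example, not part of the bug report or of GlusterFS: a small log triage routine that separates the "DH ciphers are disabled" record quoted above from other E-level records and notes whether the referenced parameter file exists. The record layout is inferred from the single log line in the report; the second and third sample records (timestamps, example.c, 0-example-client-0) are constructed.

```python
import os
import re
from collections import Counter

# Layout inferred from the line quoted in the report (an assumption):
# [timestamp] LEVEL [file:line:function] translator: message
LINE_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\]\s+(?P<level>[A-Z])\s+"
    r"\[(?P<src>[^:\]]+):(?P<line>\d+):(?P<func>[^\]]+)\]\s+"
    r"(?P<xlator>\S+):\s+(?P<msg>.*)")
DH_RE = re.compile(r"failed to open (?P<path>\S+), DH ciphers are disabled")

def parse_records(text):
    """Yield one dict per record, rejoining records wrapped across lines."""
    chunks, current = [], []
    for raw in text.splitlines():
        # A bracketed timestamp ('[' followed by a digit) starts a new record.
        if re.match(r"\[\d", raw) and current:
            chunks.append(" ".join(current))
            current = []
        if raw.strip():
            current.append(raw.strip())
    if current:
        chunks.append(" ".join(current))
    for chunk in chunks:
        m = LINE_RE.match(chunk)
        if m:
            yield m.groupdict()

def triage(text, exists=os.path.exists):
    """Split E-level records into DH-parameter notices and everything else."""
    dh_by_client, paths, other = Counter(), {}, []
    for rec in parse_records(text):
        if rec["level"] != "E":
            continue
        m = DH_RE.search(rec["msg"])
        if m:
            dh_by_client[rec["xlator"]] += 1
            paths[m.group("path")] = exists(m.group("path"))
        else:
            other.append(rec)  # still needs a human look
    return {"dh_disabled": dict(dh_by_client),
            "param_file_present": paths, "other_errors": other}

# First record is the one from the report, wrapped as in the mail; rest constructed.
SAMPLE = """[2016-11-24 09:37:07.174449] E [socket.c:4102:socket_init]
0-samba-official-client-3: failed to open /etc/ssl/dhparam.pem, DH ciphers are
disabled
[2016-11-24 09:37:08.000001] E [socket.c:4102:socket_init]
0-samba-official-client-3: failed to open /etc/ssl/dhparam.pem, DH ciphers are
disabled
[2016-11-24 09:37:09.000002] E [example.c:1:example_fn] 0-example-client-0: constructed unrelated error
"""
```

Calling triage(SAMPLE) on a host reports, per client translator, how many of these records were logged and whether /etc/ssl/dhparam.pem is present there.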