[Gluster-users] SSL ciphers

Melkor Lord melkor.lord at gmail.com
Sat Mar 21 16:32:45 UTC 2015


On Thu, Mar 19, 2015 at 8:46 PM, Jeff Darcy <jdarcy at redhat.com> wrote:

> > socket.c:2915
> > > priv->ssl_meth = (SSL_METHOD *)TLSv1_method();
> >
> > I'm really glad to hear that :-)
>
>
> FWIW, using TLSv1_2_method instead doesn't immediately seem to break.
> Unfortunately, every possible piece of code for 3.7 got merged one
> second before the feature-freeze deadline today, and that generated a
> lot of wreckage.  I'll have to wait for that to clear before I can do
> a meaningful test of this one-line change.
>

Oh dear! I'm not familiar with SSL API calls but given what you wrote
above, I just realized that GlusterFS indeed supports TLS but "v1" only as
you mention a "TLSv1_2_method()".

I dug a bit on the matter and I'm quite puzzled here. In OpenSSL, there's
an SSLv23_METHOD which selects which is more appropriate but I see nothing
equivalent for TLS! Each version has its dedicated function call like
TLSv1_METHOD, TLSv1_1_METHOD and TLSv1_2_METHOD!

I really wonder why they didn't include a generic method which would
negotiate the best protocol version between client and server :-(

Anyways, I'll recompile the Ubuntu packages from the PPA applying a small
patch to change "TLSv1_method()" to "TLSv1_2_method()" to see if it works
in my case.

Thank you very much for pointing out the interesting bits and helping
figure out things. Have fun debugging :-)

-- 
Unix _IS_ user friendly, it's just selective about who its friends are.