
From 9a6bb12b2c8aaf9d30d0d228bf0b4d93e06e1153 Mon Sep 17 00:00:00 2001
From: Marek 'marx' Grac <mgrac@redhat.com>
Date: Wed, 25 Mar 2015 18:22:08 +0100
Subject: [PATCH 4/5] fence_ilo: Add support for TLS1.0
HP iLO2 firmware 2.27 has a broken implementation of TLS, and SSLv3 is disabled by default.
gnutls (3.4.x) has support to disable proper negotiation and use only TLS1.0 that works well.
Option --tls1.0 (tls1.0 on stdin) was added to enable this feature and fence_ilo(2) works
correctly also with this firmware.
Resolves: rhbz#1199970
---
 fence/agents/ilo/fence_ilo.py      |  2 +-
 fence/agents/lib/fencing.py.py     | 16 +++++++++++++++-
 tests/data/metadata/fence_ilo.xml  |  7 ++++++-
 tests/data/metadata/fence_ilo2.xml |  7 ++++++-
 4 files changed, 28 insertions(+), 4 deletions(-)
diff --git a/fence/agents/ilo/fence_ilo.py b/fence/agents/ilo/fence_ilo.py
index 965aabf..047040b 100644
--- a/fence/agents/ilo/fence_ilo.py
+++ b/fence/agents/ilo/fence_ilo.py
@@ -65,7 +65,7 @@ def define_new_opts():
 		"order" : 1}
 
 def main():
-	device_opt = ["ipaddr", "login", "passwd", "ssl", "notls", "ribcl"]
+	device_opt = ["ipaddr", "login", "passwd", "ssl", "notls", "tls1.0", "ribcl"]
 
 	atexit.register(atexit_handler)
 
diff --git a/fence/agents/lib/fencing.py.py b/fence/agents/lib/fencing.py.py
index 7209d5e..f893082 100644
--- a/fence/agents/lib/fencing.py.py
+++ b/fence/agents/lib/fencing.py.py
@@ -203,7 +203,19 @@ all_opt = {
 				"                                        "
 				"This should only be used for devices that do not support TLS1.0 and up.",
 		"required" : "0",
-		"shortdesc" : "Disable TLS negotiation",
+		"shortdesc" : "Disable TLS negotiation, force SSL 3.0",
+		"order" : 1},
+	"tls1.0" : {
+		"getopt" : "",
+		"longopt" : "tls1.0",
+		"help" : "--tls1.0                       "
+				"Disable TLS negotiation and force TLS1.0\n"
+				"                                        "
+				"This should only be used for devices that\n"
+				"                                        "
+				"do not support TLS1.1 and up.",
+		"required" : "0",
+		"shortdesc" : "Disable TLS negotiaton, force TLS 1.0",
 		"order" : 1},
 	"port" : {
 		"getopt" : "n:",
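Review bot: The new `tls1.0` entry's shortdesc misspells "negotiation" (`"shortdesc" : "Disable TLS negotiaton, force TLS 1.0",`), and the same typo is copied into tests/data/metadata/fence_ilo.xml and fence_ilo2.xml, so the fixture hunks must be corrected together with this one; the line should read `"shortdesc" : "Disable TLS negotiation, force TLS 1.0",`. The help text says only that the option is for devices that do not support TLS1.1 and up; since it pins a deprecated protocol version, it should say so explicitly, e.g. `"Disable TLS negotiation and force TLS1.0 (deprecated, weaker than TLS1.1+)\n"`, so an operator reading `--help` understands the trade-off before enabling it. The `all_opt` dictionary begins before this hunk.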
@@ -995,6 +1007,8 @@ def fence_login(options, re_login_string=r"(login\s*: )|(Login Name:  )|(usernam
 
 			if options.has_key("--notls"):
 				gnutls_opts = "--priority \"NORMAL:-VERS-TLS1.2:-VERS-TLS1.1:-VERS-TLS1.0:+VERS-SSL3.0\""
+			elif options.has_key("--tls1.0"):
+				gnutls_opts = "--priority \"NORMAL:-VERS-TLS1.2:-VERS-TLS1.1:+VERS-TLS1.0:%LATEST_RECORD_VERSION\""
 
 			# --ssl is same as the --ssl-secure
 			if options.has_key("--ssl-insecure"):
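Review bot: When both `--notls` and `--tls1.0` are present, the added `elif` silently resolves the conflict in favour of SSL 3.0 and ignores the TLS 1.0 request, so an operator who asked for the stronger of the two pins gets the weaker one with no message. The two options are mutually exclusive and should be rejected together up front, presumably via the library's usage-failure helper (`fail_usage` if that is the convention in this file), or at least logged, rather than decided by branch order. The new priority string also differs from the `--notls` one by `%LATEST_RECORD_VERSION`; a one-line comment would save the next reader a trip to the gnutls manual, e.g. `# %LATEST_RECORD_VERSION: send the ClientHello record with the TLS1.0 version, which the affected iLO2 firmware appears to require`. Both `gnutls_opts` values are fixed literals, so no caller-supplied text reaches the command they are presumably passed to; `fence_login` begins before this hunk.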
diff --git a/tests/data/metadata/fence_ilo.xml b/tests/data/metadata/fence_ilo.xml
index 25d9d54..ae7fe9c 100644
--- a/tests/data/metadata/fence_ilo.xml
+++ b/tests/data/metadata/fence_ilo.xml
@@ -12,7 +12,7 @@
 	<parameter name="notls" unique="0" required="0">
 		<getopt mixed="-t, --notls" />
 		<content type="boolean"  />
-		<shortdesc lang="en">Disable TLS negotiation</shortdesc>
+		<shortdesc lang="en">Disable TLS negotiation, force SSL 3.0</shortdesc>
 	</parameter>
 	<parameter name="ribcl" unique="0" required="0">
 		<getopt mixed="-r, --ribcl-version=[version]" />
@@ -49,6 +49,11 @@
 		<content type="string"  />
 		<shortdesc lang="en">Script to retrieve password</shortdesc>
 	</parameter>
+	<parameter name="tls1.0" unique="0" required="0">
+		<getopt mixed="--tls1.0" />
+		<content type="boolean"  />
+		<shortdesc lang="en">Disable TLS negotiaton, force TLS 1.0</shortdesc>
+	</parameter>
 	<parameter name="passwd" unique="0" required="0">
 		<getopt mixed="-p, --password=[password]" />
 		<content type="string"  />
diff --git a/tests/data/metadata/fence_ilo2.xml b/tests/data/metadata/fence_ilo2.xml
index 47e8e28..19a31a1 100644
--- a/tests/data/metadata/fence_ilo2.xml
+++ b/tests/data/metadata/fence_ilo2.xml
@@ -12,7 +12,7 @@
 	<parameter name="notls" unique="0" required="0">
 		<getopt mixed="-t, --notls" />
 		<content type="boolean"  />
-		<shortdesc lang="en">Disable TLS negotiation</shortdesc>
+		<shortdesc lang="en">Disable TLS negotiation, force SSL 3.0</shortdesc>
 	</parameter>
 	<parameter name="ribcl" unique="0" required="0">
 		<getopt mixed="-r, --ribcl-version=[version]" />
@@ -49,6 +49,11 @@
 		<content type="string"  />
 		<shortdesc lang="en">Script to retrieve password</shortdesc>
 	</parameter>
+	<parameter name="tls1.0" unique="0" required="0">
+		<getopt mixed="--tls1.0" />
+		<content type="boolean"  />
+		<shortdesc lang="en">Disable TLS negotiaton, force TLS 1.0</shortdesc>
+	</parameter>
 	<parameter name="passwd" unique="0" required="0">
 		<getopt mixed="-p, --password=[password]" />
 		<content type="string"  />
-- 
1.9.3