Add default value for attribute site.xcatsslversion=TLSv1 to avoid using sslv3 which might cause POODLE Attach

2015-02-12 09:42:41 -05:00 · 2015-02-12 09:42:41 -05:00 · b2eb57d072
commit b2eb57d072
parent d41512f24c
3 changed files with 24 additions and 0 deletions
--- a/perl-xCAT/xCAT/Client.pm
+++ b/perl-xCAT/xCAT/Client.pm
@ -237,6 +237,10 @@ if (ref($request) eq 'HASH') { # the request is an array, not pure XML
     }
  }
  my $client;
+  my %sslargs;
+  if (defined($ENV{'XCATSSLVER'})) {
+    $sslargs{SSL_version} = $ENV{'XCATSSLVER'};
+  }
  if (-r $keyfile and -r $certfile and -r $cafile) {
    $client = IO::Socket::SSL->start_SSL($pclient,
    SSL_key_file => $keyfile,
@ -245,6 +249,7 @@ if (ref($request) eq 'HASH') { # the request is an array, not pure XML
    SSL_verify_mode => SSL_VERIFY_PEER,
    SSL_use_cert => 1,
    Timeout => 0,
+    %sslargs,
   );
  } else {
    $client =  IO::Socket::SSL->start_SSL($pclient,
--- a/xCAT-client/xCAT-client.spec
+++ b/xCAT-client/xCAT-client.spec
@ -294,6 +294,14 @@ export XCATROOT PATH MANPATH
 export PERL_BADLANG=0
 EOF

+# export XCATSSLVER for sles11. Others OS can work without this setting.
+if [ -r /etc/SuSE-release ]; then
+  ver=`grep 'VERSION' /etc/SuSE-release | awk -F= '{print $2}' | sed 's/ //g'`
+  if [ "$ver" = "11" ]; then
+    echo 'export XCATSSLVER=TLSv1' >> /etc/profile.d/xcat.sh
+  fi
+fi
+
 cat << EOF > /etc/profile.d/xcat.csh
 setenv XCATROOT "$RPM_INSTALL_PREFIX0"
 setenv PATH \${XCATROOT}/bin:\${XCATROOT}/sbin:\${XCATROOT}/share/xcat/tools:\${PATH}
--- a/xCAT-server/sbin/xcatconfig
+++ b/xCAT-server/sbin/xcatconfig
@ -1250,6 +1250,7 @@ sub initDB
        $chtabcmds .= "$::XCATROOT/sbin/chtab key=cleanupxcatpost site.value=no;";
        $chtabcmds .= "$::XCATROOT/sbin/chtab key=dhcplease site.value=43200;";
        $chtabcmds .= "$::XCATROOT/sbin/chtab key=auditnosyslog site.value=0;";
+        $chtabcmds .= "$::XCATROOT/sbin/chtab key=xcatsslversion site.value=TLSv1;";
        #$chtabcmds .= "$::XCATROOT/sbin/chtab key=useflowcontrol site.value=yes;"; # need to fix 4031

        if ($::osname eq 'AIX')
@ -1504,6 +1505,16 @@ sub initDB
            }
        }

+        # add default value to site.xcatsslversion
+        $cmds = "$::XCATROOT/sbin/chtab key=xcatsslversion site.value=TLSv1;";
+        $outref = xCAT::Utils->runcmd("$cmds", 0);
+        if ($::RUNCMD_RC != 0)
+        {
+            xCAT::MsgUtils->message('E',"Could not add default value for site.xcatsslversion.");
+        }
+
+
+
   } 
   # remove xcatserver,xcatclient
   # from the postscripts. They are now called by servicenode