From bf7645a4f554fd21b63156940ecd20ebd1fe9c15 Mon Sep 17 00:00:00 2001
From: daniceexi <wxp@cn.ibm.com>
Date: Thu, 12 Feb 2015 20:19:00 -0500
Subject: [PATCH] Continue the fix to avoid sslv3 in xcatd. In this commit, all
 the calling to [openssl s_client] in xcat code which used to connect to xcatd
 will add arguments [-no_ssl3 -no_ssl2] to avoid the using of sslv2/3

---
 xCAT-server/share/xcat/netboot/add-on/statelite/rc.localdisk  | 4 ++--
 xCAT-server/share/xcat/netboot/add-on/statelite/rc.statelite  | 2 +-
 .../xcat/netboot/add-on/statelite/rc.statelite.ppc.redhat     | 2 +-
 xCAT/postscripts/getcredentials.awk                           | 2 +-
 xCAT/postscripts/getpostscript.awk                            | 2 +-
 xCAT/postscripts/startsyncfiles.awk                           | 2 +-
 6 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/xCAT-server/share/xcat/netboot/add-on/statelite/rc.localdisk b/xCAT-server/share/xcat/netboot/add-on/statelite/rc.localdisk
index 84244eb9c..3cce58804 100755
--- a/xCAT-server/share/xcat/netboot/add-on/statelite/rc.localdisk
+++ b/xCAT-server/share/xcat/netboot/add-on/statelite/rc.localdisk
@@ -68,9 +68,9 @@ xCATCmd () {
 # $2 is the command
     ARCH=`uname -m`
     if [ x$ARCH = x"ppc64" -a x$OS = x"rh" ]; then
-        echo "<xcatrequest>\n<command>${2}</command>\n</xcatrequest>" | /usr/sbin/chroot ${MNTDIR} /usr/bin/openssl s_client -quiet -connect ${1} -rand /bin/nice 2>/dev/null
+        echo "<xcatrequest>\n<command>${2}</command>\n</xcatrequest>" | /usr/sbin/chroot ${MNTDIR} /usr/bin/openssl s_client -quiet -no_ssl3 -no_ssl2 -connect ${1} -rand /bin/nice 2>/dev/null
     else
-        echo "<xcatrequest>\n<command>${2}</command>\n</xcatrequest>" | LD_LIBRARY_PATH=${MNTDIR}/lib64:${MNTDIR}/usr/lib64 ${MNTDIR}/usr/bin/openssl s_client -quiet -connect ${1} -rand /bin/nice 2>/dev/null
+        echo "<xcatrequest>\n<command>${2}</command>\n</xcatrequest>" | LD_LIBRARY_PATH=${MNTDIR}/lib64:${MNTDIR}/usr/lib64 ${MNTDIR}/usr/bin/openssl s_client -quiet -no_ssl3 -no_ssl2 -connect ${1} -rand /bin/nice 2>/dev/null
     fi
 }
 
diff --git a/xCAT-server/share/xcat/netboot/add-on/statelite/rc.statelite b/xCAT-server/share/xcat/netboot/add-on/statelite/rc.statelite
index 6989fb57d..1fc3f2222 100755
--- a/xCAT-server/share/xcat/netboot/add-on/statelite/rc.statelite
+++ b/xCAT-server/share/xcat/netboot/add-on/statelite/rc.statelite
@@ -128,7 +128,7 @@ GetSyncInfo () {
 xCATCmd () {
 # $1 is the xCAT server
 # $2 is the command
-	echo "<xcatrequest>\n<command>${2}</command>\n</xcatrequest>" | LD_LIBRARY_PATH=${MNTDIR}/lib64:${MNTDIR}/usr/lib64 ${MNTDIR}/usr/bin/openssl s_client -quiet -connect ${1} -rand /bin/nice 2>/dev/null
+	echo "<xcatrequest>\n<command>${2}</command>\n</xcatrequest>" | LD_LIBRARY_PATH=${MNTDIR}/lib64:${MNTDIR}/usr/lib64 ${MNTDIR}/usr/bin/openssl s_client -quiet -no_ssl3 -no_ssl2 -connect ${1} -rand /bin/nice 2>/dev/null
 
 }
 
diff --git a/xCAT-server/share/xcat/netboot/add-on/statelite/rc.statelite.ppc.redhat b/xCAT-server/share/xcat/netboot/add-on/statelite/rc.statelite.ppc.redhat
index 0e1ef8027..2ea270de6 100755
--- a/xCAT-server/share/xcat/netboot/add-on/statelite/rc.statelite.ppc.redhat
+++ b/xCAT-server/share/xcat/netboot/add-on/statelite/rc.statelite.ppc.redhat
@@ -128,7 +128,7 @@ GetSyncInfo () {
 xCATCmd () {
 # $1 is the xCAT server
 # $2 is the command
-	echo "<xcatrequest>\n<command>${2}</command>\n</xcatrequest>" | /usr/sbin/chroot ${MNTDIR} /usr/bin/openssl s_client -quiet -connect ${1} -rand /bin/nice 2>/dev/null
+	echo "<xcatrequest>\n<command>${2}</command>\n</xcatrequest>" | /usr/sbin/chroot ${MNTDIR} /usr/bin/openssl s_client -quiet -no_ssl3 -no_ssl2 -connect ${1} -rand /bin/nice 2>/dev/null
 
 }
 
diff --git a/xCAT/postscripts/getcredentials.awk b/xCAT/postscripts/getcredentials.awk
index 5ffb85d2b..0701204fa 100755
--- a/xCAT/postscripts/getcredentials.awk
+++ b/xCAT/postscripts/getcredentials.awk
@@ -1,7 +1,7 @@
 #!/usr/bin/awk -f
 BEGIN {
         if ((ENVIRON["USEOPENSSLFORXCAT"]) || (ENVIRON["AIX"])) {
-            server = "openssl s_client -quiet -connect " ENVIRON["XCATSERVER"] " -rand /bin/nice 2> /dev/null"
+            server = "openssl s_client -quiet -no_ssl3 -no_ssl2 -connect " ENVIRON["XCATSERVER"] " -rand /bin/nice 2> /dev/null"
         } else {
             server = "/inet/tcp/0/127.0.0.1/400"
         }
diff --git a/xCAT/postscripts/getpostscript.awk b/xCAT/postscripts/getpostscript.awk
index efb90e2a0..99725d4a4 100755
--- a/xCAT/postscripts/getpostscript.awk
+++ b/xCAT/postscripts/getpostscript.awk
@@ -1,7 +1,7 @@
 #!/usr/bin/awk -f
 BEGIN {
         if (ENVIRON["USEOPENSSLFORXCAT"]) {
-            server = "openssl s_client -connect " ENVIRON["XCATSERVER"] " -rand /bin/nice 2> /dev/null"
+            server = "openssl s_client -no_ssl3 -no_ssl2 -connect " ENVIRON["XCATSERVER"] " -rand /bin/nice 2> /dev/null"
         } else {
             server = "/inet/tcp/0/127.0.0.1/400"
         }
diff --git a/xCAT/postscripts/startsyncfiles.awk b/xCAT/postscripts/startsyncfiles.awk
index 697ae8a40..a7975410d 100755
--- a/xCAT/postscripts/startsyncfiles.awk
+++ b/xCAT/postscripts/startsyncfiles.awk
@@ -1,7 +1,7 @@
 #!/usr/bin/awk -f
 BEGIN {
   if (ENVIRON["USEOPENSSLFORXCAT"]) {
-      server = "openssl s_client  -connect " ENVIRON["XCATSERVER"] " 2> /dev/null"
+      server = "openssl s_client -no_ssl3 -no_ssl2 -connect " ENVIRON["XCATSERVER"] " 2> /dev/null"
   } else {
       server = "/inet/tcp/0/127.0.0.1/400"
   }