Merge pull request #6090 from neo954/rhels8-openssl

[RH8] Show warning message when site.xcatsslversion has an value during upgrade
2025-05-30 09:36:41 +00:00 · 2019-03-13 18:11:34 +08:00 · 2019-03-13 18:11:34 +08:00 · d6b36a54fa
commit d6b36a54fa
parent 50c23478d9 240841483d
3 changed files with 35 additions and 12 deletions
--- a/docs/source/advanced/security/ssl_config.rst
+++ b/docs/source/advanced/security/ssl_config.rst
@ -8,21 +8,13 @@ The configuration is stored in the xCAT site table using the ``site.xcatsslversi
 Configuration
 -------------

-By default, xCAT ships with ``TLSv1`` configured.  The current highest SSL version that can be supported is ``TLSv1.2``.
+``site.xcatsslversion`` is the ``SSL_version`` option ``xcatd`` used and passed to ``IO::Socket::SSL->start_SSL()``. By default, this value is set to empty. In this case, ``xcatd`` will use ``SSLv23:!SSLv2:!SSLv3:!TLSv1`` internally. For more detail, see https://metacpan.org/pod/IO::Socket::SSL
+By default, xCAT ships with an empty value for ``site.xcatsslversion``. In this case, ``xcatd`` will use ``SSLv23:!SSLv2:!SSLv3:!TLSv1`` internally.

-* For rhels7.x and sles12.x and higher: ::
-
-    chtab key=xcatsslversion site.value=TLSv12
-
-* For ubuntu 14.x and higher: ::
+Here is an example of change ``site.xcatsslversoin`` to a different value. Say, TLS 1.2 is preferred. ::

    chtab key=xcatsslversion site.value=TLSv1_2

-* For AIX 7.1.3.x: ::
-
-    chtab key=xcatsslversion site.value=TLSv1_2
-
-
 If running > ``TLSv1``, it is possible to disable insecure ciphers.  Here's an example of one possible configuration: ::

    "xcatsslciphers","kDH:kEDH:kRSA:!SSLv3:!SSLv2:!aNULL:!eNULL:!MEDIUM:!LOW:!MD5:!EXPORT:!CAMELLIA:!ECDH",,
--- a/docs/source/guides/admin-guides/references/man5/site.5.rst
+++ b/docs/source/guides/admin-guides/references/man5/site.5.rst
@ -465,7 +465,11 @@ site Attributes:
  
   xcatlport:  The port used by xcatd command log writer process to collect command output.
  
-   xcatsslversion:  The ssl version by xcatd. Default is TLSv1.
+   xcatsslversion:  The SSL_version option xcatd used and passed to
+                    IO::Socket::SSL->start_SSL(). By default, this value is
+                    set to empty. In this case, xcatd will use
+                    'SSLv23:!SSLv2:!SSLv3:!TLSv1' internally.
+                    For more detail, see https://metacpan.org/pod/IO::Socket::SSL
  
   xcatsslciphers:  The ssl cipher by xcatd. Default is 3DES.
 
--- a/xCAT-server/sbin/xcatconfig
+++ b/xCAT-server/sbin/xcatconfig
@ -1206,6 +1206,7 @@ sub initDB
        $chtabcmds .= "$::XCATROOT/sbin/chtab key=cleanupxcatpost site.value=no;";
        $chtabcmds .= "$::XCATROOT/sbin/chtab key=dhcplease site.value=43200;";
        $chtabcmds .= "$::XCATROOT/sbin/chtab key=auditnosyslog site.value=0;";
+        $chtabcmds .= "$::XCATROOT/sbin/chtab key=xcatsslversion site.value=;";
        $chtabcmds .= "$::XCATROOT/sbin/chtab key=auditskipcmds site.value=ALL;";

        #$chtabcmds .= "$::XCATROOT/sbin/chtab key=useflowcontrol site.value=yes;"; # need to fix 4031
@ -1471,6 +1472,32 @@ sub initDB
                xCAT::MsgUtils->message('E', "Could not set ddns as dnshandler.");
            }
        }
+
+        # Set default value for site.xcatsslversion when update xcat
+        $cmds = "XCATBYPASS=Y $::XCATROOT/sbin/tabdump site 2>/dev/null | grep xcatsslversion";
+        xCAT::Utils->runcmd("$cmds", -1);
+        if ($::RUNCMD_RC == 0) {
+            xCAT::MsgUtils->message('I',
+                "__      ___   ___ _  _ ___ _  _  ___");
+            xCAT::MsgUtils->message('I',
+                "\\ \\    / /_\\ | _ \\ \\| |_ _| \\| |/ __|                      _     +-+-+-+-+-+-+-+");
+            xCAT::MsgUtils->message('I',
+                " \\ \\/\\/ / _ \\|   / .` || || .` | (_ |                     oo\\    |W|A|R|N|I|N|G|");
+            xCAT::MsgUtils->message('I',
+                "  \\_/\\_/_/ \\_\\_|_\\_|\\_|___|_|\\_|\\___|                    (__)\\   +-+-+-+-+-+-+-+");
+            xCAT::MsgUtils->message('I',
+                "+--------------------------------------------------------------+ +-+-+-+-+-+-+-+");
+            xCAT::MsgUtils->message('I',
+                "| The default value of `site.xcatsslversion' was updated.      |:|W|A|R|N|I|N|G|");
+            xCAT::MsgUtils->message('I',
+                "| Run `chdef -t site xcatsslversion=' to update your system to |:+-+-+-+-+-+-+-+");
+            xCAT::MsgUtils->message('I',
+                "| the new default value. See `man site' for more details.      |:+-+-+-+-+-+-+-+");
+            xCAT::MsgUtils->message('I',
+                "+--------------------------------------------------------------+:|W|A|R|N|I|N|G|");
+            xCAT::MsgUtils->message('I',
+                " ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::+-+-+-+-+-+-+-+");
+        }
    }

    # remove xcatserver,xcatclient