From da35f335b11be6b22cc4722aae4c1607b0ddb6c3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=E1=B4=8F=C9=B4=C9=A2=20Jie?=
Date: Wed, 4 Jul 2018 14:48:33 +0800
Subject: [PATCH] Fix github issue #5365. Proper handle the -no_ssl2 argument of openssl s_client (#5369)
---
 .../share/xcat/netboot/add-on/statelite/rc.localdisk | 4 ++--
 .../share/xcat/netboot/add-on/statelite/rc.statelite | 2 +-
 .../xcat/netboot/add-on/statelite/rc.statelite.ppc.redhat | 2 +-
 xCAT/postscripts/getcredentials.awk | 5 ++++-
 xCAT/postscripts/getpostscript.awk | 7 +++++--
 xCAT/postscripts/startsyncfiles | 2 +-
 xCAT/postscripts/startsyncfiles.awk | 5 ++++-
 7 files changed, 18 insertions(+), 9 deletions(-)
diff --git a/xCAT-server/share/xcat/netboot/add-on/statelite/rc.localdisk b/xCAT-server/share/xcat/netboot/add-on/statelite/rc.localdisk
index 0e39ef125..71cb96d5e 100755
--- a/xCAT-server/share/xcat/netboot/add-on/statelite/rc.localdisk
+++ b/xCAT-server/share/xcat/netboot/add-on/statelite/rc.localdisk
@@ -68,9 +68,9 @@ xCATCmd () {
 # $2 is the command
 ARCH=`uname -m`
 if [ x$ARCH = x"ppc64" -a x$OS = x"rh" ]; then
- echo "\n${2}\n" | /usr/sbin/chroot ${MNTDIR} /usr/bin/openssl s_client -quiet -no_ssl3 -no_ssl2 -connect ${1} -rand /bin/nice 2>/dev/null
+ echo "\n${2}\n" | /usr/sbin/chroot ${MNTDIR} /usr/bin/openssl s_client -quiet -no_ssl3 $(openssl s_client -help 2>&1 | grep -m 1 -o -- -no_ssl2) -connect ${1} -rand /bin/nice 2>/dev/null
 else
- echo "\n${2}\n" | LD_LIBRARY_PATH=${MNTDIR}/lib64:${MNTDIR}/usr/lib64 ${MNTDIR}/usr/bin/openssl s_client -quiet -no_ssl3 -no_ssl2 -connect ${1} -rand /bin/nice 2>/dev/null
+ echo "\n${2}\n" | LD_LIBRARY_PATH=${MNTDIR}/lib64:${MNTDIR}/usr/lib64 ${MNTDIR}/usr/bin/openssl s_client -quiet -no_ssl3 $(openssl s_client -help 2>&1 | grep -m 1 -o -- -no_ssl2) -connect ${1} -rand /bin/nice 2>/dev/null
 fi
 }
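Review bot: The capability probe in both new `echo` lines of rc.localdisk runs `openssl s_client -help` with whatever `openssl` is first on PATH, while the connection itself uses the binary under `${MNTDIR}` (through `chroot` in the first branch, through `LD_LIBRARY_PATH` in the second), so the flag can be chosen for a different OpenSSL build than the one that connects. If the probe finds no usable `openssl`, its output is empty and `-no_ssl2` is dropped silently, even when the binary under `${MNTDIR}` would still accept it. Probe the binary that is actually executed, e.g. `$(/usr/sbin/chroot ${MNTDIR} /usr/bin/openssl s_client -help 2>&1 | grep -m 1 -o -- -no_ssl2)` in the chroot branch and the `LD_LIBRARY_PATH=... ${MNTDIR}/usr/bin/openssl` form in the other. The `xCATCmd` hunks in rc.statelite and rc.statelite.ppc.redhat have the same mismatch; `xCATCmd` begins above this hunk.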
diff --git a/xCAT-server/share/xcat/netboot/add-on/statelite/rc.statelite b/xCAT-server/share/xcat/netboot/add-on/statelite/rc.statelite
index 6199919fd..d41376de9 100755
--- a/xCAT-server/share/xcat/netboot/add-on/statelite/rc.statelite
+++ b/xCAT-server/share/xcat/netboot/add-on/statelite/rc.statelite
@@ -128,7 +128,7 @@ GetSyncInfo () {
 xCATCmd () {
 # $1 is the xCAT server
 # $2 is the command
- echo "\n${2}\n" | LD_LIBRARY_PATH=${MNTDIR}/lib64:${MNTDIR}/usr/lib64 ${MNTDIR}/usr/bin/openssl s_client -quiet -no_ssl3 -no_ssl2 -connect ${1} -rand /bin/nice 2>/dev/null
+ echo "\n${2}\n" | LD_LIBRARY_PATH=${MNTDIR}/lib64:${MNTDIR}/usr/lib64 ${MNTDIR}/usr/bin/openssl s_client -quiet -no_ssl3 $(openssl s_client -help 2>&1 | grep -m 1 -o -- -no_ssl2) -connect ${1} -rand /bin/nice 2>/dev/null
 }
diff --git a/xCAT-server/share/xcat/netboot/add-on/statelite/rc.statelite.ppc.redhat b/xCAT-server/share/xcat/netboot/add-on/statelite/rc.statelite.ppc.redhat
index 2ea270de6..8507f8127 100755
--- a/xCAT-server/share/xcat/netboot/add-on/statelite/rc.statelite.ppc.redhat
+++ b/xCAT-server/share/xcat/netboot/add-on/statelite/rc.statelite.ppc.redhat
@@ -128,7 +128,7 @@ GetSyncInfo () {
 xCATCmd () {
 # $1 is the xCAT server
 # $2 is the command
- echo "\n${2}\n" | /usr/sbin/chroot ${MNTDIR} /usr/bin/openssl s_client -quiet -no_ssl3 -no_ssl2 -connect ${1} -rand /bin/nice 2>/dev/null
+ echo "\n${2}\n" | /usr/sbin/chroot ${MNTDIR} /usr/bin/openssl s_client -quiet -no_ssl3 $(openssl s_client -help 2>&1 | grep -m 1 -o -- -no_ssl2) -connect ${1} -rand /bin/nice 2>/dev/null
 }
diff --git a/xCAT/postscripts/getcredentials.awk b/xCAT/postscripts/getcredentials.awk
index a471631d7..8e42c1da2 100755
--- a/xCAT/postscripts/getcredentials.awk
+++ b/xCAT/postscripts/getcredentials.awk
@@ -1,7 +1,10 @@
 #!/usr/bin/awk -f
 BEGIN {
 if ((ENVIRON["USEOPENSSLFORXCAT"]) || (ENVIRON["AIX"])) {
- server = "openssl s_client -quiet -no_ssl3 -no_ssl2 -connect " ENVIRON["XCATSERVER"] " -rand /bin/nice 2> /dev/null"
+ server = "openssl s_client -quiet -no_ssl3 -connect " ENVIRON["XCATSERVER"] " -rand /bin/nice 2> /dev/null"
+ if (system("openssl s_client -help 2>&1 | grep -m 1 -q -- -no_ssl2")) {
+ server = "openssl s_client -quiet -no_ssl3 -no_ssl2 -connect " ENVIRON["XCATSERVER"] " -rand /bin/nice 2> /dev/null"
+ }
 } else {
 server = "/inet/tcp/0/127.0.0.1/400"
 }
diff --git a/xCAT/postscripts/getpostscript.awk b/xCAT/postscripts/getpostscript.awk
index b4ae4e633..4afde78ec 100755
--- a/xCAT/postscripts/getpostscript.awk
+++ b/xCAT/postscripts/getpostscript.awk
@@ -1,11 +1,14 @@
 #!/usr/bin/awk -f
 BEGIN {
 if (ENVIRON["USEOPENSSLFORXCAT"]) {
- server = "openssl s_client -no_ssl3 -no_ssl2 -connect " ENVIRON["XCATSERVER"] " -rand /bin/nice 2> /dev/null"
+ server = "openssl s_client -no_ssl3 -connect " ENVIRON["XCATSERVER"] " -rand /bin/nice 2> /dev/null"
+ if (system("openssl s_client -help 2>&1 | grep -m 1 -q -- -no_ssl2")) {
+ server = "openssl s_client -no_ssl3 -no_ssl2 -connect " ENVIRON["XCATSERVER"] " -rand /bin/nice 2> /dev/null"
+ }
 } else {
 server = "/inet/tcp/0/127.0.0.1/400"
 }
-
+
 quit = "no"
 print "" |& server
diff --git a/xCAT/postscripts/startsyncfiles b/xCAT/postscripts/startsyncfiles
index 1f1be4fc2..9a15261a1 100755
--- a/xCAT/postscripts/startsyncfiles
+++ b/xCAT/postscripts/startsyncfiles
@@ -42,7 +42,7 @@ while read LINE;do
 RET=${RET%<*}
 [ "$RET" != "0" ] && RETCODE=1
 fi
-done < <(openssl s_client -no_ssl3 -no_ssl2 -connect $MASTER_IP:$XCATDPORT -ign_eof -quiet <<<$REQUEST)
+done < <(openssl s_client -no_ssl3 $(openssl s_client -help 2>&1 | grep -m 1 -o -- -no_ssl2) -connect $MASTER_IP:$XCATDPORT -ign_eof -quiet <<<$REQUEST)
 rm -rf $RESPFILE
 exit $RETCODE
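Review bot: The new `if (system(...))` test in getcredentials.awk looks inverted. `system()` returns the pipeline's exit status, `grep -q` exits 0 when it finds `-no_ssl2` in the help text, and awk treats 0 as false, so the `-no_ssl2` variant of `server` is selected only when the option is not listed. That is the opposite of the shell scripts in this patch, which add the flag when grep prints it. Compare against zero instead: `if (system("openssl s_client -help 2>&1 | grep -m 1 -q -- -no_ssl2") == 0) {`. The same condition appears in the getpostscript.awk and startsyncfiles.awk hunks.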
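Review bot: In startsyncfiles the probe is nested inside the process substitution on the `done < <(...)` line with no comment, so a reader cannot tell why the flag is conditional, and a failed probe looks the same as an unsupported option. Hoisting it above the loop reads better: `NO_SSL2=$(openssl s_client -help 2>&1 | grep -m 1 -o -- -no_ssl2)`, with a comment such as `# pass -no_ssl2 only when this openssl build lists it`, then `openssl s_client -no_ssl3 $NO_SSL2 -connect ...` in the substitution. The `while read LINE` loop opens above this hunk.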
diff --git a/xCAT/postscripts/startsyncfiles.awk b/xCAT/postscripts/startsyncfiles.awk
index 88f5a9e4a..f146f5d03 100755
--- a/xCAT/postscripts/startsyncfiles.awk
+++ b/xCAT/postscripts/startsyncfiles.awk
@@ -1,7 +1,10 @@
 #!/usr/bin/awk -f
 BEGIN {
 if (ENVIRON["USEOPENSSLFORXCAT"]) {
- server = "openssl s_client -no_ssl3 -no_ssl2 -connect " ENVIRON["XCATSERVER"] " 2> /dev/null"
+ server = "openssl s_client -no_ssl3 -connect " ENVIRON["XCATSERVER"] " -rand /bin/nice 2> /dev/null"
+ if (system("openssl s_client -help 2>&1 | grep -m 1 -q -- -no_ssl2")) {
+ server = "openssl s_client -no_ssl3 -no_ssl2 -connect " ENVIRON["XCATSERVER"] " 2> /dev/null"
+ }
 } else {
 server = "/inet/tcp/0/127.0.0.1/400"
 }
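Review bot: The two `server` strings in startsyncfiles.awk differ by more than `-no_ssl2`: the new default adds `-rand /bin/nice`, which the removed line did not have, while the `-no_ssl2` branch still omits it. This looks like it was carried over from getpostscript.awk rather than intended, and it means the probe result also toggles the `-rand` option. Keep the strings identical apart from the flag, e.g. `server = "openssl s_client -no_ssl3 -connect " ENVIRON["XCATSERVER"] " 2> /dev/null"` for the default.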