mirror of https://github.com/xcat2/xcat-core.git, synced 2025-10-26 00:45:38 +00:00
OpenSSL Configuration
=====================

xCAT does not ship OpenSSL RPMs, nor does it statically link to any OpenSSL libraries, so the protocol versions and cipher suites actually available to ``xcatd`` depend on the OpenSSL library installed on the management node. Communication between the xCAT client and daemon uses OpenSSL, and the administrator can configure the ``SSL_version`` and ``SSL_cipher`` options that the xCAT daemons should use.

The configuration is stored in the xCAT site table using the ``site.xcatsslversion`` and ``site.xcatsslciphers`` variables.

Configuration
-------------

``site.xcatsslversion`` is the ``SSL_version`` option that ``xcatd`` uses and passes to ``IO::Socket::SSL->start_SSL()``. By default, xCAT ships with an empty value for ``site.xcatsslversion``; in that case ``xcatd`` internally uses ``SSLv23:!SSLv2:!SSLv3:!TLSv1``, which negotiates the highest protocol version both sides support while refusing SSLv2, SSLv3 and TLS 1.0 (note that TLS 1.1 is still permitted by this default). For the accepted values and their exact meaning, see https://metacpan.org/pod/IO::Socket::SSL

Here is an example of changing ``site.xcatsslversion`` to a different value. Say TLS 1.2 is preferred: ::

    chtab key=xcatsslversion site.value=TLSv1_2

With ``IO::Socket::SSL``, a bare version name such as ``TLSv1_2`` accepts only that single version, so every xCAT client and service node must support it before the change is made. To allow TLS 1.2 and newer while still excluding the older protocols, use the negotiating form instead, for example ``SSLv23:!SSLv2:!SSLv3:!TLSv1:!TLSv1_1``.

If running > ``TLSv1``, it is possible to disable insecure ciphers. Here is an example of one possible configuration, shown as the ``site`` table row in ``tabdump`` format (set it with ``chtab`` in the same way as ``xcatsslversion`` above, using ``key=xcatsslciphers``): ::

    "xcatsslciphers","kDH:kEDH:kRSA:!SSLv3:!SSLv2:!aNULL:!eNULL:!MEDIUM:!LOW:!MD5:!EXPORT:!CAMELLIA:!ECDH",,

The value is an OpenSSL cipher list string; which suites it actually enables depends on the OpenSSL version on the management node, so check the expanded list on the system in question rather than assuming it.

After making any changes to these configuration values, ``xcatd`` must be restarted (``systemctl restart xcatd`` on systemd-based distributions): ::

    service xcatd restart

If any mistakes have been made and communication with ``xcatd`` is lost (for example, the client and daemon no longer share a protocol version or cipher), use ``XCATBYPASS`` to fix or remove the bad configuration. With ``XCATBYPASS=1`` the command edits the database directly instead of going through the daemon's SSL connection: ::

    XCATBYPASS=1 tabedit site

Validation
----------

Use the ``openssl`` command to validate that the SSL configuration is valid and behaves as expected. ``xcatd`` listens on TCP port 3001.

* To check whether TLSv1 is supported by ``xcatd`` (with the default ``!TLSv1`` setting, this handshake should fail): ::

    openssl s_client -connect 127.0.0.1:3001 -tls1

* To check that SSLv3 is disabled on ``xcatd``: ::

    openssl s_client -connect localhost:3001 -ssl3

  You should get a response similar to: ::

    70367087597568:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1259:SSL alert number 40
    70367087597568:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:

  A successful handshake, by contrast, ends with a ``New, <version>, Cipher is <name>`` line naming a real cipher suite, whereas a rejected one shows ``Cipher is (NONE)``. If ``openssl`` instead reports an unknown option for ``-ssl3`` or ``-tls1``, the local OpenSSL was built without that protocol; that does not prove ``xcatd`` rejects it, so run the check from a host whose ``openssl`` still supports the legacy version.
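The following script is an added example, not code from the xCAT project or its documentation. It automates the validation steps above for both settings discussed in this page: it runs ``openssl s_client`` once per protocol version against ``xcatd`` on port 3001 and classifies each result (distinguishing a server rejection from a local ``openssl`` that simply cannot speak the legacy protocol, which the manual check does not), and it scans the expanded form of a ``site.xcatsslciphers`` string for suites a reviewer would still reject. The host and port defaults, the function names and the ``report``, ``check`` and ``ciphers`` subcommands are this example's own assumptions.

```sh
#!/bin/sh
# Added example (not part of xCAT): verify an xcatd SSL/TLS configuration after
# changing site.xcatsslversion / site.xcatsslciphers and restarting xcatd.
# Assumptions: openssl is on PATH; xcatd listens on XCAT_HOST:XCAT_PORT (the
# defaults are the page's 127.0.0.1:3001); all names here are this example's own.

XCAT_HOST=${XCAT_HOST:-127.0.0.1}
XCAT_PORT=${XCAT_PORT:-3001}

# classify_handshake: read `openssl s_client` output on stdin, print one word.
#   accepted    - a session was negotiated ("Cipher is <NAME>" with a real name)
#   rejected    - the server refused the protocol (alert / handshake failure,
#                 "New, (NONE), Cipher is (NONE)" or no cipher line at all)
#   unsupported - this openssl binary lacks the protocol (unknown option, or
#                 "no protocols available" from its security level), so the
#                 probe proves nothing about the server
#   error       - no TLS exchange happened (connection refused / errno)
classify_handshake() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -qiE 'unknown option|unrecognized option|no protocols available'; then
        echo unsupported
    elif printf '%s\n' "$out" | grep -qE 'connect:errno|Connection refused'; then
        echo error
    elif printf '%s\n' "$out" | grep -qE 'Cipher is [A-Za-z0-9_-]'; then
        echo accepted
    else
        echo rejected
    fi
}

# probe_proto HOST PORT FLAG: one handshake restricted to a single protocol
# version (-ssl3, -tls1, -tls1_1, -tls1_2, -tls1_3). stdin is /dev/null so
# s_client exits as soon as the handshake finishes or fails.
probe_proto() {
    openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1 | classify_handshake
}

# xcatd_protocol_report: one line per protocol version, e.g. "-tls1    rejected".
xcatd_protocol_report() {
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2 -tls1_3; do
        printf '%-8s %s\n' "$flag" "$(probe_proto "$XCAT_HOST" "$XCAT_PORT" "$flag")"
    done
}

# check_xcatd_policy LEGACY MODERN: return 0 when every flag in LEGACY is
# rejected and at least one flag in MODERN is accepted. The defaults mirror the
# page's default SSLv23:!SSLv2:!SSLv3:!TLSv1 (TLS 1.1 is still allowed there).
# After `chtab key=xcatsslversion site.value=TLSv1_2` call it as:
#   check_xcatd_policy "-ssl3 -tls1 -tls1_1" "-tls1_2"
check_xcatd_policy() {
    legacy=${1:-"-ssl3 -tls1"}
    modern=${2:-"-tls1_1 -tls1_2 -tls1_3"}
    rc=0
    for flag in $legacy; do
        case $(probe_proto "$XCAT_HOST" "$XCAT_PORT" "$flag") in
            rejected)    ;;
            unsupported) echo "WARN: local openssl lacks $flag; not tested" >&2 ;;
            error)       echo "FAIL: cannot reach xcatd at $XCAT_HOST:$XCAT_PORT" >&2; rc=1 ;;
            *)           echo "FAIL: xcatd did not reject $flag" >&2; rc=1 ;;
        esac
    done
    ok=0
    for flag in $modern; do
        if [ "$(probe_proto "$XCAT_HOST" "$XCAT_PORT" "$flag")" = accepted ]; then ok=1; fi
    done
    if [ "$ok" != 1 ]; then echo "FAIL: no modern protocol accepted" >&2; rc=1; fi
    return $rc
}

# weak_ciphers_in: read `openssl ciphers -v <string>` output on stdin and print
# the suites still worth rejecting: RC4, single or triple DES, NULL encryption
# or authentication, MD5 MACs, export grades. On OpenSSL 1.0.x the page's
# example string still keeps DES-CBC3-SHA (3DES only moved to MEDIUM in 1.1.0),
# which is exactly the kind of surprise this expansion check catches.
weak_ciphers_in() {
    grep -E 'Enc=(RC4|DES|3DES|None)|Mac=MD5|Au=None|^EXP-'
}

# cipher_string_is_clean STRING: 0 when the expanded list has nothing weak
# (any offending suites are printed to stdout).
cipher_string_is_clean() {
    ! openssl ciphers -v "$1" | weak_ciphers_in
}

case "${1:-}" in
    report)  xcatd_protocol_report ;;
    check)   check_xcatd_policy "${2:-}" "${3:-}" ;;
    ciphers) cipher_string_is_clean "${2:-}" ;;
esac
```

Typical use on the management node after a restart of ``xcatd``: ``sh xcatd-ssl-check.sh report`` to see every protocol version's outcome, ``sh xcatd-ssl-check.sh check "-ssl3 -tls1 -tls1_1" "-tls1_2"`` to enforce a TLS 1.2 only policy, and ``sh xcatd-ssl-check.sh ciphers 'kDH:kEDH:kRSA:!SSLv3:!SSLv2:!aNULL:!eNULL:!MEDIUM:!LOW:!MD5:!EXPORT:!CAMELLIA:!ECDH'`` to expand the page's cipher string on this system's OpenSSL and fail if anything weak remains. Probing from a second host whose ``openssl`` still supports SSLv3 and TLS 1.0 is the only way to turn an ``unsupported`` result into a real answer.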