Gluster communication via TLS client problem

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi to all,
The system is running Debian 12 with Gluster 10. All systems are using the same versions.

I try to encrypt the communication between the peers and the clients via TLS. The encryption between the peers works, but when I try to mount the volume on the client I always get an error.


What have I done?

1. all hosts and clients can resolve the name of all systems involved.

2. the volume is running and all hosts and clients can mount the volume, when TLS is not activated.

To activate TLS I did in /usr/lib/ssl on all participating systems with

 openssl genrsa -out glusterfs.key 2048

openssl req -new -x509 -key glusterfs.key -subj "/CN=c01.gluster" -out glusterfs.pem

Keys and certificates created (CN customised)

Then combine all certificates into one and copy them to /usr/lib/ssl/ as glusterfs.ca to all hosts.

Create the file /var/lib/glusterd/secure-access on the gluster peers.

Gluster volume stopped and glusterd restarted.

Then set the following parameters:

gluster volume set gv1 auth.ssl-allow '*'

gluster volume set gv1 client.ssl on

gluster volume set gv1 server.ssl on

When mounting the volume on the peers, I get the following messages:
-------------------
_64-linux-gnu/libglusterfs.so.0(runner_log+0x100) [0x7ffa11782640] ) 0-management: Ran script: /var/lib/glusterd/hooks/1/start/post/S30samba-start.sh --volname=gv1 --first=yes --version=1 --volume-op=start --gd-workdir=/var/lib/glusterd

0-socket.management: SSL support for MGMT is ENABLED IO path is ENABLED certificate depth is 1 for peer 192.168.57.42:49147

0-socket.management: SSL support for MGMT is ENABLED IO path is ENABLED certificate depth is 1 for peer 192.168.57.43:49147

0-socket.management: SSL support for MGMT is ENABLED IO path is ENABLED certificate depth is 1 for peer 192.168.57.41:49151

-------------------

Looks good to me

Now trying to mount on the client with:
---------------
mount -t glusterfs c01.gluster:/gv1 /mnt
---------------
Then I get the following messages:
On the gluster node in /var/log/gluster/glusterd
------
[2024-01-26 09:27:34.987837 +0000] I [socket.c:4288:ssl_setup_connection_params] 0-socket.management: SSL support for MGMT is ENABLED IO path is ENABLED certificate depth is 1 for peer 192.168.57.51:49151 [2024-01-26 09:27:34.991908 +0000] E [socket.c:224:ssl_dump_error_stack] 0-socket.management: error:0A00010B:SSL routines::wrong version number
------

On the client in /var/log/gluster/mnt.log
-------
[2024-01-26 09:30:06.673990 +0000] I [MSGID: 100030] [glusterfsd.c:2767:main] 0-/usr/sbin/glusterfs: Started running version [{arg=/usr/sbin/glusterfs}, {version=10.5}, {cmdlinestr=/usr/sbin/glusterfs --process-name fuse --volfile-server=c01.gluster --volfile-id=/gv1 /mnt}] [2024-01-26 09:30:06.677184 +0000] I [glusterfsd.c:2447:daemonize] 0-glusterfs: Pid of current running process is 931 [2024-01-26 09:30:06.685814 +0000] I [MSGID: 101190] [event-epoll.c:667:event_dispatch_epoll_worker] 0-epoll: Started thread with index [{index=1}] [2024-01-26 09:30:06.686116 +0000] I [MSGID: 101190] [event-epoll.c:667:event_dispatch_epoll_worker] 0-epoll: Started thread with index [{index=0}] [2024-01-26 09:30:06.690443 +0000] I [glusterfsd-mgmt.c:2681:mgmt_rpc_notify] 0-glusterfsd-mgmt: disconnected from remote-host: c01.gluster [2024-01-26 09:30:06.690512 +0000] I [glusterfsd-mgmt.c:2720:mgmt_rpc_notify] 0-glusterfsd-mgmt: Exhausted all volfile servers [2024-01-26 09:30:06.691618 +0000] W [glusterfsd.c:1458:cleanup_and_exit] (-->/lib/x86_64-linux-gnu/libgfrpc.so.0(+0xfa35) [0x7f83ace13a35] -->/usr/sbin/glusterfs(+0x14769) [0x55650549b769] -->/usr/sbin/glusterfs(cleanup_and_exit+0x57) [0x556505492447] ) 0-: received signum (1), shutting down [2024-01-26 09:30:06.691699 +0000] I [fuse-bridge.c:7065:fini] 0-fuse: Unmounting '/mnt'. [2024-01-26 09:30:06.694246 +0000] I [fuse-bridge.c:7069:fini] 0-fuse: Closing fuse connection to '/mnt'. [2024-01-26 09:30:06.694431 +0000] W [glusterfsd.c:1458:cleanup_and_exit] (-->/lib/x86_64-linux-gnu/libc.so.6(+0x89044) [0x7f83acc98044] -->/usr/sbin/glusterfs(glusterfs_sigwaiter+0xc5) [0x556505499e05] -->/usr/sbin/glusterfs(cleanup_and_exit+0x57) [0x556505492447] ) 0-: received signum (15), shutting down
-------


Testing with openssl on the client show:

root@cluster-client:~# openssl s_client -CAfile /usr/lib/ssl/glusterfs.ca -connect c01.gluster:24007
CONNECTED(00000003)
depth=0 CN = c01.gluster
verify return:1
---
Certificate chain
 0 s:CN = c01.gluster
   i:CN = c01.gluster
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Jan 26 08:27:12 2024 GMT; NotAfter: Feb 25 08:27:12 2024 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDDTCCAfWgAwIBAgIULCwcIV9jWFzeZoeO1Xs5TJ9J5rkwDQYJKoZIhvcNAQEL
BQAwFjEUMBIGA1UEAwwLYzAxLmdsdXN0ZXIwHhcNMjQwMTI2MDgyNzEyWhcNMjQw
MjI1MDgyNzEyWjAWMRQwEgYDVQQDDAtjMDEuZ2x1c3RlcjCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBANPQ+fSk2V+hAjSOViZJxDWEgkjO1g8r3JH47QmI
D8mhEAVoeUhzDdbDV2gWw26pgU1Z22cCQr72rnZaK9vV1xzvGVjdzbKwQU8NhqhR
XWGJVlHdc5LxcOXfU7FpY6XMDzDLvRuNTMzsc685vJ8hjMxMAZJSLMAXNmLPMPnW
NuaudBE+1f7oc9sdGWhUqmPcWXT6xUeEUEJCDbOrccH8nhUwBMbQFiU7S4pV3smB
bbYNHFtw7Liz9B/vMoX1HckUKAsWcaWqPlWYr1rFHHPneyuG2evVcfRDhGsA1Fmo
v7kamrGtXgEAdgXC6HdENFBJzdSSb77A89d8OSHOYNyEV5UCAwEAAaNTMFEwHQYD
VR0OBBYEFCFjInacsKnR6TuPf+BI30b8qWPtMB8GA1UdIwQYMBaAFCFjInacsKnR
6TuPf+BI30b8qWPtMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
AKBZNCRxKO5rv4yezGZRa/SDdpEc/vrGD5jKbHxQjBP+0YX/hToOGt04oh48iNFT
A2vqUVby4JXml9FjPCNktHlRk/NYXIlQiTm//TBeG2D+HrAQRyLR6TXF62/4H3Pb
Yktzr+vNk/znd5AKv3g8kMMpAB0UGxjZ9CtMDTuAYrQPtFCgCy1rf6fvP3cKZwaK
kk/QjJyc9u6zTvL0ptOHdOdQbhrHjZHiQ1D6QvJu6LouMsY3gGlVXfh0rQHUzSvT
7MmDRb/l4jTs2sn/nexh9bpHUv/m3vzDWBbrWcwGzenKXR+lg1hvAZAP3Ds33S/+
W7sfZVptCwBXbYK0bSh+KiU=
-----END CERTIFICATE-----
subject=CN = c01.gluster
issuer=CN = c01.gluster
---
No client certificate CA names sent
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1534 bytes and written 777 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
Session-ID: A9CA3DA57FDA9BF9D9EFBBD0E5CE5D8F7A5DE091C10E54310D52A23DCB7DA95B
    Session-ID-ctx:
Resumption PSK: C7BA79D9FB045352371121AC97F891FBD4C2578AA48A7CD57747A941C6864CCE5163D5AF94BE01D75233148BD75E755E
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
0000 - 6e fd 36 f6 0f 16 dc d0-f1 9f 02 4b 32 20 5e 4b n.6........K2 ^K 0010 - e4 98 1e 6f 4c 8d b3 71-c8 12 40 ed 75 3f f7 ce ...oL..q..@.u?..

    Start Time: 1706261953
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
Session-ID: 42BA7A7BFC9B64C030DB99E2D12B060052F53B5A771826199868A6AE913ED245
    Session-ID-ctx:
Resumption PSK: 3E66E04230CDFDF569A87764318B3C0C67FEA910742784CBC31E0221C44DB4EB91C2EBCB471AEB31FFFD5AB452C899F3
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
0000 - 79 2a c8 0c 4c c7 2b f1-2d 3c 01 cf dd b3 e0 68 y*..L.+.-<.....h 0010 - 7c 19 e7 e3 96 d9 5d 77-19 a3 e1 a8 9e 6c 3a 37 |.....]w.....l:7

    Start Time: 1706261953
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
40D7F609527F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:303:

Any help?

Thank's

Stefan

Attachment: smime.p7s
Description: Kryptografische S/MIME-Signatur

________



Community Meeting Calendar:

Schedule -
Every 2nd and 4th Tuesday at 14:30 IST / 09:00 UTC
Bridge: https://meet.google.com/cpu-eiue-hvk
Gluster-users mailing list
Gluster-users@xxxxxxxxxxx
https://lists.gluster.org/mailman/listinfo/gluster-users

[Index of Archives]     [Gluster Development]     [Linux Filesytems Development]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Bugtraq]     [Linux OMAP]     [Linux MIPS]     [eCos]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux