Re: Gluster communication via TLS client problem

On 28.01.24 at 23:03, Strahil Nikolov wrote:
> You didn't specify correctly the IP in the SANs but I'm not sure if that's the root cause.
> In the SANs section specify all hosts + their IPs:
>
> IP.1=1.2.3.4
> IP.2=2.3.4.5
> DNS.1=c01.gluster
> DNS.2=c02.gluster

ahh ok, I can try it, but I don't think that's my problem :-(

> What is the output from the client:
> openssl s_client -showcerts -connect c02.gluster:24007
Here is the result connecting from client to server:
-------------------
root@cluster-client:~# openssl s_client -showcerts -connect c02.gluster:24007
CONNECTED(00000003)
depth=0 CN = c02.gluster
verify error:num=18:self-signed certificate
verify return:1
depth=0 CN = c02.gluster
verify return:1
---
Certificate chain
 0 s:CN = c02.gluster
   i:CN = c02.gluster
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Jan 28 15:04:34 2024 GMT; NotAfter: Feb 27 15:04:34 2024 GMT
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
---
Server certificate
subject=CN = c02.gluster
issuer=CN = c02.gluster
---
No client certificate CA names sent
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1534 bytes and written 777 bytes
Verification error: self-signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self-signed certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: EC49FFB5EB73CC773A4D6BF322644B69450452ECA5D6CEC813505C98301DB277
    Session-ID-ctx:
    Resumption PSK: 957A3A01436961C058515E8E5F74C817E1CEE574234DF6071E78117565CC6D579EBF6423DF94D7CDAD122F515EA03631
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 09 7c c3 b4 fd 39 18 ae-3a e4 ee 74 64 ed cc d7   .|...9..:..td...
    0010 - c1 90 39 48 7d 00 69 a5-82 1c 0d 15 42 77 7a 31   ..9H}.i.....Bwz1

    Start Time: 1706527955
    Timeout   : 7200 (sec)
    Verify return code: 18 (self-signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 80A42FC0DF4F92F3118474F1CEFC4FB8A12344E74E190EE9E9161884C482E2B1
    Session-ID-ctx:
    Resumption PSK: C18CC9CD3BFDF0701B46255049802F5BAA8D36DA3EAC2BD7C2350DDEC71EDB2E622DDF8CD926B6174E1EFE09E72479C7
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - da 99 d0 e7 2d 1d 1a 73-8b 98 62 a6 43 34 b8 72   ....-..s..b.C4.r
    0010 - bc 84 12 b5 6e 37 19 d9-b2 b5 ff 48 98 f7 e6 07   ....n7.....H....

    Start Time: 1706527955
    Timeout   : 7200 (sec)
    Verify return code: 18 (self-signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
4037D3DD357F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:303
-------------------

I think the last line can be ignored.

Testing the same command from server to server, the result is the same. The management encryption is working. The connection between the three nodes is not showing any error; glusterd.log is showing:
-----------------
0-socket.management: SSL support for MGMT is ENABLED IO path is ENABLED certificate depth is 1 for peer 192.168.57.41:49148

0-socket.management: SSL support for MGMT is ENABLED IO path is ENABLED certificate depth is 1 for peer 192.168.57.42:49149

0-socket.management: SSL support for MGMT is ENABLED IO path is ENABLED certificate depth is 1 for peer 192.168.57.43:49148
-----------------

> There is a very good article on the topic: https://www.redhat.com/en/blog/hardening-gluster-installations-tls
Nice article ;-) Maybe the only one I did not read up to now :-) I did everything the same way :-(

> Can you check it for a missed step?
> Can you share the volume settings?
Yes, here are the results from "gluster v info" and "gluster v status":
----------------
root@c01:~# gluster v info

Volume Name: gv1
Type: Replicate
Volume ID: fe89dc61-3ee5-4507-8025-22c19f248d53
Status: Started
Snapshot Count: 0
Number of Bricks: 1 x 3 = 3
Transport-type: tcp
Bricks:
Brick1: c01.gluster:/gluster/brick
Brick2: c02.gluster:/gluster/brick
Brick3: c03.gluster:/gluster/brick
Options Reconfigured:
performance.client-io-threads: off
nfs.disable: on
transport.address-family: inet
storage.fips-mode-rchecksum: on
cluster.granular-entry-heal: on
auth.ssl-allow: *
client.ssl: on
server.ssl: on

root@c01:~# gluster v status
Status of volume: gv1
Gluster process                             TCP Port  RDMA Port  Online  Pid
--------------------------------------------------------------------------
Brick c01.gluster:/gluster/brick       59287     0          Y       866
Brick c02.gluster:/gluster/brick       51998     0          Y       850
Brick c03.gluster:/gluster/brick       60291     0          Y       807
Self-heal Daemon on localhost          N/A       N/A        Y       1216
Self-heal Daemon on c03.gluster        N/A       N/A        Y       883
Self-heal Daemon on c02.gluster        N/A       N/A        Y       883

Task Status of Volume gv1
------------------------------------------------------------------------------
There are no active volume tasks
----------------
There is only one thing I set: "auth.ssl-allow: *" instead of all the hostnames. But with all FQDNs set it's the same.



Attachment: smime.p7s
Description: Cryptographic S/MIME signature

________



Community Meeting Calendar:

Schedule -
Every 2nd and 4th Tuesday at 14:30 IST / 09:00 UTC
Bridge: https://meet.google.com/cpu-eiue-hvk
Gluster-users mailing list
Gluster-users@xxxxxxxxxxx
https://lists.gluster.org/mailman/listinfo/gluster-users
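Two things in the exchange above are worth separating. First, the `openssl s_client` run was given neither `-CAfile` nor a client certificate, so it validates the server against the system trust store only; a "verify error 18: self-signed certificate" there is expected for a private Gluster CA and by itself says nothing about how glusterd is configured. Second, Strahil's point about SANs is a separate check: a client that connects by IP needs an `IP:` SAN, one that connects by name needs a `DNS:` SAN, and the CN alone is not consulted when a SAN is present. The script below is an added example, not code from the thread or from the Gluster project. It mints a throwaway CA and one certificate per node with both SAN types, then runs the chain, hostname and IP checks with `openssl verify`, and reproduces the error-18 case with a CN-only self-signed certificate. The node-to-IP mapping (c01-c03 to 192.168.57.41-43) is assumed from the peer addresses in glusterd.log, the file names mirror the glusterfs.pem/.key/.ca layout Gluster documents, and everything is written to a temporary directory so nothing under /etc/ssl is touched.

```shell
#!/bin/sh
# Added example (not from the thread or the Gluster project): mint a throwaway
# CA plus one certificate per node whose SAN carries both the DNS name and the
# IP, then verify them the way a TLS client does. Everything is written to a
# temp dir; nothing touches /etc/ssl or a running glusterd.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Assumed node -> IP mapping (hostnames and peer IPs as they appear in the thread).
NODES="c01.gluster:192.168.57.41 c02.gluster:192.168.57.42 c03.gluster:192.168.57.43"

# Create the private CA (glusterfs.ca) with an explicit config so the result
# does not depend on whatever the system openssl.cnf contains.
make_ca() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = gluster-test-ca
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/ca.key" -out "$WORK/glusterfs.ca" 2>/dev/null
}

# make_node_cert <host> <ip>: CSR with CN=<host>, signed by the CA with
# subjectAltName = DNS:<host>,IP:<ip>, i.e. both identifiers a client may use.
make_node_cert() {
    host=$1; ip=$2
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$host" > "$WORK/$host.cnf"
    printf 'subjectAltName = DNS:%s,IP:%s\nextendedKeyUsage = serverAuth,clientAuth\nbasicConstraints = CA:FALSE\n' \
        "$host" "$ip" > "$WORK/$host.ext"
    openssl req -new -config "$WORK/$host.cnf" -newkey rsa:2048 -nodes \
        -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/glusterfs.ca" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -extfile "$WORK/$host.ext" -out "$WORK/$host.pem" 2>/dev/null
}

# make_selfsigned <host>: CN-only, issuer == subject, no SAN; the shape of the
# certificate s_client printed above. Used to reproduce "verify error 18".
make_selfsigned() {
    host=$1
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$host" > "$WORK/self.cnf"
    openssl req -x509 -config "$WORK/self.cnf" -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/self.key" -out "$WORK/self.pem" 2>/dev/null
}

# verify_against_ca <pem>: chain check against glusterfs.ca only. Returns 0 on success.
verify_against_ca() {
    openssl verify -CAfile "$WORK/glusterfs.ca" "$1" >/dev/null 2>&1
}

# verify_node <host> <ip>: chain check plus SAN matching for both the DNS name
# and the IP; a client connecting by either identifier would require its check.
verify_node() {
    host=$1; ip=$2
    verify_against_ca "$WORK/$host.pem" || return 1
    openssl verify -CAfile "$WORK/glusterfs.ca" -verify_hostname "$host" "$WORK/$host.pem" >/dev/null 2>&1 || return 1
    openssl verify -CAfile "$WORK/glusterfs.ca" -verify_ip "$ip" "$WORK/$host.pem" >/dev/null 2>&1 || return 1
}

# san_of <pem>: print the subjectAltName extension so the SAN entries can be eyeballed.
san_of() {
    openssl x509 -in "$1" -noout -ext subjectAltName
}

make_ca
make_selfsigned c02.gluster
for n in $NODES; do
    host=${n%%:*}; ip=${n#*:}
    make_node_cert "$host" "$ip"
    san_of "$WORK/$host.pem"
    if verify_node "$host" "$ip"; then echo "$host: chain, DNS and IP all verify"; else echo "$host: FAILED"; fi
done
if verify_against_ca "$WORK/self.pem"; then
    echo "self-signed: unexpectedly trusted"
else
    echo "self-signed CN=c02.gluster: rejected by glusterfs.ca (this is the s_client error-18 case)"
fi
```

To make `s_client` approximate what a Gluster client actually does, hand it the same material glusterd uses: `openssl s_client -connect c02.gluster:24007 -CAfile /etc/ssl/glusterfs.ca -cert /etc/ssl/glusterfs.pem -key /etc/ssl/glusterfs.key`. With the CA supplied the verify return code should become 0, and presenting the client certificate exercises the mutual-authentication path that the bare invocation above never reaches.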
