[Pkg-ganeti-devel] [ganeti] 10/12: Do not specify SSL method in impexpd
Apollon Oikonomopoulos
apoikos at moszumanska.debian.org
Tue Jun 27 08:23:43 UTC 2017
This is an automated email from the git hooks/post-receive script.
apoikos pushed a commit to branch master
in repository ganeti.
commit 962e4efb63e26d30e3d310caae450b7d47f88dd1
Author: Apollon Oikonomopoulos <apoikos at debian.org>
Date: Mon May 29 11:50:46 2017 +0300
Do not specify SSL method in impexpd
Instance import/export/move is currently broken on Stretch, as socat
cannot parse method=TLSv1 (it's called TLS1 now). Drop the option
completely, as there is no reason to pick a specific (old) SSL method
now that SSLv3 is gone, and let socat+OpenSSL choose the best supported
method instead.
---
.../patches/do-not-specify-socat-ssl-method.patch | 30 ++++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 31 insertions(+)
diff --git a/debian/patches/do-not-specify-socat-ssl-method.patch b/debian/patches/do-not-specify-socat-ssl-method.patch
new file mode 100644
index 0000000..2ad2368
--- /dev/null
+++ b/debian/patches/do-not-specify-socat-ssl-method.patch
@@ -0,0 +1,30 @@
+From f8cfc917a890de1d2489ab89775780c41b68a651 Mon Sep 17 00:00:00 2001
+From: Apollon Oikonomopoulos <apoikos at debian.org>
+Date: Fri, 26 May 2017 12:45:41 +0300
+Subject: [PATCH 3/3] impexpd: do not specify SSL method
+
+Recent versions of socat have changed the OpenSSL method name from TLSv1
+to TLS1, making instance import/export fail. Since there is no reason to
+force a specific (old) TLS version now that SSLv3 support has been removed
+from OpenSSL, it makes sense to just let socat choose.
+---
+ lib/impexpd/__init__.py | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/lib/impexpd/__init__.py b/lib/impexpd/__init__.py
+index f40db31e4..97a9716cc 100644
+--- a/lib/impexpd/__init__.py
++++ b/lib/impexpd/__init__.py
+@@ -88,8 +88,7 @@ BUFSIZE = 1024 * 1024
+
+ # Common options for socat
+ SOCAT_TCP_OPTS = ["keepalive", "keepidle=60", "keepintvl=10", "keepcnt=5"]
+-SOCAT_OPENSSL_OPTS = ["verify=1", "method=TLSv1",
+- "cipher=%s" % constants.OPENSSL_CIPHERS]
++SOCAT_OPENSSL_OPTS = ["verify=1", "cipher=%s" % constants.OPENSSL_CIPHERS]
+
+ if constants.SOCAT_USE_COMPRESS:
+ # Disables all compression in by OpenSSL. Only supported in patched versions
+--
+2.11.0
+
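Review bot: In the lib/impexpd/__init__.py change, dropping "method=TLSv1" from SOCAT_OPENSSL_OPTS leaves no protocol version selection at all, so the TLS version used for instance import/export now depends entirely on what the socat and OpenSSL builds on both nodes negotiate. The patch description justifies this by SSLv3 having been removed from OpenSSL, but nothing in the option list enforces or records that assumption; only "verify=1" and the cipher= entry built from constants.OPENSSL_CIPHERS remain. Suggest a comment above SOCAT_OPENSSL_OPTS stating that the protocol version is deliberately left to socat/OpenSSL and why, so a later change does not reintroduce a pinned method name that a newer socat cannot parse. The patch header would also benefit from a line saying whether this was forwarded upstream, since the subject marks it as part 3/3 of a series.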
diff --git a/debian/patches/series b/debian/patches/series
index ea4d6e5..f2bf4cb 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -14,3 +14,4 @@ non-DSA-SSH-key-support.patch
fix-ssh-key-renewal-on-single-node-clusters.patch
set-defaults-for-ssh-type-bits.patch
use-hv-class-to-check-for-migration.patch
+do-not-specify-socat-ssl-method.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ganeti/ganeti.git