[Pkg-ganeti-devel] [ganeti] 10/12: Do not specify SSL method in impexpd

Apollon Oikonomopoulos apoikos at moszumanska.debian.org
Tue Jun 27 08:23:43 UTC 2017


This is an automated email from the git hooks/post-receive script.

apoikos pushed a commit to branch master
in repository ganeti.

commit 962e4efb63e26d30e3d310caae450b7d47f88dd1
Author: Apollon Oikonomopoulos <apoikos at debian.org>
Date:   Mon May 29 11:50:46 2017 +0300

    Do not specify SSL method in impexpd
    
    Instance import/export/move is currently broken on Stretch, as socat
    cannot parse method=TLSv1 (it's called TLS1 now). Drop the option
    completely, as there is no reason to pick a specific (old) SSL method
    now that SSLv3 is gone, and let socat+OpenSSL choose the best supported
    method instead.
---
 .../patches/do-not-specify-socat-ssl-method.patch  | 30 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 2 files changed, 31 insertions(+)

diff --git a/debian/patches/do-not-specify-socat-ssl-method.patch b/debian/patches/do-not-specify-socat-ssl-method.patch
new file mode 100644
index 0000000..2ad2368
--- /dev/null
+++ b/debian/patches/do-not-specify-socat-ssl-method.patch
@@ -0,0 +1,30 @@
+From f8cfc917a890de1d2489ab89775780c41b68a651 Mon Sep 17 00:00:00 2001
+From: Apollon Oikonomopoulos <apoikos at debian.org>
+Date: Fri, 26 May 2017 12:45:41 +0300
+Subject: [PATCH 3/3] impexpd: do not specify SSL method
+
+Recent versions of socat have changed the OpenSSL method name from TLSv1
+to TLS1, making instance import/export fail. Since there is no reason to
+force a specific (old) TLS version now that SSLv3 support has been removed
+from OpenSSL, it makes sense to just let socat choose.
+---
+ lib/impexpd/__init__.py | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/lib/impexpd/__init__.py b/lib/impexpd/__init__.py
+index f40db31e4..97a9716cc 100644
+--- a/lib/impexpd/__init__.py
++++ b/lib/impexpd/__init__.py
+@@ -88,8 +88,7 @@ BUFSIZE = 1024 * 1024
+ 
+ # Common options for socat
+ SOCAT_TCP_OPTS = ["keepalive", "keepidle=60", "keepintvl=10", "keepcnt=5"]
+-SOCAT_OPENSSL_OPTS = ["verify=1", "method=TLSv1",
+-                      "cipher=%s" % constants.OPENSSL_CIPHERS]
++SOCAT_OPENSSL_OPTS = ["verify=1", "cipher=%s" % constants.OPENSSL_CIPHERS]
+ 
+ if constants.SOCAT_USE_COMPRESS:
+   # Disables all compression in by OpenSSL. Only supported in patched versions
+-- 
+2.11.0
+
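Review bot: In the lib/impexpd/__init__.py change, the new SOCAT_OPENSSL_OPTS line has no comment recording that the method option is left out on purpose, so a later reader could re-add a pin and bring back the parse failure the description mentions. A one-line comment above the assignment would cover it, for example "# No method= here: the option's values differ between socat versions; let socat/OpenSSL negotiate". With the pin gone, verify=1 and the cipher= value from constants.OPENSSL_CIPHERS are the only explicit TLS constraints left in this list, and the negotiated protocol depends on what socat and OpenSSL support on both nodes of an import/export. The description only says "Recent versions of socat", so it would help to name the socat versions this was tested against.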
diff --git a/debian/patches/series b/debian/patches/series
index ea4d6e5..f2bf4cb 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -14,3 +14,4 @@ non-DSA-SSH-key-support.patch
 fix-ssh-key-renewal-on-single-node-clusters.patch
 set-defaults-for-ssh-type-bits.patch
 use-hv-class-to-check-for-migration.patch
+do-not-specify-socat-ssl-method.patch
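Review bot: The series entry added here points at a patch whose header reads "[PATCH 3/3]", but this commit adds only that one file to debian/patches. Please confirm it applies cleanly on top of use-hv-class-to-check-for-migration.patch without parts 1/3 and 2/3, and consider adding a Forwarded or Origin field to the patch header so the upstream status is recorded alongside it.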

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ganeti/ganeti.git


