Merge pull request #6090 from neo954/rhels8-openssl

[RH8] Show warning message when site.xcatsslversion has an value during upgrade
xcat2 · Mar 13, 2019 · d6b36a5 · d6b36a5
2 parents 50c2347 + 2408414
commit d6b36a5
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 12 deletions.
diff --git a/docs/source/advanced/security/ssl_config.rst b/docs/source/advanced/security/ssl_config.rst
@@ -8,21 +8,13 @@ The configuration is stored in the xCAT site table using the ``site.xcatsslversi
 Configuration
 -------------
 
-By default, xCAT ships with ``TLSv1`` configured.  The current highest SSL version that can be supported is ``TLSv1.2``.
+``site.xcatsslversion`` is the ``SSL_version`` option ``xcatd`` used and passed to ``IO::Socket::SSL->start_SSL()``. By default, this value is set to empty. In this case, ``xcatd`` will use ``SSLv23:!SSLv2:!SSLv3:!TLSv1`` internally. For more detail, see https://metacpan.org/pod/IO::Socket::SSL
+By default, xCAT ships with an empty value for ``site.xcatsslversion``. In this case, ``xcatd`` will use ``SSLv23:!SSLv2:!SSLv3:!TLSv1`` internally.
 
-* For rhels7.x and sles12.x and higher: ::
-
-    chtab key=xcatsslversion site.value=TLSv12
-
-* For ubuntu 14.x and higher: ::
-
-    chtab key=xcatsslversion site.value=TLSv1_2
-
-* For AIX 7.1.3.x: ::
+Here is an example of change ``site.xcatsslversoin`` to a different value. Say, TLS 1.2 is preferred. ::
 
     chtab key=xcatsslversion site.value=TLSv1_2
 
-
 If running > ``TLSv1``, it is possible to disable insecure ciphers.  Here's an example of one possible configuration: ::
 
     "xcatsslciphers","kDH:kEDH:kRSA:!SSLv3:!SSLv2:!aNULL:!eNULL:!MEDIUM:!LOW:!MD5:!EXPORT:!CAMELLIA:!ECDH",,

diff --git a/docs/source/guides/admin-guides/references/man5/site.5.rst b/docs/source/guides/admin-guides/references/man5/site.5.rst
@@ -465,7 +465,11 @@ site Attributes:
   
    xcatlport:  The port used by xcatd command log writer process to collect command output.
   
-   xcatsslversion:  The ssl version by xcatd. Default is TLSv1.
+   xcatsslversion:  The SSL_version option xcatd used and passed to
+                    IO::Socket::SSL->start_SSL(). By default, this value is
+                    set to empty. In this case, xcatd will use
+                    'SSLv23:!SSLv2:!SSLv3:!TLSv1' internally.
+                    For more detail, see https://metacpan.org/pod/IO::Socket::SSL
   
    xcatsslciphers:  The ssl cipher by xcatd. Default is 3DES.
  

diff --git a/xCAT-server/sbin/xcatconfig b/xCAT-server/sbin/xcatconfig
@@ -1206,6 +1206,7 @@ sub initDB
         $chtabcmds .= "$::XCATROOT/sbin/chtab key=cleanupxcatpost site.value=no;";
         $chtabcmds .= "$::XCATROOT/sbin/chtab key=dhcplease site.value=43200;";
         $chtabcmds .= "$::XCATROOT/sbin/chtab key=auditnosyslog site.value=0;";
+        $chtabcmds .= "$::XCATROOT/sbin/chtab key=xcatsslversion site.value=;";
         $chtabcmds .= "$::XCATROOT/sbin/chtab key=auditskipcmds site.value=ALL;";
 
         #$chtabcmds .= "$::XCATROOT/sbin/chtab key=useflowcontrol site.value=yes;"; # need to fix 4031
@@ -1471,6 +1472,32 @@ sub initDB
                 xCAT::MsgUtils->message('E', "Could not set ddns as dnshandler.");
             }
         }
+
+        # Set default value for site.xcatsslversion when update xcat
+        $cmds = "XCATBYPASS=Y $::XCATROOT/sbin/tabdump site 2>/dev/null | grep xcatsslversion";
+        xCAT::Utils->runcmd("$cmds", -1);
+        if ($::RUNCMD_RC == 0) {
+            xCAT::MsgUtils->message('I',
+                "__      ___   ___ _  _ ___ _  _  ___");
+            xCAT::MsgUtils->message('I',
+                "\\ \\    / /_\\ | _ \\ \\| |_ _| \\| |/ __|                      _     +-+-+-+-+-+-+-+");
+            xCAT::MsgUtils->message('I',
+                " \\ \\/\\/ / _ \\|   / .` || || .` | (_ |                     oo\\    |W|A|R|N|I|N|G|");
+            xCAT::MsgUtils->message('I',
+                "  \\_/\\_/_/ \\_\\_|_\\_|\\_|___|_|\\_|\\___|                    (__)\\   +-+-+-+-+-+-+-+");
+            xCAT::MsgUtils->message('I',
+                "+--------------------------------------------------------------+ +-+-+-+-+-+-+-+");
+            xCAT::MsgUtils->message('I',
+                "| The default value of `site.xcatsslversion' was updated.      |:|W|A|R|N|I|N|G|");
+            xCAT::MsgUtils->message('I',
+                "| Run `chdef -t site xcatsslversion=' to update your system to |:+-+-+-+-+-+-+-+");
+            xCAT::MsgUtils->message('I',
+                "| the new default value. See `man site' for more details.      |:+-+-+-+-+-+-+-+");
+            xCAT::MsgUtils->message('I',
+                "+--------------------------------------------------------------+:|W|A|R|N|I|N|G|");
+            xCAT::MsgUtils->message('I',
+                " ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::+-+-+-+-+-+-+-+");
+        }
     }
 
     # remove xcatserver,xcatclient