Update to this issue.
I verified that setting the SSL_verify_mode to the value for SSL_VERIFY_PEER in
the xCAT Client.pm module fixes the problem. After making this change, xCAT
commands work fine with the updated SSL.pm perl module. Ideally, a newer
version of xCAT has done this.
Section of code identified in /opt/xcat/lib/perl/xCAT/Client.pm by the error:
    if (-r $keyfile and -r $certfile and -r $cafile) {
        $client = IO::Socket::SSL->new(
            PeerAddr      => $xcathost,
            SSL_key_file  => $keyfile,
            SSL_cert_file => $certfile,
            SSL_ca_file   => $cafile,
            SSL_use_cert  => 1,
            Timeout       => 15,
        );
Insertion of the needed line:
    if (-r $keyfile and -r $certfile and -r $cafile) {
        $client = IO::Socket::SSL->new(
            PeerAddr        => $xcathost,
            SSL_verify_mode => 0x01,   ### <<-- Inserted this line, 0x01 is verify peer
            SSL_key_file    => $keyfile,
            SSL_cert_file   => $certfile,
            SSL_ca_file     => $cafile,
            SSL_use_cert    => 1,
            Timeout         => 15,
        );
Mike Waldron
Systems Specialist
ITS - Research Computing Center
University of North Carolina at Chapel Hill
________________________________________
From: Waldron, Michael H [[email protected]]
Sent: Thursday, January 10, 2013 1:24 PM
To: [email protected]
Subject: Upgrade to VCL 2.3.1 causing xCAT error
Not sure how many others are using xCAT or have run into this issue, but when I
upgraded our test VCL system from 2.2.1 to 2.3.1, I started getting the
following message when running any xCAT command:
*******************************************************************
Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client
is depreciated! Please set SSL_verify_mode to SSL_VERIFY_PEER
together with SSL_ca_file|SSL_ca_path for verification.
If you really don't want to verify the certificate and keep the
connection open to Man-In-The-Middle attacks please set
SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application.
*******************************************************************
at /opt/xcat/lib/perl/xCAT/Client.pm line 138
The command actually runs anyway and succeeds, but this warning output is
interpreted by vcld as a failure, and so the VCL operation fails.
I tracked down the source of the problem to the perl module
/usr/lib/perl5/site_perl/5.8.8/IO/Socket/SSL.pm, which gets updated when the
install_perl_libs.pl script is run as part of the VCL 2.3.1 upgrade. This
upgraded the SSL.pm module from version 1.01 to 1.81. This change apparently
necessitates putting some code in the xCAT Client.pm module to set the values
that the warning message is talking about.
A quick fix was to copy the 1.01 version back by doing:
'cp /usr/lib/perl5/vendor_perl/5.8.8/IO/Socket/SSL.pm
/usr/lib/perl5/site_perl/5.8.8/IO/Socket/SSL.pm'.
This made the warning message go away, and from additional testing I've done, I
haven't found any ill effects from doing this. Everything seems to work as it
should.
This is on RHEL 5.8 with xCAT 2.6.10. I haven't looked into whether updates to
xCAT address this or not.
Mike Waldron
Systems Specialist
ITS - Research Computing Center
University of North Carolina at Chapel Hill
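
An added example, not part of the original messages or of xCAT: a small source audit that finds every IO::Socket::SSL->new call in Perl text and reports whether it sets SSL_verify_mode, which is how the remaining callers affected by the SSL.pm upgrade can be located. The function names (audit, call_args) and the third sample call are assumptions made for illustration; comment stripping is a heuristic.

```python
import re

# First two calls mirror the before/after snippets in the message above;
# the third is constructed for illustration.
SAMPLE = r'''
$client = IO::Socket::SSL->new(
    PeerAddr      => $xcathost,
    SSL_key_file  => $keyfile,
    SSL_cert_file => $certfile,
    SSL_ca_file   => $cafile,
    SSL_use_cert  => 1,
    Timeout       => 15,
);
$client = IO::Socket::SSL->new(
    PeerAddr        => $xcathost,
    SSL_verify_mode => 0x01,   ### 0x01 is verify peer
    SSL_ca_file     => $cafile,
);
$client = IO::Socket::SSL->new(PeerAddr => $xcathost, SSL_verify_mode => SSL_VERIFY_NONE);
'''

CALL = re.compile(r'IO::Socket::SSL->new\s*\(')
MODE = re.compile(r'SSL_verify_mode\s*=>\s*([^,\s)]+)')
VERIFYING = {'SSL_VERIFY_PEER', '0x01', '1'}  # values that request peer verification

def call_args(src, start):
    """Return the argument text from src[start] up to the matching ')'."""
    depth, i = 1, start
    while i < len(src) and depth:
        depth += {'(': 1, ')': -1}.get(src[i], 0)
        i += 1
    return src[start:i - 1] if depth == 0 else src[start:]

def audit(src):
    """Return [(line, status)] for every IO::Socket::SSL->new call in src."""
    # Heuristic: drop '#' comments (newlines are kept, so line numbers hold).
    src = re.sub(r'#.*', '', src)
    findings = []
    for m in CALL.finditer(src):
        line = src.count('\n', 0, m.start()) + 1
        mode = MODE.search(call_args(src, m.end()))
        if mode is None:
            status = 'default'    # relies on the module's default verify mode
        elif mode.group(1).split('|')[0] in VERIFYING:
            status = 'verifies'   # peer certificate is checked
        else:
            status = 'review'     # set explicitly, but not to a verifying value
        findings.append((line, status))
    return findings
```

Calls reported as 'default' are the ones that trigger the warning quoted above under the newer SSL.pm; 'review' marks calls that silence it without verifying the peer.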