I've got to insert an editorial comment! Mike has demonstrated one of the problems with Open Source software (versus a purely proprietary package). One is at the mercy of changes in all of the other OS software included - not just xCAT, also Perl, PHP, MySQL, ...
He has also demonstrated one of the strengths of OS by successfully tracking down the problem, remedying it and showing a fix. This would not have been, or seldom been, possible with proprietary software. Whoop - preaching to the choir again! :-)

--henry

On Thu, Jan 10, 2013 at 2:16 PM, Waldron, Michael H <[email protected]> wrote:

> Update to this issue.
>
> I verified that setting the SSL_verify_mode to the value for
> SSL_VERIFY_PEER in the xCAT Client.pm module fixes the problem. After
> making this change, xCAT commands work fine with the updated SSL.pm perl
> module. Ideally, a newer version of xCAT has done this.
>
> Section of code identified in /opt/xcat/lib/perl/xCAT/Client.pm by the
> error:
>     if (-r $keyfile and -r $certfile and -r $cafile) {
>         $client = IO::Socket::SSL->new(
>             PeerAddr      => $xcathost,
>             SSL_key_file  => $keyfile,
>             SSL_cert_file => $certfile,
>             SSL_ca_file   => $cafile,
>             SSL_use_cert  => 1,
>             Timeout       => 15,
>         );
>
> Insertion of the needed line:
>     if (-r $keyfile and -r $certfile and -r $cafile) {
>         $client = IO::Socket::SSL->new(
>             PeerAddr        => $xcathost,
>             SSL_verify_mode => 0x01,   ### <<-- Inserted this line, 0x01 is verify peer
>             SSL_key_file    => $keyfile,
>             SSL_cert_file   => $certfile,
>             SSL_ca_file     => $cafile,
>             SSL_use_cert    => 1,
>             Timeout         => 15,
>         );
>
> Mike Waldron
> Systems Specialist
> ITS - Research Computing Center
> University of North Carolina at Chapel Hill
>
> ________________________________________
> From: Waldron, Michael H [[email protected]]
> Sent: Thursday, January 10, 2013 1:24 PM
> To: [email protected]
> Subject: Upgrade to VCL 2.3.1 causing xCAT error
>
> Not sure how many others are using xCAT or have run into this issue, but
> when I upgraded our test VCL system from 2.2.1 to 2.3.1, I started getting
> the following message when running any xCAT command:
>
> *******************************************************************
>  Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client
>  is depreciated! Please set SSL_verify_mode to SSL_VERIFY_PEER
>  together with SSL_ca_file|SSL_ca_path for verification.
>  If you really don't want to verify the certificate and keep the
>  connection open to Man-In-The-Middle attacks please set
>  SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application.
> *******************************************************************
>  at /opt/xcat/lib/perl/xCAT/Client.pm line 138
>
> The command actually runs anyway and succeeds, but this warning output is
> interpreted by vcld as a failure, and so the VCL operation fails.
>
> I tracked down the source of the problem to the perl module
> /usr/lib/perl5/site_perl/5.8.8/IO/Socket/SSL.pm, which gets updated when
> the install_perl_libs.pl script is run as part of the VCL 2.3.1 upgrade.
> This upgraded the SSL.pm module from version 1.01 to 1.81. This change
> apparently necessitates putting some code in the xCAT Client.pm module to
> set the values that the warning message is talking about.
>
> A quick fix was to copy the 1.01 version back by doing:
> 'cp /usr/lib/perl5/vendor_perl/5.8.8/IO/Socket/SSL.pm
> /usr/lib/perl5/site_perl/5.8.8/IO/Socket/SSL.pm'.
>
> This made the warning message go away, and from additional testing I've
> done, I haven't found any ill effects from doing this. Everything seems to
> work as it should.
>
> This is on RHEL 5.8 with xCAT 2.6.10. I haven't looked into whether
> updates to xCAT address this or not.
>
> Mike Waldron
> Systems Specialist
> ITS - Research Computing Center
> University of North Carolina at Chapel Hill
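
An audit check for the condition discussed in this thread, added here as an example and not part of either message or of xCAT/VCL: it scans Perl source for IO::Socket::SSL->new calls and reports whether each one omits SSL_verify_mode (the case that triggers the warning), disables verification, or verifies the peer. The function names and the sample text are hypothetical; it is a text scan only, so modes set through a variable are reported as "unknown".

```python
import re
import sys

CALL_RE = re.compile(r"IO::Socket::SSL->new\s*\(")
MODE_RE = re.compile(r"SSL_verify_mode\s*=>\s*([^,\s)]+)")

# Constructed sample: the Client.pm call before and after the fix from the
# thread (abridged), plus a hypothetical call that turns verification off.
SAMPLE = """\
$client = IO::Socket::SSL->new(            # as shipped: mode omitted
    PeerAddr => $xcathost, SSL_ca_file => $cafile, Timeout => 15,
);
$client = IO::Socket::SSL->new(            # with the inserted line
    PeerAddr => $xcathost, SSL_verify_mode => 0x01,
    SSL_ca_file => $cafile, Timeout => 15,
);
$probe = IO::Socket::SSL->new(PeerAddr => $h, SSL_verify_mode => SSL_VERIFY_NONE);
"""

def call_args(src, pos):
    """Return the argument text between the '(' ending at pos and its match."""
    depth, i = 1, pos
    while i < len(src) and depth:
        depth += {"(": 1, ")": -1}.get(src[i], 0)
        i += 1
    return src[pos:i - 1] if depth == 0 else src[pos:]

def classify(args):
    m = MODE_RE.search(args)
    if m is None:
        return "missing"          # the case the warning in the thread is about
    value = m.group(1)
    if "SSL_VERIFY_PEER" in value:
        return "verify-peer"
    if value == "SSL_VERIFY_NONE":
        return "disabled"
    try:                          # numeric literal: bit 0x01 is verify peer
        n = int(value, 16 if value.lower().startswith("0x") else 10)
    except ValueError:
        return "unknown"          # variable or expression, review by hand
    return "verify-peer" if n & 0x01 else "disabled"

def audit(src):
    """Return (line, status) for every IO::Socket::SSL->new call in src."""
    clean = re.sub(r"#.*", "", src)   # naive: assumes no '#' inside strings
    return [(clean.count("\n", 0, m.start()) + 1, classify(call_args(clean, m.end())))
            for m in CALL_RE.finditer(clean)]

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for line, status in audit(text):
        print(f"line {line}: SSL_verify_mode {status}")
```

Run with a file path as the only argument to audit that file; with no argument it reports on the embedded sample.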
