For a while now, Pacemaker has supported specifying your own Diffie-Hellman parameters on the server end of a Pacemaker Remote or remote CIB administration connection. The purpose of this is to allow the server to communicate with older clients.

As part of cleaning up our TLS-related code a bit, I have decided to deprecate this support. There are a couple of factors at work here:

* gnutls >= 3.6 no longer recommends using the functions that we're using to do this. It will instead negotiate the parameters between client and server in accordance with RFC7919. I expect that at some point, they will remove these functions entirely which will force the issue for us.

* We will be bumping our minimum gnutls build requirement shortly. It's currently 3.4.6, but we'll be bumping it several versions to make use of some other new stuff. See https://projects.clusterlabs.org/T1 for details.

* gnutls 3.6 was released in 2017, and I have to go all the way back to RHEL 7 to find a RH release that included an older version.

I think the only use case that will be affected by this change is Pacemaker Remote nodes running an OS that shipped gnutls < 3.6 talking to a cluster that is running Pacemaker >= 3.0.2. In other words, a RHEL 7 era remote node and a RHEL 10.something era cluster.

I expect very few, if any, people will actually be affected. If so, please speak up and we can look at what the timeframe for removing this support should be. For the moment, it's only deprecated but still functional.

- Chris
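An added example (not from Chris's post or the Pacemaker sources): a small POSIX sh check an admin can run on a remote node, or feed a version string by hand, to see whether that node's gnutls predates 3.6 and therefore still depends on the server-supplied DH parameters being deprecated. The 3.6.0 threshold is the one the post gives. The probes are mine: `pkg-config --modversion gnutls` where a build host has it, otherwise `gnutls-cli --version`, whose first line is assumed to read `gnutls-cli X.Y.Z`; adjust the awk field if your build prints something else.

```shell
#!/bin/sh
# Added example: not from the mailing-list post or the Pacemaker sources.
# Reports whether a node's gnutls still depends on the server-supplied
# DH parameters that Pacemaker is deprecating. Threshold 3.6.0 comes from
# the post (gnutls >= 3.6 negotiates RFC 7919 FFDHE groups on its own).

# version_ge A B: succeed (0) when dotted version A >= B.
# Release suffixes such as "3.8.3-4.el9" are stripped before comparing.
version_ge() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    IFS=. read -r a1 a2 a3 a4 <<EOF
$a
EOF
    IFS=. read -r b1 b2 b3 b4 <<EOF
$b
EOF
    for pair in "$a1:$b1" "$a2:$b2" "$a3:$b3" "$a4:$b4"; do
        x=${pair%%:*}; y=${pair#*:}
        x=${x:-0};     y=${y:-0}          # missing components count as 0
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# needs_server_dh_params VERSION: succeed when that gnutls is older than 3.6.0
needs_server_dh_params() {
    if version_ge "$1" 3.6.0; then
        return 1
    fi
    return 0
}

# dh_status VERSION: print a one-line verdict. An empty/unknown version is
# reported as affected (fail safe) rather than silently passing.
dh_status() {
    if [ -z "$1" ]; then
        echo "gnutls version unknown (no pkg-config or gnutls-cli found): treat as affected until verified"
        return 0
    fi
    if needs_server_dh_params "$1"; then
        echo "gnutls $1: older than 3.6, still relies on server DH parameters (affected by the deprecation)"
    else
        echo "gnutls $1: negotiates RFC 7919 groups itself (not affected)"
    fi
}

# installed_gnutls_version: best-effort probe of the local gnutls.
# pkg-config is authoritative on a build host; a runtime-only remote node
# usually has gnutls-cli, whose first --version line is assumed to be
# "gnutls-cli X.Y.Z" (assumption; change the awk field if yours differs).
installed_gnutls_version() {
    pkg-config --modversion gnutls 2>/dev/null && return 0
    gnutls-cli --version 2>/dev/null | awk 'NR == 1 { print $2; exit }'
}

# Usage: sh dhcheck.sh [VERSION]   (without an argument, probe this host)
dh_status "${1:-$(installed_gnutls_version)}"
```

Run it on the remote node itself, or pass the version your OS package reports (for example the one from `rpm -q gnutls`) from anywhere else. Anything reported as affected will keep working for now, since the support is only deprecated, but is the case to mention on the list before removal is scheduled.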

_______________________________________________
Manage your subscription:
https://lists.clusterlabs.org/mailman/listinfo/users

ClusterLabs home: https://www.clusterlabs.org/