[ClusterLabs] Antw: [EXT] Re: corosync 2.4.4 version provide secure the communication by default

Jan Friesse jfriesse at redhat.com
Mon Jan 23 09:54:43 EST 2023


On 23/01/2023 12:51, Ulrich Windl wrote:
>>>> Jan Friesse <jfriesse at redhat.com> wrote on 23.01.2023 at 10:20 in message
> <d0e27873-4249-0bab-fc24-b97130555fef at redhat.com>:
>> Hi,
>>
>> On 23/01/2023 01:37, S Sathish S via Users wrote:
>>> Hi Team,
>>>
>>> Does corosync version 2.4.4 provide a mechanism to secure the communication path
>>> between nodes of a cluster by default? Because in our configuration secauth is
>>> turned off, but the communication that occurs is still encrypted.
>>>
>>> Note: I captured tcpdump for port 5405 and I can see that the data is already
>>> garbled and not in the clear.
>>
>> It's a binary protocol, so don't expect a really readable format (like
>> xml/json/...). But with your config it should be unencrypted. You can
>> check for the message "notice  [TOTEM ] Initializing transmit/receive security
>> (NSS) crypto: none hash: none" during start of corosync.
> 
> Probably a good example for "a false feeling of security" (you think the communication is encrypted, while in fact it is not).

Yeah, "none" and "none" is definitively a "false feeling of security" and
definitively suggests communication is encrypted. Sigh...


> 
>>
>> Regards,
>>     Honza
>>
>>
>>>
>>> [root@node1 ~]# cat /etc/corosync/corosync.conf
>>> totem {
>>>       version: 2
>>>       cluster_name: OCC
>>>       secauth: off
>>>       transport: udpu
>>> }
>>>
>>> nodelist {
>>>       node {
>>>           ring0_addr: node1
>>>           nodeid: 1
>>>       }
>>>
>>>       node {
>>>           ring0_addr: node2
>>>           nodeid: 2
>>>       }
>>>
>>>       node {
>>>           ring0_addr: node3
>>>           nodeid: 3
>>>       }
>>> }
>>>
>>> quorum {
>>>       provider: corosync_votequorum
>>> }
>>>
>>> logging {
>>>       to_logfile: yes
>>>       logfile: /var/log/cluster/corosync.log
>>>       to_syslog: no
>>>       timestamp: on
>>> }
>>>
>>> Thanks and Regards,
>>> S Sathish S
>>>
>>>
>>> _______________________________________________
>>> Manage your subscription:
>>> https://lists.clusterlabs.org/mailman/listinfo/users
>>>
>>> ClusterLabs home: https://www.clusterlabs.org/
>>>
> 
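
The check described in the reply above, as an added example (not part of the thread and not corosync project code): it reads the totem section and the TOTEM startup notice and reports whether the running ring is encrypted or authenticated, rather than inferring that from how a packet capture looks. The sample inputs are constructed from the config and message quoted in the thread; the timestamp prefix and the function names are assumptions.

```python
import re

# Constructed sample input: the totem section posted in the thread and the
# startup notice quoted in the reply (the timestamp prefix is made up).
SAMPLE_CONF = """\
totem {
    version: 2
    cluster_name: OCC
    secauth: off
    transport: udpu
}
"""
SAMPLE_LOG = ("Jan 23 01:30:00 notice  [TOTEM ] Initializing transmit/receive "
              "security (NSS) crypto: none hash: none\n")

NOTICE_RE = re.compile(r"\[TOTEM\s*\]\s+Initializing transmit/receive security "
                       r"\(\w+\) crypto: (\S+) hash: (\S+)")

def totem_options(conf_text):
    """Return the key: value options set directly inside totem { }."""
    opts, stack = {}, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())   # entering a (sub)section
        elif line == "}":
            if stack:
                stack.pop()
        elif stack == ["totem"] and ":" in line:
            key, value = line.split(":", 1)
            opts[key.strip()] = value.strip()
    return opts

def running_security(log_text):
    """Return (crypto, hash) from the most recent startup notice, or None."""
    matches = NOTICE_RE.findall(log_text)
    return matches[-1] if matches else None

def assess(conf_text, log_text):
    """Combine what the config asks for with what corosync says it is doing."""
    running = running_security(log_text)
    return {
        "secauth": totem_options(conf_text).get("secauth", "unset"),
        "encrypted": None if running is None else running[0] != "none",
        "authenticated": None if running is None else running[1] != "none",
    }

if __name__ == "__main__":
    print(assess(SAMPLE_CONF, SAMPLE_LOG))
```

A result of `None` for `encrypted` means no startup notice was found in the log text supplied, so the state is unknown rather than safe.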


