[ClusterLabs] Antw: Re: Antw: [EXT] Re: corosync 2.4.4 version provide secure the communication by default

Ulrich Windl Ulrich.Windl at rz.uni-regensburg.de
Mon Jan 23 10:05:58 EST 2023


>>> Jan Friesse <jfriesse at redhat.com> wrote on 23.01.2023 at 15:54 in message
<c8633c5c-453c-9062-9ea3-5a97f1a01786 at redhat.com>:
> On 23/01/2023 12:51, Ulrich Windl wrote:
>>>>> Jan Friesse <jfriesse at redhat.com> wrote on 23.01.2023 at 10:20 in message
>> <d0e27873-4249-0bab-fc24-b97130555fef at redhat.com>:
>>> Hi,
>>>
>>> On 23/01/2023 01:37, S Sathish S via Users wrote:
>>>> Hi Team,
>>>>
>>>> Does corosync 2.4.4 provide a mechanism to secure the communication path
>>>> between nodes of a cluster by default? Because in our configuration secauth is
>>>> turned off, but the communication is still encrypted.
>>>>
>>>> Note: Capturing tcpdump for port 5405, I can see that the data is already
>>>> garbled and not in the clear.
>>>
>>> It's a binary protocol, so don't expect a really readable format (like
>>> xml/json/...). But with your config it should be unencrypted. You can
>>> check for the message "notice  [TOTEM ] Initializing transmit/receive security
>>> (NSS) crypto: none hash: none" during the start of corosync.
>> 
>> Probably a good example for "a false feeling of security" (you think the
>> communication is encrypted, while in fact it is not).
> 
> Yeah, "none" and "none" is definitely a "false feeling of security" and
> definitely suggests communication is encrypted. Sigh...

I meant "looking at the bytes on the network", not at the tool's output...

> 
> 
>> 
>>>
>>> Regards,
>>>     Honza
>>>
>>>
>>>>
>>>> [root at node1 ~]# cat /etc/corosync/corosync.conf
>>>> totem {
>>>>       version: 2
>>>>       cluster_name: OCC
>>>>       secauth: off
>>>>       transport: udpu
>>>> }
>>>>
>>>> nodelist {
>>>>       node {
>>>>           ring0_addr: node1
>>>>           nodeid: 1
>>>>       }
>>>>
>>>>       node {
>>>>           ring0_addr: node2
>>>>           nodeid: 2
>>>>       }
>>>>
>>>>       node {
>>>>           ring0_addr: node3
>>>>           nodeid: 3
>>>>       }
>>>> }
>>>>
>>>> quorum {
>>>>       provider: corosync_votequorum
>>>> }
>>>>
>>>> logging {
>>>>       to_logfile: yes
>>>>       logfile: /var/log/cluster/corosync.log
>>>>       to_syslog: no
>>>>       timestamp: on
>>>> }
>>>>
>>>> Thanks and Regards,
>>>> S Sathish S
>>>>
>>>>
>>>> _______________________________________________
>>>> Manage your subscription:
>>>> https://lists.clusterlabs.org/mailman/listinfo/users 
>>>>
>>>> ClusterLabs home: https://www.clusterlabs.org/ 
>>>>
>>>
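An added check, not from this thread or from the corosync project, that does what Honza suggests: parse corosync.conf, derive the cipher/hash that corosync 2.x would apply to totem traffic, and compare it with the "[TOTEM ] Initializing transmit/receive security" startup line, flagging cleartext or unauthenticated cluster traffic. The 2.x defaulting rules encoded here (secauth on by default, secauth off forcing none/none, otherwise aes256/sha1 unless crypto_cipher/crypto_hash override them) are an assumption of this example, and the config and log line are constructed samples modelled on the ones quoted above.

```python
import re

# Constructed sample: the totem section quoted in the thread (secauth turned off).
SAMPLE_CONF = ("totem {\n  version: 2\n  cluster_name: OCC\n"
               "  secauth: off\n  transport: udpu\n}\n")
# Constructed sample log line, in the format corosync prints at startup.
SAMPLE_LOG = ("notice  [TOTEM ] Initializing transmit/receive security (NSS) "
              "crypto: none hash: none")
LOG_RE = re.compile(r"\[TOTEM \] Initializing transmit/receive security.*?"
                    r"crypto: (\S+) hash: (\S+)")

def parse_corosync_conf(text):
    """Parse corosync's brace-delimited 'key: value' format into nested dicts."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line.endswith("{"):
            child = {}  # repeated block names (e.g. 'node') keep the last one
            cur[line[:-1].strip()] = child
            stack.append(cur)
            cur = child
        elif line == "}":
            cur = stack.pop()
        elif line:
            key, _, value = line.partition(":")
            cur[key.strip()] = value.strip()
    return root

def effective_crypto(conf):
    """(cipher, hash) corosync 2.x applies to totem traffic. Assumed 2.x rules: secauth
    defaults to on, secauth off forces none/none, else aes256/sha1 unless overridden."""
    totem = conf.get("totem", {})
    if totem.get("secauth", "on").lower() in ("off", "no", "0"):
        return ("none", "none")
    return (totem.get("crypto_cipher", "aes256"), totem.get("crypto_hash", "sha1"))

def audit(conf_text, log_text):
    """Compare what the config implies with what corosync logged; flag cleartext traffic."""
    expected = effective_crypto(parse_corosync_conf(conf_text))
    m = LOG_RE.search(log_text)
    reported = (m.group(1), m.group(2)) if m else expected
    findings = []
    if reported != expected:
        findings.append(f"config implies {expected} but corosync logged {reported}")
    if reported[0] == "none":
        findings.append("totem traffic on UDP/5405 is sent in the clear (crypto: none)")
    if reported[1] == "none":
        findings.append("totem messages are not authenticated (hash: none)")
    return findings
```

Run audit() against the real /etc/corosync/corosync.conf and the corosync log file named in it to get an explicit answer instead of relying on how the bytes look in tcpdump.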
