> On July 26, 2017, 8:55 a.m., Till Toenshoff wrote:
> > 3rdparty/libprocess/src/openssl.cpp
> > Lines 672 (patched)
> > <https://reviews.apache.org/r/60913/diff/6/?file=1782092#file1782092line672>
> >
> > This would break with OpenSSL < 0.9.8 as the function `initialize_ecdh_curve`
would not exist.
This is fixed now - will mark it accordingly.
- Till
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/60913/#review181444
-----------------------------------------------------------
On July 26, 2017, 9:25 a.m., Alexander Rojas wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/60913/
> -----------------------------------------------------------
>
> (Updated July 26, 2017, 9:25 a.m.)
>
>
> Review request for mesos, Jie Yu, James Peach, and Till Toenshoff.
>
>
> Bugs: MESOS-7792
> https://issues.apache.org/jira/browse/MESOS-7792
>
>
> Repository: mesos
>
>
> Description
> -------
>
> This patch adds the configuration necesary so that the Elliptic Curve
> Diffie Hellman algorithm can be used for TLS key exchange if the
> OpenSSL version used supports it.
>
> It also adds the ssl flag `LIBPROCESS_SSL_ECDH_CURVES` which allows
> for the specification of a specific elliptic curve (or set of curves).
>
> Users will need to specify the TLS cipher suite that uses ECDH in order
> to enable the new key exchange. By default Mesos does not use any ECDH
> cipher suites.
>
> Support for ephemeral ECDH public keys is the default, so that new
> public keys are generated for each exchange.
>
> Note that in order to enable ECDSA ciphers an ECDSA is still necesary
> instead of the more traditionl RSA one.
>
>
> Diffs
> -----
>
> 3rdparty/libprocess/include/process/ssl/flags.hpp 13fa7a0cc9d6d6d6849976a3ce383263c51504d7
> 3rdparty/libprocess/src/openssl.hpp 7ded2c74b2f92aacfa0f366bd27d5e0df2b8f25c
> 3rdparty/libprocess/src/openssl.cpp e6f17e4591f573186e1dc9697e1e7b60a841fe4f
> 3rdparty/libprocess/src/tests/ssl_tests.cpp 8a14dcb865dfab34fb4d0d51f42a28a913fb7ace
>
>
> Diff: https://reviews.apache.org/r/60913/diff/7/
>
>
> Testing
> -------
>
> ```shell
> make check
> ```
>
> Launched Mesos with only ECDHE handshake ciphers enabled
>
> ```shell
> LIBPROCESS_SSL_ENABLED=1 \
> LIBPROCESS_SSL_KEY_FILE=/tmp/ssl/self-signed.key \
> LIBPROCESS_SSL_CERT_FILE=/tmp/ssl/self-signed.crt \
> LIBPROCESS_SSL_CIPHERS="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA"
\
> ./bin/mesos-master.sh \
> --work_dir=/tmp/mesos/master \
> --log_dir=/tmp/mesos/master/log
> ```
>
> Then in another shell:
>
> ```shell
> http -v --verify=no https://${MESOS_MASTER_IP}:5050/state
>
> # Launches a browser.
> open https://${MESOS_MASTER_IP}:5050/state
>
> # List the set of supported ciphers.
> # Expected output:
> # > Starting Nmap 7.50 ( https://nmap.org ) at 2017-07-18 11:41 CEST
> # > Nmap scan report for ${MESOS_MASTER_HOSTNAME} (${MESOS_MASTER_IP})
> # > Host is up (0.13s latency).
> # > rDNS record for ${MESOS_MASTER_IP}: ${MESOS_MASTER_HOSTNAME}
> # >
> # > PORT STATE SERVICE
> # > 5050/tcp open mmcc
> # > | ssl-enum-ciphers:
> # > | TLSv1.2:
> # > | ciphers:
> # > | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
> # > | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
> # > | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
> # > | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
> # > | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
> # > | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
> # > | compressors:
> # > | NULL
> # > | cipher preference: server
> # > |_ least strength: A
> # >
> # > Nmap done: 1 IP address (1 host up) scanned in 1.87 seconds
> wget https://svn.nmap.org/nmap/scripts/ssl-enum-ciphers.nse
> nmap --script ssl-enum-ciphers.nse -p 5050 ${MESOS_MASTER_IP}
> ```
>
>
> Thanks,
>
> Alexander Rojas
>
>
|