mesos-reviews mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Till Toenshoff via Review Board <nore...@reviews.apache.org>
Subject Re: Review Request 70748: Disallow verification of empty TLS server certificates.
Date Fri, 14 Jun 2019 00:44:45 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70748/#review215878
-----------------------------------------------------------




3rdparty/libprocess/src/openssl.cpp
Line 738 (original), 745 (patched)
<https://reviews.apache.org/r/70748/#comment302818>

    This means that when a certificate gets provided, we always validate it. Entirely straightforward
but may be too much of a potential problem source in the real world, I fear. 
    
    IIUC then client certificate validation is exactly a non goal of this review-chain as
client certificates in real world scenarios often times do not match. My feeling is that we
have a great chance of reducing potential problem sources by working more like this;
    
    CLIENT mode (we initiate a connection)
    - when we receive a peer certificate, we verify it
    - when we receive no peer certificate, we error out
    SERVER mode (we accept a connection)
    - `require` is set to false
      - when we receive a peer certificate, we ignore it
      - when we receive no peer certificate, we ignore it
    
    We would return early as done for verify above like this;
    ```
      if (mode == Mode::SERVER && !ssl_flags->require_cert) {
        return Nothing();
      }
    ```
    
    Then relax this part towards;
    ```
      if (cert == nullptr) {
        return Error("Peer did not provide certificate");
      }
    ```


- Till Toenshoff


On June 6, 2019, 11:12 p.m., Benno Evers wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70748/
> -----------------------------------------------------------
> 
> (Updated June 6, 2019, 11:12 p.m.)
> 
> 
> Review request for mesos, Alexander Rukletsov, Jan-Philip Gehrcke, Joseph Wu, and Till
Toenshoff.
> 
> 
> Bugs: MESOS-9810
>     https://issues.apache.org/jira/browse/MESOS-9810
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> When in SSL client mode and `LIBPROCESS_SSL_VERIFY_CERT=true` has
> been set, enforce that the server actually presents a certificate
> that can be verified.
> 
> Note that in most cases, the TLS stack would rejected the connection
> before the code ever reaches `openssl::verify()`, since the TLS
> specification that a server MUST always send a certificate unless
> an anonymous cipher is used.
> 
> 
> Diffs
> -----
> 
>   3rdparty/libprocess/src/openssl.hpp 17bec246e516261f8d772f1647c17f092fae82d1 
>   3rdparty/libprocess/src/openssl.cpp e7dbd67913fa8e7fbbf60dee428e7e38895f86ce 
>   3rdparty/libprocess/src/posix/libevent/libevent_ssl_socket.cpp 29a1bf71c1df9d80370455a6269ecea0ec4193b0

>   3rdparty/libprocess/src/tests/ssl_tests.cpp 6b8496aeeed79ae1bd39d7013f4f403b248fdd4c

> 
> 
> Diff: https://reviews.apache.org/r/70748/diff/2/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Benno Evers
> 
>


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message