mesos-reviews mailing list archives

From Till Toenshoff <toensh...@me.com>
Subject Re: Review Request 52031: Added openssl error string output to initializing failures.
Date Tue, 20 Sep 2016 13:59:08 GMT


> On Sept. 20, 2016, 1:23 a.m., Joris Van Remoortere wrote:
> > 3rdparty/libprocess/src/openssl.cpp, lines 481-482
> > <https://reviews.apache.org/r/52031/diff/1/?file=1502587#file1502587line481>
> >
> >     Is there any information we can provide here about where we are looking for the defaults to help the user identify the problem?
> 
> Till Toenshoff wrote:
>     The defaults are baked into the openssl libraries at compile-time. The user may override those using openssl's `SSL_CERT_FILE` and `SSL_CERT_DIR`. There seems to be no public way to extract those paths back out to get them displayed.
>     
>     Quick background: that information is obviously attached to the context, internally that specific certificate stuff is handled by the `X509_STORE`-API. The above call effectively attaches a new cert store to our context and populates it with the content of the given file/dir path. The result is a (bunch of) certificate/s attached. The source path however is unknown later on - at least from the API point of view. So all we could possibly show here are the context attached certificates but not their source locations.

The documentation totally stays silent on `X509_get_default_cert_file` and `X509_get_default_cert_dir`.
However after checking their implementations, to me it seems as if they would never return
the value/s of user-environment supplied overrides (e.g. `SSL_CERT_FILE`) but only the baked
in defaults. So instead of being helpful, in cases where the user used the OpenSSL specific
environment variables the output of those functions would be even more confusing. In other
words, if the user set `SSL_CERT_FILE` towards `/foo/bar/cert.pem`, calling `X509_get_default_cert_file`
would yield the baked in default (e.g. `SSLCERTS:cert.pem`).


- Till


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/52031/#review149593
-----------------------------------------------------------
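
An added example, not part of the original message or the Mesos patch: Python's `ssl.get_default_verify_paths()` exposes the compiled-in values of `X509_get_default_cert_file`/`X509_get_default_cert_dir` together with the names of the override variables, so a diagnostic can re-apply the lookup order (environment first, compiled-in default otherwise) and report both. The helper names `describe_trust_sources` and `format_report` are hypothetical, and the sample override path is constructed from the example in the message above.

```python
import os
import ssl


def describe_trust_sources(environ=None):
    """Report, per source kind, where OpenSSL's default CA lookup will read from.

    Mirrors the lookup order: the override variable wins when set, otherwise
    the compiled-in default applies.
    """
    environ = os.environ if environ is None else environ
    paths = ssl.get_default_verify_paths()
    kinds = [
        ("file", paths.openssl_cafile_env, paths.openssl_cafile),
        ("dir", paths.openssl_capath_env, paths.openssl_capath),
    ]
    report = []
    for kind, env_name, compiled in kinds:
        override = environ.get(env_name)
        effective = compiled if override is None else override
        if kind == "file":
            present = os.path.isfile(effective)
        else:
            # The directory value may be a list joined with the platform separator.
            present = any(os.path.isdir(p) for p in effective.split(os.pathsep) if p)
        report.append({
            "kind": kind,
            "env_name": env_name,
            "compiled_default": compiled,
            "effective": effective,
            "source": "compiled-in default" if override is None else "environment",
            "present": present,
        })
    return report


def format_report(report):
    """Render the report as lines suitable for appending to an error message."""
    return [
        "CA {kind}: {effective} (from {source}; {env_name} overrides "
        "{compiled_default}; {state})".format(
            state="found" if r["present"] else "missing", **r)
        for r in report
    ]


if __name__ == "__main__":
    # Constructed override, taken from the example path in the message above.
    sample_env = {"SSL_CERT_FILE": "/foo/bar/cert.pem"}
    print("\n".join(format_report(describe_trust_sources(sample_env))))
```
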


On Sept. 19, 2016, 1:13 p.m., Till Toenshoff wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/52031/
> -----------------------------------------------------------
> 
> (Updated Sept. 19, 2016, 1:13 p.m.)
> 
> 
> Review request for mesos, Joris Van Remoortere and Joseph Wu.
> 
> 
> Bugs: MESOS-5320
>     https://issues.apache.org/jira/browse/MESOS-5320
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Adds the human readable openssl error messages for failure cases. Also
> fixes a spacing nit in one of the existing messages.
> 
> 
> Diffs
> -----
> 
>   3rdparty/libprocess/src/openssl.cpp c09cdc89509e4e4ca4c8a0f4fb0a57156a3a6091 
> 
> Diff: https://reviews.apache.org/r/52031/diff/
> 
> 
> Testing
> -------
> 
> make check && functional testing
> 
> 
> Thanks,
> 
> Till Toenshoff
> 
>

