mesos-reviews mailing list archives

From Benno Evers <bev...@mesosphere.com>
Subject Re: Review Request 70749: WIP: Use openssl hostname validation.
Date Tue, 04 Jun 2019 13:39:48 GMT


> On June 4, 2019, 11:39 a.m., Alexander Rukletsov wrote:
> > 3rdparty/libprocess/src/openssl.cpp
> > Lines 565-567 (patched)
> > <https://reviews.apache.org/r/70749/diff/1/?file=2147043#file2147043line565>
> >
> >     Hm, this is unfortunate. I wonder if we can use https://www.openssl.org/docs/manmaster/man3/SSL_get_verify_result.html
> >     in combination with `SSL_VERIFY_NONE` to mimic the OR behaviour we currently have? Another
> >     question is whether we need to support OR at all.

We can mimic the behaviour pretty easily by calling `X509_check_host()` and `X509_check_ip()`
manually in `openssl::verify()`, and returning true if one of them matches. (we don't even
need `SSL_VERIFY_NONE` for that, since hostname validatio

However, there are downsides:
 - If we still want to use the `SSL_set1_host()` API if possible, we have *three* different
code paths instead of two.
 - If we decide to use only `X509_check_{host,ip}()`, invalid connections are not rejected
during the TLS handshake but only afterwards in the application layer. I looked at the OpenSSL
source (urgh) and their hostname validation algorithm does essentially the same thing as ours,
so I'm not sure that adding an additional ssl flag with all the complicated handling logic
would really be worth it for what would then be a purely aesthetic change.


- Benno


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70749/#review215673
-----------------------------------------------------------
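The accept-if-either check described in the reply above, as an added example that is not libprocess or OpenSSL code: a dependency-free C++ model of calling `X509_check_host()` and `X509_check_ip()` from `verify()` and returning true when one of them matches. The SAN entries and the matching rules (case-insensitive DNS match, a `*` wildcard only as the whole leftmost label with at least two labels after it, exact textual IP match) are simplifying assumptions that approximate OpenSSL's default behaviour rather than reproduce it.

```cpp
// Added example, not libprocess code: models the "hostname OR IP" acceptance
// logic without an OpenSSL dependency. Matching rules are a simplified
// approximation of X509_check_host()/X509_check_ip() defaults (assumption).
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

struct SanEntries {             // constructed stand-in for a certificate's SANs
  std::vector<std::string> dns; // dNSName entries
  std::vector<std::string> ip;  // iPAddress entries, in textual form
};

static std::string lower(std::string s) {
  std::transform(s.begin(), s.end(), s.begin(),
                 [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
  return s;
}

// Approximates X509_check_host() with default flags: exact match, or a
// "*.suffix" pattern whose wildcard covers exactly one leftmost label.
bool checkHost(const SanEntries& san, const std::string& host) {
  const std::string h = lower(host);
  for (const std::string& raw : san.dns) {
    const std::string pattern = lower(raw);
    if (pattern == h) return true;
    if (pattern.rfind("*.", 0) != 0) continue;         // wildcard must be the whole first label
    const std::string suffix = pattern.substr(1);      // e.g. ".example.com"
    if (std::count(suffix.begin(), suffix.end(), '.') < 2) continue; // refuse "*.com"
    if (h.size() <= suffix.size()) continue;
    if (h.compare(h.size() - suffix.size(), suffix.size(), suffix) != 0) continue;
    const std::string leftmost = h.substr(0, h.size() - suffix.size());
    if (leftmost.find('.') == std::string::npos) return true; // "*" spans one label only
  }
  return false;
}

// Approximates X509_check_ip_asc(): an iPAddress SAN must match exactly.
bool checkIp(const SanEntries& san, const std::string& ip) {
  return std::find(san.ip.begin(), san.ip.end(), ip) != san.ip.end();
}

// The OR behaviour discussed in the thread: accept if either check passes.
// This still decides after the handshake, in the application layer.
bool verifyPeer(const SanEntries& san, const std::string& host, const std::string& ip) {
  return checkHost(san, host) || checkIp(san, ip);
}
```

Because `verifyPeer()` runs after the handshake completes, a mismatching peer is only rejected at the application layer, which is the downside noted above; `SSL_set1_host()` moves that rejection into the handshake itself.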


On May 31, 2019, 3:47 p.m., Benno Evers wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70749/
> -----------------------------------------------------------
> 
> (Updated May 31, 2019, 3:47 p.m.)
> 
> 
> Review request for mesos, Alexander Rukletsov and Joseph Wu.
> 
> 
> Bugs: MESOS-9809
>     https://issues.apache.org/jira/browse/MESOS-9809
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> WIP: Use openssl hostname validation.
> 
> 
> Diffs
> -----
> 
>   3rdparty/libprocess/include/process/ssl/flags.hpp f3483f97f93bb29117b2c78f0f2ed9735d9c4b3a
>   3rdparty/libprocess/src/openssl.hpp 17bec246e516261f8d772f1647c17f092fae82d1
>   3rdparty/libprocess/src/openssl.cpp e7dbd67913fa8e7fbbf60dee428e7e38895f86ce
>   3rdparty/libprocess/src/posix/libevent/libevent_ssl_socket.cpp 29a1bf71c1df9d80370455a6269ecea0ec4193b0
> 
> 
> Diff: https://reviews.apache.org/r/70749/diff/1/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Benno Evers
> 
>

