From Benno Evers <bev...@mesosphere.com>
Subject Re: Review Request 70749: WIP: Use openssl hostname validation.
Date Tue, 04 Jun 2019 13:43:26 GMT


> On June 4, 2019, 11:39 a.m., Alexander Rukletsov wrote:
> > 3rdparty/libprocess/src/openssl.cpp
> > Lines 565-567 (patched)
> > <https://reviews.apache.org/r/70749/diff/1/?file=2147043#file2147043line565>
> >
> >     Hm, this is unfortunate. I wonder if we can use https://www.openssl.org/docs/manmaster/man3/SSL_get_verify_result.html in combination with `SSL_VERIFY_NONE` to mimic the OR behaviour we currently have? Another question is whether we need to support OR at all.
> 
> Benno Evers wrote:
>     We can mimic the behaviour pretty easily by calling `X509_check_host()` and `X509_check_ip()` manually in `openssl::verify()`, and returning true if one of them matches. (we don't even need `SSL_VERIFY_NONE` for that, since hostname validatio
>     
>     However, there are downsides:
>      - If we still want to use the `SSL_set1_host()` api if possible, we have *three* different code paths instead of two.
>      - If we decide to use only `X509_check_{host,ip}()`, invalid connections are not rejected during the TLS handshake but only afterwards in the application layer. I looked at the OpenSSL source (urgh) and their hostname validation algorithm does essentially the same thing as ours, so I'm not sure that adding an additional ssl flag with all the complicated handling logic would really be worth it for what would then be a purely aesthetic change.

> (we don't even need SSL_VERIFY_NONE for that, since hostname validatio

...n will not be part of the TLS handshake unless `SSL_set1_host()` was called.)


- Benno


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70749/#review215673
-----------------------------------------------------------


On May 31, 2019, 3:47 p.m., Benno Evers wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70749/
> -----------------------------------------------------------
> 
> (Updated May 31, 2019, 3:47 p.m.)
> 
> 
> Review request for mesos, Alexander Rukletsov and Joseph Wu.
> 
> 
> Bugs: MESOS-9809
>     https://issues.apache.org/jira/browse/MESOS-9809
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> WIP: Use openssl hostname validation.
> 
> 
> Diffs
> -----
> 
>   3rdparty/libprocess/include/process/ssl/flags.hpp f3483f97f93bb29117b2c78f0f2ed9735d9c4b3a
>   3rdparty/libprocess/src/openssl.hpp 17bec246e516261f8d772f1647c17f092fae82d1
>   3rdparty/libprocess/src/openssl.cpp e7dbd67913fa8e7fbbf60dee428e7e38895f86ce
>   3rdparty/libprocess/src/posix/libevent/libevent_ssl_socket.cpp 29a1bf71c1df9d80370455a6269ecea0ec4193b0
> 
> 
> Diff: https://reviews.apache.org/r/70749/diff/1/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Benno Evers
> 
>

