mesos-reviews mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Benno Evers <bev...@mesosphere.com>
Subject Re: Review Request 70749: WIP: Introduced optional new algorithm for hostname validation.
Date Thu, 06 Jun 2019 23:23:54 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70749/#review215736
-----------------------------------------------------------



Some notes: 

First, this has become quite a big review, since I merged it with the other review about removing
reverse DNS calls for `connect()`.
The reason I did this was because it turns out that getting rid of rDNS will actually be a
noticable behavioural change, so it should be hidden behind a feature flag. On the other hand,
this review introduces a good candidate for such a flag, and I didn't want to introduce another
one that is required just for one commit.

Second, the semantics of the flag actually have changed compared to the first revision. I'll
update the design doc shortly, but in the meantime be sure to read the detailed description
in the follow-up commit.

Third, this is still a bit theoretical and requires additional testing to figure out how practical
the `openssl` algorithm is right now, but I felt it's better if other people are able to look
at the code as well.


3rdparty/libprocess/include/process/address.hpp
Lines 70 (patched)
<https://reviews.apache.org/r/70749/#comment302553>

    The renaming was mostly done to ensure I catch all usages of `hostname()`, I'm happy to
revert if you think this doesn't belong in this review or breaks API.
    
    However, given that several users of this function seemed to be unaware that calling this
would involve a network operation, I'd say renaming is in principle a good idea.


- Benno Evers


On June 6, 2019, 11:15 p.m., Benno Evers wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70749/
> -----------------------------------------------------------
> 
> (Updated June 6, 2019, 11:15 p.m.)
> 
> 
> Review request for mesos, Alexander Rukletsov and Joseph Wu.
> 
> 
> Bugs: MESOS-9809
>     https://issues.apache.org/jira/browse/MESOS-9809
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> This commit introduces a new libprocess SSL flag
> `hostname_validation_algorithm`, which can be used to select
> between the previous hostname validation behaviour and a new
> option to use standardized OpenSSL algorithms to handle
> hostname validation as part of the
> 
> As a nice side-effect, the new algorithm gets rid of reverse DNS
> lookups during TLS connection establishment, which used to be
> a common source of hard-to-debug unresponsiveness in Mesos
> components.
> 
> See `docs/ssl.md` in the follow-up commit for details of and
> differences between the algorithms.
> 
> 
> Diffs
> -----
> 
>   3rdparty/libprocess/include/process/address.hpp e740e840c38381bafd7a1a7fcde5f963832ac1fb

>   3rdparty/libprocess/include/process/ssl/flags.hpp f3483f97f93bb29117b2c78f0f2ed9735d9c4b3a

>   3rdparty/libprocess/src/http.cpp 3e73ee936f5c6329f41704a179f3d88ab65dfb6d 
>   3rdparty/libprocess/src/openssl.hpp 17bec246e516261f8d772f1647c17f092fae82d1 
>   3rdparty/libprocess/src/openssl.cpp e7dbd67913fa8e7fbbf60dee428e7e38895f86ce 
>   3rdparty/libprocess/src/posix/libevent/libevent_ssl_socket.cpp 29a1bf71c1df9d80370455a6269ecea0ec4193b0

>   3rdparty/libprocess/src/tests/http_tests.cpp 97aaf3ed3d4fab6d717d5c9b6d12402562ac6b46

>   3rdparty/libprocess/src/tests/ssl_tests.cpp 6b8496aeeed79ae1bd39d7013f4f403b248fdd4c

> 
> 
> Diff: https://reviews.apache.org/r/70749/diff/2/
> 
> 
> Testing
> -------
> 
> Todo!
> 
> 
> Thanks,
> 
> Benno Evers
> 
>


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message