GitHub user gadLinux opened a pull request:
https://github.com/apache/thrift/pull/930
THRIFT-3369 : Implement SSL/TLS support on C with c_glib
This is a proper pull request for this open issue. The patch that's on the
issue is no longer valid and migrated everything to this pull request.
Again the server part is missing so some tests are done over published SSL
server and are incomplete.
Requires ssl initialization:
thrift_ssl_socket_initialize_openssl();
and finalization
thrift_ssl_socket_finalize_openssl();
And can set pinning manager. Thought one is provided.
thrift_ssl_socket_set_manager(manager.socket,
my_access_manager);// Install pinning manager
read_from_file(cert_buffer, 65534,
"./owncloud.level2crm.pem");
if(!thrift_ssl_load_cert_from_buffer(manager.socket,
cert_buffer)){
g_warning("Certificates cannot be loaded!");
}
Good example of client creation can be:
if(ssl_proto>=0 && ssl_proto<=LATEST){
/*
* We will communicate using sockets
*/
int cypher=ssl_proto;
do{
manager->socket =
thrift_ssl_socket_new_with_host(cypher, host, port, error);
if((*error!=NULL &&
(*error)->code==THRIFT_SSL_SOCKET_ERROR_CIPHER_NOT_AVAILABLE)){
fprintf (stderr, "Cypher not available: %s\n",
(*error)->message);
g_error_free (*error);
(*error)=NULL;
cypher++;
}else{
cypher = LATEST;
}
}while(manager->socket==NULL && cypher<=LATEST);
if(manager->socket==NULL && cypher>=LATEST){
if((*error)==NULL){
g_set_error (error,
THRIFT_TRANSPORT_ERROR,
THRIFT_SSL_SOCKET_ERROR_CIPHER_NOT_AVAILABLE,
"no cypher overlap");
}
}
}
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/gadLinux/thrift thrift-3369
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/thrift/pull/930.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #930
----
commit c0d964299ed2f3d5e58a9cd86b2214e6ec94f20e
Author: Gonzalo Aguilar Delgado <[email protected]>
Date: 2016-03-07T12:42:44Z
Implement basic version of the TLS transport
commit d6c662f10b03748934eb90a5f501ba1069bdaf5e
Author: Gonzalo Aguilar Delgado <[email protected]>
Date: 2016-03-07T14:27:22Z
Certificate pinning features incorporated
commit 0d959eb351efd0c96e586e72922266b98bf41188
Author: Gonzalo Aguilar Delgado <[email protected]>
Date: 2016-03-07T14:29:10Z
Add test for certificate pinning
commit 2abb78adc95b9f35c7dee4fc22e6315bd2c4046e
Author: Gonzalo Aguilar Delgado <[email protected]>
Date: 2016-03-07T14:30:10Z
Add level2 test public key chain
----
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [email protected] or file a JIRA ticket
with INFRA.
---
