[
https://issues.apache.org/jira/browse/THRIFT-3369?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15183067#comment-15183067
]
ASF GitHub Bot commented on THRIFT-3369:
----------------------------------------
GitHub user gadLinux opened a pull request:
https://github.com/apache/thrift/pull/930
THRIFT-3369 : Implement SSL/TLS support on C with c_glib
This is a proper pull request for this open issue. The patch that's on the
issue is no longer valid and migrated everything to this pull request.
Again the server part is missing so some tests are done over published SSL
server and are incomplete.
Requires ssl initialization:
thrift_ssl_socket_initialize_openssl();
and finalization
thrift_ssl_socket_finalize_openssl();
And can set pinning manager. Thought one is provided.
thrift_ssl_socket_set_manager(manager.socket,
my_access_manager);// Install pinning manager
read_from_file(cert_buffer, 65534,
"./owncloud.level2crm.pem");
if(!thrift_ssl_load_cert_from_buffer(manager.socket,
cert_buffer)){
g_warning("Certificates cannot be loaded!");
}
Good example of client creation can be:
if(ssl_proto>=0 && ssl_proto<=LATEST){
/*
* We will communicate using sockets
*/
int cypher=ssl_proto;
do{
manager->socket =
thrift_ssl_socket_new_with_host(cypher, host, port, error);
if((*error!=NULL &&
(*error)->code==THRIFT_SSL_SOCKET_ERROR_CIPHER_NOT_AVAILABLE)){
fprintf (stderr, "Cypher not available: %s\n",
(*error)->message);
g_error_free (*error);
(*error)=NULL;
cypher++;
}else{
cypher = LATEST;
}
}while(manager->socket==NULL && cypher<=LATEST);
if(manager->socket==NULL && cypher>=LATEST){
if((*error)==NULL){
g_set_error (error,
THRIFT_TRANSPORT_ERROR,
THRIFT_SSL_SOCKET_ERROR_CIPHER_NOT_AVAILABLE,
"no cypher overlap");
}
}
}
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/gadLinux/thrift thrift-3369
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/thrift/pull/930.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #930
----
commit c0d964299ed2f3d5e58a9cd86b2214e6ec94f20e
Author: Gonzalo Aguilar Delgado <[email protected]>
Date: 2016-03-07T12:42:44Z
Implement basic version of the TLS transport
commit d6c662f10b03748934eb90a5f501ba1069bdaf5e
Author: Gonzalo Aguilar Delgado <[email protected]>
Date: 2016-03-07T14:27:22Z
Certificate pinning features incorporated
commit 0d959eb351efd0c96e586e72922266b98bf41188
Author: Gonzalo Aguilar Delgado <[email protected]>
Date: 2016-03-07T14:29:10Z
Add test for certificate pinning
commit 2abb78adc95b9f35c7dee4fc22e6315bd2c4046e
Author: Gonzalo Aguilar Delgado <[email protected]>
Date: 2016-03-07T14:30:10Z
Add level2 test public key chain
----
> Implement SSL/TLS support on C with c_glib
> ------------------------------------------
>
> Key: THRIFT-3369
> URL: https://issues.apache.org/jira/browse/THRIFT-3369
> Project: Thrift
> Issue Type: Improvement
> Components: C glib - Library
> Affects Versions: 0.9.1, 0.9.2, 0.9.3, 1.0
> Reporter: Gonzalo Aguilar
> Labels: features, patch
> Fix For: 0.10.0, 1.0
>
>
> Implement SSL/TLS based on plain openssl instead of going through the way
> defined in THRIFT-1016.
> This help us to maintain a reference implementation and later switch over GIO
> or whatever is defined. But also does not add any other dependencies to the
> project. So bare minimum installation for supporting SSL/TLS is there and
> aligned with CPP counterpart.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
