[ https://issues.apache.org/jira/browse/MESOS-9791?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16844701#comment-16844701 ]

Alexander Rukletsov commented on MESOS-9791:
--------------------------------------------

A prototype relaxing certificate verification: https://github.com/rukletsov/mesos/commits/alexr/ssl-server-cert

> Libprocess does not support server only SSL certificate verification.
> ---------------------------------------------------------------------
>
>                 Key: MESOS-9791
>                 URL: https://issues.apache.org/jira/browse/MESOS-9791
>             Project: Mesos
>          Issue Type: Improvement
>          Components: libprocess
>            Reporter: Alexander Rukletsov
>            Priority: Major
>              Labels: foundations, mesosphere, security, ssl, tls
>
> Currently SSL certificate verification in Libprocess can be configured in the
> [following
> ways|https://github.com/apache/mesos/blob/eecb82c77117998af0c67a53c64e9b1e975acfa4/3rdparty/libprocess/src/openssl.cpp#L88-L97]:
> (1) send certificate if in server mode, verify peer certificates *if present*;
> (2) require valid peer certificates in *both* client and server modes.
> It is currently impossible to configure a Libprocess instance to
> simultaneously:
> (3) require valid peer certificate in client mode and send certificate in
> server mode.
> Because Libprocess is often used by programs that act both as servers and
> clients, implementing (3) is necessary to enable the so-called
> webserver-browser model.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)