martinzink commented on code in PR #1595:
URL: https://github.com/apache/nifi-minifi-cpp/pull/1595#discussion_r1280688745
##########
libminifi/src/utils/net/AsioSocketUtils.cpp:
##########
@@ -30,9 +30,9 @@ asio::awaitable<std::tuple<std::error_code>>
handshake(SslSocket& socket, asio::
co_return co_await
asyncOperationWithTimeout(socket.async_handshake(HandshakeType::client,
use_nothrow_awaitable), timeout_duration); // NOLINT
}
-asio::ssl::context getSslContext(const controllers::SSLContextService&
ssl_context_service) {
- asio::ssl::context ssl_context(asio::ssl::context::tls_client);
- ssl_context.set_options(asio::ssl::context::no_tlsv1 |
asio::ssl::context::no_tlsv1_1);
+asio::ssl::context getSslContext(const controllers::SSLContextService&
ssl_context_service, asio::ssl::context::method ssl_context_method) {
+ asio::ssl::context ssl_context(ssl_context_method);
+ ssl_context.set_options(asio::ssl::context::default_workarounds |
asio::ssl::context::single_dh_use | asio::ssl::context::no_tlsv1 |
asio::ssl::context::no_tlsv1_1);
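Review bot: the new `ssl_context_method` parameter and the hard-coded `no_tlsv1 | no_tlsv1_1` options pull in different directions: a version-specific method such as `tlsv12_server` already pins that single protocol version, so the `no_*` bits add nothing there and cannot enable TLS 1.3, while with a generic `tls_client`/`tls_server` method those same bits are what defines the accepted range. Document in the function comment (or enforce at the call sites) that callers are expected to pass the generic `tls_*` method and rely on the `no_tlsv1 | no_tlsv1_1` mask for the version floor, otherwise the parameter invites a caller to silently lock the context to one version.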
Review Comment:
Did a little bit more research and it turns out that the method
tlsv12_server which we are passing in the ctor is not the maximum or minimum or
recommended supported version, but rather the exact exclusive protocol to
be used.
(Back when asio was first introduced to our codebase we only wanted to
enable tlsv12 because we didn't have tlsv13, so it worked, and the test_case was
skipped.)
Moreover, during the OpenSSL 3.0 refactor the test was modified so the
expected support for TLSv3 was changed. (Prior to this PR this test_case was
skipped due to the missing tlsv13 implementation.)
https://github.com/apache/nifi-minifi-cpp/commit/1f93c33b68203bee44a29e02951ed01ffc78bdda#diff-cba941a459893c41b8743d9b8423acf61afa575e3252a61773f8cb7949dc6626L290
To enable both TLS 1.2 and 1.3 we would need something like this:
```cpp
// Generic method: every version the library offers, narrowed by options below.
asio::ssl::context ssl_context(asio::ssl::context::tls_server);
// Mask off everything older than TLS 1.2 (no_tlsv1 is needed too, otherwise
// TLS 1.0 would still be accepted on builds that ship it).
auto tls_v12_or_v13 = asio::ssl::context::no_sslv2 |
                      asio::ssl::context::no_sslv3 |
                      asio::ssl::context::no_tlsv1 |
                      asio::ssl::context::no_tlsv1_1;
ssl_context.set_options(asio::ssl::context::default_workarounds |
                        asio::ssl::context::single_dh_use | tls_v12_or_v13);
```
This solves the explicit unsupported error from asio but still fails with
https://github.com/apache/nifi-minifi-cpp/blob/main/extensions/standard-processors/tests/unit/ListenTcpTests.cpp#L300
during the TLSv1.3 tests (1.2 works as intended and the previous versions
fail as expected).
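The distinction the comment above turns on (a version-specific `tlsv12_server` method pins exactly one protocol, whereas the generic `tls_server` method plus `no_*` options expresses a range) is easy to get wrong when reading the hunk. The following is an added example, not MiNiFi or asio code: a dependency-free model of how the method and the option bits combine into the set of versions a server context will accept, and what a client offering only TLS 1.3 gets from each of the two contexts discussed. The enum values, `allowedVersions()` and `negotiate()` are constructed for this illustration; real asio delegates all of this to OpenSSL's `SSL_CTX` and `SSL_OP_*` flags.

```cpp
// Added example (not MiNiFi or asio code): a small model of how asio's
// ssl::context method and option bits combine to decide which TLS versions
// a handshake may use. All values here are constructed for illustration.
#include <cstdint>
#include <optional>
#include <set>
#include <vector>

enum class TlsVersion { tlsv1 = 1, tlsv1_1, tlsv1_2, tlsv1_3 };

// Stand-ins for asio::ssl::context::method. A version-specific method
// (tlsv12_server) pins exactly that version; the generic tls_server method
// starts from every version the library offers and is narrowed by options.
enum class Method { tls_server, tlsv12_server, tlsv13_server };

// Stand-ins for asio::ssl::context::options bits (numeric values are
// hypothetical, not the real SSL_OP_* values).
enum Option : std::uint32_t {
  default_workarounds = 1u << 0,
  single_dh_use       = 1u << 1,
  no_sslv2            = 1u << 2,  // SSLv2/SSLv3 are absent from current
  no_sslv3            = 1u << 3,  // OpenSSL builds, so these are no-ops here
  no_tlsv1            = 1u << 4,
  no_tlsv1_1          = 1u << 5,
  no_tlsv1_2          = 1u << 6,
  no_tlsv1_3          = 1u << 7,
};

// Versions a server context built from (method, options) will accept.
std::set<TlsVersion> allowedVersions(Method method, std::uint32_t options) {
  std::set<TlsVersion> allowed;
  switch (method) {
    case Method::tlsv12_server: allowed = {TlsVersion::tlsv1_2}; break;
    case Method::tlsv13_server: allowed = {TlsVersion::tlsv1_3}; break;
    case Method::tls_server:
      allowed = {TlsVersion::tlsv1, TlsVersion::tlsv1_1,
                 TlsVersion::tlsv1_2, TlsVersion::tlsv1_3};
      break;
  }
  // no_* bits only ever remove versions; they cannot re-enable one that the
  // method already excluded, which is why no_tlsv1 | no_tlsv1_1 on top of
  // tlsv12_server changes nothing.
  if (options & no_tlsv1)   allowed.erase(TlsVersion::tlsv1);
  if (options & no_tlsv1_1) allowed.erase(TlsVersion::tlsv1_1);
  if (options & no_tlsv1_2) allowed.erase(TlsVersion::tlsv1_2);
  if (options & no_tlsv1_3) allowed.erase(TlsVersion::tlsv1_3);
  return allowed;
}

// The server picks the highest version both sides support, or fails the
// handshake when there is no overlap (asio surfaces that as an error_code).
std::optional<TlsVersion> negotiate(const std::set<TlsVersion>& server_allows,
                                    const std::vector<TlsVersion>& client_offers) {
  std::optional<TlsVersion> chosen;
  for (TlsVersion v : client_offers) {
    if (server_allows.count(v) && (!chosen || v > *chosen)) chosen = v;
  }
  return chosen;
}

// The context the PR hunk builds when a caller passes tlsv12_server.
std::set<TlsVersion> exclusiveTls12Server() {
  return allowedVersions(Method::tlsv12_server,
                         default_workarounds | single_dh_use | no_tlsv1 | no_tlsv1_1);
}

// The context from the review comment: generic method, older versions masked off.
std::set<TlsVersion> tls12OrTls13Server() {
  std::uint32_t tls_v12_or_v13 = no_sslv2 | no_sslv3 | no_tlsv1 | no_tlsv1_1;
  return allowedVersions(Method::tls_server,
                         default_workarounds | single_dh_use | tls_v12_or_v13);
}

int main() {
  // A client that offers only TLS 1.3, tried against each context.
  const std::vector<TlsVersion> tls13_client{TlsVersion::tlsv1_3};
  bool exclusive_ok = negotiate(exclusiveTls12Server(), tls13_client).has_value();  // false
  bool ranged_ok = negotiate(tls12OrTls13Server(), tls13_client).has_value();       // true
  return (!exclusive_ok && ranged_ok) ? 0 : 1;
}
```

When the range must be expressed against the real library, asio's `context::native_handle()` hands back the underlying `SSL_CTX*`, and OpenSSL 1.1.0 and later provide `SSL_CTX_set_min_proto_version()` / `SSL_CTX_set_max_proto_version()`, which state the floor and ceiling directly instead of through a mask of `no_*` bits that has to be kept in step with every new version.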