Alexey Serbin has posted comments on this change. Change subject: TLS-negotiation [7/n]: Add TLS helper classes for handling tunneled TLS handshakes ......................................................................
Patch Set 10: (7 comments) http://gerrit.cloudera.org:8080/#/c/5761/10/src/kudu/security/CMakeLists.txt File src/kudu/security/CMakeLists.txt: PS10, Line 73: tls_handshake-test nit: why not to put it under the test sub-dir? http://gerrit.cloudera.org:8080/#/c/5761/10/src/kudu/security/tls_context.cc File src/kudu/security/tls_context.cc: PS10, Line 41: nullptr, SSL_CTX_free nit: you could use ssl_make_unique() here; add the trait for SSL_CTX type. PS10, Line 46: CHECK(!ctx_.get()); nit: CHECK(!ctx) would be enough, I think http://gerrit.cloudera.org:8080/#/c/5761/10/src/kudu/security/tls_context.h File src/kudu/security/tls_context.h: PS10, Line 58: std::unique_ptr<SSL_CTX, std::function<void(SSL_CTX*)>> nit: openssl_util.h have a handy typedef for this type of wrappers. http://gerrit.cloudera.org:8080/#/c/5761/10/src/kudu/security/tls_handshake.cc File src/kudu/security/tls_handshake.cc: PS10, Line 89: unique_ptr<X509, void(*)(X509*)> cert nit: you could use ssl_make_unique here: auto cert = ssl_make_unique(SSL_get_peer_certificate(...)); The trait for X509 is needed. PS10, Line 94: // Get the peer's hostname : Sockaddr peer_addr; : if (!socket.GetPeerAddress(&peer_addr).ok()) { : return Status::NotAuthorized("Handshake failed: Could not retrieve peer address"); : } : string peer_hostname; : RETURN_NOT_OK(peer_addr.LookupHostname(&peer_hostname)); It might be subject alternative name (SAN) instead. I think we are about to use that for our TLS certs. http://gerrit.cloudera.org:8080/#/c/5761/10/src/kudu/security/tls_handshake.h File src/kudu/security/tls_handshake.h: PS10, Line 83: ssl_ I could not find where it's set. Probably I'm missing something. -- To view, visit http://gerrit.cloudera.org:8080/5761 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-MessageType: comment Gerrit-Change-Id: I6776dbdc488eee56f7273cdd8bcd2b2b8c1ffa04 Gerrit-PatchSet: 10 Gerrit-Project: kudu Gerrit-Branch: master Gerrit-Owner: Dan Burkert <danburk...@apache.org> Gerrit-Reviewer: Adar Dembo <a...@cloudera.com> Gerrit-Reviewer: Alexey Serbin <aser...@cloudera.com> Gerrit-Reviewer: Dan Burkert <danburk...@apache.org> Gerrit-Reviewer: Kudu Jenkins Gerrit-Reviewer: Sailesh Mukil <sail...@cloudera.com> Gerrit-Reviewer: Tidy Bot Gerrit-Reviewer: Todd Lipcon <t...@apache.org> Gerrit-HasComments: Yes