Re: Review Request 49401: Updated certificate validation to check 'IP Address' SAN.

Thu, 30 Jun 2016 08:59:01 -0700 

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/49401/#review140170
-----------------------------------------------------------


Fix it, then Ship it!





3rdparty/libprocess/src/libevent_ssl_socket.cpp (line 527)
<https://reviews.apache.org/r/49401/#comment205478>

    "verify the SSL connection later"
    =>
    "verify the certificate later"
    ?



3rdparty/libprocess/src/libevent_ssl_socket.cpp (lines 1046 - 1047)
<https://reviews.apache.org/r/49401/#comment205479>

    Can you check the wrapping on this?



3rdparty/libprocess/src/openssl.cpp (line 85)
<https://reviews.apache.org/r/49401/#comment205484>

    Do we need to clarify that this is an extension?



3rdparty/libprocess/src/openssl.cpp (lines 409 - 410)
<https://reviews.apache.org/r/49401/#comment205485>

    This seems confusing.
    If the flag is false, then we do verify by IP?



3rdparty/libprocess/src/openssl.cpp (line 612)
<https://reviews.apache.org/r/49401/#comment205487>

    Should we be doing this before we do the NUL check below?



3rdparty/libprocess/src/openssl.cpp (line 628)
<https://reviews.apache.org/r/49401/#comment205488>

    Depending on how you structure the above logs, consider printing out the 
matched value here.



3rdparty/libprocess/src/openssl.cpp (line 680)
<https://reviews.apache.org/r/49401/#comment205489>

    Can we expand `CN`?



3rdparty/libprocess/src/openssl.cpp (line 689)
<https://reviews.apache.org/r/49401/#comment205490>

    Same



3rdparty/libprocess/src/openssl.cpp (lines 700 - 712)
<https://reviews.apache.org/r/49401/#comment205491>

    This is unfortunate.
    Can you sync with @mcypark to see if we can clean this up?


- Joris Van Remoortere


On June 30, 2016, 2 p.m., Till Toenshoff wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/49401/
> -----------------------------------------------------------
> 
> (Updated June 30, 2016, 2 p.m.)
> 
> 
> Review request for mesos, Adam B, Albert Strasheim, Artem Harutyunyan, Joris 
> Van Remoortere, and Lukas Loesche.
> 
> 
> Bugs: MESOS-5724
>     https://issues.apache.org/jira/browse/MESOS-5724
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Allows the verification of X509 certificates based on an IP address
> instead of a hostname. Introduces a new environment variable;
> `SSL_VERIFY_IPADD` which, when set to `true` will enable the
> peer certificate verification to additionally rely on the IP
> address of a connection.
> 
> 
> Diffs
> -----
> 
>   3rdparty/libprocess/src/libevent_ssl_socket.hpp 1dbdaa8 
>   3rdparty/libprocess/src/libevent_ssl_socket.cpp 19d9ae5 
>   3rdparty/libprocess/src/openssl.hpp 7d55025 
>   3rdparty/libprocess/src/openssl.cpp 0f62aa6 
> 
> Diff: https://reviews.apache.org/r/49401/diff/
> 
> 
> Testing
> -------
> 
> make check on OSX and various linux distros.
> 
> 
> Thanks,
> 
> Till Toenshoff
> 
>

Reply via email to