-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/49401/#review140170
-----------------------------------------------------------

Fix it, then Ship it!


3rdparty/libprocess/src/libevent_ssl_socket.cpp (line 527)
<https://reviews.apache.org/r/49401/#comment205478>

    "verify the SSL connection later" => "verify the certificate later" ?


3rdparty/libprocess/src/libevent_ssl_socket.cpp (lines 1046 - 1047)
<https://reviews.apache.org/r/49401/#comment205479>

    Can you check the wrapping on this?


3rdparty/libprocess/src/openssl.cpp (line 85)
<https://reviews.apache.org/r/49401/#comment205484>

    Do we need to clarify that this is an extension?


3rdparty/libprocess/src/openssl.cpp (lines 409 - 410)
<https://reviews.apache.org/r/49401/#comment205485>

    This seems confusing. If the flag is false, then we do verify by IP?


3rdparty/libprocess/src/openssl.cpp (line 612)
<https://reviews.apache.org/r/49401/#comment205487>

    Should we be doing this before we do the NUL check below?


3rdparty/libprocess/src/openssl.cpp (line 628)
<https://reviews.apache.org/r/49401/#comment205488>

    Depending on how you structure the above logs, consider printing out the matched value here.


3rdparty/libprocess/src/openssl.cpp (line 680)
<https://reviews.apache.org/r/49401/#comment205489>

    Can we expand `CN`?


3rdparty/libprocess/src/openssl.cpp (line 689)
<https://reviews.apache.org/r/49401/#comment205490>

    Same


3rdparty/libprocess/src/openssl.cpp (lines 700 - 712)
<https://reviews.apache.org/r/49401/#comment205491>

    This is unfortunate. Can you sync with @mcypark to see if we can clean this up?


- Joris Van Remoortere


On June 30, 2016, 2 p.m., Till Toenshoff wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/49401/
> -----------------------------------------------------------
>
> (Updated June 30, 2016, 2 p.m.)
>
>
> Review request for mesos, Adam B, Albert Strasheim, Artem Harutyunyan, Joris
> Van Remoortere, and Lukas Loesche.
>
>
> Bugs: MESOS-5724
>     https://issues.apache.org/jira/browse/MESOS-5724
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Allows the verification of X509 certificates based on an IP address
> instead of a hostname. Introduces a new environment variable;
> `SSL_VERIFY_IPADD` which, when set to `true` will enable the
> peer certificate verification to additionally rely on the IP
> address of a connection.
>
>
> Diffs
> -----
>
>   3rdparty/libprocess/src/libevent_ssl_socket.hpp 1dbdaa8
>   3rdparty/libprocess/src/libevent_ssl_socket.cpp 19d9ae5
>   3rdparty/libprocess/src/openssl.hpp 7d55025
>   3rdparty/libprocess/src/openssl.cpp 0f62aa6
>
> Diff: https://reviews.apache.org/r/49401/diff/
>
>
> Testing
> -------
>
> make check on OSX and various linux distros.
>
>
> Thanks,
>
> Till Toenshoff
>