> On Sept. 20, 2016, 1:23 a.m., Joris Van Remoortere wrote:
> > 3rdparty/libprocess/src/openssl.cpp, lines 481-482
> > <https://reviews.apache.org/r/52031/diff/1/?file=1502587#file1502587line481>
> >
> >     Is there any information we can provide here about where we are looking 
> > for the defaults to help the user identify the problem?
> 
> Till Toenshoff wrote:
>     The defaults are baked into the openssl libraries at compile-time. The 
> user may override those using openssl's `SSL_CERT_FILE` and `SSL_CERT_DIR`. 
> There seems to be no public way to extract those paths back out to get them 
> displayed.
>     
>     Quick background: that information is obviously attached to the context, 
> internally that specific certificate stuff is handled by the 
> `X509_STORE`-API. The above call effectively attaches a new cert store to our 
> context and populates it with the content of the given file/dir path. The 
> result is a (bunch of) certificate/s attached. The source path however is 
> unknown later on - at least from the API point of view. So all we could 
> possibly show here are the context attached certificates but not their source 
> locations.
> 
> Till Toenshoff wrote:
>     The documentation totally stays silent on `X509_get_default_cert_file` 
> and `X509_get_default_cert_dir`. However after checking their 
> implementations, to me it seems as if they would never return the value/s of 
> user-environment supplied overrides (e.g. `SSL_CERT_FILE`) but only the baked 
> in defaults. So instead of being helpful, in cases where the user used the 
> OpenSSL specific environment variables the output of those functions would be 
> even more confusing. In other words, if the user set `SSL_CERT_FILE` towards 
> `/foo/bar/cert.pem`, calling `X509_get_default_cert_file` would yield the 
> baked in default (e.g. `SSLCERTS:cert.pem`).

At this point I only see the following as an option for displaying helpful 
information:
Emulate the internal openssl bizzlogic by first checking the env var 
`SSL_CERT_FILE` for content: if set, return that one in our debug logging; 
if not set, return the baked-in default. See 
https://github.com/openssl/openssl/blob/master/crypto/x509/by_file.c#L50 for 
the details on their implementation.


- Till


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/52031/#review149593
-----------------------------------------------------------
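The lookup order described in the reply above, written out as an added example (it is not code from the review or from libprocess): the environment variable wins when set, otherwise the compiled-in default applies, and the chosen source is spelled out for the error message. The `X509_get_default_cert_file()`/`X509_get_default_cert_dir()` results are replaced by constructed placeholder paths so the snippet builds without OpenSSL; the names `resolveCertLocation` and `describeCertLocation` are this example's own.

```cpp
#include <cstdio>
#include <cstdlib>
#include <string>

// Lookup order from OpenSSL's crypto/x509/by_file.c: the environment
// override wins when set, otherwise the compile-time default is used.
enum class CertSource { EnvOverride, EnvEmpty, CompiledDefault };

struct CertLocation {
  std::string path;   // the path OpenSSL will actually try to load
  CertSource source;  // how that path was chosen
};

// envValue: raw getenv() result for SSL_CERT_FILE / SSL_CERT_DIR (nullptr
// when unset). bakedDefault: what X509_get_default_cert_file() or
// X509_get_default_cert_dir() returns.
CertLocation resolveCertLocation(const char* envValue, const char* bakedDefault) {
  if (envValue == nullptr) return {bakedDefault, CertSource::CompiledDefault};
  // OpenSSL uses a set-but-empty variable as-is, so the load will fail;
  // flag it separately so the message points at the actual cause.
  if (*envValue == '\0') return {"", CertSource::EnvEmpty};
  return {envValue, CertSource::EnvOverride};
}

// One line to append to the verification-failure message.
std::string describeCertLocation(const std::string& what,
                                 const std::string& envName,
                                 const CertLocation& loc) {
  switch (loc.source) {
    case CertSource::EnvOverride:
      return what + ": '" + loc.path + "' (from " + envName + ")";
    case CertSource::EnvEmpty:
      return what + ": <empty> (" + envName + " is set but empty)";
    default:
      return what + ": '" + loc.path + "' (OpenSSL compiled-in default; " +
             envName + " not set)";
  }
}

int main() {
  // Constructed placeholders standing in for X509_get_default_cert_file()
  // and X509_get_default_cert_dir(); a real build would call those instead.
  const char* defaultFile = "/usr/lib/ssl/cert.pem";
  const char* defaultDir = "/usr/lib/ssl/certs";
  std::puts(describeCertLocation("CA file", "SSL_CERT_FILE",
      resolveCertLocation(std::getenv("SSL_CERT_FILE"), defaultFile)).c_str());
  std::puts(describeCertLocation("CA dir", "SSL_CERT_DIR",
      resolveCertLocation(std::getenv("SSL_CERT_DIR"), defaultDir)).c_str());
  return 0;
}
```

Newer OpenSSL releases read these variables through `secure_getenv` where the platform provides it, so in a setuid process the override is ignored and the compiled-in default applies even though the variable is set; a message built this way would then name the wrong path.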


On Sept. 19, 2016, 1:13 p.m., Till Toenshoff wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/52031/
> -----------------------------------------------------------
> 
> (Updated Sept. 19, 2016, 1:13 p.m.)
> 
> 
> Review request for mesos, Joris Van Remoortere and Joseph Wu.
> 
> 
> Bugs: MESOS-5320
>     https://issues.apache.org/jira/browse/MESOS-5320
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Adds the human readable openssl error messages for failure cases. Also
> fixes a spacing nit in one of the existing messages.
> 
> 
> Diffs
> -----
> 
>   3rdparty/libprocess/src/openssl.cpp 
> c09cdc89509e4e4ca4c8a0f4fb0a57156a3a6091 
> 
> Diff: https://reviews.apache.org/r/52031/diff/
> 
> 
> Testing
> -------
> 
> make check && functional testing
> 
> 
> Thanks,
> 
> Till Toenshoff
> 
>