> On July 20, 2017, 3:21 p.m., Till Toenshoff wrote: > > 3rdparty/libprocess/src/openssl.cpp > > Lines 124 (patched) > > <https://reviews.apache.org/r/60913/diff/4/?file=1780273#file1780273line124> > > > > ``` > > "NOTE: OpenSSL versions below 1.0.2 support only..." > > ``` > > > > This also needs to be part of `docs/ssl.md`.
... and this :) .... sorry - I missed that RR. - Till ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/60913/#review181045 ----------------------------------------------------------- On July 20, 2017, 12:37 p.m., Alexander Rojas wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/60913/ > ----------------------------------------------------------- > > (Updated July 20, 2017, 12:37 p.m.) > > > Review request for mesos, Jie Yu and Till Toenshoff. > > > Bugs: MESOS-7792 > https://issues.apache.org/jira/browse/MESOS-7792 > > > Repository: mesos > > > Description > ------- > > Support for Elliptic Curve Diffie Hellman algorithm requires extra > configuration parameters which weren't part of Mesos. > > This patch enables the extra configuration to Mesos in order to > support ECDH algorithm, it also adds the ssl flag > `LIBPROCESS_SSL_ECDH_CURVES` which allows for the specification of > a specific elliptic curve. > > > Diffs > ----- > > 3rdparty/libprocess/include/process/ssl/flags.hpp > 13fa7a0cc9d6d6d6849976a3ce383263c51504d7 > 3rdparty/libprocess/src/openssl.hpp > 7ded2c74b2f92aacfa0f366bd27d5e0df2b8f25c > 3rdparty/libprocess/src/openssl.cpp > e6f17e4591f573186e1dc9697e1e7b60a841fe4f > 3rdparty/libprocess/src/tests/ssl_tests.cpp > 8a14dcb865dfab34fb4d0d51f42a28a913fb7ace > > > Diff: https://reviews.apache.org/r/60913/diff/4/ > > > Testing > ------- > > ```shell > make check > ``` > > Launched Mesos with only ECDHE handshake ciphers enabled > > ```shell > LIBPROCESS_SSL_ENABLED=1 \ > LIBPROCESS_SSL_KEY_FILE=/tmp/ssl/self-signed.key \ > LIBPROCESS_SSL_CERT_FILE=/tmp/ssl/self-signed.crt \ > LIBPROCESS_SSL_CIPHERS="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA" > \ > ./bin/mesos-master.sh \ > --work_dir=/tmp/mesos/master \ > --log_dir=/tmp/mesos/master/log > ``` > > Then in another shell: > > ```shell > http -v --verify=no https://${MESOS_MASTER_IP}:5050/state > > # Launches a browser. > open https://${MESOS_MASTER_IP}:5050/state > > # List the set of supported ciphers. > # Expected output: > # > Starting Nmap 7.50 ( https://nmap.org ) at 2017-07-18 11:41 CEST > # > Nmap scan report for ${MESOS_MASTER_HOSTNAME} (${MESOS_MASTER_IP}) > # > Host is up (0.13s latency). > # > rDNS record for ${MESOS_MASTER_IP}: ${MESOS_MASTER_HOSTNAME} > # > > # > PORT STATE SERVICE > # > 5050/tcp open mmcc > # > | ssl-enum-ciphers: > # > | TLSv1.2: > # > | ciphers: > # > | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A > # > | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A > # > | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A > # > | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A > # > | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A > # > | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A > # > | compressors: > # > | NULL > # > | cipher preference: server > # > |_ least strength: A > # > > # > Nmap done: 1 IP address (1 host up) scanned in 1.87 seconds > wget https://svn.nmap.org/nmap/scripts/ssl-enum-ciphers.nse > nmap --script ssl-enum-ciphers.nse -p 5050 ${MESOS_MASTER_IP} > ``` > > > Thanks, > > Alexander Rojas > >
