> On June 4, 2019, 11:39 a.m., Alexander Rukletsov wrote:
> > 3rdparty/libprocess/src/openssl.cpp
> > Lines 565-567 (patched)
> > <https://reviews.apache.org/r/70749/diff/1/?file=2147043#file2147043line565>
> >
> >     Hm, this is unfortunate. I wonder if we can use
> >     https://www.openssl.org/docs/manmaster/man3/SSL_get_verify_result.html in
> >     combination with `SSL_VERIFY_NONE` to mimic the OR behaviour we currently
> >     have? Another question is whether we need to support OR at all.
We can mimic the behaviour pretty easily by calling `X509_check_host()` and `X509_check_ip()` manually in `openssl::verify()`, and returning true if one of them matches. (we don't even need `SSL_VERIFY_NONE` for that, since hostname validatio

However, there are downsides:

- If we still want to use the `SSL_set1_host()` API if possible, we have *three* different code paths instead of two.
- If we decide to use only `X509_check_{host,ip}()`, invalid connections are not rejected during the TLS handshake but only afterwards in the application layer.

I looked at the OpenSSL source (urgh) and their hostname validation algorithm does essentially the same thing as ours, so I'm not sure that adding an additional ssl flag with all the complicated handling logic would really be worth it for what would then be a purely aesthetic change.

- Benno


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70749/#review215673
-----------------------------------------------------------


On May 31, 2019, 3:47 p.m., Benno Evers wrote:
>
> (Updated May 31, 2019, 3:47 p.m.)
>
>
> Review request for mesos, Alexander Rukletsov and Joseph Wu.
>
>
> Bugs: MESOS-9809
>     https://issues.apache.org/jira/browse/MESOS-9809
>
>
> Repository: mesos
>
>
> Description
> -------
>
> WIP: Use openssl hostname validation.
>
>
> Diffs
> -----
>
>   3rdparty/libprocess/include/process/ssl/flags.hpp f3483f97f93bb29117b2c78f0f2ed9735d9c4b3a
>   3rdparty/libprocess/src/openssl.hpp 17bec246e516261f8d772f1647c17f092fae82d1
>   3rdparty/libprocess/src/openssl.cpp e7dbd67913fa8e7fbbf60dee428e7e38895f86ce
>   3rdparty/libprocess/src/posix/libevent/libevent_ssl_socket.cpp 29a1bf71c1df9d80370455a6269ecea0ec4193b0
>
>
> Diff: https://reviews.apache.org/r/70749/diff/1/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Benno Evers
>