> On June 4, 2019, 11:39 a.m., Alexander Rukletsov wrote:
> > 3rdparty/libprocess/src/openssl.cpp
> > Lines 565-567 (patched)
> > <https://reviews.apache.org/r/70749/diff/1/?file=2147043#file2147043line565>
> >
> >     Hm, this is unfortunate. I wonder if we can use 
> > https://www.openssl.org/docs/manmaster/man3/SSL_get_verify_result.html in 
> > combination with `SSL_VERIFY_NONE` to mimic the OR behaviour we currently 
> > have? Another question is whether we need to support OR at all.

We can mimic the behaviour pretty easily by calling `X509_check_host()` and 
`X509_check_ip()` manually in `openssl::verify()`, and returning true if one of 
them matches. (we don't even need `SSL_VERIFY_NONE` for that, since hostname 
validatio

However, there are downsides:
 - If we still want to use the `SSL_set1_host()` API if possible, we have 
*three* different code paths instead of two.
 - If we decide to use only `X509_check_{host,ip}()`, invalid connections are 
not rejected during the TLS handshake but only afterwards in the application 
layer. I looked at the OpenSSL source (urgh) and their hostname validation 
algorithm does essentially the same thing as ours, so I'm not sure that adding 
an additional ssl flag with all the complicated handling logic would really be 
worth it for what would then be a purely aesthetic change.


- Benno


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70749/#review215673
-----------------------------------------------------------
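A self-contained model of the "host OR ip" check described in the reply above, added here as an illustration; it is not code from the review, from libprocess, or from OpenSSL. Instead of calling `X509_check_host()`/`X509_check_ip()` on a real `X509`, it takes a constructed `PeerCert` struct holding the certificate's SAN entries and applies the matching rules those functions implement (case-insensitive DNS comparison, a `*` wildcard only as the whole leftmost label and only when at least two labels follow it, exact octet comparison for IPv4 iPAddress entries). The names `PeerCert`, `dns_matches`, `parse_ipv4` and `verify_host_or_ip` are assumptions of this example. Note that, exactly as the reply points out, a check like this runs after the handshake in the application layer, so the caller must close the connection itself when it returns false.

```cpp
// Added example (not libprocess or OpenSSL code): model of accepting a peer
// when EITHER the hostname matches a dNSName SAN OR the peer IP matches an
// iPAddress SAN, i.e. the OR behaviour discussed in the review.
#include <algorithm>
#include <array>
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Constructed stand-in for a parsed X509: only the SAN entries we match on.
struct PeerCert {
    std::vector<std::string> dns_names;              // SAN dNSName entries
    std::vector<std::array<uint8_t, 4>> ip_addrs;    // SAN iPAddress (IPv4 only)
};

static std::string lower(std::string s) {
    for (auto& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

// Parse a dotted-quad IPv4 literal into 4 octets; false if it is not one.
bool parse_ipv4(const std::string& s, std::array<uint8_t, 4>& out) {
    size_t pos = 0;
    for (int i = 0; i < 4; ++i) {
        size_t next = s.find('.', pos);
        std::string part = s.substr(pos, next == std::string::npos ? std::string::npos : next - pos);
        bool digits = !part.empty() && part.size() <= 3 &&
            std::all_of(part.begin(), part.end(),
                        [](unsigned char c) { return std::isdigit(c) != 0; });
        if (!digits) return false;
        int v = std::stoi(part);
        if (v > 255) return false;
        out[i] = static_cast<uint8_t>(v);
        if (i < 3) { if (next == std::string::npos) return false; pos = next + 1; }
        else if (next != std::string::npos) return false;   // trailing garbage
    }
    return true;
}

// Model of one X509_check_host() comparison: pattern vs. expected hostname.
bool dns_matches(const std::string& pattern, const std::string& host) {
    std::string p = lower(pattern), h = lower(host);
    if (p.rfind("*.", 0) != 0) return p == h;       // no wildcard: exact match
    std::string suffix = p.substr(1);               // "*.mesos.example" -> ".mesos.example"
    // The wildcard must be followed by at least two labels ("*.example" is rejected).
    if (std::count(suffix.begin(), suffix.end(), '.') < 2) return false;
    // The wildcard covers exactly one non-empty leftmost label of the host.
    size_t dot = h.find('.');
    if (dot == std::string::npos || dot == 0) return false;
    return h.substr(dot) == suffix;
}

// Accept if the hostname matches any dNSName OR the peer IP matches any iPAddress.
bool verify_host_or_ip(const PeerCert& cert, const std::string& hostname,
                       const std::string& peer_ip) {
    bool host_ok = std::any_of(cert.dns_names.begin(), cert.dns_names.end(),
        [&](const std::string& p) { return dns_matches(p, hostname); });
    bool ip_ok = false;
    std::array<uint8_t, 4> ip{};
    if (parse_ipv4(peer_ip, ip)) {
        ip_ok = std::find(cert.ip_addrs.begin(), cert.ip_addrs.end(), ip) != cert.ip_addrs.end();
    }
    return host_ok || ip_ok;
}

int main() {
    // Constructed sample certificate: wildcard DNS SAN plus one IPv4 SAN.
    PeerCert cert;
    cert.dns_names = {"*.mesos.example"};
    cert.ip_addrs = {{10, 0, 0, 7}};
    std::printf("by hostname: %d\n", verify_host_or_ip(cert, "agent1.mesos.example", "192.0.2.9"));
    std::printf("by ip:       %d\n", verify_host_or_ip(cert, "unknown.other", "10.0.0.7"));
    std::printf("neither:     %d\n", verify_host_or_ip(cert, "unknown.other", "192.0.2.9"));
    return 0;
}
```

The two predicates are deliberately kept separate so that a caller can also implement the stricter variant (hostname only, as `SSL_set1_host()` enforces during the handshake) by dropping the `ip_ok` branch.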


On May 31, 2019, 3:47 p.m., Benno Evers wrote:
> 
> 
> (Updated May 31, 2019, 3:47 p.m.)
> 
> 
> Review request for mesos, Alexander Rukletsov and Joseph Wu.
> 
> 
> Bugs: MESOS-9809
>     https://issues.apache.org/jira/browse/MESOS-9809
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> WIP: Use openssl hostname validation.
> 
> 
> Diffs
> -----
> 
>   3rdparty/libprocess/include/process/ssl/flags.hpp 
> f3483f97f93bb29117b2c78f0f2ed9735d9c4b3a 
>   3rdparty/libprocess/src/openssl.hpp 
> 17bec246e516261f8d772f1647c17f092fae82d1 
>   3rdparty/libprocess/src/openssl.cpp 
> e7dbd67913fa8e7fbbf60dee428e7e38895f86ce 
>   3rdparty/libprocess/src/posix/libevent/libevent_ssl_socket.cpp 
> 29a1bf71c1df9d80370455a6269ecea0ec4193b0 
> 
> 
> Diff: https://reviews.apache.org/r/70749/diff/1/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Benno Evers
> 
>
