> On June 4, 2019, 11:39 a.m., Alexander Rukletsov wrote:
> > 3rdparty/libprocess/src/openssl.cpp
> > Lines 565-567 (patched)
> > <https://reviews.apache.org/r/70749/diff/1/?file=2147043#file2147043line565>
> >
> >     Hm, this is unfortunate. I wonder if we can use 
> > https://www.openssl.org/docs/manmaster/man3/SSL_get_verify_result.html in 
> > combination with `SSL_VERIFY_NONE` to mimic the OR behaviour we currently 
> > have? Another question is whether we need to support OR at all.
> 
> Benno Evers wrote:
>     We can mimic the behaviour pretty easily by calling `X509_check_host()` 
> and `X509_check_ip()` manually in `openssl::verify()`, and returning true if 
> one of them matches. (we don't even need `SSL_VERIFY_NONE` for that, since 
> hostname validatio
>     
>     However, there are downsides:
>      - If we still want to use the `SSL_set1_host()` api if possible, we have 
> *three* different code paths instead of two.
>      - If we decide to use only `X509_check_{host,ip}()`, invalid connections 
> are not rejected during the TLS handshake but only afterwards in the 
> application layer. I looked at the OpenSSL source (urgh) and their hostname 
> validation algorithm does essentially the same thing as ours, so I'm not sure 
> that adding an additional ssl flag with all the complicated handling logic 
> would really be worth it for what would then be a purely aesthetic change.

> (we don't even need SSL_VERIFY_NONE for that, since hostname validatio

...n will not be part of the TLS handshake unless `SSL_set1_host()` was called.)


- Benno


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70749/#review215673
-----------------------------------------------------------
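The OR check Benno describes (call `X509_check_host()` and `X509_check_ip()` from `openssl::verify()` and accept the peer if either matches), as an added stand-alone model that is neither libprocess nor OpenSSL code: `PeerCert`, `checkHost`, `checkIp` and `verifyPeer` are hypothetical stand-ins over constructed SAN data, so the block compiles without libssl.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// Constructed model of a peer certificate's Subject Alternative Names
// (hypothetical type; a real implementation passes the X509* itself).
struct PeerCert {
  std::vector<std::string> dnsNames;    // dNSName entries, may start with "*."
  std::vector<std::string> ipAddresses; // iPAddress entries in textual form
};

static std::string lower(std::string s) {
  std::transform(s.begin(), s.end(), s.begin(),
                 [](unsigned char c) { return std::tolower(c); });
  return s;
}

// Match one dNSName entry against a hostname: case-insensitive, and a
// wildcard is honoured only as the whole leftmost label ("*.example.org").
static bool matchDnsName(const std::string& pattern, const std::string& host) {
  std::string p = lower(pattern), h = lower(host);
  if (p.compare(0, 2, "*.") != 0) return p == h;
  std::size_t dot = h.find('.');
  if (dot == std::string::npos || dot == 0) return false;
  return h.substr(dot + 1) == p.substr(2);
}

// Stand-in for X509_check_host(): true if any dNSName SAN matches.
bool checkHost(const PeerCert& cert, const std::string& host) {
  for (const auto& n : cert.dnsNames) if (matchDnsName(n, host)) return true;
  return false;
}

// Stand-in for X509_check_ip(): an IP literal is compared only against
// iPAddress SANs, never against dNSName entries.
bool checkIp(const PeerCert& cert, const std::string& ip) {
  return std::find(cert.ipAddresses.begin(), cert.ipAddresses.end(), ip)
      != cert.ipAddresses.end();
}

// The OR behaviour from the thread: accept the peer when either the
// hostname or the IP the socket connected to is certified.
bool verifyPeer(const PeerCert& cert, const std::string& host,
                const std::string& ip) {
  return checkHost(cert, host) || checkIp(cert, ip);
}
```

Because an IP literal only ever matches an iPAddress entry, the hostname check and the IP check stay separate, which is why the OR has to be written out explicitly rather than folded into a single hostname check.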


On May 31, 2019, 3:47 p.m., Benno Evers wrote:
> 
> (Updated May 31, 2019, 3:47 p.m.)
> 
> 
> Review request for mesos, Alexander Rukletsov and Joseph Wu.
> 
> 
> Bugs: MESOS-9809
>     https://issues.apache.org/jira/browse/MESOS-9809
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> WIP: Use openssl hostname validation.
> 
> 
> Diffs
> -----
> 
>   3rdparty/libprocess/include/process/ssl/flags.hpp 
> f3483f97f93bb29117b2c78f0f2ed9735d9c4b3a 
>   3rdparty/libprocess/src/openssl.hpp 
> 17bec246e516261f8d772f1647c17f092fae82d1 
>   3rdparty/libprocess/src/openssl.cpp 
> e7dbd67913fa8e7fbbf60dee428e7e38895f86ce 
>   3rdparty/libprocess/src/posix/libevent/libevent_ssl_socket.cpp 
> 29a1bf71c1df9d80370455a6269ecea0ec4193b0 
> 
> 
> Diff: https://reviews.apache.org/r/70749/diff/1/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Benno Evers
> 
>
