-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70749/#review215736
-----------------------------------------------------------

Some notes:

First, this has become quite a big review, since I merged it with the other review about removing reverse DNS calls for `connect()`. The reason I did this was because it turns out that getting rid of rDNS will actually be a noticeable behavioural change, so it should be hidden behind a feature flag. On the other hand, this review introduces a good candidate for such a flag, and I didn't want to introduce another one that is required just for one commit.

Second, the semantics of the flag actually have changed compared to the first revision. I'll update the design doc shortly, but in the meantime be sure to read the detailed description in the follow-up commit.

Third, this is still a bit theoretical and requires additional testing to figure out how practical the `openssl` algorithm is right now, but I felt it's better if other people are able to look at the code as well.


3rdparty/libprocess/include/process/address.hpp
Lines 70 (patched)
<https://reviews.apache.org/r/70749/#comment302553>

The renaming was mostly done to ensure I catch all usages of `hostname()`, I'm happy to revert if you think this doesn't belong in this review or breaks API. However, given that several users of this function seemed to be unaware that calling this would involve a network operation, I'd say renaming is in principle a good idea.


- Benno Evers


On June 6, 2019, 11:15 p.m., Benno Evers wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70749/
> -----------------------------------------------------------
>
> (Updated June 6, 2019, 11:15 p.m.)
>
>
> Review request for mesos, Alexander Rukletsov and Joseph Wu.
>
>
> Bugs: MESOS-9809
>     https://issues.apache.org/jira/browse/MESOS-9809
>
>
> Repository: mesos
>
>
> Description
> -------
>
> This commit introduces a new libprocess SSL flag
> `hostname_validation_algorithm`, which can be used to select
> between the previous hostname validation behaviour and a new
> option to use standardized OpenSSL algorithms to handle
> hostname validation as part of the
>
> As a nice side-effect, the new algorithm gets rid of reverse DNS
> lookups during TLS connection establishment, which used to be
> a common source of hard-to-debug unresponsiveness in Mesos
> components.
>
> See `docs/ssl.md` in the follow-up commit for details of and
> differences between the algorithms.
>
>
> Diffs
> -----
>
>   3rdparty/libprocess/include/process/address.hpp e740e840c38381bafd7a1a7fcde5f963832ac1fb
>   3rdparty/libprocess/include/process/ssl/flags.hpp f3483f97f93bb29117b2c78f0f2ed9735d9c4b3a
>   3rdparty/libprocess/src/http.cpp 3e73ee936f5c6329f41704a179f3d88ab65dfb6d
>   3rdparty/libprocess/src/openssl.hpp 17bec246e516261f8d772f1647c17f092fae82d1
>   3rdparty/libprocess/src/openssl.cpp e7dbd67913fa8e7fbbf60dee428e7e38895f86ce
>   3rdparty/libprocess/src/posix/libevent/libevent_ssl_socket.cpp 29a1bf71c1df9d80370455a6269ecea0ec4193b0
>   3rdparty/libprocess/src/tests/http_tests.cpp 97aaf3ed3d4fab6d717d5c9b6d12402562ac6b46
>   3rdparty/libprocess/src/tests/ssl_tests.cpp 6b8496aeeed79ae1bd39d7013f4f403b248fdd4c
>
>
> Diff: https://reviews.apache.org/r/70749/diff/2/
>
>
> Testing
> -------
>
> Todo!
>
>
> Thanks,
>
> Benno Evers
>
>