This is an automated email from the ASF dual-hosted git repository. bennoe pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/mesos.git
commit f1c60dd1de13ab5d0863eb2515e813a86976ac5c Author: Benno Evers <[email protected]> AuthorDate: Fri Jun 21 16:38:51 2019 +0200 Added OpenSSL-related changes to CHANGELOG. Review: https://reviews.apache.org/r/70921 --- CHANGELOG | 16 ++++++++++++++++ docs/upgrades.md | 24 +++++++++++++++++++++++- 2 files changed, 39 insertions(+), 1 deletion(-) diff --git a/CHANGELOG b/CHANGELOG index c431070..182c837 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -2,6 +2,16 @@ Release Notes - Mesos - Version 1.9.0 (WIP) ------------------------------------------- This release contains the following highlights: + * Security + + * A new libprocess flag `--hostname_validation_scheme` has been added. + This allows users to enable a new RFC 6125-compliant hostname verification + scheme based on primitives provided by OpenSSL. This will also improve + performance by getting rid of all reverse DNS lookups. (MESOS-9784) + + * The use of anonymous cipher suites is now disallowed when TLS certificate + verification is enabled. (MESOS-9810) + * Containerization: * [MESOS-9760] - A new `--docker_ignore_runtime` flag has been @@ -11,6 +21,12 @@ This release contains the following highlights: * [MESOS-9771] - The Mesos containerizer now masks sensitive paths in `/proc` for containers that do not share the host's PID namespace. + +Additional API Changes: + + * Mesos components will now forego TLS certificate validation for incoming + connections, unless `LIBPROCESS_SSL_REQUIRE_CERT` is set to true. + Release Notes - Mesos - Version 1.8.1 (WIP) ------------------------------------------- * This is a bug fix release. diff --git a/docs/upgrades.md b/docs/upgrades.md index 4a818df..0493e18 100644 --- a/docs/upgrades.md +++ b/docs/upgrades.md 
@@ -47,7 +47,11 @@ We categorize the changes as follows: </td> <td style="word-wrap: break-word; overflow-wrap: break-word;"><!--Mesos Core--> - </td> + <ul style="padding-left:10px;"> + <li>A <a href="#1-9-x-hostname-validation-scheme">hostname_validation_scheme</a></li> + <li>C <a href="#1-9-x-client-certificate-verification">TLS certificate verification behaviour</a></li> + </ul> + </td> <td style="word-wrap: break-word; overflow-wrap: break-word;"><!--Flags--> <ul style="padding-left:10px;"> 
@@ -507,6 +511,24 @@ We categorize the changes as follows: <a name="1-9-x-docker-ignore-runtime"></a> * A new [`--docker_ignore_runtime`](configuration/agent.md#docker_ignore_runtime) flag has been added. This causes the agent to ignore any runtime configuration present in Docker images. +<a name="1-9-x-hostname-validation-scheme"></a> +* A new libprocess TLS flag `--hostname_validation_scheme` along with the corresponding environment variable `LIBPROCESS_SSL_HOSTNAME_VALIDATION_SCHEME` + has been added. Using this flag, users can configure the way libprocess performs hostname validation for TLS connections. + See [`docs/ssl`](ssl.md) for details. + +<a name="1-9-x-client-certificate-verification"></a> +* The semantics of the libprocess environment variables `LIBPROCESS_SSL_VERIFY_CERT` and `LIBPROCESS_SSL_REQUIRE_CERT` have been slightly updated such that + the former now only applies to client-mode and the latter only to server-mode connections. As part of this re-adjustment, the following two changes have + been introduced that might require changes for operators running Mesos in unusual TLS configurations. + * Anonymous ciphers can not be used anymore when `LIBPROCESS_SSL_VERIFY_CERT` is set to true. This is because the use of anonymous ciphers enables + a malicious attacker to bypass certificate verification by choosing a certificate-less cipher. + Users that rely on anonymous ciphers being available should make sure that `LIBPROCESS_SSL_VERIFY_CERT` is set to false. + * For incoming connections, certificates are not verified unless `LIBPROCESS_SSL_REQUIRE_CERT` is set to true. + This is because verifying the certificate can lead to false negatives, where a connection is aborted even though presenting no certificate at all + would have been successfull. Users that rely on incoming connection requests presenting valid TLS certificates should make sure that + the `LIBPROCESS_SSL_REQUIRE_CERT` option is set to true. 
+ + ## Upgrading from 1.7.x to 1.8.x ## <a name="1-8-x-linux-seccomp-isolator"></a>
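Review bot: In the CHANGELOG hunk at `@@ -2,6 +2,16 @@`, the new `* Security` section does not follow the format of the existing `* Containerization:` section, which ends the section title with a colon and prefixes each item with its JIRA id (`* [MESOS-9760] - A new ...`). Suggest `* Security:` with `* [MESOS-9784] - A new libprocess flag ...` and `* [MESOS-9810] - The use of anonymous cipher suites ...`, so the ids sit in the same position as in the rest of the file and the trailing `(MESOS-9784)` / `(MESOS-9810)` forms can go. The sentence "This will also improve performance by getting rid of all reverse DNS lookups" reads as if the lookups disappear unconditionally; since the text presents the scheme as something users enable, it would be more accurate to say the reverse DNS lookups are avoided when the new scheme is selected.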
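Review bot: The `Additional API Changes` entry in the CHANGELOG hunk at `@@ -11,6 +21,12 @@` is the one change in this release that relaxes a default (incoming connections are no longer certificate-verified unless `LIBPROCESS_SSL_REQUIRE_CERT` is true), yet it carries no JIRA id and no pointer to the upgrade guide, unlike the surrounding entries. An operator who upgrades with an unchanged configuration and relied on incoming peers being verified will silently start accepting unverified peers, so suggest adding the ticket id (placeholder here, as it is not in this patch: `[MESOS-XXXX]`) and a sentence such as "Operators relying on verification of incoming connections must set `LIBPROCESS_SSL_REQUIRE_CERT=true`; see docs/upgrades.md." Also, "forego" should be "forgo" (do without); "forego" means to precede.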
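Review bot: In the docs/upgrades.md table hunk at `@@ -47,7 +47,11 @@`, the first new list item labels the link `hostname_validation_scheme`, dropping the `--` prefix and the code markup, while the bullet it links to writes the flag as `--hostname_validation_scheme`; suggest `<li>A <a href="#1-9-x-hostname-validation-scheme"><code>--hostname_validation_scheme</code></a></li>` for consistency with the linked text. The two anchors referenced here, `#1-9-x-hostname-validation-scheme` and `#1-9-x-client-certificate-verification`, match the `<a name=...>` anchors added in the following hunk, so the links resolve.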
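Review bot: In the docs/upgrades.md hunk at `@@ -507,6 +511,24 @@`, the second sub-bullet explains why certificate verification of incoming connections was relaxed but never states what `LIBPROCESS_SSL_REQUIRE_CERT=true` now does, i.e. whether a connection presenting no certificate is rejected and one presenting an invalid certificate is rejected; one sentence spelling this out would let operators decide without reading the code. The first sub-bullet's advice to set `LIBPROCESS_SSL_VERIFY_CERT` to false for users who need anonymous cipher suites should say plainly that this turns off certificate verification for all of that component's outgoing connections, so the trade-off is visible rather than implied. The `--hostname_validation_scheme` bullet defers entirely to `ssl.md`; listing the accepted values and the default inline would make the upgrade note self-contained. Spelling and wording: "successfull" should be "successful", "can not" should be "cannot", "re-adjustment" reads better as "adjustment", and "malicious attacker" can be just "attacker".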
