This is an automated email from the ASF dual-hosted git repository. josephwu pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/mesos.git
commit 34bac34419ebec8441e69d3a5684381468352399 Author: Joseph Wu <[email protected]> AuthorDate: Tue Dec 17 15:23:27 2019 -0800 SSL Socket: Guarded against downgrade while unimplemented. The SSL downgrade feature present in our libevent-SSL socket is currently not supported on the plain-OpenSSL socket. For this reason, we make sure to check the related flag and prevent the related tests from running. Review: https://reviews.apache.org/r/71923
---
3rdparty/libprocess/src/openssl.cpp | 6 ++++++ 3rdparty/libprocess/src/tests/ssl_tests.cpp | 3 +++ 2 files changed, 9 insertions(+)
diff --git a/3rdparty/libprocess/src/openssl.cpp b/3rdparty/libprocess/src/openssl.cpp
index ec7d6e8..b2dd2fe 100644
--- a/3rdparty/libprocess/src/openssl.cpp
+++ b/3rdparty/libprocess/src/openssl.cpp
@@ -550,8 +550,14 @@ void reinitialize()
 // Notify users of the 'SSL_SUPPORT_DOWNGRADE' flag that this
 // setting allows insecure connections.
 if (ssl_flags->support_downgrade) {
+#ifdef USE_LIBEVENT
 LOG(WARNING) << "Failed SSL connections will be downgraded to a non-SSL socket";
+#else
+ EXIT(EXIT_FAILURE)
+ << "Non-libevent SSL sockets do not support downgrade yet,"
+ << " see MESOS-10073";
+#endif // USE_LIBEVENT
 }
 // TODO(bevers): Remove the deprecated names for these flags after an
diff --git a/3rdparty/libprocess/src/tests/ssl_tests.cpp b/3rdparty/libprocess/src/tests/ssl_tests.cpp
index 3f1d103..a6563fb 100644
--- a/3rdparty/libprocess/src/tests/ssl_tests.cpp
+++ b/3rdparty/libprocess/src/tests/ssl_tests.cpp
@@ -483,6 +483,8 @@ TEST_F(SSLTest, ECDHESupport)
 }
+// TODO(josephw): Support downgrades on the native OpenSSL socket (MESOS-10073).
+#ifdef USE_LIBEVENT
 // Ensure we can communicate between a POLL based socket and an SSL
 // socket if 'SSL_SUPPORT_DOWNGRADE' is enabled.
 TEST_F(SSLTest, ValidDowngrade)
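Review bot: The comment above the `if (ssl_flags->support_downgrade)` check still describes the block as only notifying users that the flag allows insecure connections, while the new `#else` branch makes `reinitialize()` terminate the process with `EXIT(EXIT_FAILURE)` on non-libevent builds; update the comment so the fail-closed behaviour is documented next to the code, e.g. `// Downgrade is only implemented by the libevent socket; on other builds refuse to start (MESOS-10073) rather than silently ignoring a security-relevant flag.` Exiting at startup is the right choice here, since silently accepting a downgrade flag that cannot take effect would leave the operator with a configuration that does not behave as declared, and the `LOG(WARNING)` branch keeps the existing notice that downgrade permits non-SSL connections. One thing worth confirming is that `USE_LIBEVENT` is actually visible in this translation unit via the build configuration; if openssl.cpp does not see the definition, libevent builds would also abort whenever the flag is set. The body of `reinitialize()` continues outside the hunk.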
@@ -581,6 +583,7 @@ TEST_F(SSLTest, ValidDowngradeEachProtocol)
 AWAIT_ASSERT_READY(await_subprocess(client.get(), 0));
 }
 }
+#endif // USE_LIBEVENT
 // For each protocol: ensure we CANNOT communicate between a POLL
