This is an automated email from the ASF dual-hosted git repository. josephwu pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/mesos.git
commit 4a92c709fbafd382a030b8e87decf8d56357b57b Author: Joseph Wu <[email protected]> AuthorDate: Wed Oct 9 16:35:05 2019 -0700 SSL Socket: Allowed SSL without libevent. This removes the configure-time check on having both ENABLE_SSL and ENABLE_LIBEVENT set to true in order to have SSL sockets. The subsequent commits will add SSL support based on the existing poll socket class. This also updates the related documentation for SSL, including on Windows. Review: https://reviews.apache.org/r/71659 --- cmake/CompilationConfigure.cmake | 10 ++++----- configure.ac | 2 -- docs/configuration/autotools.md | 3 +-- docs/ssl.md | 46 ++++++++++++++++++++++++++++++++++------ docs/windows.md | 12 +++-------- 5 files changed, 47 insertions(+), 26 deletions(-) diff --git a/cmake/CompilationConfigure.cmake b/cmake/CompilationConfigure.cmake index 62cb23e..089df91 100644 --- a/cmake/CompilationConfigure.cmake +++ b/cmake/CompilationConfigure.cmake @@ -260,12 +260,6 @@ if (WIN32 AND ENABLE_LIBEVENT) "See MESOS-8668 for context.") endif () -if (ENABLE_SSL AND (NOT ENABLE_LIBEVENT)) - message( - FATAL_ERROR - "'ENABLE_SSL' currently requires 'ENABLE_LIBEVENT'.") -endif () - # SYSTEM CHECKS. ################ @@ -585,6 +579,10 @@ if (ENABLE_SSL) add_definitions(-DUSE_SSL_SOCKET=1) endif () +if (ENABLE_LIBEVENT) + add_definitions(-DUSE_LIBEVENT=1) +endif () + # Calculate some build information. string(TIMESTAMP BUILD_DATE "%Y-%m-%d %H:%M:%S UTC" UTC) string(TIMESTAMP BUILD_TIME "%s" UTC) diff --git a/configure.ac b/configure.ac index f274f34..6ff2a32 100644 --- a/configure.ac +++ b/configure.ac @@ -1602,8 +1602,6 @@ if test "x$enable_ssl" = "xyes"; then if test "x$with_bundled_libevent" != "xyes"; then MESOS_HAVE_LIBEVENT_SSL() fi - else - AC_MSG_ERROR([SSL is currently only supported with libevent]) fi fi diff --git a/docs/configuration/autotools.md b/docs/configuration/autotools.md index 55a5de8..577e794 100644 --- a/docs/configuration/autotools.md +++ b/docs/configuration/autotools.md 
@@ -232,8 +232,7 @@ layout: documentation </td> <td> Enable <a href="/documentation/latest/ssl">SSL</a> for libprocess - communication. Note that <code>--enable-libevent</code> is currently - required for SSL functionality. [default=no] + communication. [default=no] </td> </tr> <tr> diff --git a/docs/ssl.md b/docs/ssl.md index f6beb42..720eda4 100644 --- a/docs/ssl.md +++ b/docs/ssl.md 
@@ -5,16 +5,34 @@ layout: documentation # SSL in Mesos -By default, all the messages that flow through the Mesos cluster are unencrypted, making it possible for anyone with access to the cluster to intercept and potentially control arbitrary tasks. +By default, all the messages that flow through the Mesos cluster are +unencrypted, making it possible for anyone with access to the cluster to +intercept and potentially control arbitrary tasks. -SSL/TLS support was added to libprocess in Mesos 0.23.0, which encypts the low-level communication that Mesos uses for network communication between Mesos components. Additionally, HTTPS support was added to the Mesos WebUI. +SSL/TLS support was added to libprocess in Mesos 0.23.0, which encrypts the +data that Mesos uses for network communication between Mesos components. +Additionally, HTTPS support was added to the Mesos WebUI. # Build Configuration -There is currently only one implementation of the [libprocess socket interface](https://github.com/apache/mesos/blob/master/3rdparty/libprocess/include/process/socket.hpp) that supports SSL. This implementation uses [libevent](https://github.com/libevent/libevent). Specifically it relies on the `libevent-openssl` library that wraps `openssl`. -Before building Mesos 0.23.0 from source, assuming you have installed the required [Dependencies](#Dependencies), you can modify your configure line to enable SSL as follows: +There are currently two implementations of the +[libprocess socket interface](https://github.com/apache/mesos/blob/master/3rdparty/libprocess/include/process/socket.hpp) +that support SSL. + +The first implementation, added in Mesos 0.23.0, uses +[libevent](https://github.com/libevent/libevent). +Specifically it relies on the `libevent-openssl` library that wraps `openssl`. + +The second implementation, added in Mesos 1.10.0, is a generic socket +wrapper which only relies on the OpenSSL (1.1+) library. 
+ +Before building Mesos from source, assuming you have installed the +required [Dependencies](#Dependencies), you can modify your configure line +to enable SSL as follows: ~~~ +../configure --enable-ssl +# Or: ../configure --enable-libevent --enable-ssl ~~~ @@ -206,7 +224,10 @@ since attackers that are able to forge a DNS or rDNS result can launch a success man-in-the-middle attack on the 'legacy' scheme. ### libevent -We require the OpenSSL support from libevent. The suggested version of libevent is [`2.0.22-stable`](https://github.com/libevent/libevent/releases/tag/release-2.0.22-stable). As new releases come out we will try to maintain compatibility. +If building with `--enable-libevent`, we require the OpenSSL support from +libevent. The suggested version of libevent is +[`2.0.22-stable`](https://github.com/libevent/libevent/releases/tag/release-2.0.22-stable). +As new releases come out we will try to maintain compatibility. ~~~ // For example, on OSX: 
@@ -214,8 +235,19 @@ brew install libevent ~~~ ### OpenSSL -We require [OpenSSL](https://github.com/openssl/openssl). There are multiple branches of OpenSSL that are being maintained by the community. Since security requires being vigilant, we recommend reading the release notes for the current releases of OpenSSL and deciding on a version within your organization based on your security needs. Mesos is not too deeply dependent on specific OpenSSL versions, so there is room for you to make security decisions as an organization. -Please ensure the `event2` and `openssl` headers are available for building Mesos. +We require [OpenSSL](https://github.com/openssl/openssl). +There are multiple branches of OpenSSL that are being maintained by the +community. Since security requires being vigilant, we recommend reading +the release notes for the current releases of OpenSSL and deciding on a +version within your organization based on your security needs. + +When building with libevent, Mesos is not too deeply dependent on specific +OpenSSL versions, so there is room for you to make security decisions as +an organization. When building without libevent, OpenSSL 1.1+ is required, +because Mesos makes use of APIs introduced in later versions of OpenSSL. + +Please ensure the `event2` (when building with libevent) and +`openssl` headers are available for building Mesos. ~~~ // For example, on OSX: diff --git a/docs/windows.md b/docs/windows.md index 35b12dd..4f45ef3 100644 --- a/docs/windows.md +++ b/docs/windows.md @@ -123,7 +123,7 @@ components on Windows, turn it `ON`: mkdir build; cd build $env:PATH += ";C:\...\apache-maven-3.3.9\bin\" $env:JAVA_HOME = "C:\Program Files\Java\jdk1.8.0_144" -cmake .. -DENABLE_JAVA=ON -DENABLE_LIBEVENT=ON -G "Visual Studio 15 2017 Win64" -T "host=x64" +cmake .. -DENABLE_JAVA=ON -G "Visual Studio 15 2017 Win64" -T "host=x64" cmake --build . --target mesos-java ``` 
@@ -159,15 +159,9 @@ of OpenSSL for Windows. A commonly chosen distribution is [openssl]: https://slproweb.com/products/Win32OpenSSL.html -As of this writing, OpenSSL 1.1.x is not yet supported, but 1.0.2M has been -tested. +As of this writing, OpenSSL 1.1.x is supported. -Use `-DENABLE_SSL=ON -DENABLE_LIBEVENT=ON` to build with OpenSSL. - -> Warning: This currently requires the use of libevent instead of the -> native Windows Thread Pool API. However, the use of libevent on -> Windows is NOT recommended, as it is buggy and will be unsupported -> in the future. +Use `-DENABLE_SSL=ON` to build with OpenSSL. Note that it will link to OpenSSL dynamically, so if the built executables are deployed elsewhere, that machine also needs OpenSSL installed.
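Review bot: in the first CompilationConfigure.cmake hunk (`@@ -260,12 +260,6 @@`), dropping the `FATAL_ERROR` for `ENABLE_SSL` without `ENABLE_LIBEVENT` lands before the commits that, per the commit message, add SSL on the poll socket class; until those follow-ups are in, `-DENABLE_SSL=ON` alone configures cleanly but has no SSL socket implementation behind it. Either land this guard removal after the poll-socket SSL commits, or say explicitly in the commit message that master is transiently in that state so nobody reads a successful configure as a working TLS build.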
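Review bot: the second CompilationConfigure.cmake hunk (`@@ -585,6 +579,10 @@`) introduces a new `USE_LIBEVENT=1` preprocessor define, but the configure.ac hunk in this patch adds no equivalent on the autotools side. Please confirm the autotools build already emits the same `USE_LIBEVENT` define; if it does not, the libevent-versus-poll socket selection that the follow-up commits will key on would differ between the two build systems. A one-line comment above `add_definitions(-DUSE_LIBEVENT=1)` noting where the autotools counterpart lives would also help the next reader.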
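Review bot: in the configure.ac hunk (`@@ -1602,8 +1602,6 @@`), removing the `AC_MSG_ERROR([SSL is currently only supported with libevent])` branch leaves no configure-time check for the `--enable-ssl` without `--enable-libevent` case, even though docs/ssl.md in this same patch states that path requires OpenSSL 1.1+. Consider adding a header or version check for that branch alongside `MESOS_HAVE_LIBEVENT_SSL()`, so an older OpenSSL fails at configure time with a clear message rather than later at compile time.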
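Review bot: in the first docs/ssl.md hunk (`@@ -5,16 +5,34 @@`), the Build Configuration text now describes two SSL implementations and the example shows both `../configure --enable-ssl` and `../configure --enable-libevent --enable-ssl`, but it never says which implementation is selected when both flags are given. Add one sentence stating the precedence (for example, that `--enable-libevent` selects the libevent-openssl implementation and plain `--enable-ssl` selects the generic wrapper, if that is the intended behaviour), since operators will want to know which code path terminates their TLS.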
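Review bot: in the third docs/ssl.md hunk (`@@ -214,8 +235,19 @@`), "because Mesos makes use of APIs introduced in later versions of OpenSSL" is too vague for a hard requirement; name the minimum release (1.1.0 versus 1.1.1) and, ideally, the API the generic wrapper depends on, and state whether the 1.0.2 branch remains usable on the libevent path. The surrounding paragraph asks readers to pick an OpenSSL branch "based on your security needs", so they need to know which branches each build mode actually accepts.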
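Review bot: in the second docs/windows.md hunk (`@@ -159,15 +159,9 @@`), "As of this writing, OpenSSL 1.1.x is supported." understates the change. The Windows instructions now use `-DENABLE_SSL=ON` without `-DENABLE_LIBEVENT=ON`, and docs/ssl.md in this patch says the non-libevent path requires OpenSSL 1.1+, so on Windows 1.1.x is now required, not merely supported, and the previously tested 1.0.2M no longer applies. Suggest "OpenSSL 1.1.x or newer is required" and dropping the "As of this writing" hedge, which no longer reflects a tentative state.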
