ciuncan opened a new pull request, #529:
URL: https://github.com/apache/pulsar-client-cpp/pull/529
Fixes #172
### Motivation
We've met this issue with a customer whose network does deep packet
inspection and somehow prevents TLSv1.2 connections from successfully completing the
handshake. Other clients such as Java/Rust work just fine as they are able to
connect with TLSv1.3. Since TLSv1.2 usage is hardcoded in the CPP client (and by
extension the Python client), a Pulsar connection was no longer possible from there.
I've opened a PR and would be happy to get it evaluated to be incorporated in
`pulsar-client` (we use the Python package).
### Modifications
The asio SSL context is now constructed with
`ASIO::ssl::context::sslv23_client` instead of
`ASIO::ssl::context::tlsv12_client`, and with the
`default_workarounds | no_sslv2 | no_sslv3 | no_tlsv1 | no_tlsv1_1` options, which exclude unsafe versions and
leave only TLSv1.2 and TLSv1.3. I've tested this connection on the network and
it worked fine.
### Verifying this change
- [x] Make sure that the change passes the CI checks.
This change added tests and can be verified as follows:
- Added TLS handshake tests (`TlsNegotiationTest.cc`) that will build a
mock server that will accept either only TLSv1.2 or TLSv1.3
- The updated client TLS connection code is tested against both protocol
versions
### Documentation
- [ ] `doc-required`
(Your PR needs to update docs and you will update later)
- [ ] `doc-not-needed`
(Please explain why)
- [ ] `doc`
(Your PR contains doc changes)
- [ ] `doc-complete`
(Docs have been already added)
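
What the version pinning described under Modifications looks like on the wire, as an added example that is not part of the PR or the project's code: it builds a pinned and a negotiating client context, captures each ClientHello in memory, and lists the protocol versions a middlebox would see offered. It uses Python's `ssl` module (also OpenSSL-backed) as a stand-in for the asio context, with `maximum_version = TLSv1_2` approximating `tlsv12_client`; the helper names and the hostname `broker.example` are hypothetical.

```python
import ssl

NAMES = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

def make_context(pinned):
    """pinned=True mimics a TLSv1.2-only client; False allows TLSv1.2 and TLSv1.3."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # like no_sslv3 | no_tlsv1 | no_tlsv1_1
    if pinned:
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def client_hello(ctx):
    """Return the first flight the client would send; no network is involved."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    # broker.example is a hypothetical server name used only for SNI.
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname="broker.example")
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello is written, client now waits for ServerHello
    return outgoing.read()

def offered_versions(record):
    """Parse a ClientHello record and list the protocol versions it offers."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    legacy = int.from_bytes(record[9:11], "big")
    pos = 5 + 4 + 2 + 32                                    # headers, version, random
    pos += 1 + record[pos]                                  # session id
    pos += 2 + int.from_bytes(record[pos:pos + 2], "big")   # cipher suites
    pos += 1 + record[pos]                                  # compression methods
    end = pos + 2 + int.from_bytes(record[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= end:
        ext_type = int.from_bytes(record[pos:pos + 2], "big")
        ext_len = int.from_bytes(record[pos + 2:pos + 4], "big")
        body = record[pos + 4:pos + 4 + ext_len]
        if ext_type == 0x002B:                              # supported_versions
            codes = [int.from_bytes(body[i:i + 2], "big")
                     for i in range(1, 1 + body[0], 2)]
            return [NAMES[c] for c in codes if c in NAMES]
        pos += 4 + ext_len
    # No supported_versions extension: legacy_version is the highest version offered.
    return [NAMES.get(legacy, hex(legacy))]

if __name__ == "__main__":
    for pinned in (True, False):
        print("pinned" if pinned else "negotiating",
              offered_versions(client_hello(make_context(pinned))))
```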