HTHou commented on PR #18130:
URL: https://github.com/apache/iotdb/pull/18130#issuecomment-4900823518

   I reviewed this PR locally against head 
`696ca4872a2a5c03635048a8a990c49b7e1d54b5`. I think there are a few issues 
worth addressing before merge:
   
   1. `trustStore` does not actually enable server certificate verification in 
the Thrift socket path.
   
      `RpcSslUtils::createTlsClientContext()` / `createTlcpClientContext()` 
load the trust store and set `SSL_VERIFY_PEER`, but 
`RpcSslUtils::createSslSocketFactory()` then calls 
`factory->authenticate(false)`. In Thrift 
`TSSLSocketFactory::authenticate(false)` resets the context verify mode to 
`SSL_VERIFY_NONE`, so the configured trust store is effectively bypassed for 
normal `Session` / `ThriftConnection` connections. This means the documented 
TLS one-way/server-authentication and TLCP trust-store behavior is not 
enforced. The current handshake tests use `SSL_connect` directly, so they do 
not cover this Thrift socket factory path.
   
      Could we make this conditional, for example call `authenticate(true)` 
when `config.effectiveTrustStore()` is set and keep `authenticate(false)` only 
for the legacy no-trust-store mode? It would also be good to add a 
Session/Thrift-level negative test where a wrong CA must fail.
   
   2. The bundled Tongsuo source is not pinned to an immutable artifact.
   
      `TONGSUO_GIT_REF` defaults to `8.4-stable`, and `FetchOpenSSL.cmake` 
downloads the branch tarball without an expected hash. Since that branch can 
move, the same IoTDB commit can produce different SDK binaries over time, which 
is risky for release reproducibility and dependency auditing. Please consider 
pinning a tag/commit and verifying the tarball hash.
   
   3. The packaged SDK examples are inconsistent with the updated examples 
README.
   
      `examples/README.md` documents `cpp_tls_example`, `cpp_ntls_example`, 
`tls_tree_example`, and `c_ntls_example`, but `src/assembly/client-cpp.xml` 
only packages the older example sources. Also, `examples/CMakeLists.txt` only 
creates the new TLS/TLCP example targets in the in-tree build path. After users 
unpack the released SDK zip, the documented TLS/TLCP examples are not 
available/buildable from the package.
   
   4. Architectural question: should Tongsuo be the default SSL provider for 
all C++ SDK builds?
   
      Since most users only need standard TLS, would it be possible to keep the 
default SDK on upstream OpenSSL and provide a Tongsuo/TLCP-specific build 
flavor only when TLCP is requested? For example, an explicit provider 
option/classifier such as `IOTDB_SSL_PROVIDER=TONGSUO` or a separate TLCP 
package could keep the default TLS path simpler, reduce the default 
dependency/build-toolchain surface, and limit the impact of Tongsuo to users 
who actually need TLCP.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to