Dan Burkert has posted comments on this change. Change subject: TLS-negotiation [7/n]: Add TLS helper classes for handling tunneled TLS handshakes ......................................................................
Patch Set 10: (7 comments) http://gerrit.cloudera.org:8080/#/c/5761/10/src/kudu/security/CMakeLists.txt File src/kudu/security/CMakeLists.txt: PS10, Line 73: tls_handshake-test > I just mean that the 'test/' subdir isn't meant to contain unit tests, but OK going to keep it as is for now. It definitely shows up in the list of ctest tests. http://gerrit.cloudera.org:8080/#/c/5761/10/src/kudu/security/tls_context.cc File src/kudu/security/tls_context.cc: PS10, Line 41: nullptr, SSL_CTX_free > nit: you could use ssl_make_unique() here; add the trait for SSL_CTX type. Done PS10, Line 46: CHECK(!ctx_.get()); > nit: CHECK(!ctx) would be enough, I think Done http://gerrit.cloudera.org:8080/#/c/5761/10/src/kudu/security/tls_context.h File src/kudu/security/tls_context.h: PS10, Line 58: std::unique_ptr<SSL_CTX, std::function<void(SSL_CTX*)>> > nit: openssl_util.h have a handy typedef for this type of wrappers. Done http://gerrit.cloudera.org:8080/#/c/5761/10/src/kudu/security/tls_handshake.cc File src/kudu/security/tls_handshake.cc: PS10, Line 89: unique_ptr<X509, void(*)(X509*)> cert > nit: you could use ssl_make_unique here: Done PS10, Line 94: // Get the peer's hostname : Sockaddr peer_addr; : if (!socket.GetPeerAddress(&peer_addr).ok()) { : return Status::NotAuthorized("Handshake failed: Could not retrieve peer address"); : } : string peer_hostname; : RETURN_NOT_OK(peer_addr.LookupHostname(&peer_hostname)); > It might be subject alternative name (SAN) instead. I think we are about t I think that's covered by the call to 'X509_check_host' (at least according to the comment). http://gerrit.cloudera.org:8080/#/c/5761/10/src/kudu/security/tls_handshake.h File src/kudu/security/tls_handshake.h: PS10, Line 83: ssl_ > I could not find where it's set. Probably I'm missing something. It's set directly by TlsContext, but now that you point it out that's pretty confusing. I'll make it a private setter instead. -- To view, visit http://gerrit.cloudera.org:8080/5761 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-MessageType: comment Gerrit-Change-Id: I6776dbdc488eee56f7273cdd8bcd2b2b8c1ffa04 Gerrit-PatchSet: 10 Gerrit-Project: kudu Gerrit-Branch: master Gerrit-Owner: Dan Burkert <[email protected]> Gerrit-Reviewer: Adar Dembo <[email protected]> Gerrit-Reviewer: Alexey Serbin <[email protected]> Gerrit-Reviewer: Dan Burkert <[email protected]> Gerrit-Reviewer: Kudu Jenkins Gerrit-Reviewer: Sailesh Mukil <[email protected]> Gerrit-Reviewer: Tidy Bot Gerrit-Reviewer: Todd Lipcon <[email protected]> Gerrit-HasComments: Yes
