> On Sept. 20, 2016, 1:23 a.m., Joris Van Remoortere wrote:
> > 3rdparty/libprocess/src/openssl.cpp, lines 481-482
> > <https://reviews.apache.org/r/52031/diff/1/?file=1502587#file1502587line481>
> >
> >     Is there any information we can provide here about where we are looking 
> > for the defaults to help the user identify the problem?
> 
> Till Toenshoff wrote:
>     The defaults are baked into the openssl libraries at compile-time. The 
> user may override those using openssl's `SSL_CERT_FILE` and `SSL_CERT_DIR`. 
> There seems to be no public way to extract those paths back out to get them 
> displayed.
>     
>     Quick background: that information is obviously attached to the context, 
> internally that specific certificate stuff is handled by the 
> `X509_STORE`-API. The above call effectively attaches a new cert store to our 
> context and populates it with the content of the given file/dir path. The 
> result is a (bunch of) certificate/s attached. The source path however is 
> unknown later on - at least from the API point of view. So all we could 
> possibly show here are the context attached certificates but not their source 
> locations.

The documentation stays totally silent on `X509_get_default_cert_file` and 
`X509_get_default_cert_dir`. However, after checking their implementations, it 
seems to me as if they would never return the value/s of user-environment 
supplied overrides (e.g. `SSL_CERT_FILE`) but only the baked-in defaults. So 
instead of being helpful, in cases where the user used the OpenSSL-specific 
environment variables, the output of those functions would be even more 
confusing. In other words, if the user set `SSL_CERT_FILE` to 
`/foo/bar/cert.pem`, calling `X509_get_default_cert_file` would yield the 
baked-in default (e.g. `SSLCERTS:cert.pem`).


- Till


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/52031/#review149593
-----------------------------------------------------------
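
Added example, not part of the review thread or of the libprocess code: one way an error message could report the trust-store location that is actually in effect, by checking the environment override first and only then falling back to the compiled-in default. The names `TrustPath`, `resolveTrustPath` and `describe` are hypothetical, and the compiled-in default is passed in as a parameter (assumed to come from `X509_get_default_cert_file` / `X509_get_default_cert_dir`) so the code builds without OpenSSL.

```cpp
#include <cstdlib>
#include <iostream>
#include <string>
#include <sys/stat.h>

// Where a trust-store location came from and whether it is present on disk.
struct TrustPath {
  std::string path;
  bool fromEnvironment;  // true when the environment override is in effect
  bool exists;
};

// Lookup order discussed in the thread: the environment variable, when set,
// replaces the compiled-in default. `compiledDefault` stands in for the value
// X509_get_default_cert_file() or X509_get_default_cert_dir() returns.
TrustPath resolveTrustPath(const char* envName, const std::string& compiledDefault)
{
  const char* overrideValue = std::getenv(envName);
  TrustPath result;
  result.fromEnvironment = overrideValue != nullptr;
  result.path = result.fromEnvironment ? std::string(overrideValue) : compiledDefault;
  struct stat info;
  result.exists = ::stat(result.path.c_str(), &info) == 0;
  return result;
}

// One line suitable for appending to a certificate-loading error message.
std::string describe(const char* envName, const TrustPath& p)
{
  std::string source = p.fromEnvironment
    ? std::string("overridden by ") + envName
    : std::string("compiled-in default, ") + envName + " not set";
  return "'" + p.path + "' (" + source + (p.exists ? ")" : ", not found)");
}

int main()
{
  // Constructed sample defaults; real values depend on how OpenSSL was built.
  std::cout << describe("SSL_CERT_FILE",
      resolveTrustPath("SSL_CERT_FILE", "/usr/local/ssl/cert.pem")) << "\n";
  std::cout << describe("SSL_CERT_DIR",
      resolveTrustPath("SSL_CERT_DIR", "/usr/local/ssl/certs")) << "\n";
  return 0;
}
```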


On Sept. 19, 2016, 1:13 p.m., Till Toenshoff wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/52031/
> -----------------------------------------------------------
> 
> (Updated Sept. 19, 2016, 1:13 p.m.)
> 
> 
> Review request for mesos, Joris Van Remoortere and Joseph Wu.
> 
> 
> Bugs: MESOS-5320
>     https://issues.apache.org/jira/browse/MESOS-5320
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Adds the human readable openssl error messages for failure cases. Also
> fixes a spacing nit in one of the existing messages.
> 
> 
> Diffs
> -----
> 
>   3rdparty/libprocess/src/openssl.cpp 
> c09cdc89509e4e4ca4c8a0f4fb0a57156a3a6091 
> 
> Diff: https://reviews.apache.org/r/52031/diff/
> 
> 
> Testing
> -------
> 
> make check && functional testing
> 
> 
> Thanks,
> 
> Till Toenshoff
> 
>
