-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/60913/#review181052
-----------------------------------------------------------



3rdparty/libprocess/src/openssl.cpp
Lines 294 (patched)
<https://reviews.apache.org/r/60913/#comment256488>

    Judging from the NGINX sources, it appears that `OPENSSL_NO_ECDH` got introduced by the configuration setup of OpenSSL 0.9.8. So any version before that possibly does not set this define when the feature is missing. This means we will have to guard against that.


- Till Toenshoff


On July 20, 2017, 12:37 p.m., Alexander Rojas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/60913/
> -----------------------------------------------------------
> 
> (Updated July 20, 2017, 12:37 p.m.)
> 
> 
> Review request for mesos, Jie Yu and Till Toenshoff.
> 
> 
> Bugs: MESOS-7792
>     https://issues.apache.org/jira/browse/MESOS-7792
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Support for Elliptic Curve Diffie Hellman algorithm requires extra
> configuration parameters which weren't part of Mesos.
> 
> This patch enables the extra configuration to Mesos in order to
> support ECDH algorithm; it also adds the ssl flag
> `LIBPROCESS_SSL_ECDH_CURVES` which allows for the specification of
> a specific elliptic curve.
> 
> 
> Diffs
> -----
> 
>   3rdparty/libprocess/include/process/ssl/flags.hpp 13fa7a0cc9d6d6d6849976a3ce383263c51504d7 
>   3rdparty/libprocess/src/openssl.hpp 7ded2c74b2f92aacfa0f366bd27d5e0df2b8f25c 
>   3rdparty/libprocess/src/openssl.cpp e6f17e4591f573186e1dc9697e1e7b60a841fe4f 
>   3rdparty/libprocess/src/tests/ssl_tests.cpp 8a14dcb865dfab34fb4d0d51f42a28a913fb7ace 
> 
> 
> Diff: https://reviews.apache.org/r/60913/diff/4/
> 
> 
> Testing
> -------
> 
> ```shell
> make check
> ```
> 
> Launched Mesos with only ECDHE handshake ciphers enabled
> 
> ```shell
> LIBPROCESS_SSL_ENABLED=1 \
> LIBPROCESS_SSL_KEY_FILE=/tmp/ssl/self-signed.key \
> LIBPROCESS_SSL_CERT_FILE=/tmp/ssl/self-signed.crt \
> LIBPROCESS_SSL_CIPHERS="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA" \
> ./bin/mesos-master.sh \
>   --work_dir=/tmp/mesos/master \
>   --log_dir=/tmp/mesos/master/log
> ```
> 
> Then in another shell:
> 
> ```shell
> http -v --verify=no https://${MESOS_MASTER_IP}:5050/state
> 
> # Launches a browser.
> open https://${MESOS_MASTER_IP}:5050/state
> 
> # List the set of supported ciphers.
> # Expected output:
> # > Starting Nmap 7.50 ( https://nmap.org ) at 2017-07-18 11:41 CEST
> # > Nmap scan report for ${MESOS_MASTER_HOSTNAME} (${MESOS_MASTER_IP})
> # > Host is up (0.13s latency).
> # > rDNS record for ${MESOS_MASTER_IP}: ${MESOS_MASTER_HOSTNAME}
> # >
> # > PORT     STATE SERVICE
> # > 5050/tcp open  mmcc
> # > | ssl-enum-ciphers:
> # > |   TLSv1.2:
> # > |     ciphers:
> # > |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
> # > |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
> # > |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
> # > |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
> # > |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
> # > |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
> # > |     compressors:
> # > |       NULL
> # > |     cipher preference: server
> # > |_  least strength: A
> # >
> # > Nmap done: 1 IP address (1 host up) scanned in 1.87 seconds
> wget https://svn.nmap.org/nmap/scripts/ssl-enum-ciphers.nse
> nmap --script ssl-enum-ciphers.nse -p 5050 ${MESOS_MASTER_IP}
> ```
> 
> 
> Thanks,
> 
> Alexander Rojas
> 
>
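The testing notes above read the `ssl-enum-ciphers` report by eye. As an added example (not part of this review or of the Mesos sources), here is a shell check that does the same verification automatically over a constructed report excerpt: every negotiated suite must be ECDHE and must use the curve configured through `LIBPROCESS_SSL_ECDH_CURVES`. The samples, the function name `check_ecdhe_only` and the `$HOST` placeholder are assumptions of this example.

```shell
# Constructed sample (not real scan output): the cipher section of an
# `nmap --script ssl-enum-ciphers` report where every suite is ECDHE
# on secp256r1, shaped like the expected output in the testing notes.
SAMPLE_GOOD='| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A'

# Constructed sample with two misconfigurations: a static-RSA suite
# (no forward secrecy) and an ECDHE suite negotiated on another curve.
SAMPLE_BAD='| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp384r1) - A
|_  least strength: A'

# check_ecdhe_only REPORT EXPECTED_CURVE
# Prints one line per offending suite and returns 1 if any suite is not
# ECDHE or was negotiated on a curve other than EXPECTED_CURVE (the value
# given to LIBPROCESS_SSL_ECDH_CURVES); returns 0 when every suite passes.
check_ecdhe_only() {
    printf '%s\n' "$1" | awk -v want="$2" '
        # Suite lines look like: "|   TLS_<suite> (<kx params>) - <grade>"
        /^\|[ ]+TLS_/ {
            suite = $2
            kx = $3
            gsub(/[()]/, "", kx)
            if (suite !~ /^TLS_ECDHE_/) {
                print "no forward secrecy: " suite
                bad = 1
                next
            }
            if (kx != want) {
                print "unexpected curve " kx ": " suite
                bad = 1
            }
        }
        END { exit bad + 0 }'
}

# Against a live master (HOST is a placeholder):
#   check_ecdhe_only "$(nmap --script ssl-enum-ciphers.nse -p 5050 "$HOST")" secp256r1
```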
