-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70732/
-----------------------------------------------------------
Review request for mesos, Alexander Rukletsov, Jan-Philip Gehrcke, and Till Toenshoff.

Repository: mesos

Description
-------

When in SSL client mode and `LIBPROCESS_SSL_VERIFY_CERT=true` has been set, enforce that the server actually presents a certificate that can be verified.

Note that in most cases, the TLS stack would reject the connection before the code ever reaches `openssl::verify()`, since the TLS specification states that a server MUST always send a certificate unless an anonymous cipher is used.

Diffs
-----

  3rdparty/libprocess/src/openssl.cpp e7dbd67913fa8e7fbbf60dee428e7e38895f86ce
  3rdparty/libprocess/src/tests/ssl_tests.cpp 6b8496aeeed79ae1bd39d7013f4f403b248fdd4c

Diff: https://reviews.apache.org/r/70732/diff/1/

Testing
-------

Internal CI run. (Failed on platforms using OpenSSL < 1.1.1)

Some manual tests using Wireshark to verify that the second paragraph in the description is true, i.e. that the TLS stack actually rejects connections that don't present a certificate.

Thanks,

Benno Evers
