> On June 21, 2019, 1:32 a.m., Till Toenshoff wrote: > > 3rdparty/libprocess/src/openssl.cpp > > Lines 808 (patched) > > <https://reviews.apache.org/r/70749/diff/4/?file=2151450#file2151450line808> > > > > I know you just moved it, but where do these 100ms come from and how > > could we be more explicit about that choice? > > > > I would suggest to use a const with some explaining comment how that > > value was chosen - can we please? :D
I'm afraid I have no idea where the 100ms come from. The suggestion sounds good, but I think the changes will fit better in a separate review, since they're not really related to hostname validation. > On June 21, 2019, 1:32 a.m., Till Toenshoff wrote: > > 3rdparty/libprocess/src/openssl.cpp > > Lines 984-985 (patched) > > <https://reviews.apache.org/r/70749/diff/4/?file=2151450#file2151450line984> > > > > This sounds like a great idea worth spending 1 more cycle on -- can we > > create and reference a ticket that explains this jazz as nicely as we do > > here in the code? > > > > My thought is that being open about this idea in JIRA, we would > > provide more chances of getting community support for it. Opened https://issues.apache.org/jira/browse/MESOS-9855 > On June 21, 2019, 1:32 a.m., Till Toenshoff wrote: > > 3rdparty/libprocess/src/openssl.cpp > > Lines 989 (patched) > > <https://reviews.apache.org/r/70749/diff/4/?file=2151450#file2151450line989> > > > > Shall we explain why this is the `right` way - aka best practices? Huh, I actually removed this now: I originally had a look at the OpenSSL example code and at RFC6125, but missed that partial wildcards are only disallowed in *internationalized* domain names. (and for these, openssl already does the correct thing regardless of this flag.) With this removed, we're a bit more loose than what a web browser would accept, but Mesos is not a web browser so that seems fine. - Benno ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/70749/#review216017 ----------------------------------------------------------- On June 20, 2019, 5:48 p.m., Benno Evers wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/70749/ > ----------------------------------------------------------- > > (Updated June 20, 2019, 5:48 p.m.) > > > Review request for mesos, Alexander Rukletsov, Joseph Wu, and Till Toenshoff. > > > Bugs: MESOS-9809 > https://issues.apache.org/jira/browse/MESOS-9809 > > > Repository: mesos > > > Description > ------- > > This commit introduces a new libprocess SSL flag > `hostname_validation_scheme`, which can be used to select > between the previous hostname validation behaviour and a new > option to use standardized OpenSSL algorithms to handle > hostname validation as part of the handshake. > > As a nice side-effect, the new scheme gets rid of reverse DNS > lookups during TLS connection establishment, which used to be > a common source of hard-to-debug unresponsiveness in Mesos > components. > > See `docs/ssl.md` in the follow-up commit for details of and > differences between the schemes. > > > Diffs > ----- > > 3rdparty/libprocess/include/process/ssl/flags.hpp > f3483f97f93bb29117b2c78f0f2ed9735d9c4b3a > 3rdparty/libprocess/src/openssl.hpp > 17bec246e516261f8d772f1647c17f092fae82d1 > 3rdparty/libprocess/src/openssl.cpp > e7dbd67913fa8e7fbbf60dee428e7e38895f86ce > 3rdparty/libprocess/src/posix/libevent/libevent_ssl_socket.hpp > 6ef5a86566af3439cfe0b06ab3576076623f7be0 > 3rdparty/libprocess/src/posix/libevent/libevent_ssl_socket.cpp > 29a1bf71c1df9d80370455a6269ecea0ec4193b0 > > > Diff: https://reviews.apache.org/r/70749/diff/4/ > > > Testing > ------- > > Todo! > > > Thanks, > > Benno Evers > >
