----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/70748/ -----------------------------------------------------------
(Updated July 2, 2019, 5:28 p.m.) Review request for mesos, Alexander Rukletsov, Benjamin Mahler, Jan-Philip Gehrcke, Joseph Wu, and Till Toenshoff. Changes ------- Rebased on master; moved a message to prevent illogical warnings in logs. Bugs: MESOS-9810 https://issues.apache.org/jira/browse/MESOS-9810 Repository: mesos Description ------- This commit slightly updates the semants of the `LIBPROCESS_SSL_VERIFY_CERT` and `LIBPROCESS_SSL_REQUIRE_CERT` environment variables. The former now only applies to connections in client mode and the latter now only applies to connections in server mode. In particular, in TLS server mode we now *only* verify client certificates when `LIBPROCESS_SSL_REQUIRE_CERT` is set to `true`, regardless of the value of `LIBPROCESS_SSL_VERIFY_CERT`. In addtion, when in SSL client mode and `LIBPROCESS_SSL_VERIFY_CERT` has been set to `true`, enforce that the server actually presents a certificate that can be verified. Note that this is expected to be not a behavioural change in practice, since the TLS specification already states that a server MUST always send a certificate unless an anonymous cipher is used, and most TLS ciphersuites are configured to exclude anonymous ciphers. Diffs (updated) ----- 3rdparty/libprocess/src/openssl.hpp 17bec246e516261f8d772f1647c17f092fae82d1 3rdparty/libprocess/src/openssl.cpp 19d25a89f7dda1f6c66dd1ffc5051e35457d26b0 3rdparty/libprocess/src/posix/libevent/libevent_ssl_socket.cpp 7e2229a9ed815727500bd457356e5531607fa6cf 3rdparty/libprocess/src/tests/ssl_tests.cpp 5d360221937e68da185754f0633fa41a217c7107 Diff: https://reviews.apache.org/r/70748/diff/9/ Changes: https://reviews.apache.org/r/70748/diff/8-9/ Testing ------- See end of this chain. Thanks, Benno Evers