-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70748/
-----------------------------------------------------------
(Updated July 2, 2019, 5:28 p.m.)
Review request for mesos, Alexander Rukletsov, Benjamin Mahler, Jan-Philip
Gehrcke, Joseph Wu, and Till Toenshoff.
Changes
-------
Rebased on master; moved a message to prevent illogical warnings in logs.
Bugs: MESOS-9810
https://issues.apache.org/jira/browse/MESOS-9810
Repository: mesos
Description
-------
This commit slightly updates the semants of the
`LIBPROCESS_SSL_VERIFY_CERT` and `LIBPROCESS_SSL_REQUIRE_CERT`
environment variables. The former now only applies to connections
in client mode and the latter now only applies to connections in
server mode.
In particular, in TLS server mode we now *only* verify client
certificates when `LIBPROCESS_SSL_REQUIRE_CERT` is set to `true`,
regardless of the value of `LIBPROCESS_SSL_VERIFY_CERT`.
In addtion, when in SSL client mode and `LIBPROCESS_SSL_VERIFY_CERT`
has been set to `true`, enforce that the server actually presents a
certificate that can be verified. Note that this is expected to be
not a behavioural change in practice, since the TLS specification
already states that a server MUST always send a certificate unless an
anonymous cipher is used, and most TLS ciphersuites are configured to
exclude anonymous ciphers.
Diffs (updated)
-----
3rdparty/libprocess/src/openssl.hpp 17bec246e516261f8d772f1647c17f092fae82d1
3rdparty/libprocess/src/openssl.cpp 19d25a89f7dda1f6c66dd1ffc5051e35457d26b0
3rdparty/libprocess/src/posix/libevent/libevent_ssl_socket.cpp
7e2229a9ed815727500bd457356e5531607fa6cf
3rdparty/libprocess/src/tests/ssl_tests.cpp
5d360221937e68da185754f0633fa41a217c7107
Diff: https://reviews.apache.org/r/70748/diff/9/
Changes: https://reviews.apache.org/r/70748/diff/8-9/
Testing
-------
See end of this chain.
Thanks,
Benno Evers
