Posted to dev@thrift.apache.org by "Ping Li (JIRA)" <ji...@apache.org> on 2009/05/13 07:44:46 UTC

[jira] Updated: (THRIFT-151) TSSLServerSocket and TSSLSocket implementation

     [ https://issues.apache.org/jira/browse/THRIFT-151?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ping Li updated THRIFT-151:
---------------------------

    Attachment: ssl-redesigned.patch

I created a diff for the redesigned SSL. Again, I'm not familiar with the makefile structure. This diff doesn't include required changes in the Makefile. It's loaded only for review.

One issue I have is the error queue cleanup issue in OpenSSL. If the OpenSSL API is called in a thread, it is important to call ERR_remove_state(0) at the end of that thread. This is difficult to do in Thrift. In this diff, ERR_remove_state(0) is called whenever an SSL socket is closed. As long as only the Thrift application server is being used, this is not a problem. However, if the SSL socket is passed around threads, the error queue of involved threads may not be cleaned up correctly.

I tried a few approaches, but they either didn't work or had other issues. Other than the possible memory leak and unnecessary calls to ERR_remove_state(0), this design is very clean.

I added tutorial/README.SSL. For a working example, take a look at test/cpp/src/TestClient.cpp and TestServer.cpp. OpenSSL initialization and cleanup are taken care of inside TSSLSocketFactory, so you don't have to.

> TSSLServerSocket and TSSLSocket implementation
> ----------------------------------------------
>
>                 Key: THRIFT-151
>                 URL: https://issues.apache.org/jira/browse/THRIFT-151
>             Project: Thrift
>          Issue Type: Improvement
>          Components: Library (C++)
>            Reporter: Ian Pye
>         Attachments: ssl-pingli.patch, ssl-redesigned.patch, ssl-test-pingli.patch, ssl.patch
>
>   Original Estimate: 6h
>  Remaining Estimate: 6h
>
> SSL Connections w/ autogenerated self signed x509 certs seem to be the state of the art for rpc layers.
> It would be good if there was a C++ implementation of TSocket and TServerSocket classes.
> This is similar to the Java issue Thrift 106.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
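
The per-thread cleanup problem described in the comment above can be reproduced with a small model. This is an added example, not code from the attached patch or from Thrift, and it does not call OpenSSL: the table and the names `model_put_error`, `model_remove_state` and `ErrStateGuard` are hypothetical stand-ins for a per-thread error queue and for `ERR_remove_state(0)`.

```cpp
// Model of a per-thread error-state table (hypothetical names, no OpenSSL calls).
#include <cstddef>
#include <iostream>
#include <map>
#include <mutex>
#include <string>
#include <thread>
#include <vector>

static std::mutex g_lock;
static std::map<std::thread::id, std::vector<std::string>> g_states;

// A failing library call records an error under the calling thread's id.
void model_put_error(const std::string& msg) {
    std::lock_guard<std::mutex> g(g_lock);
    g_states[std::this_thread::get_id()].push_back(msg);
}

// Stand-in for ERR_remove_state(0): frees only the calling thread's entry.
void model_remove_state() {
    std::lock_guard<std::mutex> g(g_lock);
    g_states.erase(std::this_thread::get_id());
}

std::size_t live_states() {
    std::lock_guard<std::mutex> g(g_lock);
    return g_states.size();
}

// Cleanup tied to socket close: an I/O thread records an error and exits,
// then the calling thread "closes the socket". Returns entries left behind.
std::size_t cleanup_on_close() {
    std::thread io([] { model_put_error("handshake failed"); });
    io.join();
    model_remove_state();  // runs in the closing thread, not the I/O thread
    std::size_t leaked = live_states();
    { std::lock_guard<std::mutex> g(g_lock); g_states.clear(); }  // reset model
    return leaked;
}

// Cleanup tied to thread exit: a scope guard in the thread's entry function.
struct ErrStateGuard { ~ErrStateGuard() { model_remove_state(); } };
std::size_t cleanup_on_thread_exit() {
    std::thread io([] { ErrStateGuard guard; model_put_error("handshake failed"); });
    io.join();
    return live_states();
}

int main() { std::cout << cleanup_on_close() << " " << cleanup_on_thread_exit() << "\n"; }
```

`ERR_remove_state` was later deprecated, and since OpenSSL 1.1.0 the library releases per-thread error state itself, so the leak modelled here applies to the older API the comment refers to.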