Posted to reviews@mesos.apache.org by Benno Evers <be...@mesosphere.com> on 2019/07/02 17:49:16 UTC

Re: Review Request 70749: Introduced RFC6125-compliant hostname validation scheme.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70749/
-----------------------------------------------------------

(Updated July 2, 2019, 5:49 p.m.)


Review request for mesos, Alexander Rukletsov, Benjamin Mahler, Joseph Wu, and Till Toenshoff.


Changes
-------

Rebased onto latest master; changed title.


Summary (updated)
-----------------

Introduced RFC6125-compliant hostname validation scheme.


Bugs: MESOS-9809
    https://issues.apache.org/jira/browse/MESOS-9809


Repository: mesos


Description
-------

This commit introduces a new libprocess SSL flag
`hostname_validation_scheme`, which can be used to select
between the previous hostname validation behaviour and a new
option to use standardized OpenSSL algorithms to handle
hostname validation as part of the

As a nice side-effect, the new scheme gets rid of reverse DNS
lookups during TLS connection establishment, which used to be
a common source of hard-to-debug unresponsiveness in Mesos
components.

See `docs/ssl.md` in the follow-up commit for details of and
differences between the schemes.


Diffs (updated)
-----

  3rdparty/libprocess/include/process/ssl/flags.hpp f3483f97f93bb29117b2c78f0f2ed9735d9c4b3a 
  3rdparty/libprocess/src/openssl.hpp 17bec246e516261f8d772f1647c17f092fae82d1 
  3rdparty/libprocess/src/openssl.cpp 19d25a89f7dda1f6c66dd1ffc5051e35457d26b0 
  3rdparty/libprocess/src/posix/libevent/libevent_ssl_socket.hpp 6ef5a86566af3439cfe0b06ab3576076623f7be0 
  3rdparty/libprocess/src/posix/libevent/libevent_ssl_socket.cpp 7e2229a9ed815727500bd457356e5531607fa6cf 


Diff: https://reviews.apache.org/r/70749/diff/8/

Changes: https://reviews.apache.org/r/70749/diff/7-8/


Testing (updated)
-------

See added unit tests later in this chain.


Thanks,

Benno Evers


Re: Review Request 70749: Introduced RFC6125-compliant hostname validation scheme.

Posted by Benno Evers <be...@mesosphere.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70749/
-----------------------------------------------------------

(Updated July 4, 2019, 6:52 p.m.)


Review request for mesos, Alexander Rukletsov, Benjamin Mahler, Joseph Wu, and Till Toenshoff.


Changes
-------

Renamed 'libprocess' -> 'legacy'


Bugs: MESOS-9809
    https://issues.apache.org/jira/browse/MESOS-9809


Repository: mesos


Description (updated)
-------

This commit introduces a new libprocess SSL flag
`hostname_validation_scheme`, which can be set to 'legacy'
to select the previous hostname validation behaviour or to
'openssl' to use standardized OpenSSL algorithms to handle
hostname validation as part of the TLS handshake.

As a nice side-effect, the new scheme gets rid of reverse DNS
lookups during TLS connection establishment, which used to be
a common source of hard-to-debug unresponsiveness in Mesos
components.

See `docs/ssl.md` in the follow-up commit for details of and
differences between the schemes.


Diffs (updated)
-----

  3rdparty/libprocess/include/process/ssl/flags.hpp f3483f97f93bb29117b2c78f0f2ed9735d9c4b3a 
  3rdparty/libprocess/src/openssl.hpp 17bec246e516261f8d772f1647c17f092fae82d1 
  3rdparty/libprocess/src/openssl.cpp 19d25a89f7dda1f6c66dd1ffc5051e35457d26b0 
  3rdparty/libprocess/src/posix/libevent/libevent_ssl_socket.hpp 6ef5a86566af3439cfe0b06ab3576076623f7be0 
  3rdparty/libprocess/src/posix/libevent/libevent_ssl_socket.cpp 7e2229a9ed815727500bd457356e5531607fa6cf 


Diff: https://reviews.apache.org/r/70749/diff/9/

Changes: https://reviews.apache.org/r/70749/diff/8-9/


Testing
-------

See added unit tests later in this chain.


Thanks,

Benno Evers
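

The following is an added example, not part of the original e-mails and not Mesos or OpenSSL code. It sketches the kind of name matching RFC 6125 describes: the dNSName entries presented in a certificate are compared against the name the client intended to connect to, with no reverse DNS lookup. The function names, the sample host names and the strict wildcard policy (whole left-most label only, at least two labels after it) are assumptions of this example.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Split a DNS name into labels on '.', lower-casing ASCII so that the
// comparison is case-insensitive.
static std::vector<std::string> splitLabels(const std::string& name) {
  std::vector<std::string> out(1);
  for (unsigned char c : name) {
    if (c == '.') out.emplace_back();
    else out.back() += static_cast<char>(std::tolower(c));
  }
  return out;
}

// True if `presented` (a dNSName from the certificate) matches `reference`
// (the name the client intended to connect to). No DNS lookup is involved.
bool matchesDnsName(const std::string& presented, const std::string& reference) {
  const std::vector<std::string> p = splitLabels(presented);
  const std::vector<std::string> r = splitLabels(reference);
  if (p.size() != r.size()) return false;  // '*' stands for exactly one label
  for (std::size_t i = 0; i < p.size(); ++i) {
    if (p[i].empty() || r[i].empty()) return false;  // malformed name
    if (r[i].find('*') != std::string::npos) return false;
    if (p[i].find('*') != std::string::npos) {
      // Policy assumed by this example: '*' must be the whole left-most label
      // and be followed by at least two labels (rejects "f*.a.b" and "*.com").
      if (i != 0 || p[i] != "*" || p.size() < 3) return false;
      continue;
    }
    if (p[i] != r[i]) return false;
  }
  return true;
}

// A certificate is acceptable if any of its dNSName entries matches.
bool matchesAny(const std::vector<std::string>& sans, const std::string& reference) {
  return std::any_of(sans.begin(), sans.end(),
      [&](const std::string& s) { return matchesDnsName(s, reference); });
}

int main() {
  // Constructed sample SAN list, not taken from any real certificate.
  const std::vector<std::string> sans = {"agent1.example.com", "*.mesos.example.com"};
  for (const char* host : {"leader.mesos.example.com", "a.b.mesos.example.com", "example.com"})
    std::cout << host << ": " << (matchesAny(sans, host) ? "match" : "no match") << "\n";
}
```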