Posted to commits@mesos.apache.org by be...@apache.org on 2019/04/29 20:30:29 UTC
[mesos] 01/02: Added LIBPROCESS_SSL_ENABLE_TLS_V1_3 environment
variable.
This is an automated email from the ASF dual-hosted git repository.
bennoe pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mesos.git
commit 712ee298800e257050d01b69abeaf3c4bc7d12ee
Author: Stéphane Cottin <st...@vixns.com>
AuthorDate: Mon Apr 29 13:27:04 2019 +0200
Added LIBPROCESS_SSL_ENABLE_TLS_V1_3 environment variable.
When building mesos with libopenssl >= 1.1.1, TLS1.3 is enabled by
default. This causes major communication issues between executors
and agents.
This patch adds a new `LIBPROCESS_SSL_ENABLE_TLS_V1_3` env var,
disabled by default. It should be switched to enabled by default once
full OpenSSL >= 1.1 support lands.
Review: https://reviews.apache.org/r/70562/
---
3rdparty/libprocess/include/process/ssl/flags.hpp | 1 +
3rdparty/libprocess/include/process/ssl/gtest.hpp | 1 +
3rdparty/libprocess/src/openssl.cpp | 15 ++++++++++++++-
3rdparty/libprocess/src/openssl.hpp | 1 +
3rdparty/libprocess/src/tests/ssl_tests.cpp | 7 ++++++-
5 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/3rdparty/libprocess/include/process/ssl/flags.hpp b/3rdparty/libprocess/include/process/ssl/flags.hpp
index 3806266..f3483f9 100644
--- a/3rdparty/libprocess/include/process/ssl/flags.hpp
+++ b/3rdparty/libprocess/include/process/ssl/flags.hpp
@@ -50,6 +50,7 @@ public:
bool enable_tls_v1_0;
bool enable_tls_v1_1;
bool enable_tls_v1_2;
+ bool enable_tls_v1_3;
};
diff --git a/3rdparty/libprocess/include/process/ssl/gtest.hpp b/3rdparty/libprocess/include/process/ssl/gtest.hpp
index e173b32..6cdd781 100644
--- a/3rdparty/libprocess/include/process/ssl/gtest.hpp
+++ b/3rdparty/libprocess/include/process/ssl/gtest.hpp
@@ -131,6 +131,7 @@ protected:
os::unsetenv("LIBPROCESS_SSL_ENABLE_TLS_V1_0");
os::unsetenv("LIBPROCESS_SSL_ENABLE_TLS_V1_1");
os::unsetenv("LIBPROCESS_SSL_ENABLE_TLS_V1_2");
+ os::unsetenv("LIBPROCESS_SSL_ENABLE_TLS_V1_3");
// Copy the given map into the clean slate.
foreachpair (
diff --git a/3rdparty/libprocess/src/openssl.cpp b/3rdparty/libprocess/src/openssl.cpp
index a4d5036..789bef6 100644
--- a/3rdparty/libprocess/src/openssl.cpp
+++ b/3rdparty/libprocess/src/openssl.cpp
@@ -159,6 +159,11 @@ Flags::Flags()
"enable_tls_v1_2",
"Enable SSLV1.2.",
true);
+
+ add(&Flags::enable_tls_v1_3,
+ "enable_tls_v1_3",
+ "Enable SSLV1.3.",
+ false);
}
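Review bot: The help text `"Enable SSLV1.3."` on the new flag names the wrong protocol — there is no SSL 1.3, and while the neighbouring entries carry the same SSL/TLS mix-up, the new line should not propagate it. The text should also tell operators that the flag is a no-op on builds whose OpenSSL predates TLS 1.3, since the option mask is compiled out in that case and nothing at runtime reports the request was ignored; I would write it as `"Enable TLSv1.3 (ignored when the linked OpenSSL has no TLS 1.3 support)."`. The Flags constructor starts before this hunk.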
@@ -654,7 +659,11 @@ void reinitialize()
SSL_OP_NO_SSLv3 |
SSL_OP_NO_TLSv1 |
SSL_OP_NO_TLSv1_1 |
- SSL_OP_NO_TLSv1_2);
+ SSL_OP_NO_TLSv1_2
+#if defined(SSL_OP_NO_TLSv1_3)
+ | SSL_OP_NO_TLSv1_3
+#endif
+ );
// Use server preference for cipher.
long ssl_options = SSL_OP_CIPHER_SERVER_PREFERENCE;
@@ -672,6 +681,10 @@ void reinitialize()
if (!ssl_flags->enable_tls_v1_1) { ssl_options |= SSL_OP_NO_TLSv1_1; }
// Disable TLSv1.2.
if (!ssl_flags->enable_tls_v1_2) { ssl_options |= SSL_OP_NO_TLSv1_2; }
+#if defined(SSL_OP_NO_TLSv1_3)
+ // Disable TLSv1.3.
+ if (!ssl_flags->enable_tls_v1_3) { ssl_options |= SSL_OP_NO_TLSv1_3; }
+#endif
SSL_CTX_set_options(ctx, ssl_options);
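Review bot: Nothing before `SSL_CTX_set_options(ctx, ssl_options)` verifies that at least one protocol version is still enabled after the per-flag `SSL_OP_NO_*` masking, and with TLS 1.3 now disabled by default an operator who hardens by setting `LIBPROCESS_SSL_ENABLE_TLS_V1_0/1_1/1_2=false` (expecting 1.3 to carry the traffic) ends up with no negotiable version and every handshake failing at runtime instead of a startup error. I would add a guard such as `if (!ssl_flags->enable_tls_v1_0 && !ssl_flags->enable_tls_v1_1 && !ssl_flags->enable_tls_v1_2 && !ssl_flags->enable_tls_v1_3) { /* reject configuration */ }` before the call, using whatever fatal-configuration path `reinitialize()` already uses elsewhere (not visible in this hunk), and log a warning when `enable_tls_v1_3` is true but `SSL_OP_NO_TLSv1_3` is undefined so the silent no-op is at least visible. As a later follow-up, on OpenSSL >= 1.1.0 the `SSL_OP_NO_*` protocol options are documented as deprecated in favour of `SSL_CTX_set_min_proto_version`/`SSL_CTX_set_max_proto_version`, which would express this as a range rather than a growing option mask. `reinitialize()` starts and ends outside this hunk.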
diff --git a/3rdparty/libprocess/src/openssl.hpp b/3rdparty/libprocess/src/openssl.hpp
index 0c4192f..17bec24 100644
--- a/3rdparty/libprocess/src/openssl.hpp
+++ b/3rdparty/libprocess/src/openssl.hpp
@@ -51,6 +51,7 @@ namespace openssl {
// LIBPROCESS_SSL_ENABLE_TLS_V1_0=(false|0,true|1)
// LIBPROCESS_SSL_ENABLE_TLS_V1_1=(false|0,true|1)
// LIBPROCESS_SSL_ENABLE_TLS_V1_2=(false|0,true|1)
+// LIBPROCESS_SSL_ENABLE_TLS_V1_3=(false|0,true|1)
// LIBPROCESS_SSL_ECDH_CURVES=(auto|list of curves separated by ':')
//
// TODO(benh): When/If we need to support multiple contexts in the
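Review bot: The new `LIBPROCESS_SSL_ENABLE_TLS_V1_3` line documents the accepted values but not the two things that differ from its siblings: it defaults to off, and it has no effect on builds against an OpenSSL without TLS 1.3. A one-line addition beneath it would save operators from discovering that by packet capture: `// (Defaults to false; ignored when the linked OpenSSL does not support TLS 1.3.)`.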
diff --git a/3rdparty/libprocess/src/tests/ssl_tests.cpp b/3rdparty/libprocess/src/tests/ssl_tests.cpp
index 5e99449..6b8496a 100644
--- a/3rdparty/libprocess/src/tests/ssl_tests.cpp
+++ b/3rdparty/libprocess/src/tests/ssl_tests.cpp
@@ -121,7 +121,12 @@ static const vector<string> protocols = {
#endif
"LIBPROCESS_SSL_ENABLE_TLS_V1_0",
"LIBPROCESS_SSL_ENABLE_TLS_V1_1",
- "LIBPROCESS_SSL_ENABLE_TLS_V1_2"
+ "LIBPROCESS_SSL_ENABLE_TLS_V1_2",
+// On some platforms, we need to build against OpenSSL versions that
+// do not support TLS 1.3 yet.
+#ifdef SSL_OP_NO_TLSv1_3
+ "LIBPROCESS_SSL_ENABLE_TLS_V1_3",
+#endif
};
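Review bot: The guard here is spelled `#ifdef SSL_OP_NO_TLSv1_3` while the same condition in openssl.cpp is written `#if defined(SSL_OP_NO_TLSv1_3)`; the two are equivalent, but picking one form for the feature test across the change makes it greppable as a single pattern when the "build against older OpenSSL" caveat is eventually removed. I would also move the explanatory comment out of the initializer list and above the `protocols` declaration (which starts before this hunk), so the list body stays a plain sequence of strings.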