Posted to commits@mesos.apache.org by be...@apache.org on 2019/04/29 20:30:29 UTC

[mesos] 01/02: Added LIBPROCESS_SSL_ENABLE_TLS_V1_3 environment variable.

This is an automated email from the ASF dual-hosted git repository.

bennoe pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mesos.git

commit 712ee298800e257050d01b69abeaf3c4bc7d12ee
Author: Stéphane Cottin <st...@vixns.com>
AuthorDate: Mon Apr 29 13:27:04 2019 +0200

    Added LIBPROCESS_SSL_ENABLE_TLS_V1_3 environment variable.
    
    When building mesos with libopenssl >= 1.1.1, TLS1.3 is enabled by
    default. This causes major communication issues between executors
    and agents.
    
    This patch adds a new `LIBPROCESS_SSL_ENABLE_TLS_V1_3` env var,
    disabled by default. It should be changed to enabled by default once
    full openssl >= 1.1 support lands.
    
    Review: https://reviews.apache.org/r/70562/
---
 3rdparty/libprocess/include/process/ssl/flags.hpp |  1 +
 3rdparty/libprocess/include/process/ssl/gtest.hpp |  1 +
 3rdparty/libprocess/src/openssl.cpp               | 15 ++++++++++++++-
 3rdparty/libprocess/src/openssl.hpp               |  1 +
 3rdparty/libprocess/src/tests/ssl_tests.cpp       |  7 ++++++-
 5 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/3rdparty/libprocess/include/process/ssl/flags.hpp b/3rdparty/libprocess/include/process/ssl/flags.hpp
index 3806266..f3483f9 100644
--- a/3rdparty/libprocess/include/process/ssl/flags.hpp
+++ b/3rdparty/libprocess/include/process/ssl/flags.hpp
@@ -50,6 +50,7 @@ public:
   bool enable_tls_v1_0;
   bool enable_tls_v1_1;
   bool enable_tls_v1_2;
+  bool enable_tls_v1_3;
 };
 
 
diff --git a/3rdparty/libprocess/include/process/ssl/gtest.hpp b/3rdparty/libprocess/include/process/ssl/gtest.hpp
index e173b32..6cdd781 100644
--- a/3rdparty/libprocess/include/process/ssl/gtest.hpp
+++ b/3rdparty/libprocess/include/process/ssl/gtest.hpp
@@ -131,6 +131,7 @@ protected:
     os::unsetenv("LIBPROCESS_SSL_ENABLE_TLS_V1_0");
     os::unsetenv("LIBPROCESS_SSL_ENABLE_TLS_V1_1");
     os::unsetenv("LIBPROCESS_SSL_ENABLE_TLS_V1_2");
+    os::unsetenv("LIBPROCESS_SSL_ENABLE_TLS_V1_3");
 
     // Copy the given map into the clean slate.
     foreachpair (
diff --git a/3rdparty/libprocess/src/openssl.cpp b/3rdparty/libprocess/src/openssl.cpp
index a4d5036..789bef6 100644
--- a/3rdparty/libprocess/src/openssl.cpp
+++ b/3rdparty/libprocess/src/openssl.cpp
@@ -159,6 +159,11 @@ Flags::Flags()
       "enable_tls_v1_2",
       "Enable SSLV1.2.",
       true);
+
+  add(&Flags::enable_tls_v1_3,
+      "enable_tls_v1_3",
+      "Enable SSLV1.3.",
+      false);
 }
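Review bot: The help text `"Enable SSLV1.3."` on the new `add(&Flags::enable_tls_v1_3, ...)` entry mirrors the sibling entries' wording but does not tell an operator the two things that matter for this flag: it is off by default, and it has no effect when libprocess is linked against an OpenSSL that predates TLS 1.3 (the guard on `SSL_OP_NO_TLSv1_3` in openssl.cpp compiles the handling out). Both facts are in the commit message, and the flag description is where an operator reading `--help` or the environment docs will look for them. Consider `"Enable TLSv1.3. Defaults to false; has no effect if the linked OpenSSL does not support TLS 1.3."`. Flags::Flags() begins before this hunk.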
 
 
@@ -654,7 +659,11 @@ void reinitialize()
       SSL_OP_NO_SSLv3 |
       SSL_OP_NO_TLSv1 |
       SSL_OP_NO_TLSv1_1 |
-      SSL_OP_NO_TLSv1_2);
+      SSL_OP_NO_TLSv1_2
+#if defined(SSL_OP_NO_TLSv1_3)
+      | SSL_OP_NO_TLSv1_3
+#endif
+      );
 
   // Use server preference for cipher.
   long ssl_options = SSL_OP_CIPHER_SERVER_PREFERENCE;
@@ -672,6 +681,10 @@ void reinitialize()
   if (!ssl_flags->enable_tls_v1_1) { ssl_options |= SSL_OP_NO_TLSv1_1; }
   // Disable TLSv1.2.
   if (!ssl_flags->enable_tls_v1_2) { ssl_options |= SSL_OP_NO_TLSv1_2; }
+#if defined(SSL_OP_NO_TLSv1_3)
+  // Disable TLSv1.3.
+  if (!ssl_flags->enable_tls_v1_3) { ssl_options |= SSL_OP_NO_TLSv1_3; }
+#endif
 
   SSL_CTX_set_options(ctx, ssl_options);
 
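Review bot: When `enable_tls_v1_3` is true on a build where `SSL_OP_NO_TLSv1_3` is undefined, the new `#if defined(SSL_OP_NO_TLSv1_3)` block is compiled out entirely, so an operator who set `LIBPROCESS_SSL_ENABLE_TLS_V1_3=1` gets no signal that TLS 1.3 is unavailable and will assume the stronger protocol is negotiable. An `#else` branch that logs a warning when the flag is set, e.g. `#else` / `if (ssl_flags->enable_tls_v1_3) { /* log: TLS 1.3 requested but unsupported by the linked OpenSSL */ }` / `#endif`, makes the silent no-op visible in the agent/executor logs where the interop issues described in the commit would otherwise be debugged. Separately, and inferred rather than visible here: OpenSSL configures TLS 1.3 cipher suites through a different call (SSL_CTX_set_ciphersuites) than the TLS <= 1.2 cipher list, so if reinitialize() restricts ciphers elsewhere with SSL_CTX_set_cipher_list, that restriction will not govern TLS 1.3 handshakes once this flag is turned on — worth a comment next to the new guard so the eventual flip to default-true does not widen the accepted suite set unnoticed. reinitialize() begins before this hunk and continues after it.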
diff --git a/3rdparty/libprocess/src/openssl.hpp b/3rdparty/libprocess/src/openssl.hpp
index 0c4192f..17bec24 100644
--- a/3rdparty/libprocess/src/openssl.hpp
+++ b/3rdparty/libprocess/src/openssl.hpp
@@ -51,6 +51,7 @@ namespace openssl {
 //    LIBPROCESS_SSL_ENABLE_TLS_V1_0=(false|0,true|1)
 //    LIBPROCESS_SSL_ENABLE_TLS_V1_1=(false|0,true|1)
 //    LIBPROCESS_SSL_ENABLE_TLS_V1_2=(false|0,true|1)
+//    LIBPROCESS_SSL_ENABLE_TLS_V1_3=(false|0,true|1)
 //    LIBPROCESS_SSL_ECDH_CURVES=(auto|list of curves separated by ':')
 //
 // TODO(benh): When/If we need to support multiple contexts in the
diff --git a/3rdparty/libprocess/src/tests/ssl_tests.cpp b/3rdparty/libprocess/src/tests/ssl_tests.cpp
index 5e99449..6b8496a 100644
--- a/3rdparty/libprocess/src/tests/ssl_tests.cpp
+++ b/3rdparty/libprocess/src/tests/ssl_tests.cpp
@@ -121,7 +121,12 @@ static const vector<string> protocols = {
 #endif
   "LIBPROCESS_SSL_ENABLE_TLS_V1_0",
   "LIBPROCESS_SSL_ENABLE_TLS_V1_1",
-  "LIBPROCESS_SSL_ENABLE_TLS_V1_2"
+  "LIBPROCESS_SSL_ENABLE_TLS_V1_2",
+// On some platforms, we need to build against OpenSSL versions that
+// do not support TLS 1.3 yet.
+#ifdef SSL_OP_NO_TLSv1_3
+  "LIBPROCESS_SSL_ENABLE_TLS_V1_3",
+#endif
 };
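Review bot: The guard here is spelled `#ifdef SSL_OP_NO_TLSv1_3` while the two sites in openssl.cpp use `#if defined(SSL_OP_NO_TLSv1_3)` for the same condition; picking one form keeps the three occurrences greppable together and makes it obvious they are meant to toggle as a unit. The explanatory comment would also read better indented with the list entries it describes, `  // On some platforms, we need to build against OpenSSL versions that` / `  // do not support TLS 1.3 yet.`, since the column-0 placement reads like a preprocessor line rather than part of the initializer. The `protocols` initializer opens before this hunk.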