You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@nifi.apache.org by "fgerlits (via GitHub)" <gi...@apache.org> on 2023/06/07 15:11:18 UTC

[GitHub] [nifi-minifi-cpp] fgerlits commented on a diff in pull request #1583: MINIFICPP-1719 Replace LibreSSL with OpenSSL 3.1

fgerlits commented on code in PR #1583:
URL: https://github.com/apache/nifi-minifi-cpp/pull/1583#discussion_r1221678296


##########
docker/test/integration/steps/steps.py:
##########
@@ -358,8 +358,8 @@ def step_impl(context):
 @given("an ssl context service set up for {producer_name} and {consumer_name}")
 def step_impl(context, producer_name, consumer_name):
     root_ca_cert, root_ca_key = make_ca("root CA")
-    minifi_cert, minifi_key = make_cert("minifi-cpp-flow", root_ca_cert, root_ca_key)
-    secondary_cert, secondary_key = make_cert("secondary", root_ca_cert, root_ca_key)
+    minifi_cert, minifi_key = make_cert("minifi-cpp-flow", root_ca_cert, root_ca_key, False)
+    secondary_cert, secondary_key = make_cert("secondary", root_ca_cert, root_ca_key, True)

Review Comment:
   I think it would be nicer to make the new parameter a string (or a list of strings), so these would be `make_cert(..., b"clientAuth")` and `make_cert(..., b"serverAuth")` instead of `False` and `True`.



##########
extensions/standard-processors/tests/integration/TLSClientSocketSupportedProtocolsTest.cpp:
##########


Review Comment:
   Can we add a `SimpleSSLTestServerTLSv1_3` (and client)?  It's OK if you want that to be done in a separate PR.



##########
README.md:
##########
@@ -151,6 +151,10 @@ and rebuild.
 * Lua and development headers -- Required if Lua support is enabled
 * libgps-dev -- Required if building libGPS support
 * Zlib headers
+* perl -- Required for OpenSSL configuration
+* NASM -- Required for OpenSSL only on Windows
+
+**NOTE** On Windows if Strawberry Perl is used the `${StrawberryPerlRoot}\c\bin` directory should not be part of the %PATH% variable as Strawberry Perl's patch.exe will be found as the patch executable in the configure phase instead if the git patch executable.

Review Comment:
   tiny typo:
   ```suggestion
   **NOTE** On Windows if Strawberry Perl is used the `${StrawberryPerlRoot}\c\bin` directory should not be part of the %PATH% variable as Strawberry Perl's patch.exe will be found as the patch executable in the configure phase instead of the git patch executable.
   ```



##########
cmake/BundledOpenSSL.cmake:
##########
@@ -0,0 +1,128 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+function(use_openssl SOURCE_DIR BINARY_DIR)
+    message("Using bundled OpenSSL")
+
+    if(APPLE OR WIN32 OR CMAKE_SIZEOF_VOID_P EQUAL 4)
+        set(LIBDIR "lib")
+    else()
+        set(LIBDIR "lib64")
+    endif()
+
+    # Define byproducts
+    set(BYPRODUCT_PREFIX "lib" CACHE STRING "" FORCE)
+    if (WIN32)
+        set(BYPRODUCT_SUFFIX ".lib" CACHE STRING "" FORCE)
+    elseif (APPLE AND (CMAKE_SYSTEM_PROCESSOR MATCHES "x86_64|amd64|AMD64"))
+        set(BYPRODUCT_SUFFIX ".dylib" CACHE STRING "" FORCE)
+    else()
+        set(BYPRODUCT_SUFFIX ".a" CACHE STRING "" FORCE)
+    endif()
+
+    if (APPLE AND (CMAKE_SYSTEM_PROCESSOR MATCHES "x86_64|amd64|AMD64"))
+        set(OPENSSL_SHARED_FLAG "" CACHE STRING "" FORCE)

Review Comment:
   Can you add a comment to explain why we need to do this, please?



##########
libminifi/test/SimpleSSLTestServer.h:
##########
@@ -50,11 +50,12 @@ class SimpleSSLTestServer  {
   };
 
  public:
-  SimpleSSLTestServer(const SSL_METHOD* method, int port, const std::filesystem::path& key_dir)
+  SimpleSSLTestServer(uint64_t disable_version, int port, const std::filesystem::path& key_dir)

Review Comment:
   I think `tls_version_flags` would be a better parameter name than `disable_version`.



##########
extensions/standard-processors/tests/unit/ListenTcpTests.cpp:
##########
@@ -287,7 +287,7 @@ TEST_CASE("Test ListenTCP SSL/TLS compatibility", "[ListenTCP][NetworkListenerPr
 
   SECTION("tlsv13 should be enabled") {
     client_method = asio::ssl::context::method::tlsv13_client;
-    expected_to_work = true;
+    expected_to_work = false;

Review Comment:
   What's going on here?  I would expect TLS 1.3 to go from `expected_to_work == false` to `true`, but apparently it's changing from `true` to `false`...



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@nifi.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org