Posted to commits@mesos.apache.org by be...@apache.org on 2019/04/29 21:16:12 UTC

[mesos] branch 1.8.x updated (fc87c19 -> dea6de1)

This is an automated email from the ASF dual-hosted git repository.

bennoe pushed a change to branch 1.8.x
in repository https://gitbox.apache.org/repos/asf/mesos.git.


    from fc87c19  Updated the 1.8.0 CHANGELOG.
     new 9342fd1  Added LIBPROCESS_SSL_ENABLE_TLS_V1_3 environment variable.
     new dea6de1  Documented LIBPROCESS_SSL_ENABLE_TLS_V1_3.

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 3rdparty/libprocess/include/process/ssl/flags.hpp |  1 +
 3rdparty/libprocess/include/process/ssl/gtest.hpp |  1 +
 3rdparty/libprocess/src/openssl.cpp               | 15 ++++++++++++++-
 3rdparty/libprocess/src/openssl.hpp               |  1 +
 3rdparty/libprocess/src/tests/ssl_tests.cpp       |  7 ++++++-
 docs/ssl.md                                       |  2 ++
 6 files changed, 25 insertions(+), 2 deletions(-)


[mesos] 01/02: Added LIBPROCESS_SSL_ENABLE_TLS_V1_3 environment variable.

Posted by be...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

bennoe pushed a commit to branch 1.8.x
in repository https://gitbox.apache.org/repos/asf/mesos.git

commit 9342fd1989064caa109621b0dc1812c724451eea
Author: Stéphane Cottin <st...@vixns.com>
AuthorDate: Mon Apr 29 13:27:04 2019 +0200

    Added LIBPROCESS_SSL_ENABLE_TLS_V1_3 environment variable.
    
    When building mesos with libopenssl >= 1.1.1, TLS1.3 is enabled by
    default. This causes major communication issues between executors
    and agents.
    
    This patch adds a new `LIBPROCESS_SSL_ENABLE_TLS_V1_3` env var,
    disabled by default. It should be changed to enabled by default once
    full openssl >= 1.1 support lands.
    
    Review: https://reviews.apache.org/r/70562/
---
 3rdparty/libprocess/include/process/ssl/flags.hpp |  1 +
 3rdparty/libprocess/include/process/ssl/gtest.hpp |  1 +
 3rdparty/libprocess/src/openssl.cpp               | 15 ++++++++++++++-
 3rdparty/libprocess/src/openssl.hpp               |  1 +
 3rdparty/libprocess/src/tests/ssl_tests.cpp       |  7 ++++++-
 5 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/3rdparty/libprocess/include/process/ssl/flags.hpp b/3rdparty/libprocess/include/process/ssl/flags.hpp
index 3806266..f3483f9 100644
--- a/3rdparty/libprocess/include/process/ssl/flags.hpp
+++ b/3rdparty/libprocess/include/process/ssl/flags.hpp
@@ -50,6 +50,7 @@ public:
   bool enable_tls_v1_0;
   bool enable_tls_v1_1;
   bool enable_tls_v1_2;
+  bool enable_tls_v1_3;
 };
 
 
diff --git a/3rdparty/libprocess/include/process/ssl/gtest.hpp b/3rdparty/libprocess/include/process/ssl/gtest.hpp
index e173b32..6cdd781 100644
--- a/3rdparty/libprocess/include/process/ssl/gtest.hpp
+++ b/3rdparty/libprocess/include/process/ssl/gtest.hpp
@@ -131,6 +131,7 @@ protected:
     os::unsetenv("LIBPROCESS_SSL_ENABLE_TLS_V1_0");
     os::unsetenv("LIBPROCESS_SSL_ENABLE_TLS_V1_1");
     os::unsetenv("LIBPROCESS_SSL_ENABLE_TLS_V1_2");
+    os::unsetenv("LIBPROCESS_SSL_ENABLE_TLS_V1_3");
 
     // Copy the given map into the clean slate.
     foreachpair (
diff --git a/3rdparty/libprocess/src/openssl.cpp b/3rdparty/libprocess/src/openssl.cpp
index a4d5036..789bef6 100644
--- a/3rdparty/libprocess/src/openssl.cpp
+++ b/3rdparty/libprocess/src/openssl.cpp
@@ -159,6 +159,11 @@ Flags::Flags()
       "enable_tls_v1_2",
       "Enable SSLV1.2.",
       true);
+
+  add(&Flags::enable_tls_v1_3,
+      "enable_tls_v1_3",
+      "Enable SSLV1.3.",
+      false);
 }
 
 
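Review bot: The help text for the new flag, `"Enable SSLV1.3."`, does not say that the setting has no effect on builds whose OpenSSL lacks `SSL_OP_NO_TLSv1_3` — the later hunk in reinitialize() only reads enable_tls_v1_3 inside an `#if defined(SSL_OP_NO_TLSv1_3)` block — so an operator who sets LIBPROCESS_SSL_ENABLE_TLS_V1_3=true on such a build gets no TLS 1.3 and no indication why. Suggest `"Enable TLSv1.3. Ignored when libprocess is built against an OpenSSL without TLS 1.3 support."`. The protocol is TLS rather than SSL; the sibling flags use the same "SSLV1.x" wording, so renaming all of them would be a separate cleanup. Flags::Flags() starts outside the hunk.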
@@ -654,7 +659,11 @@ void reinitialize()
       SSL_OP_NO_SSLv3 |
       SSL_OP_NO_TLSv1 |
       SSL_OP_NO_TLSv1_1 |
-      SSL_OP_NO_TLSv1_2);
+      SSL_OP_NO_TLSv1_2
+#if defined(SSL_OP_NO_TLSv1_3)
+      | SSL_OP_NO_TLSv1_3
+#endif
+      );
 
   // Use server preference for cipher.
   long ssl_options = SSL_OP_CIPHER_SERVER_PREFERENCE;
@@ -672,6 +681,10 @@ void reinitialize()
   if (!ssl_flags->enable_tls_v1_1) { ssl_options |= SSL_OP_NO_TLSv1_1; }
   // Disable TLSv1.2.
   if (!ssl_flags->enable_tls_v1_2) { ssl_options |= SSL_OP_NO_TLSv1_2; }
+#if defined(SSL_OP_NO_TLSv1_3)
+  // Disable TLSv1.3.
+  if (!ssl_flags->enable_tls_v1_3) { ssl_options |= SSL_OP_NO_TLSv1_3; }
+#endif
 
   SSL_CTX_set_options(ctx, ssl_options);
 
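Review bot: When `SSL_OP_NO_TLSv1_3` is not defined, a user-set enable_tls_v1_3 is accepted and then silently ignored by the added `#if defined(SSL_OP_NO_TLSv1_3)` block, which makes a misconfiguration hard to notice. Add an `#else` branch before the `#endif` that surfaces it, e.g. `#else` / `if (ssl_flags->enable_tls_v1_3) { LOG(WARNING) << "LIBPROCESS_SSL_ENABLE_TLS_V1_3 is set but this OpenSSL build has no TLS 1.3 support"; }`, assuming the file already uses glog's LOG macros as the rest of libprocess does. reinitialize() starts outside the hunk.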
diff --git a/3rdparty/libprocess/src/openssl.hpp b/3rdparty/libprocess/src/openssl.hpp
index 0c4192f..17bec24 100644
--- a/3rdparty/libprocess/src/openssl.hpp
+++ b/3rdparty/libprocess/src/openssl.hpp
@@ -51,6 +51,7 @@ namespace openssl {
 //    LIBPROCESS_SSL_ENABLE_TLS_V1_0=(false|0,true|1)
 //    LIBPROCESS_SSL_ENABLE_TLS_V1_1=(false|0,true|1)
 //    LIBPROCESS_SSL_ENABLE_TLS_V1_2=(false|0,true|1)
+//    LIBPROCESS_SSL_ENABLE_TLS_V1_3=(false|0,true|1)
 //    LIBPROCESS_SSL_ECDH_CURVES=(auto|list of curves separated by ':')
 //
 // TODO(benh): When/If we need to support multiple contexts in the
diff --git a/3rdparty/libprocess/src/tests/ssl_tests.cpp b/3rdparty/libprocess/src/tests/ssl_tests.cpp
index 5e99449..6b8496a 100644
--- a/3rdparty/libprocess/src/tests/ssl_tests.cpp
+++ b/3rdparty/libprocess/src/tests/ssl_tests.cpp
@@ -121,7 +121,12 @@ static const vector<string> protocols = {
 #endif
   "LIBPROCESS_SSL_ENABLE_TLS_V1_0",
   "LIBPROCESS_SSL_ENABLE_TLS_V1_1",
-  "LIBPROCESS_SSL_ENABLE_TLS_V1_2"
+  "LIBPROCESS_SSL_ENABLE_TLS_V1_2",
+// On some platforms, we need to build against OpenSSL versions that
+// do not support TLS 1.3 yet.
+#ifdef SSL_OP_NO_TLSv1_3
+  "LIBPROCESS_SSL_ENABLE_TLS_V1_3",
+#endif
 };
 
 
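Review bot: The new entry is guarded with `#ifdef SSL_OP_NO_TLSv1_3` while openssl.cpp in the same change uses `#if defined(SSL_OP_NO_TLSv1_3)`; the two are equivalent, but using one spelling keeps the TLS 1.3 conditionals greppable across the tree, so consider `#if defined(SSL_OP_NO_TLSv1_3)` here too. The comment above the guard is placed at column 0 inside the initializer list; indenting it to match the entries would read more naturally. The `protocols` definition starts outside the hunk.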


[mesos] 02/02: Documented LIBPROCESS_SSL_ENABLE_TLS_V1_3.

Posted by be...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

bennoe pushed a commit to branch 1.8.x
in repository https://gitbox.apache.org/repos/asf/mesos.git

commit dea6de183cb395e9bbe4a308c330c4402c18ba64
Author: Stéphane Cottin <st...@vixns.com>
AuthorDate: Mon Apr 29 13:28:06 2019 +0200

    Documented LIBPROCESS_SSL_ENABLE_TLS_V1_3.
    
    Updated documentation about `LIBPROCESS_SSL_ENABLE_TLS_V1_3` and TLS1.3.
    
    Review: https://reviews.apache.org/r/70563/
---
 docs/ssl.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/docs/ssl.md b/docs/ssl.md
index e6c1181..ce50588 100644
--- a/docs/ssl.md
+++ b/docs/ssl.md
@@ -70,7 +70,9 @@ A list of `:`-separated ciphers. Use these if you want to restrict or open up th
 #### LIBPROCESS_SSL_ENABLE_TLS_V1_0=(false|0,true|1) [default=false|0]
 #### LIBPROCESS_SSL_ENABLE_TLS_V1_1=(false|0,true|1) [default=false|0]
 #### LIBPROCESS_SSL_ENABLE_TLS_V1_2=(false|0,true|1) [default=true|1]
+#### LIBPROCESS_SSL_ENABLE_TLS_V1_3=(false|0,true|1) [default=false|0]
 The above switches enable / disable the specified protocols. By default only TLS V1.2 is enabled. SSL V2 is always disabled; there is no switch to enable it. The mentality here is to restrict security by default, and force users to open it up explicitly. Many older version of the protocols have known vulnerabilities, so only enable these if you fully understand the risks.
+TLS V1.3 is not supported yet and should not be enabled. [MESOS-9730](https://issues.apache.org/jira/browse/MESOS-9730).
 _SSLv2 is disabled completely because modern versions of OpenSSL disable it using multiple compile time configuration options._
 #<a name="Dependencies"></a>Dependencies