You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@mesos.apache.org by be...@apache.org on 2019/09/20 18:22:23 UTC
[mesos] branch master updated (b13de7e -> 9f1d38f)
This is an automated email from the ASF dual-hosted git repository.
bennoe pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/mesos.git.
from b13de7e Implemented displaying roles of multi-role frameworks as a tree.
new 8595a52 Removed an outdated reference to the 'libprocess' hostname validation.
new 9f1d38f Introduced new names for SSL-related libprocess flags.
The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Summary of changes:
3rdparty/libprocess/include/process/ssl/flags.hpp | 2 +
3rdparty/libprocess/include/process/ssl/gtest.hpp | 2 +
3rdparty/libprocess/src/openssl.cpp | 65 +++++++++++++++++------
3rdparty/libprocess/src/openssl.hpp | 2 +
3rdparty/libprocess/src/tests/ssl_tests.cpp | 48 ++++++++---------
docs/ssl.md | 16 ++++--
docs/upgrades.md | 40 ++++++++++++++
7 files changed, 129 insertions(+), 46 deletions(-)
[mesos] 01/02: Removed an outdated reference to the 'libprocess'
hostname validation.
Posted by be...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
bennoe pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mesos.git
commit 8595a52fa70016f6babb19ec1465c3bbae73f30a
Author: Benno Evers <be...@mesosphere.com>
AuthorDate: Tue Sep 17 14:02:39 2019 +0200
Removed an outdated reference to the 'libprocess' hostname validation.
Removed a reference to the 'libprocess' hostname validation scheme,
which was renamed to 'legacy' during development.
Review: https://reviews.apache.org/r/71496
---
3rdparty/libprocess/src/openssl.cpp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/3rdparty/libprocess/src/openssl.cpp b/3rdparty/libprocess/src/openssl.cpp
index 54d47cd..98824f7 100644
--- a/3rdparty/libprocess/src/openssl.cpp
+++ b/3rdparty/libprocess/src/openssl.cpp
@@ -840,7 +840,7 @@ Try<Nothing> verify(
// the peer hostname using a reverse DNS lookup.
Option<std::string> peer_hostname = hostname;
if (ip.isSome()) {
- VLOG(1) << "Doing rDNS lookup for 'libprocess' hostname validation";
+ VLOG(1) << "Doing rDNS lookup for 'legacy' hostname validation";
Stopwatch watch;
watch.start();
[mesos] 02/02: Introduced new names for SSL-related libprocess
flags.
Posted by be...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
bennoe pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mesos.git
commit 9f1d38f491e8d9c02bebb094da87467bb70a8d27
Author: Benno Evers <be...@mesosphere.com>
AuthorDate: Tue Sep 17 14:04:35 2019 +0200
Introduced new names for SSL-related libprocess flags.
The `LIBPROCESS_SSL_REQUIRE_CERT` flag was renamed to
`LIBPROCESS_SSL_REQUIRE_CLIENT_CERT`.
The `LIBPROCESS_SSL_VERIFY_CERT` flag was renamed to
`LIBPROCESS_SSL_VERIFY_SERVER_CERT`.
The new names better describe the actual effect of both flags, and
make upgrades easier by allowing operators to only enable verification
on agents that are new enough to contain the updated hostname
validation code paths.
Review: https://reviews.apache.org/r/71497
---
3rdparty/libprocess/include/process/ssl/flags.hpp | 2 +
3rdparty/libprocess/include/process/ssl/gtest.hpp | 2 +
3rdparty/libprocess/src/openssl.cpp | 63 +++++++++++++++++------
3rdparty/libprocess/src/openssl.hpp | 2 +
3rdparty/libprocess/src/tests/ssl_tests.cpp | 48 ++++++++---------
docs/ssl.md | 16 ++++--
docs/upgrades.md | 40 ++++++++++++++
7 files changed, 128 insertions(+), 45 deletions(-)
diff --git a/3rdparty/libprocess/include/process/ssl/flags.hpp b/3rdparty/libprocess/include/process/ssl/flags.hpp
index 1a0e382..27f02da 100644
--- a/3rdparty/libprocess/include/process/ssl/flags.hpp
+++ b/3rdparty/libprocess/include/process/ssl/flags.hpp
@@ -39,7 +39,9 @@ public:
Option<std::string> cert_file;
Option<std::string> key_file;
bool verify_cert;
+ bool verify_server_cert;
bool require_cert;
+ bool require_client_cert;
bool verify_ipadd;
unsigned int verification_depth;
Option<std::string> ca_dir;
diff --git a/3rdparty/libprocess/include/process/ssl/gtest.hpp b/3rdparty/libprocess/include/process/ssl/gtest.hpp
index 30a15f4..4a14a8e 100644
--- a/3rdparty/libprocess/include/process/ssl/gtest.hpp
+++ b/3rdparty/libprocess/include/process/ssl/gtest.hpp
@@ -122,7 +122,9 @@ protected:
os::unsetenv("LIBPROCESS_SSL_CERT_FILE");
os::unsetenv("LIBPROCESS_SSL_KEY_FILE");
os::unsetenv("LIBPROCESS_SSL_VERIFY_CERT");
+ os::unsetenv("LIBPROCESS_SSL_VERIFY_SERVER_CERT");
os::unsetenv("LIBPROCESS_SSL_REQUIRE_CERT");
+ os::unsetenv("LIBPROCESS_SSL_REQUIRE_CLIENT_CERT");
os::unsetenv("LIBPROCESS_SSL_VERIFY_DEPTH");
os::unsetenv("LIBPROCESS_SSL_CA_DIR");
os::unsetenv("LIBPROCESS_SSL_CA_FILE");
diff --git a/3rdparty/libprocess/src/openssl.cpp b/3rdparty/libprocess/src/openssl.cpp
index 98824f7..832a1e1 100644
--- a/3rdparty/libprocess/src/openssl.cpp
+++ b/3rdparty/libprocess/src/openssl.cpp
@@ -110,14 +110,29 @@ Flags::Flags()
"key_file",
"Path to key.");
+ // NOTE: We're not using the libprocess built-in `DeprecatedName` mechanism
+ // for these aliases. This is to prevent the situation where a task
+ // configuration specifies the old value and the agent configuration
+ // specifies the new value, causing a program crash at startup when
+ // libprocess parses the environment for flags.
add(&Flags::verify_cert,
"verify_cert",
+ "Legacy alias for `verify_server_cert`.",
+ false);
+
+ add(&Flags::verify_server_cert,
+ "verify_server_cert",
"Whether or not to require and verify server certificates for "
"connections in client mode.",
false);
add(&Flags::require_cert,
"require_cert",
+ "Legacy alias for `require_client_cert",
+ false);
+
+ add(&Flags::require_client_cert,
+ "require_client_cert",
"Whether or not to require and verify client certificates for "
"connections in server mode.",
false);
@@ -531,9 +546,23 @@ void reinitialize()
"Failed SSL connections will be downgraded to a non-SSL socket";
}
+ // TODO(bevers): Remove the deprecated names for these flags after an
+ // appropriate amount of time. (MESOS-9973)
+ if (ssl_flags->verify_cert) {
+ LOG(WARNING) << "Usage of LIBPROCESS_SSL_VERIFY_CERT is deprecated; "
+ "it was renamed to LIBPROCESS_SSL_VERIFY_SERVER_CERT";
+ ssl_flags->verify_server_cert = true;
+ }
+
+ if (ssl_flags->require_cert) {
+ LOG(WARNING) << "Usage of LIBPROCESS_SSL_REQUIRE_CERT is deprecated; "
+ "it was renamed to LIBPROCESS_SSL_REQUIRE_CLIENT_CERT";
+ ssl_flags->require_client_cert = true;
+ }
+
// Print an additional warning if certificate verification is enabled while
// supporting downgrades, since this is most likely a misconfiguration.
- if ((ssl_flags->require_cert || ssl_flags->verify_cert) &&
+ if ((ssl_flags->require_client_cert || ssl_flags->verify_server_cert) &&
ssl_flags->support_downgrade) {
LOG(WARNING)
<< "TLS certificate verification was enabled by setting one of"
@@ -563,7 +592,7 @@ void reinitialize()
<< "Set CA directory path with LIBPROCESS_SSL_CA_DIR=<dirpath>";
}
- if (ssl_flags->require_cert) {
+ if (ssl_flags->require_client_cert) {
LOG(INFO) << "Will require client certificates for incoming TLS "
<< "connections.";
}
@@ -573,7 +602,7 @@ void reinitialize()
#if defined(_EVENT_HAVE_EPOLL) && \
defined(_EVENT_NUMERIC_VERSION) && \
_EVENT_NUMERIC_VERSION < 0x02010400L
- if (ssl_flags->require_cert &&
+ if (ssl_flags->require_client_cert &&
ssl_flags->hostname_validation_scheme == "legacy") {
LOG(WARNING) << "Enabling client certificate validation with the "
<< "'legacy' hostname validation scheme is known to "
@@ -587,24 +616,26 @@ void reinitialize()
<< "certificate extension.";
}
- if (ssl_flags->require_cert && !ssl_flags->verify_cert) {
+ if (ssl_flags->require_client_cert && !ssl_flags->verify_server_cert) {
// For backwards compatibility, `require_cert` implies `verify_cert`.
//
- // NOTE: Even without backwards compatility considerations, this would
- // be a reasonable requirement on the configuration.
- ssl_flags->verify_cert = true;
+ // NOTE: Even without backwards compatibility considerations, this is
+ // a reasonable requirement on the configuration so we apply the
+ // same logic even when the modern names `require_client_cert` and
+ // `verify_server_cert` are used.
+ ssl_flags->verify_server_cert = true;
LOG(INFO) << "LIBPROCESS_SSL_REQUIRE_CERT implies "
<< "server certificate verification.\n"
<< "LIBPROCESS_SSL_VERIFY_CERT set to true";
}
- if (ssl_flags->verify_cert) {
+ if (ssl_flags->verify_server_cert) {
LOG(INFO) << "Will verify server certificates for outgoing TLS "
<< "connections.";
} else {
LOG(INFO) << "Will not verify server certificates!\n"
- << "NOTE: Set LIBPROCESS_SSL_VERIFY_CERT=1 to enable "
+ << "NOTE: Set LIBPROCESS_SSL_VERIFY_SERVER_CERT=1 to enable "
<< "peer certificate verification";
}
@@ -626,7 +657,7 @@ void reinitialize()
// Initialize OpenSSL if we've been asked to do verification of peer
// certificates.
- if (ssl_flags->verify_cert) {
+ if (ssl_flags->verify_server_cert) {
// Set CA locations.
if (ssl_flags->ca_file.isSome() || ssl_flags->ca_dir.isSome()) {
const char* ca_file =
@@ -801,11 +832,11 @@ Try<Nothing> verify(
const Option<net::IP>& ip)
{
// Return early if we don't need to verify.
- if (mode == Mode::CLIENT && !ssl_flags->verify_cert) {
+ if (mode == Mode::CLIENT && !ssl_flags->verify_server_cert) {
return Nothing();
}
- if (mode == Mode::SERVER && !ssl_flags->require_cert) {
+ if (mode == Mode::SERVER && !ssl_flags->require_client_cert) {
return Nothing();
}
@@ -866,7 +897,7 @@ Try<Nothing> verify(
if (!ssl_flags->verify_ipadd && peer_hostname.isNone()) {
X509_free(cert);
- return ssl_flags->require_cert
+ return ssl_flags->require_client_cert
? Error("Cannot verify peer certificate: peer hostname unknown")
: Try<Nothing>(Nothing());
}
@@ -1008,14 +1039,14 @@ Try<Nothing> configure_socket(
const Address& peer_address,
const Option<std::string>& peer_hostname)
{
- if (mode == Mode::CLIENT && ssl_flags->verify_cert) {
+ if (mode == Mode::CLIENT && ssl_flags->verify_server_cert) {
SSL_set_verify(
ssl,
SSL_VERIFY_PEER,
&verify_callback);
}
- if (mode == Mode::SERVER && ssl_flags->require_cert) {
+ if (mode == Mode::SERVER && ssl_flags->require_client_cert) {
SSL_set_verify(
ssl,
SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
@@ -1039,7 +1070,7 @@ Try<Nothing> configure_socket(
return Nothing();
}
- if (mode == openssl::Mode::CLIENT && !ssl_flags->verify_cert) {
+ if (mode == openssl::Mode::CLIENT && !ssl_flags->verify_server_cert) {
return Nothing();
}
diff --git a/3rdparty/libprocess/src/openssl.hpp b/3rdparty/libprocess/src/openssl.hpp
index 271cc95..2958577 100644
--- a/3rdparty/libprocess/src/openssl.hpp
+++ b/3rdparty/libprocess/src/openssl.hpp
@@ -45,7 +45,9 @@ namespace openssl {
// LIBPROCESS_SSL_CERT_FILE=(path to certificate)
// LIBPROCESS_SSL_KEY_FILE=(path to key)
// LIBPROCESS_SSL_VERIFY_CERT=(false|0,true|1)
+// LIBPROCESS_SSL_VERIFY_SERVER_CERT=(false|0,true|1)
// LIBPROCESS_SSL_REQUIRE_CERT=(false|0,true|1)
+// LIBPROCESS_SSL_REQUIRE_CLIENT_CERT=(false|0,true|1)
// LIBPROCESS_SSL_VERIFY_IPADD=(false|0,true|1)
// LIBPROCESS_SSL_VERIFY_DEPTH=(4)
// LIBPROCESS_SSL_CA_DIR=(path to CA directory)
diff --git a/3rdparty/libprocess/src/tests/ssl_tests.cpp b/3rdparty/libprocess/src/tests/ssl_tests.cpp
index 9d5ab67..3f1d103 100644
--- a/3rdparty/libprocess/src/tests/ssl_tests.cpp
+++ b/3rdparty/libprocess/src/tests/ssl_tests.cpp
@@ -216,7 +216,7 @@ INSTANTIATE_TEST_CASE_P(HostnameValidationScheme,
// Ensure that a certificate that was not generated using the
// certificate authority is still allowed to communicate as long as
-// the LIBPROCESS_SSL_VERIFY_CERT and LIBPROCESS_SSL_REQUIRE_CERT
+// the LIBPROCESS_SSL_VERIFY_SERVER_CERT and LIBPROCESS_SSL_REQUIRE_CLIENT_CERT
// flags are disabled.
TEST_P(SSLTestStringParameter, NoVerifyBadCA)
{
@@ -224,7 +224,7 @@ TEST_P(SSLTestStringParameter, NoVerifyBadCA)
{"LIBPROCESS_SSL_ENABLED", "true"},
{"LIBPROCESS_SSL_KEY_FILE", key_path().string()},
{"LIBPROCESS_SSL_CERT_FILE", certificate_path().string()},
- {"LIBPROCESS_SSL_REQUIRE_CERT", "false"},
+ {"LIBPROCESS_SSL_REQUIRE_CLIENT_CERT", "false"},
{"LIBPROCESS_SSL_HOSTNAME_VALIDATION_SCHEME", GetParam()}});
ASSERT_SOME(server);
@@ -232,7 +232,7 @@ TEST_P(SSLTestStringParameter, NoVerifyBadCA)
{"LIBPROCESS_SSL_ENABLED", "true"},
{"LIBPROCESS_SSL_KEY_FILE", scrap_key_path().string()},
{"LIBPROCESS_SSL_CERT_FILE", scrap_certificate_path().string()},
- {"LIBPROCESS_SSL_VERIFY_CERT", "false"},
+ {"LIBPROCESS_SSL_VERIFY_SERVER_CERT", "false"},
{"LIBPROCESS_SSL_CA_FILE", certificate_path().string()},
{"LIBPROCESS_SSL_HOSTNAME_VALIDATION_SCHEME", GetParam()}},
server.get(),
@@ -252,7 +252,7 @@ TEST_P(SSLTestStringParameter, NoVerifyBadCA)
// Ensure that a client certificate that was not generated using the
// certificate authority is NOT allowed to communicate when the
-// LIBPROCESS_SSL_REQUIRE_CERT flag is enabled.
+// LIBPROCESS_SSL_REQUIRE_CLIENT_CERT flag is enabled.
//
// NOTE: We cannot run this test with the 'legacy' hostname
// validation scheme due to MESOS-9867.
@@ -263,7 +263,7 @@ TEST_F(SSLTest, RequireBadCA)
{"LIBPROCESS_SSL_ENABLED", "true"},
{"LIBPROCESS_SSL_KEY_FILE", key_path().string()},
{"LIBPROCESS_SSL_CERT_FILE", certificate_path().string()},
- {"LIBPROCESS_SSL_REQUIRE_CERT", "true"},
+ {"LIBPROCESS_SSL_REQUIRE_CLIENT_CERT", "true"},
{"LIBPROCESS_SSL_HOSTNAME_VALIDATION_SCHEME", "openssl"}});
ASSERT_SOME(server);
@@ -271,7 +271,7 @@ TEST_F(SSLTest, RequireBadCA)
{"LIBPROCESS_SSL_ENABLED", "true"},
{"LIBPROCESS_SSL_KEY_FILE", scrap_key_path().string()},
{"LIBPROCESS_SSL_CERT_FILE", scrap_certificate_path().string()},
- {"LIBPROCESS_SSL_VERIFY_CERT", "false"},
+ {"LIBPROCESS_SSL_VERIFY_SERVER_CERT", "false"},
{"LIBPROCESS_SSL_HOSTNAME_VALIDATION_SCHEME", "openssl"}},
server.get(),
true);
@@ -287,14 +287,14 @@ TEST_F(SSLTest, RequireBadCA)
// Ensure that a server certificate that was not generated using the
// certificate authority is NOT allowed to communicate when the
-// LIBPROCESS_SSL_VERIFY_CERT flag is enabled.
+// LIBPROCESS_SSL_VERIFY_SERVER_CERT flag is enabled.
TEST_P(SSLTestStringParameter, VerifyBadCA)
{
Try<Socket> server = setup_server({
{"LIBPROCESS_SSL_ENABLED", "true"},
{"LIBPROCESS_SSL_KEY_FILE", scrap_key_path().string()},
{"LIBPROCESS_SSL_CERT_FILE", scrap_certificate_path().string()},
- {"LIBPROCESS_SSL_REQUIRE_CERT", "false"},
+ {"LIBPROCESS_SSL_REQUIRE_CLIENT_CERT", "false"},
{"LIBPROCESS_SSL_HOSTNAME_VALIDATION_SCHEME", GetParam()}});
ASSERT_SOME(server);
@@ -308,7 +308,7 @@ TEST_P(SSLTestStringParameter, VerifyBadCA)
{"LIBPROCESS_SSL_ENABLED", "true"},
{"LIBPROCESS_SSL_KEY_FILE", key_path().string()},
{"LIBPROCESS_SSL_CERT_FILE", certificate_path().string()},
- {"LIBPROCESS_SSL_VERIFY_CERT", "true"},
+ {"LIBPROCESS_SSL_VERIFY_SERVER_CERT", "true"},
{"LIBPROCESS_SSL_HOSTNAME_VALIDATION_SCHEME", GetParam()}},
*hostname,
address->ip,
@@ -325,8 +325,8 @@ TEST_P(SSLTestStringParameter, VerifyBadCA)
// Ensure that a certificate that WAS generated using the certificate
// authority IS allowed to communicate when the
-// LIBPROCESS_SSL_VERIFY_CERT and LIBPROCESS_SSL_REQUIRE_CERT flags are
-// enabled.
+// LIBPROCESS_SSL_VERIFY_SERVER_CERT and LIBPROCESS_SSL_REQUIRE_CLIENT_CERT
+// flags are enabled.
//
// NOTE: If this test is failing for the 'legacy' scheme, subsequent
// tests may be affected due to MESOS-9867.
@@ -337,7 +337,7 @@ TEST_P(SSLTestStringParameter, VerifyCertificate)
{"LIBPROCESS_SSL_KEY_FILE", key_path().string()},
{"LIBPROCESS_SSL_CERT_FILE", certificate_path().string()},
{"LIBPROCESS_SSL_CA_FILE", certificate_path().string()},
- {"LIBPROCESS_SSL_REQUIRE_CERT", "true"},
+ {"LIBPROCESS_SSL_REQUIRE_CLIENT_CERT", "true"},
{"LIBPROCESS_SSL_HOSTNAME_VALIDATION_SCHEME", GetParam()}});
ASSERT_SOME(server);
@@ -352,7 +352,7 @@ TEST_P(SSLTestStringParameter, VerifyCertificate)
{"LIBPROCESS_SSL_KEY_FILE", key_path().string()},
{"LIBPROCESS_SSL_CERT_FILE", certificate_path().string()},
{"LIBPROCESS_SSL_CA_FILE", certificate_path().string()},
- {"LIBPROCESS_SSL_VERIFY_CERT", "true"},
+ {"LIBPROCESS_SSL_VERIFY_SERVER_CERT", "true"},
{"LIBPROCESS_SSL_HOSTNAME_VALIDATION_SCHEME", GetParam()}},
*hostname,
address->ip,
@@ -393,7 +393,7 @@ TEST_F(SSLTest, HostnameMismatch)
{"LIBPROCESS_SSL_KEY_FILE", key_path().string()},
{"LIBPROCESS_SSL_CERT_FILE", certificate_path().string()},
{"LIBPROCESS_SSL_CA_FILE", certificate_path().string()},
- {"LIBPROCESS_SSL_VERIFY_CERT", "true"},
+ {"LIBPROCESS_SSL_VERIFY_SERVER_CERT", "true"},
{"LIBPROCESS_SSL_HOSTNAME_VALIDATION_SCHEME", "openssl"}},
"invalid.example.org",
address->ip,
@@ -410,7 +410,7 @@ TEST_F(SSLTest, HostnameMismatch)
// Ensure that a server that attempts to present no certificate at all
-// is NOT allowed to communicate when the LIBPROCESS_SSL_VERIFY_CERT
+// is NOT allowed to communicate when the LIBPROCESS_SSL_VERIFY_SERVER_CERT
// flag is enabled in the client.
TEST_F(SSLTest, NoAnonymousCipherIfVerify)
{
@@ -427,7 +427,7 @@ TEST_F(SSLTest, NoAnonymousCipherIfVerify)
{"LIBPROCESS_SSL_ENABLED", "true"},
{"LIBPROCESS_SSL_KEY_FILE", key_path().string()},
{"LIBPROCESS_SSL_CERT_FILE", certificate_path().string()},
- {"LIBPROCESS_SSL_VERIFY_CERT", "true"},
+ {"LIBPROCESS_SSL_VERIFY_SERVER_CERT", "true"},
{"LIBPROCESS_SSL_CIPHERS", "ADH-AES256-SHA"}},
server.get(),
true);
@@ -492,7 +492,7 @@ TEST_F(SSLTest, ValidDowngrade)
{"LIBPROCESS_SSL_SUPPORT_DOWNGRADE", "true"},
{"LIBPROCESS_SSL_KEY_FILE", key_path().string()},
{"LIBPROCESS_SSL_CERT_FILE", certificate_path().string()},
- {"LIBPROCESS_SSL_REQUIRE_CERT", "true"}});
+ {"LIBPROCESS_SSL_REQUIRE_CLIENT_CERT", "true"}});
ASSERT_SOME(server);
Try<Subprocess> client = launch_client({
@@ -521,7 +521,7 @@ TEST_F(SSLTest, NoValidDowngrade)
{"LIBPROCESS_SSL_SUPPORT_DOWNGRADE", "false"},
{"LIBPROCESS_SSL_KEY_FILE", key_path().string()},
{"LIBPROCESS_SSL_CERT_FILE", certificate_path().string()},
- {"LIBPROCESS_SSL_REQUIRE_CERT", "true"}});
+ {"LIBPROCESS_SSL_REQUIRE_CLIENT_CERT", "true"}});
ASSERT_SOME(server);
Try<Subprocess> client = launch_client({
@@ -864,7 +864,7 @@ TEST_P(SSLVerifyIPAddTest, BasicSameProcess)
os::setenv("LIBPROCESS_SSL_ENABLED", "true");
os::setenv("LIBPROCESS_SSL_KEY_FILE", key_path().string());
os::setenv("LIBPROCESS_SSL_CERT_FILE", certificate_path().string());
- os::setenv("LIBPROCESS_SSL_REQUIRE_CERT", "true");
+ os::setenv("LIBPROCESS_SSL_REQUIRE_CLIENT_CERT", "true");
os::setenv("LIBPROCESS_SSL_CA_DIR", os::getcwd());
os::setenv("LIBPROCESS_SSL_CA_FILE", certificate_path().string());
os::setenv("LIBPROCESS_SSL_VERIFY_IPADD", GetParam());
@@ -920,9 +920,9 @@ TEST_P(SSLVerifyIPAddTest, BasicSameProcessUnix)
os::setenv("LIBPROCESS_SSL_ENABLED", "true");
os::setenv("LIBPROCESS_SSL_KEY_FILE", key_path().string());
os::setenv("LIBPROCESS_SSL_CERT_FILE", certificate_path().string());
- // NOTE: we must set LIBPROCESS_SSL_REQUIRE_CERT to false because we
+ // NOTE: we must set LIBPROCESS_SSL_REQUIRE_CLIENT_CERT to false because we
// don't have a hostname or IP to verify!
- os::setenv("LIBPROCESS_SSL_REQUIRE_CERT", "false");
+ os::setenv("LIBPROCESS_SSL_REQUIRE_CLIENT_CERT", "false");
os::setenv("LIBPROCESS_SSL_CA_DIR", os::getcwd());
os::setenv("LIBPROCESS_SSL_CA_FILE", certificate_path().string());
os::setenv("LIBPROCESS_SSL_VERIFY_IPADD", GetParam());
@@ -975,7 +975,7 @@ TEST_P(SSLVerifyIPAddTest, BasicSameProcessUnix)
// Ensure that a certificate that WAS generated using the certificate
// authority IS allowed to communicate when the
-// LIBPROCESS_SSL_REQUIRE_CERT flag is enabled.
+// LIBPROCESS_SSL_REQUIRE_CLIENT_CERT flag is enabled.
TEST_P(SSLVerifyIPAddTest, RequireCertificate)
{
Try<Socket> server = setup_server({
@@ -983,7 +983,7 @@ TEST_P(SSLVerifyIPAddTest, RequireCertificate)
{"LIBPROCESS_SSL_KEY_FILE", key_path().string()},
{"LIBPROCESS_SSL_CERT_FILE", certificate_path().string()},
{"LIBPROCESS_SSL_CA_FILE", certificate_path().string()},
- {"LIBPROCESS_SSL_REQUIRE_CERT", "true"},
+ {"LIBPROCESS_SSL_REQUIRE_CLIENT_CERT", "true"},
{"LIBPROCESS_SSL_VERIFY_IPADD", GetParam()}});
ASSERT_SOME(server);
@@ -992,7 +992,7 @@ TEST_P(SSLVerifyIPAddTest, RequireCertificate)
{"LIBPROCESS_SSL_KEY_FILE", key_path().string()},
{"LIBPROCESS_SSL_CERT_FILE", certificate_path().string()},
{"LIBPROCESS_SSL_CA_FILE", certificate_path().string()},
- {"LIBPROCESS_SSL_REQUIRE_CERT", "true"},
+ {"LIBPROCESS_SSL_REQUIRE_CLIENT_CERT", "true"},
{"LIBPROCESS_SSL_VERIFY_IPADD", GetParam()}},
server.get(),
true);
diff --git a/docs/ssl.md b/docs/ssl.md
index 90a2eb9..f6beb42 100644
--- a/docs/ssl.md
+++ b/docs/ssl.md
@@ -31,7 +31,7 @@ providing additional security guarantees but also increasing the deployment comp
connect to Mesos HTTP endpoints securely via TLS, verifying that the server certificate is valid
and trusted.
-2) `LIBPROCESS_SSL_VERIFY_CERT=true`. In addition to the above, this ensures that Mesos components
+2) `LIBPROCESS_SSL_VERIFY_SERVER_CERT=true`. In addition to the above, this ensures that Mesos components
themselves are verifying the presence of valid and trusted server certificates when making
outgoing connections. This prevents man-in-the-middle attacks on communications between Mesos
components, and on communications between a Mesos component and an external server.
@@ -40,7 +40,7 @@ providing additional security guarantees but also increasing the deployment comp
to `false`, otherwise a malicious actor can simply bypass certificate verification by
downgrading to a non-TLS connection.
-3) `LIBPROCESS_SSL_REQUIRE_CERT=true`. In addition to the above, this enforces the use of TLS
+3) `LIBPROCESS_SSL_REQUIRE_CLIENT_CERT=true`. In addition to the above, this enforces the use of TLS
client certificates on all connections to any Mesos component. This ensures that only trusted
clients can connect to any Mesos component, preventing reception of forged or malformed messages.
@@ -53,12 +53,12 @@ providing additional security guarantees but also increasing the deployment comp
For secure usage, it is recommended to set `LIBPROCESS_SSL_ENABLED=true`,
-`LIBPROCESS_SSL_VERIFY_CERT=true`, `LIBPROCESS_SSL_HOSTNAME_VALIDATION_SCHEME=openssl`
+`LIBPROCESS_SSL_VERIFY_SERVER_CERT=true`, `LIBPROCESS_SSL_HOSTNAME_VALIDATION_SCHEME=openssl`
and `LIBPROCESS_SSL_ENABLE_DOWNGRADE=false`. This provides a good trade-off
between security and usability.
It is not recommended in general to expose Mesos components to the public internet, but in cases
-where they are the use of `LIBPROCESS_SSL_REQUIRE_CERT` is strongly suggested.
+where they are the use of `LIBPROCESS_SSL_REQUIRE_CLIENT_CERT` is strongly suggested.
# Environment Variables
@@ -97,6 +97,9 @@ openssl req -new -x509 -passin pass:some_password -days 365 -keyout key.pem -out
~~~
#### LIBPROCESS_SSL_VERIFY_CERT=(false|0,true|1) [default=false|0]
+This is a legacy alias for the `LIBPROCESS_SSL_VERIFY_SERVER_CERT` setting.
+
+#### LIBPROCESS_SSL_VERIFY_SERVER_CERT=(false|0,true|1) [default=false|0]
This setting only affects the behaviour of libprocess in TLS client mode.
If this is true, a remote server is required to present a server certificate,
@@ -111,6 +114,9 @@ an anonymous cipher is used), but the presented server certificates will not be
set to true for backwards compatibility reasons.
#### LIBPROCESS_SSL_REQUIRE_CERT=(false|0,true|1) [default=false|0]
+This is a legacy alias for the `LIBPROCESS_SSL_REQUIRE_CLIENT_CERT` setting.
+
+#### LIBPROCESS_SSL_REQUIRE_CLIENT_CERT=(false|0,true|1) [default=false|0]
This setting only affects the behaviour of libprocess in TLS server mode.
If this is true, enforce that certificates must be presented by connecting clients. This means all
@@ -160,7 +166,7 @@ OpenSSL versions prior to `1.0.2` allow for the use of only one curve; in those
This flag is used to select the scheme by which the hostname validation check works.
Since hostname validation is part of certificate verification, this flag has no
-effect unless one of `LIBPROCESS_SSL_VERIFY_CERT` or `LIBPROCESS_SSL_REQUIRE_CERT`
+effect unless one of `LIBPROCESS_SSL_VERIFY_SERVER_CERT` or `LIBPROCESS_SSL_REQUIRE_CLIENT_CERT`
is set to true.
Currently, it is possible to choose between two schemes:
diff --git a/docs/upgrades.md b/docs/upgrades.md
index e630731..afd9dbb 100644
--- a/docs/upgrades.md
+++ b/docs/upgrades.md
@@ -43,6 +43,38 @@ We categorize the changes as follows:
</thead>
<tr>
<td style="word-wrap: break-word; overflow-wrap: break-word;"><!--Version-->
+ 1.10.x
+ </td>
+
+ <td style="word-wrap: break-word; overflow-wrap: break-word;"><!--Mesos Core-->
+ <ul style="padding-left:10px;">
+ <li>D <a href="#1-10-x-ssl-env-var-rename">Renamed LIBPROCESS_SSL_VERIFY_CERT and LIBPROCESS_SSL_REQUIRE_CERT environment variables.</a></li>
+ </ul>
+ </td>
+
+ <td style="word-wrap: break-word; overflow-wrap: break-word;"><!--Flags-->
+ <ul style="padding-left:10px;">
+ </ul>
+ </td>
+
+ <td style="word-wrap: break-word; overflow-wrap: break-word;"><!--Framework API-->
+ <ul style="padding-left:10px;">
+ </ul>
+ </td>
+
+ <td style="word-wrap: break-word; overflow-wrap: break-word;"><!--Module API-->
+ <ul style="padding-left:10px;">
+ </ul>
+ </td>
+
+ <td style="word-wrap: break-word; overflow-wrap: break-word;"><!--Endpoints-->
+ <ul style="padding-left:10px;">
+ </ul>
+ </td>
+</tr>
+
+<tr>
+ <td style="word-wrap: break-word; overflow-wrap: break-word;"><!--Version-->
1.9.x
</td>
@@ -518,6 +550,14 @@ We categorize the changes as follows:
</tr>
</table>
+## Upgrading from 1.9.x to 1.10.x ##
+
+<a name="1-10-x-ssl-env-var-rename"></a>
+
+* The canonical name for the environment variable `LIBPROCESS_SSL_VERIFY_CERT` was changed to `LIBPROCESS_SSL_VERIFY_SERVER_CERT`.
+ The canonical name for the environment variable `LIBPROCESS_SSL_REQUIRE_CERT` was changed to `LIBPROCESS_SSL_REQUIRE_CLIENT_CERT`.
+ The old names will continue to work as before, but operators are encouraged to update their configuration to reduce confusion.
+
## Upgrading from 1.8.x to 1.9.x ##
<a name="1-9-x-automatic-agent-draining"></a>