Posted to commits@mesos.apache.org by jo...@apache.org on 2019/12/18 22:34:40 UTC
[mesos] 11/11: SSL Socket: Guarded against downgrade while
unimplemented.
This is an automated email from the ASF dual-hosted git repository.
josephwu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mesos.git
commit 34bac34419ebec8441e69d3a5684381468352399
Author: Joseph Wu <jo...@apache.org>
AuthorDate: Tue Dec 17 15:23:27 2019 -0800
SSL Socket: Guarded against downgrade while unimplemented.
The SSL downgrade feature present in our libevent-SSL socket
is currently not supported on the plain-OpenSSL socket.
For this reason, we check the related flag and prevent the related tests
from running.
Review: https://reviews.apache.org/r/71923
---
3rdparty/libprocess/src/openssl.cpp | 6 ++++++
3rdparty/libprocess/src/tests/ssl_tests.cpp | 3 +++
2 files changed, 9 insertions(+)
diff --git a/3rdparty/libprocess/src/openssl.cpp b/3rdparty/libprocess/src/openssl.cpp
index ec7d6e8..b2dd2fe 100644
--- a/3rdparty/libprocess/src/openssl.cpp
+++ b/3rdparty/libprocess/src/openssl.cpp
@@ -550,8 +550,14 @@ void reinitialize()
// Notify users of the 'SSL_SUPPORT_DOWNGRADE' flag that this
// setting allows insecure connections.
if (ssl_flags->support_downgrade) {
+#ifdef USE_LIBEVENT
LOG(WARNING) <<
"Failed SSL connections will be downgraded to a non-SSL socket";
+#else
+ EXIT(EXIT_FAILURE)
+ << "Non-libevent SSL sockets do not support downgrade yet,"
+ << " see MESOS-10073";
+#endif // USE_LIBEVENT
}
// TODO(bevers): Remove the deprecated names for these flags after an
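Review bot: The new EXIT(EXIT_FAILURE) message on the `#else` branch does not name the setting that triggered it, so an operator whose process dies at startup has to map "downgrade" back to `SSL_SUPPORT_DOWNGRADE` on their own; consider `<< "Non-libevent SSL sockets do not support downgrade yet (disable SSL_SUPPORT_DOWNGRADE), see MESOS-10073";`. The two-line comment above the `if` still says the block only notifies users that the setting allows insecure connections, which is now true only under USE_LIBEVENT; appending `// On non-libevent builds the flag is rejected at startup because downgrade is not implemented there (MESOS-10073).` keeps it accurate. Exiting rather than silently ignoring the flag looks like the right call, since presumably the configuration would otherwise appear to be honored while non-SSL peers are actually refused. reinitialize() begins before this hunk.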
diff --git a/3rdparty/libprocess/src/tests/ssl_tests.cpp b/3rdparty/libprocess/src/tests/ssl_tests.cpp
index 3f1d103..a6563fb 100644
--- a/3rdparty/libprocess/src/tests/ssl_tests.cpp
+++ b/3rdparty/libprocess/src/tests/ssl_tests.cpp
@@ -483,6 +483,8 @@ TEST_F(SSLTest, ECDHESupport)
}
+// TODO(josephw): Support downgrades on the native OpenSSL socket (MESOS-10073).
+#ifdef USE_LIBEVENT
// Ensure we can communicate between a POLL based socket and an SSL
// socket if 'SSL_SUPPORT_DOWNGRADE' is enabled.
TEST_F(SSLTest, ValidDowngrade)
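Review bot: Guarding ValidDowngrade (and, via the `#endif` in the next hunk, everything through ValidDowngradeEachProtocol) behind USE_LIBEVENT drops downgrade coverage from non-libevent builds without adding any test that the new EXIT path in openssl.cpp actually fires, so the fail-fast behaviour is only checked by hand. An `#else` case that launches a subprocess with the 'SSL_SUPPORT_DOWNGRADE' setting enabled and asserts a non-zero exit status would pin it; the `await_subprocess` pattern visible at the end of ValidDowngradeEachProtocol looks like the right tool, though that helper's setup is outside the hunk. The TODO could also say where the guarded region ends, e.g. `// TODO(josephw): Support downgrades on the native OpenSSL socket (MESOS-10073). Until then the downgrade tests up to the matching #endif are compiled out.`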
@@ -581,6 +583,7 @@ TEST_F(SSLTest, ValidDowngradeEachProtocol)
AWAIT_ASSERT_READY(await_subprocess(client.get(), 0));
}
}
+#endif // USE_LIBEVENT
// For each protocol: ensure we CANNOT communicate between a POLL