mesos-issues mailing list archives

From "Till Toenshoff (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (MESOS-6981) Allow disabling name based SSL checks
Date Thu, 26 Jan 2017 00:54:26 GMT

    [ https://issues.apache.org/jira/browse/MESOS-6981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15838929#comment-15838929 ]

Till Toenshoff edited comment on MESOS-6981 at 1/26/17 12:54 AM:
-----------------------------------------------------------------

The implementation should be straightforward. We would add a new SSL flag, e.g. `LIBPROCESS_SSL_WEAK_VERIFY`.

Then we add 
{noformat}
if (ssl_flags->weak_verify) {
  return Nothing();
}
{noformat}

here https://github.com/apache/mesos/blob/16f479d151d5a6554f8ebfcedfdc6b62dc7a0edb/3rdparty/libprocess/src/openssl.cpp#L646



was (Author: tillt):
The implementation should be straightforward. We would add a new SSL flag, e.g. `LIBPROCESS_SSL_WEAK_VERIFY`.

Then we add 
{noformat}
if (!ssl_flags->weak_verify) {
  return Nothing();
}
{noformat}

here https://github.com/apache/mesos/blob/16f479d151d5a6554f8ebfcedfdc6b62dc7a0edb/3rdparty/libprocess/src/openssl.cpp#L646


> Allow disabling name based SSL checks
> -------------------------------------
>
>                 Key: MESOS-6981
>                 URL: https://issues.apache.org/jira/browse/MESOS-6981
>             Project: Mesos
>          Issue Type: Improvement
>          Components: libprocess
>            Reporter: Kevin Cox
>              Labels: mesosphere, security
>
> Currently, if you want to use verified certificates, you need to enable validation by hostname or IP. However, if you are running your own CA for these certificates, it is often sufficient to verify solely based on the CA signature.
> For example, if an admin wants to connect, it is a pain to make sure that they always have a valid certificate for their IP or reverse DNS. It would be nice if the admin could be given a certificate that was trusted no matter where he is.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
