[DRILL-6581] C++ Client SSL Implementation Fixes/Improvements #1366
Conversation
superbstreak
force-pushed
the
DRILL-6581
branch
3 times, most recently
from
69dc0e3
to
786c026
Compare
| /// @brief Check the certiticate hostname verification status. | ||
| /// | ||
| /// @return if the verification has failed. | ||
| const bool HasCertHostnameVerificationError() const {return m_hasCertHostnameVerificationErr;} |
There was a problem hiding this comment.
I think we should put these inside SSLChannelContext since these are SSL related items
| @@ -170,7 +190,22 @@ class UserProperties; | |||
| try{ | |||
| m_pSocket->protocolHandshake(useSystemConfig); | |||
| } catch (boost::system::system_error e) { | |||
| status = handleError(CONN_HANDSHAKE_FAILED, e.what()); | |||
| const std::string errmsg(e.what()); | |||
| if (m_pContext->HasCertHostnameVerificationError()){ | |||
There was a problem hiding this comment.
make sure m_psocket is actually ssl socket before we check for ssl specific exceptions. Currently, there is no impact since the normal socket's protoHandshake doesn't do any task. But should take care of it.
superbstreak
force-pushed
the
DRILL-6581
branch
3 times, most recently
from
d2415a4
to
2fa865a
Compare
|
@parthchandra can you please review this? |
| @@ -211,6 +211,21 @@ ChannelContext* ChannelFactory::getChannelContext(channelType_t t, DrillUserProp | |||
| } | |||
|
|
|||
| pChannelContext = new SSLChannelContext(props, tlsVersion, verifyMode); | |||
|
|
|||
| if (props->isPropSet(USERPROP_CUSTOM_SSLCTXOPTIONS)){ | |||
There was a problem hiding this comment.
No need to check isPropSet since you are already checking for !sslOptions.empty() below.
Also I have a question regarding these custom SSL Context options. Based on documentation here it helps to achieve workaround for listed bugs. But that depends upon the internal implementation of SSL if handling for those work around is available or not. If the handling is available then it will be used since this option is set during m_SSLContext creation (See here). So it doesn't look like we need to have this separate custom option setter ?
There was a problem hiding this comment.
This is an optional settings that the client application can set on top of the default. And also based on the version of boost the client is compiled against, some configurations are not available. So the user using this function should be aware of the limitation of the version of boost the client is compiled against and set the flags accordingly.
|
|
||
| // Sets the result back to the context. | ||
| context->SetCertHostnameVerificationStatus(verified); | ||
| return verified && in_preverified; |
There was a problem hiding this comment.
I think we should just return the verified status here not (verified && in_preverified)
There was a problem hiding this comment.
Oh yes, redundant! Thanks!
| if (!(((SSLChannelContext_t *)m_pContext)->GetCertificateHostnameVerificationStatus())){ | ||
| return handleError( | ||
| CONN_HANDSHAKE_FAILED, | ||
| getMessage(ERR_CONN_SSL_CN)); |
There was a problem hiding this comment.
Would be useful to preserve the original error message in this case as well. Please change to getMessage(ERR_CONN_SSL_CN, errmsg)
There was a problem hiding this comment.
Will do Thanks!
| namespace | ||
| { | ||
| // The error message to indicate certificate verification failure. | ||
| #define DRILL_BOOST_SSL_CERT_VERIFY_FAILED "handshake: certificate verify failed\0" |
There was a problem hiding this comment.
I don't think we can rely on this error string. Instead it would be good to use something like below for decoding ssl errors.
https://stackoverflow.com/questions/9828066/how-to-decipher-a-boost-asio-ssl-error-code
There was a problem hiding this comment.
Yup, I was concern about this bit, too. Will do, thanks!
superbstreak
force-pushed
the
DRILL-6581
branch
2 times, most recently
from
d3fc5cf
to
de8478b
Compare
|
@sohami updated. Please review. |
superbstreak
force-pushed
the
DRILL-6581
branch
2 times, most recently
from
1f05410
to
4df6745
Compare
> Host and port passed in to the callback are always empty. Parsing the connection string before we use the host name.
> Connection string port (31010) is not required for the hostname verification.
> Disabled SSLv2 and SSLv3.
> Separated them to allow better user error handling/debugging.