chore(networking)!: Move all TLS support over to openssl #1986
Signed-off-by: Bruce Guenter <bruce@timber.io>
@bruceg for the verify stuff it looks like Otherwise, this is looking really good, once you have the error paths in I can give this the final look over. Great work!
I've found the separate settings for verifying the hostname vs the certificate, but it will require a little bit of type reworking (the functions are in separate types). However, I've been hamstrung by a separate verification bug -- even with using
The issue lies in the acceptor side's certificate verification setting, which actually points to a bit of a problem with our configuration defaults. We default
If we have a single
It was requiring certificate verification, which has changed behavior now. Signed-off-by: Bruce Guenter <bruce@timber.io>
The bits I'm familiar with look reasonable 👍
LGTM, just one non-blocking question.
This ends up *disabling* `verify_hostname` for all of the sinks that directly or indirectly use the `hyper_openssl::HttpsConnector::with_connector` method. Signed-off-by: Bruce Guenter <bruce@timber.io>
If this is a breaking change we should add a
This restores the verification behavior prior to this change series. This effectively reverts e165c9a "Fix test `sources::socket::test::tcp_with_tls`" Signed-off-by: Bruce Guenter <bruce@timber.io>
Ok, I think the churn is done. I'd appreciate a re-review of the late commits, as there are some behavioural changes.
@@ -128,15 +128,15 @@ pub struct IdentityStore(Vec<u8>, String); | |||
impl TlsSettings { | |||
pub fn from_config( | |||
config: &Option<TlsConfig>, | |||
require_ident: bool, | |||
for_server: bool, |
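Review bot: `for_server: bool` in the `TlsSettings::from_config` signature has no doc comment, and a bare boolean at a call site does not say what `true` selects. Since the name in this position goes from `require_ident` to `for_server`, the flag evidently covers more than the identity requirement, so add a `///` comment on `from_config` listing what the flag controls, or replace it with a two-variant enum so callers state client or server explicitly.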
Does this mean that this setting is for a server? aka if we are a server we set this to true?
Also looks like we are not updating any other rust files where before this boolean meant something else, just want to make sure that is correct?
Correct, setting this to `true` is for servers. I renamed it because it controls both requiring an identity (certificate + key) in the configuration as well as changing the defaults for certificate verification. The only users of `from_config` that would set this to `true` are the server sources, so no changes to them were required.
Just for the future, can we add a comment on what these params mean, since I feel like people stumbling across this in the future might be confused.
Absolutely, I was already thinking this as you were asking.
Thanks for getting this done @bruceg! I know working with openssl is never fun but this should really ensure we have some good consistency with all our sinks/sources/transforms.
This is incomplete, as several error paths remain incomplete.
There is one possible user-visible configuration change. At this point, the `verify_hostname` setting is non-functional due to a difference (at least in my understanding) of how `openssl` handles verification as compared to `native_tls`. I am still investigating and may need to port some code over to accommodate the differences.
Closes #1402
Closes #1929