chore(networking)!: Move all TLS support over to openssl #1986
Conversation
Signed-off-by: Bruce Guenter <bruce@timber.io>
Signed-off-by: Bruce Guenter <bruce@timber.io>
Signed-off-by: Bruce Guenter <bruce@timber.io>
Signed-off-by: Bruce Guenter <bruce@timber.io>
bruceg
added
type: tech debt
Signed-off-by: Bruce Guenter <bruce@timber.io>
Signed-off-by: Bruce Guenter <bruce@timber.io>
|
@bruceg for the verify stuff it looks like Otherwise, this is looking really good, once you have the error paths in I can give this the final look over. Great work! |
|
I've found the separate settings for verifying the hostname vs the certificate, but it will require a little bit of type reworking (the functions are in separate types). However, I've been hamstrung by a separate verification bug -- even with using |
|
The issue lies in the acceptor side's certificate verification setting, which actually points to a bit of a problem with our configuration defaults. We default
If we have a single |
It was requiring certificate verification, which has changed behavior now. Signed-off-by: Bruce Guenter <bruce@timber.io>
This ends up *disabling* `verify_hostname` for all of the sinks that directly or indirectly use the `hyper_openssl::HttpsConnector::with_connector` method. Signed-off-by: Bruce Guenter <bruce@timber.io>
|
If this is a breaking change we should add a |
bruceg
changed the title
Signed-off-by: Bruce Guenter <bruce@timber.io>
Signed-off-by: Bruce Guenter <bruce@timber.io>
This restores the verification behavior prior to this change series. This effectively reverts e165c9a "Fix test `sources::socket::test::tcp_with_tls`" Signed-off-by: Bruce Guenter <bruce@timber.io>
|
Ok, I think the churn is done. I'd appreciate a re-review of the late commits, as there are some behavioural changes. |
| @@ -128,15 +128,15 @@ pub struct IdentityStore(Vec<u8>, String); | |||
| impl TlsSettings { | |||
| pub fn from_config( | |||
| config: &Option<TlsConfig>, | |||
| require_ident: bool, | |||
| for_server: bool, | |||
There was a problem hiding this comment.
Does this mean that this setting is for a server? aka if we are a server we set this to true?
Also looks like we are not updating any other rust files where before this boolean meant something else, just want to make sure that is correct?
There was a problem hiding this comment.
Correct, setting this to true is for servers. I renamed it because it controls both requiring an identity (certificate + key) in the configuration as well as changing the defaults for certificate verification. The only users of from_config that would set this to true are the server sources, so no changes to them were required.
There was a problem hiding this comment.
Just for the future, can we add a comment what these params mean since I feel like people stumbling across this in the future might be confused.
There was a problem hiding this comment.
Absolutely, I was already thinking this as you were asking.
Signed-off-by: Bruce Guenter <bruce@timber.io>
There was a problem hiding this comment.
Thanks for getting this done @bruceg! I know working with openssl is never fun but this should really ensure we have some good consistency with all our sinks/sources/transforms.
This is incomplete, as several error paths remain incomplete.
There is one possible user-visible configuration change. At this point, the
verify_hostnamesetting is non-functional due to a difference (at least in my understanding) of howopensslhandles verification as compared tonative_tls. I am still investigating and may need to port some code over to accommodate the differences.Closes #1402
Closes #1929