Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add cass_ssl_set_default_verify_paths API #474

Open
wants to merge 9 commits into
base: master
Choose a base branch
from
Open

Add cass_ssl_set_default_verify_paths API #474

wants to merge 9 commits into from

Conversation

m8mble
Copy link
Contributor

@m8mble m8mble commented Mar 26, 2020

Forwards SSL-configuration to use system default directories for finding certificate authorities.

Similar functionality is often desired / provided by similar SSL-context forwarding APIs, e.g. boost ssl context.

@mpenick
Copy link
Contributor

mpenick commented Apr 2, 2020

Sorry for the delay. Thanks for the PR. Looks great, very thorough.

Calling SSL_CTX_set_default_verify_paths() as default internally would be a bad idea because it might add CAs the application does not intend?

Would you be able to add a unit test for this? (Looks like it might be possible to control the default paths with env. variables e.g. SSL_CERT_DIR)

@m8mble
Copy link
Contributor Author

m8mble commented Apr 10, 2020

Thanks for your feedback.

I don't think SSL_CTX_set_default_verify_paths by default would be a good idea: For one, it would simply be a breaking change. And for two, it's probably preferable to stay as close as possible to the actual openssl API.

I've added a basic unit test to demonstrate the intended behavior. Thanks for the environment variable hint: I used SSL_CERT_FILE which should be simpler to use platform independently.

Happy easter, everyone!

@m8mble
Copy link
Contributor Author

m8mble commented Apr 12, 2020

I regret having mentioned platform independence ;).

Unfortunately, I don't have a windows box at hand to reproduce. But I'll try my best to make things work using your CI...

@m8mble
Copy link
Contributor Author

m8mble commented Apr 15, 2020

Ok, at this point I could use some help. Whats so special about the VS12 pipeline, that makes it succeed while all others fail? Any ideas?

@mpenick
Copy link
Contributor

mpenick commented Apr 15, 2020
edited

Thanks for the test and trying to make it work on all platforms. I'll take a look.

@mpenick
Copy link
Contributor

mpenick commented May 7, 2020

I worked on this a bit yesterday on my local Windows machine. I thought I found the issue, and I'm able to get it working locally, but when I push it only one out of six CI builds works. I'll have to dig into this more.

@mpenick
Copy link
Contributor

mpenick commented May 7, 2020
edited

Note: It works locally with many different versions of VS.

@m8mble
Add cass_ssl_set_default_verify_paths API
3bea742 
Forwards SSL-configuration to use system default directories for
finding certificate authorities.
@m8mble
Add unit test for cass_ssl_set_default_verify_paths
b5ce7e3 
Ensure certificate validation fails prior to calling said
function, and succeeds afterwards. The used certificate
is specified to openssl via environment variables.
@m8mble
Use absolute path for SSL_CERT_FILE
c133d3d
@m8mble
Add environment debut output
685cb7f
@m8mble
Try setenv instead of us_os_setenv
7172797
@m8mble
... with double colon
53776dc
@m8mble
... use putenv on windows
50c96ee
@m8mble
... use _putenv / delay cert removal
0e9b95a
@m8mble
... with local cert and SSL_CERT_DIR
b6c59d7
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bovine bovine bovine left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
3 participants
@m8mble @mpenick @bovine