Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add cass_ssl_set_default_verify_paths API #474

Open
wants to merge 9 commits into
base: master
Choose a base branch
from

Conversation

m8mble
Copy link
Contributor

@m8mble m8mble commented Mar 26, 2020

Forwards SSL-configuration to use system default directories for finding certificate authorities.

Similar functionality is often desired / provided by similar SSL-context forwarding APIs, e.g. boost ssl context.

@mpenick
Copy link
Contributor

mpenick commented Apr 2, 2020

Sorry for the delay. Thanks for the PR. Looks great, very thorough.

Calling SSL_CTX_set_default_verify_paths() as default internally would be a bad idea because it might add CAs the application does not intend?

Would you be able to add a unit test for this? (Looks like it might be possible to control the default paths with env. variables e.g. SSL_CERT_DIR)

@m8mble
Copy link
Contributor Author

m8mble commented Apr 10, 2020

Thanks for your feedback.

I don't think SSL_CTX_set_default_verify_paths by default would be a good idea: For one, it would simply be a breaking change. And for two, it's probably preferable to stay as close as possible to the actual openssl API.

I've added a basic unit test to demonstrate the intended behavior. Thanks for the environment variable hint: I used SSL_CERT_FILE which should be simpler to use platform independently.

Happy easter, everyone!

@m8mble
Copy link
Contributor Author

m8mble commented Apr 12, 2020

I regret having mentioned platform independence ;).

Unfortunately, I don't have a windows box at hand to reproduce. But I'll try my best to make things work using your CI...

@m8mble
Copy link
Contributor Author

m8mble commented Apr 15, 2020

Ok, at this point I could use some help. Whats so special about the VS12 pipeline, that makes it succeed while all others fail? Any ideas?

@mpenick
Copy link
Contributor

mpenick commented Apr 15, 2020

Thanks for the test and trying to make it work on all platforms. I'll take a look.

@mpenick
Copy link
Contributor

mpenick commented May 7, 2020

I worked on this a bit yesterday on my local Windows machine. I thought I found the issue, and I'm able to get it working locally, but when I push it only one out of six CI builds works. I'll have to dig into this more.

@mpenick
Copy link
Contributor

mpenick commented May 7, 2020

Note: It works locally with many different versions of VS.

Forwards SSL-configuration to use system default directories for
finding certificate authorities.
Ensure certificate validation fails prior to calling said
function, and succeeds afterwards. The used certificate
is specified to openssl via environment variables.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants