
MINIFICPP-2170 Fix system certificate store usage in SSLContextService on Linux #1620

Conversation

fgerlits
Contributor

https://issues.apache.org/jira/browse/MINIFICPP-2170

Use utils::getDefaultCAFile() in the SSLContextService to find the system CA certificate store file, as the compiled-in default value is usually wrong. If the system CA certificate store file is still not found, you can set the SSL_CERT_DIR or SSL_CERT_FILE environment variables to tell OpenSSL where the certificates are.

Also: fix the incorrect handling of InvokeHTTP::DisablePeerVerification.


Thank you for submitting a contribution to Apache NiFi - MiNiFi C++.

In order to streamline the review of the contribution we ask you
to ensure the following steps have been taken:

For all changes:

  • Is there a JIRA ticket associated with this PR? Is it referenced in the commit message?

  • Does your PR title start with MINIFICPP-XXXX where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.

  • Has your PR been rebased against the latest commit within the target branch (typically main)?

  • Is your initial contribution a single, squashed commit?

For code changes:

  • If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?
  • If applicable, have you updated the LICENSE file?
  • If applicable, have you updated the NOTICE file?

For documentation related changes:

  • Have you ensured that format looks appropriate for the output in which it is rendered?

Note:

Please ensure that once the PR is submitted, you check GitHub Actions CI results for build issues and submit an update to your PR as soon as possible.
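The lookup order the PR description sets out (probe the usual system CA bundle locations first; only if none exists, let OpenSSL fall back to its defaults, which honour SSL_CERT_FILE / SSL_CERT_DIR), and the trade-off discussed later in the thread (an explicit CA Certificate property is preferable, the environment variables are a last resort), can be sketched in portable C++. The code below is an added illustration, not MiNiFi C++'s own utils::getDefaultCAFile() or SSLContextService; the candidate path list, the function names and the TrustSource decision type are constructed for this example, and the comments name the OpenSSL calls a real implementation would make in each branch.

```cpp
#include <sys/stat.h>
#include <unistd.h>
#include <cstdio>
#include <cstdlib>
#include <string>
#include <vector>

// Candidate locations of the system CA bundle on common Linux distributions.
// Constructed for this example; not the project's own table.
const std::vector<std::string>& defaultCaFileCandidates() {
  static const std::vector<std::string> kCandidates = {
      "/etc/ssl/certs/ca-certificates.crt",  // Debian, Ubuntu, Alpine
      "/etc/pki/tls/certs/ca-bundle.crt",    // RHEL, CentOS, Fedora
      "/etc/ssl/ca-bundle.pem",              // openSUSE
      "/etc/ssl/cert.pem",                   // some BSD-derived layouts
  };
  return kCandidates;
}

bool isRegularFile(const std::string& path) {
  struct stat st {};
  return ::stat(path.c_str(), &st) == 0 && S_ISREG(st.st_mode);
}

// First candidate that exists as a regular file; empty string if none does.
std::string findCaFile(const std::vector<std::string>& candidates) {
  for (const auto& path : candidates) {
    if (isRegularFile(path)) return path;
  }
  return "";
}

// kExplicitFile:   hand the path to SSL_CTX_load_verify_locations(ctx, file, nullptr).
// kOpenSslDefaults: call SSL_CTX_set_default_verify_paths(ctx), which consults
//   SSL_CERT_FILE / SSL_CERT_DIR before the compiled-in paths; those compiled-in
//   paths are what the PR says is usually wrong for a relocated build.
enum class TrustSource { kExplicitFile, kOpenSslDefaults };

struct TrustDecision {
  TrustSource source;
  std::string detail;  // the file used, or which environment variables were set
};

// Env values are passed in (rather than read with getenv) so the logic is testable.
TrustDecision resolveTrustStore(const std::vector<std::string>& candidates,
                                const char* envCertFile, const char* envCertDir) {
  std::string file = findCaFile(candidates);
  if (!file.empty()) return {TrustSource::kExplicitFile, file};

  std::string detail;
  if (envCertFile && *envCertFile) detail += "SSL_CERT_FILE=" + std::string(envCertFile);
  if (envCertDir && *envCertDir) {
    if (!detail.empty()) detail += " ";
    detail += "SSL_CERT_DIR=" + std::string(envCertDir);
  }
  if (detail.empty()) detail = "compiled-in OpenSSL defaults (may not exist on this host)";
  return {TrustSource::kOpenSslDefaults, detail};
}

// Wrapper using the real process environment.
TrustDecision resolveTrustStoreFromEnvironment() {
  return resolveTrustStore(defaultCaFileCandidates(),
                           std::getenv("SSL_CERT_FILE"), std::getenv("SSL_CERT_DIR"));
}

// Creates an empty temporary file and returns its path, so the lookup can be
// exercised without depending on what the host has installed.
std::string makeTempFile() {
  char tmpl[] = "/tmp/ca-example-XXXXXX";
  int fd = ::mkstemp(tmpl);
  if (fd < 0) return "";
  ::close(fd);
  return tmpl;
}

int main() {
  TrustDecision d = resolveTrustStoreFromEnvironment();
  std::printf("%s: %s\n",
              d.source == TrustSource::kExplicitFile ? "system CA file" : "OpenSSL defaults",
              d.detail.c_str());
  return 0;
}
```

Running the binary on a host prints which branch would be taken, which is the check an operator wants when a MiNiFi container fails peer verification: if the output is "OpenSSL defaults" with no environment variables listed, the agent is relying on paths that the PR says are usually wrong, and either the CA Certificate property or SSL_CERT_FILE/SSL_CERT_DIR needs to be set.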

@fgerlits fgerlits marked this pull request as draft July 31, 2023 07:04
@fgerlits fgerlits force-pushed the MINIFICPP-2170_Fix-client-cert-usage-in-SSLContextService-on-Linux branch from 9bd574b to d707744 Compare July 31, 2023 12:36
@fgerlits fgerlits marked this pull request as ready for review August 2, 2023 11:48
@fgerlits fgerlits force-pushed the MINIFICPP-2170_Fix-client-cert-usage-in-SSLContextService-on-Linux branch 2 times, most recently from 9d2cb5c to 784bb18 Compare August 3, 2023 08:23
@lordgamez
Contributor

Could we document the SSL_CERT_DIR and SSL_CERT_FILE environment variable options for setting the certificate somewhere? Maybe write a test using those variables as well?

@fgerlits
Contributor Author

fgerlits commented Aug 4, 2023

Could we document the SSL_CERT_DIR and SSL_CERT_FILE environment variable options for setting the certificate somewhere? Maybe write a test using those variables as well?

I was planning to do that, but it would take quite a bit of additional code to create automatic tests for this, as it requires that none of the files listed in utils::getDefaultCAFile() exists (so we'd have to remove it), and also we'd need to create a mechanism for setting environment variables in the MiNiFi container.

I don't think we want to encourage people to use the SSL_CERT_DIR and SSL_CERT_FILE environment variables; setting the CA Certificate property in SSLContextService or the SSL Certificate Authority property in ListenHTTP is a better option.

I have tested these manually because in case there is a production issue we need a quick temporary solution for, it's good to know we have this option.

@fgerlits fgerlits force-pushed the MINIFICPP-2170_Fix-client-cert-usage-in-SSLContextService-on-Linux branch from 83edabe to d0c45f4 Compare August 9, 2023 07:48
…e on Linux

Use utils::getDefaultCAFile() in the SSLContextService to find the system CA
certificate store file, as the compiled-in default value is usually wrong.
If the system CA certificate store file is still not found, you can set the
SSL_CERT_DIR or SSL_CERT_FILE environment variables to tell OpenSSL where
the certificates are.

Also: fix the incorrect handling of InvokeHTTP::DisablePeerVerification.
... because /etc/ssl/certs is used by kind internally
@fgerlits fgerlits force-pushed the MINIFICPP-2170_Fix-client-cert-usage-in-SSLContextService-on-Linux branch from d0c45f4 to a6efd56 Compare August 16, 2023 15:33
@lordgamez lordgamez closed this in 14e2586 Aug 16, 2023
@fgerlits fgerlits deleted the MINIFICPP-2170_Fix-client-cert-usage-in-SSLContextService-on-Linux branch January 10, 2024 10:03