Andrew Noyes
fee9a5117f
Don't config TLS if OpenSSL is missing OPENSSL_INIT_NO_ATEXIT
2020-04-25 17:59:17 -07:00
Markus Pilman
d4542dbb5a
Delete old build system
2020-04-07 11:03:45 -07:00
mpilman
d09e07f1f5
Merge remote-tracking branch 'upstream/master' into features/icc
2020-02-04 10:26:18 -08:00
Evan Tschannen
3f9d9d8b84
Merge branch 'release-6.2'
# Conflicts:
# CMakeLists.txt
# cmake/FlowCommands.cmake
# documentation/sphinx/source/release-notes.rst
# fdbclient/StorageServerInterface.h
# fdbserver/DataDistributionTracker.actor.cpp
# fdbserver/MasterProxyServer.actor.cpp
# fdbserver/fdbserver.actor.cpp
# flow/Knobs.h
# flow/Platform.cpp
# versions.target
2020-01-16 18:37:47 -08:00
Balachandar Namasivayam
741aa523e6
Establishing a TLS connection through the handshake process is expensive, and the fdbserver process can easily get saturated doing repeated TLS handshakes with only a few hundred clients that have a bad certificate. Hence, throttle the number of handshakes done on the server per client IP if it has a bad certificate.
2020-01-10 16:19:41 -08:00
Alex Miller
3b9678356e
Make FDBLibTLS and thirdparty static libraries.
They're statically linked anyway, and this fixes an issue with CMake
complaining that there are cyclic dependencies that are non-static.
2019-09-30 18:32:24 -07:00
mpilman
ab019fbe41
More minor fixes, removed snapshots
2019-06-20 14:28:31 -07:00
Evan Tschannen
29b96414e2
Merge branch 'release-6.1'
# Conflicts:
# documentation/sphinx/source/release-notes.rst
# fdbclient/NativeAPI.actor.cpp
# fdbserver/Coordination.actor.cpp
# flow/Arena.h
# versions.target
2019-06-03 18:49:35 -07:00
Evan Tschannen
362c2bf1e6
improved the cpu efficiency of printable
2019-05-29 14:55:45 -07:00
sramamoorthy
d68a229772
makefile changes to accommodate boost/process.hpp
2019-05-28 22:07:46 -07:00
A.J. Beamon
d29c7e4c9b
Merge branch 'release-6.1' into merge-release-6.1-into-master
# Conflicts:
# documentation/sphinx/source/release-notes.rst
# fdbserver/QuietDatabase.actor.cpp
# versions.target
2019-05-23 09:28:45 -07:00
A.J. Beamon
63a145e6bb
Try adding flow as a link dependency
2019-05-21 13:20:41 -07:00
A.J. Beamon
d3c1f9afbd
Suppress 'TraceEventFieldNotFound' event. Don't suppress simultaneous FDBLibTLSVerifyFailure events (this requires including flow.h and removing the copied version of Reference/ReferenceCounted in FDBLibTLS).
2019-05-20 15:12:28 -07:00
Evan Tschannen
f4fbaac6b0
Merge branch 'release-6.1'
# Conflicts:
# documentation/sphinx/source/release-notes.rst
# versions.target
2019-05-19 10:27:59 -07:00
Alvin Moore
3acaa7343e
Enabled C++17 for all Windows projects
Set Visual Studio version to 2017 (first version to support C++17)
2019-05-16 17:44:13 -07:00
Alvin Moore
94aed513c7
Switched Windows tools within projects to 2017
2019-05-16 15:05:11 -07:00
A.J. Beamon
8077a428c0
Fix invalid trace suppression
2019-05-16 09:30:34 -07:00
Evan Tschannen
8c3516951a
Merge branch 'release-6.1'
# Conflicts:
# documentation/sphinx/source/release-notes.rst
# versions.target
2019-05-12 20:13:49 -07:00
A.J. Beamon
c328b15d36
TLS was creating trace events with invalid types (containing spaces).
2019-05-10 14:51:20 -07:00
Andrew Noyes
6207d724f8
Fix all -Wunused-variable warnings
2019-04-15 18:13:00 -07:00
mpilman
7d17e5797a
Fix dependency bug in FDBLibTLS
2019-02-07 15:37:04 -08:00
mpilman
00b25dcd08
Added missing boost dependency to FDBLibTLS
2019-02-07 15:37:04 -08:00
mpilman
e45295a1f5
Added support for TLS
2019-02-07 15:37:04 -08:00
Evan Tschannen
4b5d0b4e2c
Merge branch 'release-6.0'
# Conflicts:
# documentation/sphinx/source/release-notes.rst
# fdbclient/AsyncFileBlobStore.actor.cpp
# fdbclient/AsyncFileBlobStore.actor.h
# fdbclient/BlobStore.actor.cpp
# fdbclient/BlobStore.h
# fdbclient/HTTP.actor.cpp
# fdbclient/ManagementAPI.actor.cpp
# fdbclient/NativeAPI.actor.cpp
# fdbrpc/LoadBalance.actor.h
# fdbrpc/batcher.actor.h
# fdbrpc/fdbrpc.vcxproj
# fdbrpc/sim2.actor.cpp
# fdbserver/DataDistribution.actor.cpp
# fdbserver/DataDistributionTracker.actor.cpp
# fdbserver/SimulatedCluster.actor.cpp
# fdbserver/TLogServer.actor.cpp
# fdbserver/masterserver.actor.cpp
2018-11-10 13:04:24 -08:00
Evan Tschannen
fb9d05a4e2
suppressed a spammy trace event
2018-11-07 21:05:49 -08:00
Alex Miller
e2fc1c9b95
Remove specifying non-root directory as a path to search for includes.
2018-10-19 18:56:45 -07:00
Alex Miller
7cd73468f1
Fix FDBLibTLS to specify includes from the root.
2018-10-19 18:56:36 -07:00
Alex Miller
896bde4a48
Fix fdbserver segfaulting if a mismatched certificate and key set.
This turned out to be a simple typo of two similar variables. fdbserver
will still die as a result of this error, but it will die gracefully and
print out a slightly helpful error message.
2018-08-09 14:50:55 -07:00
Evan Tschannen
1c29275672
call all methods which could disable a trace event before it is initialized. In practice this means calling .error first, then .suppressFor, then all your details.
2018-08-01 14:30:57 -07:00
Alvin Moore
bbee12f372
Moved includes to source files
2018-07-12 17:34:08 -07:00
Alvin Moore
6e4265fcc7
Changed logging to call TraceEvent directly
2018-07-12 13:24:40 -07:00
Alvin Moore
a034acf3bd
Replaced separate TLS Log function with FDB TraceEvent logger
2018-07-11 18:41:46 -07:00
Alex Miller
29f560bafe
Fix a warning-turned-error about not returning from an unreachable point.
2018-07-02 14:31:06 -07:00
Alvin Moore
c3f88dbfe1
Merge branch 'master' of github.com:apple/foundationdb into tls-static
2018-07-01 23:13:57 -07:00
Alex Miller
44694607e8
Fix Subject Alternative Name matching and add test cases.
The previous change was done in the optimistic hope that NID_subject_alt_name
could be handled in the same fashion as all the rest of the attributes we match
against. However, X509 is not a place for optimisim. Instead, it turns out
that the Subject Alternative Name is an X509v3 extension, and needs to be
handled separately.
Therefore, this change...
* Introduces the idea of Criteria matching against a location in the
certificate, and not just against the entirety of the certificate.
* Extracts the Subject Alternative Name extension, and allows iteration and
matching against its components.
* Extends our constraint language to sensibly match against SubjectAlternativeNames.
The `S.subjectAltName` syntax has been kept, but the value is now required to
provide what type of field the rest of the value is intended to match against.
The code currently supports DNS, EMAIL, URI, and IP. Prefix and suffix
matching is supported.
Both verify-test and plugin-test were updated to cover Subject Alternative Name
matching. I've additionally run plugin-test under valgrind to verify that I've
understood object lifetimes correctly.
2018-06-29 17:17:58 -07:00
Alex Miller
70d078021f
Implement prefix and suffix matching for TLS certificate verification.
This extends our language for specifying verification rules from, e.g.
S.O=XYZCorp
to also include two more operators
S.O>=XYZ # Prefix
S.O<=Corp # Suffix
both of which would match against an Organization of XYZCorp (among others).
2018-06-27 18:11:07 -07:00
Alex Miller
e39d2c702d
Support Subject Alternative Name verification in TLS Plugin.
The TLS code understands three different things it can verify: the subject, the
issuer, and the root. The existing code assumes that any attribute we can
verify against one of these is also verifiable against the others.
For Subject Alternative Name, this might not be true. There exists both
Subject Alternative Name and Issuer Alternative Name. This code change allows
one to write "I.subjectAltName=Foo", and we'll verify a Subject Alt Name
against the Issuer, which wouldn't be right. Issuer Alternative Name isn't a
requested feature (yet?), so I'm punting on this problem.
2018-06-27 16:14:34 -07:00
Alvin Moore
65d8b38ae9
Changed generic plugin code to work as expected plugin code except for TLS use case
Defined TLS plugin name constant
Changed TLS plugin name to get_tls_plugin
Fixed link script
Removed compilation flags from info make target
2018-06-26 16:01:25 -07:00
Alvin Moore
f8ce1de601
Added support for compiling TLS into binaries
2018-06-20 09:21:23 -07:00
Richard Low
e0c72b31f4
Add UID and DC as additional subject fields for TLS peer validation
2018-06-19 13:42:18 -07:00
Evan Tschannen
b071c5d81c
fix: incorrect parsing logic
2018-06-11 15:56:22 -07:00
Evan Tschannen
69515e6b4d
set_verify_peers now splits input based on the ‘|’ character
2018-06-11 15:52:04 -07:00
A.J. Beamon
026458baf3
Merge release-5.2 into master
2018-05-23 15:32:56 -07:00
Richard Low
84ed35b01f
Only log TLS verify failures if all verification fails; log failures at SevInfo
2018-05-21 10:58:59 -07:00
Richard Low
b6abd69596
Fix server/client cert check
2018-05-21 10:53:21 -07:00
Evan Tschannen
d3450ce5b0
Merge pull request #343 from bnamasivayam/tls-plugin
Tls plugin
2018-05-09 16:35:53 -07:00
Balachandar Namasivayam
479dbf4c04
Addressed review comments.
Remove redundant FDBLibTLS/ITLSPlugin.h.
2018-05-09 16:16:09 -07:00
Balachandar Namasivayam
788e6acb32
Add FDBLibTLSVerify files to build system.
2018-05-08 16:45:57 -07:00
Balachandar Namasivayam
f71e13fa4d
TLS Plugin Changes.
2018-05-08 16:27:21 -07:00
Alvin Moore
05c1a887f2
Changed the name of the TLS artifact to fdb-libressl-plugin.so
2018-05-07 16:47:46 -07:00