[ 
https://issues.apache.org/jira/browse/CASSJAVA-80?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17929220#comment-17929220
 ] 

Bret McGuire commented on CASSJAVA-80:
--------------------------------------

I need to test this to confirm absolutely but I'm pretty sure that the DNS 
reverse-lookup is absolutely required to access DataStax Astra.  I'll need to 
do some follow-up testing to confirm that.

> Support configuration to disable DNS reverse-lookups for SAN validation
> -----------------------------------------------------------------------
>
>                 Key: CASSJAVA-80
>                 URL: https://issues.apache.org/jira/browse/CASSJAVA-80
>             Project: Apache Cassandra Java driver
>          Issue Type: Improvement
>          Components: Core
>            Reporter: Abe Ratnofsky
>            Assignee: Abe Ratnofsky
>            Priority: Normal
>             Fix For: 4.19.1
>
>          Time Spent: 1h
>  Remaining Estimate: 0h
>
> Currently, apache/cassandra-java-driver uses InetSocketAddress.getHostName to 
> configure the SSLEngine for server certificate verification:
> [https://github.com/apache/cassandra-java-driver/blob/90612f6758eb0f0ba964daf054f397a47a90a736/core/src/main/java/com/datastax/oss/driver/internal/core/ssl/DefaultSslEngineFactory.java#L100]
>  
> InetSocketAddress.getHostName does a DNS reverse-lookup when given a literal 
> IP. This can cause issues in very specific environments where the client's 
> environment DNS returns an IP address for a reverse-lookup that's not 
> mentioned in the server certificate's Subject Alternative Names field.
>  
> Most environments should include SANs that match user-specified server 
> addresses, so we shouldn't require a DNS reverse-lookup to find an address 
> with a matching SAN, so this configuration should typically be false, but 
> since we currently do a reverse-lookup and don't want to break any existing 
> users, we'll default it to true.
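
The difference the issue description relies on, as an added Java example that is not the driver's own code: `getHostName()` may trigger a reverse lookup for an IP literal, while `getHostString()` never does, and whichever string is handed to the `SSLEngine` is what JSSE compares against the certificate's SANs. The `allowReverseLookup` flag, the class and method names, the sample address and port 9042 are assumptions made for illustration.

```java
import java.net.InetAddress;
import java.net.InetSocketAddress;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class PeerHostForSanCheck {

  // Hypothetical switch standing in for the configuration the issue proposes.
  static String peerHost(InetSocketAddress address, boolean allowReverseLookup) {
    // getHostName() may issue a reverse (PTR) query when the address was built from an
    // IP literal; getHostString() returns the literal or the original hostname as given.
    return allowReverseLookup ? address.getHostName() : address.getHostString();
  }

  static SSLEngine newEngine(
      SSLContext context, InetSocketAddress address, boolean allowReverseLookup) {
    SSLEngine engine =
        context.createSSLEngine(peerHost(address, allowReverseLookup), address.getPort());
    engine.setUseClientMode(true);
    SSLParameters parameters = engine.getSSLParameters();
    // With "HTTPS" endpoint identification JSSE checks the peer host against the
    // certificate: an IP literal is matched against iPAddress SANs, a name against
    // dNSName SANs. A name obtained from client-side DNS is therefore only as
    // trustworthy as that DNS answer.
    parameters.setEndpointIdentificationAlgorithm("HTTPS");
    engine.setSSLParameters(parameters);
    return engine;
  }

  public static void main(String[] args) throws Exception {
    // Constructed sample: an IP literal from the documentation range (192.0.2.0/24).
    InetSocketAddress contactPoint =
        new InetSocketAddress(
            InetAddress.getByAddress(new byte[] {(byte) 192, 0, 2, 10}), 9042);

    // No DNS traffic: the engine is told to expect the literal the user configured.
    SSLEngine engine = newEngine(SSLContext.getDefault(), contactPoint, false);
    System.out.println("peer host used for SAN matching: " + engine.getPeerHost());
  }
}
```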


