[ 
https://issues.apache.org/jira/browse/CASSJAVA-80?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17929918#comment-17929918
 ] 

Bret McGuire commented on CASSJAVA-80:
--------------------------------------

This came up in Slack and in a recent video call, but the context is important 
enough that it really should be documented here.


There are really three options to consider when considering SSLEngine creation of SNI:

 # Provide a fallback hint, attempt to resolve the host/IP string in that hint via DNS
 # Provide a fallback hint, do not attempt to resolve the host/IP string in that hint via DNS
 # Provide no fallback hint: only the IP address specified in the SNI extension of the cert will be allowed


The original impl supported option (1) above.  The change proposed by 
[~aratnofsky] here is to enable option (2) via a config change.  This 
represents an extension of the current behaviour without providing access to 
all possible options, but there's no problem with that; there's no need to 
implement every available option here.
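Worked illustration of options (1) and (2) in plain JSSE terms, added here as an example and not code from the driver's DefaultSslEngineFactory: `InetSocketAddress.getHostName()` may perform a reverse DNS lookup on a literal IP, whereas `getHostString()` returns the string as supplied. The class name and the `allowDnsReverseLookup` flag are assumptions standing in for the configuration proposed in this ticket.

```java
import java.net.InetSocketAddress;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

// Added example (not the driver's code). Shows which peer host ends up in JSSE
// hostname verification under option (1) (reverse lookup) and option (2) (no lookup).
public final class SniPeerHostExample {

    // Hypothetical flag standing in for the configuration proposed in CASSJAVA-80.
    static String peerHost(InetSocketAddress addr, boolean allowDnsReverseLookup) {
        // getHostName(): for a resolved literal-IP address this does a reverse DNS
        // lookup and returns whatever name the local resolver hands back, so the
        // value matched against the certificate depends on the client's DNS.
        // getHostString(): returns the host exactly as supplied, never touching DNS.
        return allowDnsReverseLookup ? addr.getHostName() : addr.getHostString();
    }

    static SSLEngine newClientEngine(SSLContext ctx, InetSocketAddress addr,
                                     boolean allowDnsReverseLookup) {
        String host = peerHost(addr, allowDnsReverseLookup);
        // The peer host given here is what JSSE matches against the certificate's
        // SubjectAlternativeName entries once endpoint identification is enabled;
        // a literal IP is matched against IP-address SANs, a name against DNS SANs.
        SSLEngine engine = ctx.createSSLEngine(host, addr.getPort());
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS"); // enable SAN/CN checking
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a contact point given as a literal IP (loopback here).
        InetSocketAddress contactPoint = new InetSocketAddress("127.0.0.1", 9042);
        // Option (1): may print a PTR name for 127.0.0.1 rather than the literal.
        System.out.println("option (1), reverse lookup allowed : "
                + peerHost(contactPoint, true));
        // Option (2): prints the literal exactly as configured, no DNS involved.
        System.out.println("option (2), reverse lookup disabled: "
                + peerHost(contactPoint, false));
        SSLEngine engine = newClientEngine(SSLContext.getDefault(), contactPoint, false);
        System.out.println("engine peer host used for SAN matching: " + engine.getPeerHost());
    }
}
```

Run it once on a host whose resolver has a PTR record for the address and once without one to see option (1) change while option (2) stays fixed.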

> Support configuration to disable DNS reverse-lookups for SAN validation
> -----------------------------------------------------------------------
>
>                 Key: CASSJAVA-80
>                 URL: https://issues.apache.org/jira/browse/CASSJAVA-80
>             Project: Apache Cassandra Java driver
>          Issue Type: Improvement
>          Components: Core
>            Reporter: Abe Ratnofsky
>            Assignee: Abe Ratnofsky
>            Priority: Normal
>             Fix For: 4.19.1
>
>          Time Spent: 1h
>  Remaining Estimate: 0h
>
> Currently, apache/cassandra-java-driver uses InetSocketAddress.getHostName to 
> configure the SSLEngine for server certificate verification:
> [https://github.com/apache/cassandra-java-driver/blob/90612f6758eb0f0ba964daf054f397a47a90a736/core/src/main/java/com/datastax/oss/driver/internal/core/ssl/DefaultSslEngineFactory.java#L100]
>  
> InetSocketAddress.getHostName does a DNS reverse-lookup when given a literal 
> IP. This can cause issues in very specific environments where the client's 
> environment DNS returns an IP address for a reverse-lookup that's not 
> mentioned in the server certificate's Subject Alternative Names field.
>  
> Most environments should include SANs that match user-specified server 
> addresses, so we shouldn't require a DNS reverse-lookup to find an address 
> with a matching SAN, so this configuration should typically be false, but 
> since we currently do a reverse-lookup and don't want to break any existing 
> users, we'll default it to true.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
