Jens-G opened a new pull request, #3396: URL: https://github.com/apache/thrift/pull/3396
## Summary

- Sets `EndpointIdentificationAlgorithm` to `HTTPS` on the `SSLEngine` parameters in the `TNonblockingSSLSocket` constructor, so the server certificate CN/SAN is validated against the target hostname during the TLS handshake.
- Follow-up to #3390, which added the same behavior to the sync client in `TSSLTransportFactory.createClient()`.

Before this change, the async SSL client path (via `SSLEngine`) did not set the endpoint identification algorithm, leaving the two client paths inconsistent. This was pointed out in [#3390 (comment)](https://github.com/apache/thrift/pull/3390#issuecomment-4233338180).

Client: java

## Test plan

- [ ] Existing Java SSL/nonblocking tests pass
- [ ] Manual smoke test: async SSL client connects to a server whose certificate matches the target hostname
- [ ] Manual smoke test: async SSL client rejects a server whose certificate CN/SAN does not match the target hostname

Co-Authored-By: Claude Opus 4.6 <[email protected]>

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
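The setting described in the summary, shown on a plain JSSE `SSLEngine` as an added example (not code from the pull request or from Thrift). The class `EndpointIdDemo`, the helpers `clientEngine` and `checksHostname`, and the host `thrift.example.test` are hypothetical names chosen for illustration; the second helper is the kind of check a test can use to keep sync and async client paths consistent.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class EndpointIdDemo {

    // Hypothetical helper (not Thrift's API): builds a client-mode SSLEngine.
    // The host passed to createSSLEngine is the name the server certificate
    // is compared against once endpoint identification is enabled.
    static SSLEngine clientEngine(SSLContext ctx, String host, int port,
                                  boolean verifyHostname) {
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        if (verifyHostname) {
            // getSSLParameters() returns a copy, so it must be written back.
            SSLParameters params = engine.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            engine.setSSLParameters(params);
        }
        return engine;
    }

    // True when the engine will match the certificate's SAN/CN against the
    // peer host during the handshake, in addition to validating the chain.
    static boolean checksHostname(SSLEngine engine) {
        String alg = engine.getSSLParameters().getEndpointIdentificationAlgorithm();
        return alg != null && !alg.isEmpty();
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        String host = "thrift.example.test"; // constructed sample value
        int port = 9090;                     // constructed sample value

        // Engine left at JSSE defaults: chain validation only.
        SSLEngine chainOnly = clientEngine(ctx, host, port, false);
        // Engine configured with the "HTTPS" identification algorithm.
        SSLEngine withHostCheck = clientEngine(ctx, host, port, true);

        System.out.println("default engine checks hostname:    "
                + checksHostname(chainOnly));
        System.out.println("configured engine checks hostname: "
                + checksHostname(withHostCheck));
        System.out.println("peer host used for the comparison: "
                + withHostCheck.getPeerHost());
    }
}
```

No network connection is made; the program only inspects the engine configuration, so it runs offline on any JDK with a default `SSLContext`.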
