Ravi Bhardwaj created ZOOKEEPER-3860:
----------------------------------------
Summary: Avoid DNS reverse lookup for hostname verification when hostnames are provided in the connection url
Key: ZOOKEEPER-3860
URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3860
Project: ZooKeeper
Issue Type: Improvement
Components: security
Affects Versions: 3.5.7
Reporter: Ravi Bhardwaj
In the current implementation of ZKTrustManager [1], ZooKeeper tries to verify
the hostname using the IP first and then performs a reverse DNS lookup.
This could be a problem when the IP address cannot be resolved to the hostname
added in the DN/SAN.
The functionality can be improved by matching the hostname provided in the
connection url against the DN/SAN. If that cannot be matched, try to match the IP
address. If that fails, then perform a reverse DNS lookup.
An alternative approach could be to match only the hostname against the DN/SAN when
a hostname is provided in the connection url.
If an IP address is provided, then check the IP address first. If that fails,
perform a reverse DNS lookup and match the hostname returned against the DN/SAN.
[1] https://zookeeper.apache.org/doc/r3.5.7/apidocs/zookeeper-server/org/apache/zookeeper/common/ZKTrustManager.html
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
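As an added illustration of the verification order proposed in the issue (example code, not ZooKeeper's own ZKTrustManager), a hypothetical Java method that checks the hostname from the connection string against the dNSName SANs first, then the peer IP against the iPAddress SANs, and only then falls back to a reverse lookup; the class and method names are assumptions, and an exact case-insensitive SAN comparison stands in for full wildcard matching.

```java
import java.net.InetAddress;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;

/** Hypothetical verifier showing the check order proposed in ZOOKEEPER-3860 (not project code). */
public final class ConnectionHostVerifier {

    // GeneralName tags as returned by X509Certificate.getSubjectAlternativeNames()
    private static final int SAN_DNS_NAME = 2;
    private static final int SAN_IP_ADDRESS = 7;

    /** connectHost is the host exactly as written in the connection string; peerAddress is the socket peer. */
    public static boolean verify(String connectHost, InetAddress peerAddress, X509Certificate cert)
            throws CertificateParsingException {
        // A literal IP in the connection string carries no name to check (simplified literal test).
        boolean hostIsLiteralIp = connectHost.equals(peerAddress.getHostAddress());
        // 1. The name the client asked for is the strongest evidence: match it first.
        if (!hostIsLiteralIp && sanMatches(cert, SAN_DNS_NAME, connectHost)) {
            return true;
        }
        // 2. Otherwise, or if the name did not match, try the peer IP against iPAddress SANs.
        if (sanMatches(cert, SAN_IP_ADDRESS, peerAddress.getHostAddress())) {
            return true;
        }
        // 3. Last resort: reverse-DNS the peer IP. This is the step the issue wants to avoid when a
        //    hostname was supplied, since it depends on the PTR record rather than on the client's intent.
        String reverseName = peerAddress.getCanonicalHostName();
        return !reverseName.equals(peerAddress.getHostAddress())
                && sanMatches(cert, SAN_DNS_NAME, reverseName);
    }

    // Exact, case-insensitive SAN comparison; wildcard names are deliberately not handled here.
    private static boolean sanMatches(X509Certificate cert, int type, String expected)
            throws CertificateParsingException {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) {
            return false;
        }
        for (List<?> san : sans) {
            if (((Integer) san.get(0)) == type && san.get(1) instanceof String
                    && ((String) san.get(1)).equalsIgnoreCase(expected)) {
                return true;
            }
        }
        return false;
    }
}
```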