Reason is explained in the Javadocs: "We want host verification, but depending on the httpclient jar caused unexplained performance regressions (even when the code was not used)."

Andor

> On 2021. Jan 14., at 14:53, Damien Diederen <ddiede...@apache.org> wrote:
>
>
> Hi Sampo,
>
>> The code for the ZKHostnameVerifier is copied from Apache HttpClient
>> and the bug has been fixed there in this issue
>> https://issues.apache.org/jira/browse/HTTPCLIENT-1906
>> (commit
>> https://github.com/apache/httpcomponents-client/commit/56cc24525e5ba2a5ef8fa0de2385687e83589a71
>> )
>
> I believe that issue has been fixed by ZOOKEEPER-3832,
> "ZKHostnameVerifier rejects valid certificates with subjectAltNames":
>
> https://issues.apache.org/jira/browse/ZOOKEEPER-3832
>
> The fix should be in 3.5.9 (soon), 3.6.2 (released) and 3.7.0 (soon).
>
>> It would be better not to need the copy pasting as there are several
>> other commits to that HostNameVerifier that have not been applied to
>> the ZKHostNameVerifier so there may exist other conditions too where
>> ZKHostNameVerifier does not work as expected.
>
> I agree in general, but haven't investigated the full history of this,
> but am sure it was done on purpose. In the meantime, are there other
> specific commits you think we should consider?
>
>> Also, the Java Doc says that the code is copied from the HttpClient
>> but does not canonically reference the class which it came from.
>
> Improving that (and providing an easier way to sync with upstream) would
> definitely be a good idea. Would you mind opening a ticket? (And if
> you have a solution in mind, a "pull request" would also be welcome!)
>
> Cheers, -D
>
>
>
>
> Sampo Saarela <sampo.saar...@relex.fi> writes:
>> Hello,
>>
>> The code for the ZKHostnameVerifier is copied from Apache HttpClient
>> and the bug has been fixed there in this issue
>> https://issues.apache.org/jira/browse/HTTPCLIENT-1906
>> (commit
>> https://github.com/apache/httpcomponents-client/commit/56cc24525e5ba2a5ef8fa0de2385687e83589a71
>> )
>>
>> Missing the above fix will cause a valid certificate to be rejected in
>> case the certificate contains other alternative subject names than DNS
>> or IP, for example OID 1.3.6.1.5.2.2 - KRB5PrincipalName and/or OID
>> 1.3.6.1.4.1.311.20.2.3 - User Principal Name (UPN).
>>
>> It would be better not to need the copy pasting as there are several
>> other commits to that HostNameVerifier that have not been applied to
>> the ZKHostNameVerifier so there may exist other conditions too where
>> ZKHostNameVerifier does not work as expected.
>>
>> Also, the Java Doc says that the code is copied from the HttpClient
>> but does not canonically reference the class which it came from.
>>
>> Brgs,
>> Sampo Saarela
>> Software developer
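The failure mode Sampo describes, as an added example that is neither ZooKeeper's nor HttpClient's code: the standard `X509Certificate.getSubjectAlternativeNames()` returns each SAN entry as a two-element list, `[Integer generalNameTag, value]`, where the value is a `String` for dNSName (tag 2) and iPAddress (tag 7) but a DER `byte[]` for otherName (tag 0), which is how KRB5PrincipalName and UPN entries arrive. A verifier that casts every value to `String` throws `ClassCastException` on the first otherName entry and the handshake fails; one that filters on the tag first is unaffected. The example works on a constructed SAN collection of that shape (no real certificate, no network); the class and method names and the placeholder DER bytes are illustrative assumptions, and the exact pre-fix code in either project is not reproduced here.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Locale;

/*
 * Added example, not ZooKeeper or HttpClient code. Operates on the
 * Collection<List<?>> layout documented for
 * X509Certificate.getSubjectAlternativeNames(): [Integer tag, value].
 */
public class SanFilterExample {
    static final int OTHER_NAME = 0; // value is a DER byte[] (e.g. KRB5PrincipalName, UPN)
    static final int DNS = 2;        // value is a String
    static final int IP = 7;         // value is a String (dotted/colon notation)

    /** Constructed sample SAN list; the otherName DER bytes are a placeholder, not a real name. */
    static Collection<List<?>> sampleSans() {
        List<List<?>> sans = new ArrayList<>();
        sans.add(Arrays.asList(DNS, "zk1.example.com"));
        sans.add(Arrays.asList(OTHER_NAME, new byte[] {0x30, 0x00})); // placeholder DER
        sans.add(Arrays.asList(IP, "10.0.0.5"));
        sans.add(Arrays.asList(DNS, "*.example.com"));
        return sans;
    }

    /** Failure-mode shape: casts every SAN value to String, so an otherName entry throws. */
    static List<String> namesBlindCast(Collection<List<?>> sans) {
        List<String> out = new ArrayList<>();
        for (List<?> entry : sans) {
            out.add((String) entry.get(1)); // ClassCastException on byte[] values
        }
        return out;
    }

    /** Fixed shape: select by tag first, and only accept String-valued entries of that tag. */
    static List<String> namesOfType(Collection<List<?>> sans, int wantedTag) {
        List<String> out = new ArrayList<>();
        for (List<?> entry : sans) {
            if (entry.size() < 2) {
                continue;
            }
            int tag = (Integer) entry.get(0);
            Object value = entry.get(1);
            if (tag == wantedTag && value instanceof String) {
                out.add((String) value);
            }
            // otherName, x400Address, ediPartyName etc. are simply skipped
        }
        return out;
    }

    /** Minimal dNSName match: exact, or a single left-most "*." wildcard label. */
    static boolean matchesDns(String host, List<String> dnsNames) {
        String h = host.toLowerCase(Locale.ROOT);
        for (String name : dnsNames) {
            String n = name.toLowerCase(Locale.ROOT);
            if (n.equals(h)) {
                return true;
            }
            if (n.startsWith("*.")) {
                String suffix = n.substring(1);      // ".example.com"
                int firstDot = h.indexOf('.');
                if (firstDot > 0 && h.substring(firstDot).equals(suffix)) {
                    return true;                     // one label only, per RFC 6125 style
                }
            }
        }
        return false;
    }

    public static void main(String[] args) {
        Collection<List<?>> sans = sampleSans();
        try {
            namesBlindCast(sans);
            System.out.println("blind cast accepted the SAN list (unexpected)");
        } catch (ClassCastException e) {
            System.out.println("blind cast aborts on the otherName entry: " + e.getMessage());
        }
        List<String> dns = namesOfType(sans, DNS);
        List<String> ips = namesOfType(sans, IP);
        System.out.println("filtered dNSName entries: " + dns);
        System.out.println("filtered iPAddress entries: " + ips);
        System.out.println("zk1.example.com matches: " + matchesDns("zk1.example.com", dns));
        System.out.println("zk2.example.com matches: " + matchesDns("zk2.example.com", dns));
        System.out.println("a.b.example.com matches: " + matchesDns("a.b.example.com", dns));
    }
}
```

The practical check for an operator on an affected ZooKeeper release is the same as the example's first branch: a quorum or client certificate carrying a KRB5PrincipalName or UPN otherName will fail verification even though its dNSName entries are correct, and the cure is either the upgrade Damien lists or reissuing certificates without the extra otherName entries.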