[ https://issues.apache.org/jira/browse/GEODE-9135?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Bruce J Schuchardt updated GEODE-9135:
--------------------------------------
Issue Type: Bug (was: Test)
> Remove reverse DNS lookup in Connection.java for accepted connections
> ---------------------------------------------------------------------
>
> Key: GEODE-9135
> URL: https://issues.apache.org/jira/browse/GEODE-9135
> Project: Geode
> Issue Type: Bug
> Components: membership
> Reporter: Bruce J Schuchardt
> Assignee: Bruce J Schuchardt
> Priority: Major
>
> Prior to the introduction of SSLEngine use in the
> org.apache.geode.internal.tcp package we used SSLSockets. During a handshake
> we would set the SNIHostName on the client side of the connection and have it
> validate the hostname returned by the server side of the handshake.
> When we introduced SSLEngine we changed this to set the SNIHostName on both
> sides. We should revert this so that it only does it on the client side.
> The server side of the connection does not have a hostname for the client
> side of the connection in this case and it is currently doing a reverse DNS
> lookup to get the name. That's a potentially expensive operation, and even
> then we don't know whether to use the fully qualified domain name (FQDN) or a
> simple host name. This matters because endpoint verification requires that
> the name we choose be presented in the certificate of the other server. If
> we choose the FQDN and the cert only has a simple host name the handshake
> will fail.
> SSLEngine requires a host name when it's constructed but most algorithms
> don't use it. Documentation mentions Kerberos possibly needing it, so we'd
> have to have a way for the reverse lookup to be enabled or find some other
> way to get the host name, like SocketCreator.getHostName()'s reverse-lookup
> cache.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
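The asymmetry the issue asks for, as an added illustration that is not Geode's own code: only the connecting (client) side knows which host it meant to reach, so only it sets an SNIHostName and asks for endpoint identification; the accepting (server) side builds its SSLEngine without a peer host, so no reverse DNS lookup is needed and there is no FQDN-versus-short-name guess to get wrong. The host name, port and the "HTTPS" endpoint identification algorithm are assumptions for the example.

```java
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.security.NoSuchAlgorithmException;
import java.util.List;

public class SniEngineSetup {

    // Client side: the connecting peer knows the host name it dialed, so it
    // sends that name as SNI and verifies it against the server's certificate.
    // (Example code; not Geode's Connection.java.)
    public static SSLEngine clientEngine(SSLContext ctx, String serverHost, int serverPort) {
        SSLEngine engine = ctx.createSSLEngine(serverHost, serverPort);
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        List<SNIServerName> names = List.of(new SNIHostName(serverHost));
        params.setServerNames(names);
        // "HTTPS" is an assumed choice; it makes the JSSE check the host name
        // against the certificate's SAN/CN during the handshake.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    // Server side: for an accepted connection there is no reliable host name
    // for the remote peer, so no SNI and no endpoint identification are set.
    // This is what avoids the reverse DNS lookup described in the issue.
    public static SSLEngine serverEngine(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();   // no peer host/port supplied
        engine.setUseClientMode(false);
        return engine;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();
        // Assumed host name and port; replace with the real peer address.
        SSLEngine client = clientEngine(ctx, "locator.example.internal", 10334);
        SSLEngine server = serverEngine(ctx);

        System.out.println("client SNI: " + client.getSSLParameters().getServerNames());
        System.out.println("client endpoint id: "
                + client.getSSLParameters().getEndpointIdentificationAlgorithm());
        System.out.println("server SNI: " + server.getSSLParameters().getServerNames());
        System.out.println("server peer host: " + server.getPeerHost()); // null: nothing to look up
    }
}
```

Running this prints the client's SNI list and "HTTPS", and null for the server's peer host, which is the point: the accepting side never needs to resolve the client's address to a name, and the name the client presents is the one it already knows, so endpoint verification compares a name the operator chose rather than one guessed from a reverse lookup.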