Till Toenshoff created MESOS-5724:
-------------------------------------
Summary: SSL certificate validation should allow IP only verification.
Key: MESOS-5724
URL: https://issues.apache.org/jira/browse/MESOS-5724
Project: Mesos
Issue Type: Bug
Components: libprocess
Affects Versions: 1.0.0
Reporter: Till Toenshoff
Priority: Blocker

Our SSL certificate validation currently assumes that the host (on connect and
on accept) does have a valid hostname. This however is not true for all valid
environments.

{{process::network::openssl::verify}} currently only allows the validation of a
certificate against a hostname.

See
https://github.com/apache/mesos/blob/master/3rdparty/libprocess/src/openssl.cpp#L546

RFC2818 however says that it should be perfectly valid to validate a
certificate based on the IP address.

See https://tools.ietf.org/html/rfc2818
{noformat}
In some cases, the URI is specified as an IP address rather than a
hostname. In this case, the iPAddress subjectAltName must be present
in the certificate and must exactly match the IP in the URI.
{noformat}
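
The RFC 2818 rule quoted in the issue above, as an added C++ example that is not libprocess code and not part of the original report. The `San` struct, `ipOctets`, `verifyPeer` and `sampleSans` are hypothetical names, the certificate contents are constructed sample data, and a real implementation would read the entries from the peer certificate instead.

```cpp
#include <arpa/inet.h>
#include <strings.h>
#include <string>
#include <vector>

// Hypothetical model of a parsed subjectAltName entry (not a libprocess type).
// For IP entries `value` holds the raw octets (4 for IPv4, 16 for IPv6), which
// is how the iPAddress field is encoded inside a certificate.
enum class SanType { DNS, IP };
struct San { SanType type; std::string value; };

// Converts a textual IP to raw octets; returns "" if `s` is not an IP literal.
std::string ipOctets(const std::string& s) {
  unsigned char buf[16];
  if (inet_pton(AF_INET, s.c_str(), buf) == 1)
    return std::string(reinterpret_cast<const char*>(buf), 4);
  if (inet_pton(AF_INET6, s.c_str(), buf) == 1)
    return std::string(reinterpret_cast<const char*>(buf), 16);
  return "";
}

// If the peer is identified by an IP address, only an iPAddress SAN with
// exactly the same octets is accepted; a dNSName that merely spells an IP
// does not count. Otherwise the peer is treated as a hostname.
bool verifyPeer(const std::vector<San>& sans, const std::string& peer) {
  const std::string octets = ipOctets(peer);
  for (const San& san : sans) {
    if (!octets.empty()) {
      if (san.type == SanType::IP && san.value == octets) return true;
    } else if (san.type == SanType::DNS &&
               strcasecmp(san.value.c_str(), peer.c_str()) == 0) {
      return true;  // Case-insensitive match; wildcards are omitted here.
    }
  }
  return false;
}

// Constructed sample certificate: two iPAddress entries, one dNSName that
// looks like an IP address, and one ordinary dNSName.
std::vector<San> sampleSans() {
  return {{SanType::IP, ipOctets("10.0.0.5")},
          {SanType::IP, ipOctets("::1")},
          {SanType::DNS, "10.0.0.9"},
          {SanType::DNS, "agent.example.test"}};
}

int main() { return verifyPeer(sampleSans(), "10.0.0.5") ? 0 : 1; }
```

Comparing octets rather than text means an IPv6 peer written as `0:0:0:0:0:0:0:1` still matches an iPAddress entry for `::1`.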