Till Toenshoff created MESOS-5724:
-------------------------------------

             Summary: SSL certificate validation should allow IP only verification.
                 Key: MESOS-5724
                 URL: https://issues.apache.org/jira/browse/MESOS-5724
             Project: Mesos
          Issue Type: Bug
          Components: libprocess
    Affects Versions: 1.0.0
            Reporter: Till Toenshoff
            Priority: Blocker

Our SSL certificate validation currently assumes that the host (on connect and on accept) does have a valid hostname. This however is not true for all valid environments.

{{process::network::openssl::verify}} currently only allows the validation of a certificate against a hostname.
See https://github.com/apache/mesos/blob/master/3rdparty/libprocess/src/openssl.cpp#L546

RFC2818 however says that it should be perfectly valid to validate a certificate based on the IP address.
See https://tools.ietf.org/html/rfc2818

{noformat}
In some cases, the URI is specified as an IP address rather than a
hostname. In this case, the iPAddress subjectAltName must be present
in the certificate and must exactly match the IP in the URI.
{noformat}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
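
The RFC 2818 rule quoted in the issue, sketched as an added example (not libprocess code and not part of the original message). It assumes the peer certificate's subjectAltName entries have already been extracted; `SanEntry`, `ipOctets`, `verifyPeer` and `sampleSans` are hypothetical names, and the sample certificate data is constructed.

```cpp
// Added example, not libprocess code; all names here are hypothetical.
#include <arpa/inet.h>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// A subjectAltName entry as extracted from a peer certificate. iPAddress
// values are raw network-order octets: 4 for IPv4, 16 for IPv6.
struct SanEntry { enum Kind { DNS, IP } kind; std::string value; };

// Convert a textual address to iPAddress octets; false if not an IP literal.
bool ipOctets(const std::string& text, std::string* out) {
  unsigned char buf[16];
  if (inet_pton(AF_INET, text.c_str(), buf) == 1) {
    out->assign(reinterpret_cast<const char*>(buf), 4);
    return true;
  }
  if (inet_pton(AF_INET6, text.c_str(), buf) == 1) {
    out->assign(reinterpret_cast<const char*>(buf), 16);
    return true;
  }
  return false;
}

std::string lower(std::string s) {
  for (char& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
  return s;
}

// True when the SAN list identifies `peer` (an IP literal or a hostname).
bool verifyPeer(const std::vector<SanEntry>& sans, const std::string& peer) {
  std::string octets;
  const bool isIp = ipOctets(peer, &octets);
  for (const SanEntry& san : sans) {
    // An IP peer matches only an iPAddress SAN, octet for octet; a dNSName
    // that merely spells the address does not count.
    if (isIp && san.kind == SanEntry::IP && san.value == octets) return true;
    // Hostname peers: exact case-insensitive dNSName match (wildcards omitted).
    if (!isIp && san.kind == SanEntry::DNS && lower(san.value) == lower(peer)) return true;
  }
  return false;
}

// Constructed sample: SANs of a certificate issued to an agent at 10.0.0.5.
std::vector<SanEntry> sampleSans() {
  std::string v4, v6;
  ipOctets("10.0.0.5", &v4);
  ipOctets("fd00::5", &v6);
  return {{SanEntry::DNS, "agent1.example.test"}, {SanEntry::IP, v4}, {SanEntry::IP, v6}};
}

int main() {
  std::cout << verifyPeer(sampleSans(), "10.0.0.5") << verifyPeer(sampleSans(), "10.0.0.6") << "\n";
}
```

Comparing octets rather than strings means differently written forms of the same IPv6 address still match, while a dNSName entry containing address text is never accepted for an IP peer.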