[
https://issues.apache.org/jira/browse/MESOS-5724?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15351722#comment-15351722
]
Till Toenshoff commented on MESOS-5724:
---------------------------------------
It is currently not entirely clear to me if adding an IP validation to
{{verify}} would not possibly add a new intrusion vector - there may be a
reason on why e.g. Python and some browsers do not fully support that RFC.
See [The Python Standard Library :: 18. Interprocess Communication and
Networking :: 18.2.1.4. Certificate
handling|https://docs.python.org/3.4/library/ssl.html#ssl.match_hostname]
So maybe it is a good idea to make such functionality optionally available by
an additional flag - e.g. {{LIBPROCESS_SSL_IP_VERIFY}}.
> SSL certificate validation should allow IP only verification.
> -------------------------------------------------------------
>
> Key: MESOS-5724
> URL: https://issues.apache.org/jira/browse/MESOS-5724
> Project: Mesos
> Issue Type: Bug
> Components: libprocess
> Affects Versions: 1.0.0
> Reporter: Till Toenshoff
> Priority: Blocker
> Labels: libprocess, mesosphere, security, ssl
>
> Our SSL certificate validation currently assumes that the host (on connect
> and on accept) does have a valid hostname. This however is not true for all
> environments.
> {{process::network::openssl::verify}} currently only allows the validation of
> a certificate against a hostname.
> See
> https://github.com/apache/mesos/blob/08866edd8a71d12f87f4f4dbefa292729efbf6ae/3rdparty/libprocess/src/openssl.cpp#L546
> RFC2818 however says that it should be perfectly valid to validate a
> certificate based on the IP address.
> See https://tools.ietf.org/html/rfc2818
> {noformat}
> In some cases, the URI is specified as an IP address rather than a
> hostname. In this case, the iPAddress subjectAltName must be present
> in the certificate and must exactly match the IP in the URI.
> {noformat}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
