[ https://issues.apache.org/jira/browse/MESOS-5724?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Till Toenshoff reassigned MESOS-5724: ------------------------------------- Assignee: Till Toenshoff > SSL certificate validation should allow IP only verification. > ------------------------------------------------------------- > > Key: MESOS-5724 > URL: https://issues.apache.org/jira/browse/MESOS-5724 > Project: Mesos > Issue Type: Bug > Components: libprocess > Affects Versions: 0.23.0, 0.23.1, 0.24.0, 0.24.1, 0.24.2, 0.25.0, 0.25.1, > 0.26.0, 0.26.1, 0.27.0, 0.27.1, 0.27.2, 0.27.3, 0.28.0, 0.28.1, 0.28.2, 1.0.0 > Reporter: Till Toenshoff > Assignee: Till Toenshoff > Priority: Blocker > Labels: libprocess, mesosphere, security, ssl > Fix For: 1.0.0 > > > Our SSL certificate validation currently assumes that the host (on connect > and on accept) does have a valid hostname. This however is not true for all > environments. > {{process::network::openssl::verify}} currently only allows the validation of > a certificate against a hostname. > See > https://github.com/apache/mesos/blob/08866edd8a71d12f87f4f4dbefa292729efbf6ae/3rdparty/libprocess/src/openssl.cpp#L546 > RFC2818 however says that it should be perfectly valid to validate a > certificate based on the IP address. > See https://tools.ietf.org/html/rfc2818 > {noformat} > In some cases, the URI is specified as an IP address rather than a > hostname. In this case, the iPAddress subjectAltName must be present > in the certificate and must exactly match the IP in the URI. > {noformat} -- This message was sent by Atlassian JIRA (v6.3.4#6332)