[ https://issues.apache.org/jira/browse/MESOS-9790?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16855123#comment-16855123 ]
Benno Evers commented on MESOS-9790: ------------------------------------ Since `X509_check_host()` is disencouraged by the OpenSSL documentation, this will be implemented by MESOS-9809 instead. > Libprocess does not use standard tooling for hostname validation. > ------------------------------------------------------------------ > > Key: MESOS-9790 > URL: https://issues.apache.org/jira/browse/MESOS-9790 > Project: Mesos > Issue Type: Improvement > Components: libprocess > Reporter: Alexander Rukletsov > Priority: Major > Labels: foundations, mesosphere, security, ssl, tls > > Libprocess currently uses [custom > code|https://github.com/apache/mesos/blob/eecb82c77117998af0c67a53c64e9b1e975acfa4/3rdparty/libprocess/src/openssl.cpp#L755-L863] > for hostname validation in its SSL certificate verification workflow. > However openssl provides a function for this, [{{X509_check_host()}} > |https://www.openssl.org/docs/manmaster/man3/X509_check_host.html]. > For safety and reliability, we should enable an option to use > {{X509_check_host()}} for hostname validation instead of our custom code, but > preserve the custom code for backward compatibility. -- This message was sent by Atlassian JIRA (v7.6.3#76005)