[
https://issues.apache.org/jira/browse/MESOS-9790?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16855123#comment-16855123
]
Benno Evers commented on MESOS-9790:
------------------------------------
Since `X509_check_host()` is disencouraged by the OpenSSL documentation, this
will be implemented by MESOS-9809 instead.
> Libprocess does not use standard tooling for hostname validation.
> ------------------------------------------------------------------
>
> Key: MESOS-9790
> URL: https://issues.apache.org/jira/browse/MESOS-9790
> Project: Mesos
> Issue Type: Improvement
> Components: libprocess
> Reporter: Alexander Rukletsov
> Priority: Major
> Labels: foundations, mesosphere, security, ssl, tls
>
> Libprocess currently uses [custom
> code|https://github.com/apache/mesos/blob/eecb82c77117998af0c67a53c64e9b1e975acfa4/3rdparty/libprocess/src/openssl.cpp#L755-L863]
> for hostname validation in its SSL certificate verification workflow.
> However openssl provides a function for this, [{{X509_check_host()}}
> |https://www.openssl.org/docs/manmaster/man3/X509_check_host.html].
> For safety and reliability, we should enable an option to use
> {{X509_check_host()}} for hostname validation instead of our custom code, but
> preserve the custom code for backward compatibility.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
