[ https://issues.apache.org/jira/browse/MESOS-9811?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Benno Evers reassigned MESOS-9811:
----------------------------------

        Resolution: Fixed
          Assignee: Benno Evers
    Fix Version/s: 1.9.0

{noformat}
commit 0a081e01a3f4af8141a8085ed2f97ee85ea48fe1
Author: Benno Evers <bev...@mesosphere.com>
Date:   Wed Jun 19 15:49:11 2019 +0200

    Introduced RFC6125-compliant hostname validation scheme.

    This commit introduces a new libprocess SSL flag
    `hostname_validation_scheme`, which can be set to 'legacy' to select
    the previous hostname validation behaviour or to 'openssl' to use
    standardized OpenSSL algorithms to handle hostname validation as part
    of the TLS handshake.

    As a nice side-effect, the new scheme gets rid of reverse DNS lookups
    during TLS connection establishment, which used to be a common source
    of hard-to-debug unresponsiveness in Mesos components.

    See `docs/ssl.md` in the follow-up commit for details of and
    differences between the schemes.

    Review: https://reviews.apache.org/r/70749
{noformat}

> Don't use reverse DNS for hostname validation
> ---------------------------------------------
>
>                 Key: MESOS-9811
>                 URL: https://issues.apache.org/jira/browse/MESOS-9811
>             Project: Mesos
>          Issue Type: Bug
>            Reporter: Benno Evers
>            Assignee: Benno Evers
>            Priority: Major
>              Labels: foundations, libprocess, ssl
>             Fix For: 1.9.0
>
>
> Upon connection we first resolve the hostname and forget about it
> https://github.com/apache/mesos/blob/master/3rdparty/libprocess/src/http.cpp#L1462-L1504
> then later use reverse DNS on the remote address to get back a hostname
> https://github.com/apache/mesos/blob/4708c2a368e12a89669135f47777d0dd05d9b0b2/3rdparty/libprocess/src/posix/libevent/libevent_ssl_socket.cpp#L548-L556
> and verify the server certificate against *that*.
> Instead, we should verify the server certificate against the hostname that
> was used by the client to initiate the connection.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
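The difference between the 'legacy' and 'openssl' schemes named in the commit message, as an added example in Python that is not Mesos or libprocess code: the dNSName matcher is a simplified model of the RFC 6125 rules OpenSSL applies, and the certificate names, peer addresses and reverse-DNS table are constructed for illustration.

```python
"""Constructed illustration of why verifying a server certificate against a
reverse-DNS name differs from verifying it against the requested hostname."""


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate dNSName against a hostname (RFC 6125 6.4.3 style).
    Case-insensitive; a wildcard is accepted only as the whole left-most label,
    it covers exactly one label, and at least two labels must follow it."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False  # rejects "ag*.example", "*.*.example" and "*.example"
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches(san_dns_names, hostname) -> bool:
    return any(dns_name_matches(p, hostname) for p in san_dns_names)


def hostname_to_check(scheme, requested_host, peer_ip, reverse_dns):
    """Select the name the server certificate is checked against.
    'legacy' : reverse-resolve the peer address (a dict here; a blocking PTR
               lookup in the real legacy path) and use whatever comes back.
    'openssl': use the hostname the client connected to; no lookup at all."""
    if scheme == "openssl":
        return requested_host
    if scheme == "legacy":
        return reverse_dns.get(peer_ip)  # None when the address has no PTR
    raise ValueError(f"unknown hostname_validation_scheme: {scheme}")


def verify(scheme, requested_host, peer_ip, san_dns_names, reverse_dns):
    name = hostname_to_check(scheme, requested_host, peer_ip, reverse_dns)
    return name is not None and cert_matches(san_dns_names, name)


# Constructed scenario: the client connects to agent1.mesos.example and the
# agent's certificate covers *.mesos.example, but the PTR record for the
# peer address points at an internal name the certificate does not cover.
SAN = ["*.mesos.example"]
REVERSE_DNS = {"10.0.0.7": "node-7.internal.example", "10.0.0.8": None}

if __name__ == "__main__":
    for scheme in ("legacy", "openssl"):
        ok = verify(scheme, "agent1.mesos.example", "10.0.0.7", SAN, REVERSE_DNS)
        print(f"{scheme:8s} -> certificate accepted: {ok}")
```

With the same valid certificate, the legacy scheme rejects the connection (or hangs on the lookup) whenever the PTR record is missing or names a host the certificate does not list, while the openssl scheme checks exactly the name the client asked for.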