[ https://issues.apache.org/jira/browse/MESOS-9339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16905433#comment-16905433 ]

Benno Evers edited comment on MESOS-9339 at 8/12/19 5:54 PM:
-------------------------------------------------------------

This is partially resolved in Mesos 1.9 by https://reviews.apache.org/r/70749/, 
which eliminates rDNS lookups for incoming TLS connections when setting 
`LIBPROCESS_SSL_HOSTNAME_VALIDATION_SCHEME=openssl`.

We can probably close this once we change the default for that setting from 
`legacy` to `openssl`.


was (Author: bennoe):
This is partially resolved in Mesos 1.9 by https://reviews.apache.org/r/70749/, 
which eliminates rDNS lookups for incoming TLS connections when setting 
`LIBPROCESS_SSL_HOSTNAME_VALIDATION_SCHEME=openssl`.

We can probably close this once we change the default for that ticket from 
`legacy` to `openssl`.

> SSL (TLS) peer reverse DNS lookup can block the event loop thread.
> ------------------------------------------------------------------
>
>                 Key: MESOS-9339
>                 URL: https://issues.apache.org/jira/browse/MESOS-9339
>             Project: Mesos
>          Issue Type: Bug
>          Components: libprocess
>            Reporter: Benjamin Mahler
>            Priority: Major
>              Labels: foundations
>
> We currently look up the peer hostname in order to perform certificate 
> verification while accepting SSL (TLS) connections. This blocks the event 
> loop thread in cases where it has to go over the network. We saw one issue 
> where a misconfiguration meant that this would block for 15 seconds.
> Once we add asynchronous DNS lookup facilities (MESOS-9338), we can use them 
> to avoid blocking the event loop thread.
> We should consider logging slow DNS reverse lookups and adding timing metrics 
> for them.
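
The failure mode in the issue description, modelled as an added example in Python asyncio (not Mesos or libprocess code): a reverse lookup called directly on the event loop thread starves other work, while the same lookup run on a worker thread does not, and its duration is recorded so slow lookups can be logged. The slow resolver, the 0.05 s threshold, the peer address and all function names are constructed for illustration.

```python
import asyncio
import socket
import time

SLOW_LOOKUP_SECONDS = 0.05  # assumed threshold for reporting a slow lookup

def blocking_rdns(ip):
    """Real reverse lookup; pass as `resolver` to time an actual resolver."""
    return socket.gethostbyaddr(ip)[0]

def constructed_slow_rdns(ip):
    """Constructed stand-in for a misconfigured resolver (offline, deterministic)."""
    time.sleep(0.2)
    return "peer.example.test"

async def timed_rdns(ip, resolver, slow_log):
    """Run the lookup on a worker thread and record it if it was slow."""
    loop = asyncio.get_running_loop()
    start = time.monotonic()
    name = await loop.run_in_executor(None, resolver, ip)
    elapsed = time.monotonic() - start
    if elapsed >= SLOW_LOOKUP_SECONDS:
        slow_log.append((ip, name, elapsed))  # timing metric / slow-lookup log entry
    return name

async def heartbeat(ticks, stop):
    """Stands in for other event-loop work; records each time it gets to run."""
    while not stop.is_set():
        ticks.append(time.monotonic())
        await asyncio.sleep(0.01)

async def accept_peer(ip, resolver, offload):
    """Resolve the peer name during 'accept', either on or off the loop thread."""
    ticks, slow_log, stop = [], [], asyncio.Event()
    hb = asyncio.create_task(heartbeat(ticks, stop))
    await asyncio.sleep(0)  # let the heartbeat run once before the lookup
    if offload:
        name = await timed_rdns(ip, resolver, slow_log)
    else:
        name = resolver(ip)  # blocks the event loop thread for the whole lookup
    stop.set()
    await hb
    return name, len(ticks), slow_log

def run(offload):
    # 192.0.2.10 is a documentation address used as a constructed peer IP.
    return asyncio.run(accept_peer("192.0.2.10", constructed_slow_rdns, offload))

if __name__ == "__main__":
    print("on loop thread:", run(False)[1], "heartbeat ticks")
    print("offloaded:     ", run(True)[1], "heartbeat ticks")
```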


