You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@pulsar.apache.org by li...@apache.org on 2022/03/03 07:34:29 UTC
[pulsar] branch master updated: [Doc] Update the support of hostname verification in different clients (#14451)
This is an automated email from the ASF dual-hosted git repository.
liuyu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar.git
The following commit(s) were added to refs/heads/master by this push:
new 1a5c5db [Doc] Update the support of hostname verification in different clients (#14451)
1a5c5db is described below
commit 1a5c5db784f48479373bc117995c57df5b85a375
Author: momo-jun <60...@users.noreply.github.com>
AuthorDate: Thu Mar 3 15:31:43 2022 +0800
[Doc] Update the support of hostname verification in different clients (#14451)
---
site2/docs/security-tls-transport.md | 10 +++++++---
.../versioned_docs/version-2.7.0/security-tls-transport.md | 10 +++++++---
.../versioned_docs/version-2.7.1/security-tls-transport.md | 10 +++++++---
.../versioned_docs/version-2.7.2/security-tls-transport.md | 10 +++++++---
.../versioned_docs/version-2.7.3/security-tls-transport.md | 10 +++++++---
.../versioned_docs/version-2.7.4/security-tls-transport.md | 10 +++++++---
.../versioned_docs/version-2.8.0/security-tls-transport.md | 10 +++++++---
.../versioned_docs/version-2.8.1/security-tls-transport.md | 10 +++++++---
.../versioned_docs/version-2.8.2/security-tls-transport.md | 10 +++++++---
.../versioned_docs/version-2.9.0/security-tls-transport.md | 10 +++++++---
.../versioned_docs/version-2.9.1/security-tls-transport.md | 10 +++++++---
11 files changed, 77 insertions(+), 33 deletions(-)
diff --git a/site2/docs/security-tls-transport.md b/site2/docs/security-tls-transport.md
index e6ade2f..3fb9ca0 100644
--- a/site2/docs/security-tls-transport.md
+++ b/site2/docs/security-tls-transport.md
@@ -178,7 +178,7 @@ Moreover, as the administrator has full control of the certificate authority, a
One scenario where you may want to enable hostname verification is where you have multiple proxy nodes behind a VIP, and the VIP has a DNS record, for example, pulsar.mycompany.com. In this case, you can generate a TLS cert with pulsar.mycompany.com as the "CommonName," and then enable hostname verification on the client.
-The examples below show hostname verification being disabled for the Java client, though you can omit this as the client disables the hostname verification by default. C++/python/Node.js clients do now allow configuring this at the moment.
+The examples below show that hostname verification is disabled for the CLI tools/Java/Python/C++/Node.js/C# clients by default.
### CLI tools
@@ -215,7 +215,7 @@ PulsarClient client = PulsarClient.builder()
from pulsar import Client
client = Client("pulsar+ssl://broker.example.com:6651/",
- tls_hostname_verification=True,
+ tls_hostname_verification=False,
tls_trust_certs_file_path="/path/to/ca.cert.pem",
tls_allow_insecure_connection=False) // defaults to false from v2.2.0 onwards
```
@@ -230,7 +230,7 @@ config.setUseTls(true); // shouldn't be needed soon
config.setTlsTrustCertsFilePath(caPath);
config.setTlsAllowInsecureConnection(false);
config.setAuth(pulsar::AuthTls::create(clientPublicKeyPath, clientPrivateKeyPath));
-config.setValidateHostName(true);
+config.setValidateHostName(false);
```
#### Node.js client
@@ -242,6 +242,9 @@ const Pulsar = require('pulsar-client');
const client = new Pulsar.Client({
serviceUrl: 'pulsar+ssl://broker.example.com:6651/',
tlsTrustCertsFilePath: '/path/to/ca.cert.pem',
+ useTls: true,
+ tlsValidateHostname: false,
+ tlsAllowInsecureConnection: false,
});
})();
```
@@ -256,3 +259,4 @@ var client = PulsarClient.Builder()
.VerifyCertificateName(false) //Default is 'false'
.Build();
```
+> Note that `VerifyCertificateName` refers to the configuration of hostname verification in the C# client.
\ No newline at end of file
diff --git a/site2/website/versioned_docs/version-2.7.0/security-tls-transport.md b/site2/website/versioned_docs/version-2.7.0/security-tls-transport.md
index e0f8ddc..f8b98cb 100644
--- a/site2/website/versioned_docs/version-2.7.0/security-tls-transport.md
+++ b/site2/website/versioned_docs/version-2.7.0/security-tls-transport.md
@@ -177,7 +177,7 @@ Moreover, as the administrator has full control of the certificate authority, a
One scenario where you may want to enable hostname verification is where you have multiple proxy nodes behind a VIP, and the VIP has a DNS record, for example, pulsar.mycompany.com. In this case, you can generate a TLS cert with pulsar.mycompany.com as the "CommonName," and then enable hostname verification on the client.
-The examples below show hostname verification being disabled for the Java client, though you can omit this as the client disables the hostname verification by default. C++/python/Node.js clients do now allow configuring this at the moment.
+The examples below show that hostname verification is disabled for the CLI tools/Java/Python/C++/Node.js/C# clients by default.
### CLI tools
@@ -214,7 +214,7 @@ PulsarClient client = PulsarClient.builder()
from pulsar import Client
client = Client("pulsar+ssl://broker.example.com:6651/",
- tls_hostname_verification=True,
+ tls_hostname_verification=False,
tls_trust_certs_file_path="/path/to/ca.cert.pem",
tls_allow_insecure_connection=False) // defaults to false from v2.2.0 onwards
```
@@ -229,7 +229,7 @@ config.setUseTls(true); // shouldn't be needed soon
config.setTlsTrustCertsFilePath(caPath);
config.setTlsAllowInsecureConnection(false);
config.setAuth(pulsar::AuthTls::create(clientPublicKeyPath, clientPrivateKeyPath));
-config.setValidateHostName(true);
+config.setValidateHostName(false);
```
#### Node.js client
@@ -241,6 +241,9 @@ const Pulsar = require('pulsar-client');
const client = new Pulsar.Client({
serviceUrl: 'pulsar+ssl://broker.example.com:6651/',
tlsTrustCertsFilePath: '/path/to/ca.cert.pem',
+ useTls: true,
+ tlsValidateHostname: false,
+ tlsAllowInsecureConnection: false,
});
})();
```
@@ -255,3 +258,4 @@ var client = PulsarClient.Builder()
.VerifyCertificateName(false) //Default is 'false'
.Build();
```
+> Note that `VerifyCertificateName` refers to the configuration of hostname verification in the C# client.
\ No newline at end of file
diff --git a/site2/website/versioned_docs/version-2.7.1/security-tls-transport.md b/site2/website/versioned_docs/version-2.7.1/security-tls-transport.md
index b0a5b53..d59e57b 100644
--- a/site2/website/versioned_docs/version-2.7.1/security-tls-transport.md
+++ b/site2/website/versioned_docs/version-2.7.1/security-tls-transport.md
@@ -177,7 +177,7 @@ Moreover, as the administrator has full control of the certificate authority, a
One scenario where you may want to enable hostname verification is where you have multiple proxy nodes behind a VIP, and the VIP has a DNS record, for example, pulsar.mycompany.com. In this case, you can generate a TLS cert with pulsar.mycompany.com as the "CommonName," and then enable hostname verification on the client.
-The examples below show hostname verification being disabled for the Java client, though you can omit this as the client disables the hostname verification by default. C++/python/Node.js clients do now allow configuring this at the moment.
+The examples below show that hostname verification is disabled for the CLI tools/Java/Python/C++/Node.js/C# clients by default.
### CLI tools
@@ -214,7 +214,7 @@ PulsarClient client = PulsarClient.builder()
from pulsar import Client
client = Client("pulsar+ssl://broker.example.com:6651/",
- tls_hostname_verification=True,
+ tls_hostname_verification=False,
tls_trust_certs_file_path="/path/to/ca.cert.pem",
tls_allow_insecure_connection=False) // defaults to false from v2.2.0 onwards
```
@@ -229,7 +229,7 @@ config.setUseTls(true); // shouldn't be needed soon
config.setTlsTrustCertsFilePath(caPath);
config.setTlsAllowInsecureConnection(false);
config.setAuth(pulsar::AuthTls::create(clientPublicKeyPath, clientPrivateKeyPath));
-config.setValidateHostName(true);
+config.setValidateHostName(false);
```
#### Node.js client
@@ -241,6 +241,9 @@ const Pulsar = require('pulsar-client');
const client = new Pulsar.Client({
serviceUrl: 'pulsar+ssl://broker.example.com:6651/',
tlsTrustCertsFilePath: '/path/to/ca.cert.pem',
+ useTls: true,
+ tlsValidateHostname: false,
+ tlsAllowInsecureConnection: false,
});
})();
```
@@ -255,3 +258,4 @@ var client = PulsarClient.Builder()
.VerifyCertificateName(false) //Default is 'false'
.Build();
```
+> Note that `VerifyCertificateName` refers to the configuration of hostname verification in the C# client.
\ No newline at end of file
diff --git a/site2/website/versioned_docs/version-2.7.2/security-tls-transport.md b/site2/website/versioned_docs/version-2.7.2/security-tls-transport.md
index 965a814..dd8055a 100644
--- a/site2/website/versioned_docs/version-2.7.2/security-tls-transport.md
+++ b/site2/website/versioned_docs/version-2.7.2/security-tls-transport.md
@@ -177,7 +177,7 @@ Moreover, as the administrator has full control of the certificate authority, a
One scenario where you may want to enable hostname verification is where you have multiple proxy nodes behind a VIP, and the VIP has a DNS record, for example, pulsar.mycompany.com. In this case, you can generate a TLS cert with pulsar.mycompany.com as the "CommonName," and then enable hostname verification on the client.
-The examples below show hostname verification being disabled for the Java client, though you can omit this as the client disables the hostname verification by default. C++/python/Node.js clients do now allow configuring this at the moment.
+The examples below show that hostname verification is disabled for the CLI tools/Java/Python/C++/Node.js/C# clients by default.
### CLI tools
@@ -214,7 +214,7 @@ PulsarClient client = PulsarClient.builder()
from pulsar import Client
client = Client("pulsar+ssl://broker.example.com:6651/",
- tls_hostname_verification=True,
+ tls_hostname_verification=False,
tls_trust_certs_file_path="/path/to/ca.cert.pem",
tls_allow_insecure_connection=False) // defaults to false from v2.2.0 onwards
```
@@ -229,7 +229,7 @@ config.setUseTls(true); // shouldn't be needed soon
config.setTlsTrustCertsFilePath(caPath);
config.setTlsAllowInsecureConnection(false);
config.setAuth(pulsar::AuthTls::create(clientPublicKeyPath, clientPrivateKeyPath));
-config.setValidateHostName(true);
+config.setValidateHostName(false);
```
#### Node.js client
@@ -241,6 +241,9 @@ const Pulsar = require('pulsar-client');
const client = new Pulsar.Client({
serviceUrl: 'pulsar+ssl://broker.example.com:6651/',
tlsTrustCertsFilePath: '/path/to/ca.cert.pem',
+ useTls: true,
+ tlsValidateHostname: false,
+ tlsAllowInsecureConnection: false,
});
})();
```
@@ -255,3 +258,4 @@ var client = PulsarClient.Builder()
.VerifyCertificateName(false) //Default is 'false'
.Build();
```
+> Note that `VerifyCertificateName` refers to the configuration of hostname verification in the C# client.
\ No newline at end of file
diff --git a/site2/website/versioned_docs/version-2.7.3/security-tls-transport.md b/site2/website/versioned_docs/version-2.7.3/security-tls-transport.md
index d5f690a..ab45297 100644
--- a/site2/website/versioned_docs/version-2.7.3/security-tls-transport.md
+++ b/site2/website/versioned_docs/version-2.7.3/security-tls-transport.md
@@ -177,7 +177,7 @@ Moreover, as the administrator has full control of the certificate authority, a
One scenario where you may want to enable hostname verification is where you have multiple proxy nodes behind a VIP, and the VIP has a DNS record, for example, pulsar.mycompany.com. In this case, you can generate a TLS cert with pulsar.mycompany.com as the "CommonName," and then enable hostname verification on the client.
-The examples below show hostname verification being disabled for the Java client, though you can omit this as the client disables the hostname verification by default. C++/python/Node.js clients do now allow configuring this at the moment.
+The examples below show that hostname verification is disabled for the CLI tools/Java/Python/C++/Node.js/C# clients by default.
### CLI tools
@@ -214,7 +214,7 @@ PulsarClient client = PulsarClient.builder()
from pulsar import Client
client = Client("pulsar+ssl://broker.example.com:6651/",
- tls_hostname_verification=True,
+ tls_hostname_verification=False,
tls_trust_certs_file_path="/path/to/ca.cert.pem",
tls_allow_insecure_connection=False) // defaults to false from v2.2.0 onwards
```
@@ -229,7 +229,7 @@ config.setUseTls(true); // shouldn't be needed soon
config.setTlsTrustCertsFilePath(caPath);
config.setTlsAllowInsecureConnection(false);
config.setAuth(pulsar::AuthTls::create(clientPublicKeyPath, clientPrivateKeyPath));
-config.setValidateHostName(true);
+config.setValidateHostName(false);
```
#### Node.js client
@@ -241,6 +241,9 @@ const Pulsar = require('pulsar-client');
const client = new Pulsar.Client({
serviceUrl: 'pulsar+ssl://broker.example.com:6651/',
tlsTrustCertsFilePath: '/path/to/ca.cert.pem',
+ useTls: true,
+ tlsValidateHostname: false,
+ tlsAllowInsecureConnection: false,
});
})();
```
@@ -255,3 +258,4 @@ var client = PulsarClient.Builder()
.VerifyCertificateName(false) //Default is 'false'
.Build();
```
+> Note that `VerifyCertificateName` refers to the configuration of hostname verification in the C# client.
\ No newline at end of file
diff --git a/site2/website/versioned_docs/version-2.7.4/security-tls-transport.md b/site2/website/versioned_docs/version-2.7.4/security-tls-transport.md
index a73990c..9161f4b 100644
--- a/site2/website/versioned_docs/version-2.7.4/security-tls-transport.md
+++ b/site2/website/versioned_docs/version-2.7.4/security-tls-transport.md
@@ -177,7 +177,7 @@ Moreover, as the administrator has full control of the certificate authority, a
One scenario where you may want to enable hostname verification is where you have multiple proxy nodes behind a VIP, and the VIP has a DNS record, for example, pulsar.mycompany.com. In this case, you can generate a TLS cert with pulsar.mycompany.com as the "CommonName," and then enable hostname verification on the client.
-The examples below show hostname verification being disabled for the Java client, though you can omit this as the client disables the hostname verification by default. C++/python/Node.js clients do now allow configuring this at the moment.
+The examples below show that hostname verification is disabled for the CLI tools/Java/Python/C++/Node.js/C# clients by default.
### CLI tools
@@ -214,7 +214,7 @@ PulsarClient client = PulsarClient.builder()
from pulsar import Client
client = Client("pulsar+ssl://broker.example.com:6651/",
- tls_hostname_verification=True,
+ tls_hostname_verification=False,
tls_trust_certs_file_path="/path/to/ca.cert.pem",
tls_allow_insecure_connection=False) // defaults to false from v2.2.0 onwards
```
@@ -229,7 +229,7 @@ config.setUseTls(true); // shouldn't be needed soon
config.setTlsTrustCertsFilePath(caPath);
config.setTlsAllowInsecureConnection(false);
config.setAuth(pulsar::AuthTls::create(clientPublicKeyPath, clientPrivateKeyPath));
-config.setValidateHostName(true);
+config.setValidateHostName(false);
```
#### Node.js client
@@ -241,6 +241,9 @@ const Pulsar = require('pulsar-client');
const client = new Pulsar.Client({
serviceUrl: 'pulsar+ssl://broker.example.com:6651/',
tlsTrustCertsFilePath: '/path/to/ca.cert.pem',
+ useTls: true,
+ tlsValidateHostname: false,
+ tlsAllowInsecureConnection: false,
});
})();
```
@@ -255,3 +258,4 @@ var client = PulsarClient.Builder()
.VerifyCertificateName(false) //Default is 'false'
.Build();
```
+> Note that `VerifyCertificateName` refers to the configuration of hostname verification in the C# client.
\ No newline at end of file
diff --git a/site2/website/versioned_docs/version-2.8.0/security-tls-transport.md b/site2/website/versioned_docs/version-2.8.0/security-tls-transport.md
index 10ea992..a1907ab 100644
--- a/site2/website/versioned_docs/version-2.8.0/security-tls-transport.md
+++ b/site2/website/versioned_docs/version-2.8.0/security-tls-transport.md
@@ -178,7 +178,7 @@ Moreover, as the administrator has full control of the certificate authority, a
One scenario where you may want to enable hostname verification is where you have multiple proxy nodes behind a VIP, and the VIP has a DNS record, for example, pulsar.mycompany.com. In this case, you can generate a TLS cert with pulsar.mycompany.com as the "CommonName," and then enable hostname verification on the client.
-The examples below show hostname verification being disabled for the Java client, though you can omit this as the client disables the hostname verification by default. C++/python/Node.js clients do now allow configuring this at the moment.
+The examples below show that hostname verification is disabled for the CLI tools/Java/Python/C++/Node.js/C# clients by default.
### CLI tools
@@ -215,7 +215,7 @@ PulsarClient client = PulsarClient.builder()
from pulsar import Client
client = Client("pulsar+ssl://broker.example.com:6651/",
- tls_hostname_verification=True,
+ tls_hostname_verification=False,
tls_trust_certs_file_path="/path/to/ca.cert.pem",
tls_allow_insecure_connection=False) // defaults to false from v2.2.0 onwards
```
@@ -230,7 +230,7 @@ config.setUseTls(true); // shouldn't be needed soon
config.setTlsTrustCertsFilePath(caPath);
config.setTlsAllowInsecureConnection(false);
config.setAuth(pulsar::AuthTls::create(clientPublicKeyPath, clientPrivateKeyPath));
-config.setValidateHostName(true);
+config.setValidateHostName(false);
```
#### Node.js client
@@ -242,6 +242,9 @@ const Pulsar = require('pulsar-client');
const client = new Pulsar.Client({
serviceUrl: 'pulsar+ssl://broker.example.com:6651/',
tlsTrustCertsFilePath: '/path/to/ca.cert.pem',
+ useTls: true,
+ tlsValidateHostname: false,
+ tlsAllowInsecureConnection: false,
});
})();
```
@@ -256,3 +259,4 @@ var client = PulsarClient.Builder()
.VerifyCertificateName(false) //Default is 'false'
.Build();
```
+> Note that `VerifyCertificateName` refers to the configuration of hostname verification in the C# client.
\ No newline at end of file
diff --git a/site2/website/versioned_docs/version-2.8.1/security-tls-transport.md b/site2/website/versioned_docs/version-2.8.1/security-tls-transport.md
index 271db68..4c09ad7 100644
--- a/site2/website/versioned_docs/version-2.8.1/security-tls-transport.md
+++ b/site2/website/versioned_docs/version-2.8.1/security-tls-transport.md
@@ -178,7 +178,7 @@ Moreover, as the administrator has full control of the certificate authority, a
One scenario where you may want to enable hostname verification is where you have multiple proxy nodes behind a VIP, and the VIP has a DNS record, for example, pulsar.mycompany.com. In this case, you can generate a TLS cert with pulsar.mycompany.com as the "CommonName," and then enable hostname verification on the client.
-The examples below show hostname verification being disabled for the Java client, though you can omit this as the client disables the hostname verification by default. C++/python/Node.js clients do now allow configuring this at the moment.
+The examples below show that hostname verification is disabled for the CLI tools/Java/Python/C++/Node.js/C# clients by default.
### CLI tools
@@ -215,7 +215,7 @@ PulsarClient client = PulsarClient.builder()
from pulsar import Client
client = Client("pulsar+ssl://broker.example.com:6651/",
- tls_hostname_verification=True,
+ tls_hostname_verification=False,
tls_trust_certs_file_path="/path/to/ca.cert.pem",
tls_allow_insecure_connection=False) // defaults to false from v2.2.0 onwards
```
@@ -230,7 +230,7 @@ config.setUseTls(true); // shouldn't be needed soon
config.setTlsTrustCertsFilePath(caPath);
config.setTlsAllowInsecureConnection(false);
config.setAuth(pulsar::AuthTls::create(clientPublicKeyPath, clientPrivateKeyPath));
-config.setValidateHostName(true);
+config.setValidateHostName(false);
```
#### Node.js client
@@ -242,6 +242,9 @@ const Pulsar = require('pulsar-client');
const client = new Pulsar.Client({
serviceUrl: 'pulsar+ssl://broker.example.com:6651/',
tlsTrustCertsFilePath: '/path/to/ca.cert.pem',
+ useTls: true,
+ tlsValidateHostname: false,
+ tlsAllowInsecureConnection: false,
});
})();
```
@@ -256,3 +259,4 @@ var client = PulsarClient.Builder()
.VerifyCertificateName(false) //Default is 'false'
.Build();
```
+> Note that `VerifyCertificateName` refers to the configuration of hostname verification in the C# client.
\ No newline at end of file
diff --git a/site2/website/versioned_docs/version-2.8.2/security-tls-transport.md b/site2/website/versioned_docs/version-2.8.2/security-tls-transport.md
index 9267809..7e7e28b 100644
--- a/site2/website/versioned_docs/version-2.8.2/security-tls-transport.md
+++ b/site2/website/versioned_docs/version-2.8.2/security-tls-transport.md
@@ -178,7 +178,7 @@ Moreover, as the administrator has full control of the certificate authority, a
One scenario where you may want to enable hostname verification is where you have multiple proxy nodes behind a VIP, and the VIP has a DNS record, for example, pulsar.mycompany.com. In this case, you can generate a TLS cert with pulsar.mycompany.com as the "CommonName," and then enable hostname verification on the client.
-The examples below show hostname verification being disabled for the Java client, though you can omit this as the client disables the hostname verification by default. C++/python/Node.js clients do now allow configuring this at the moment.
+The examples below show that hostname verification is disabled for the CLI tools/Java/Python/C++/Node.js/C# clients by default.
### CLI tools
@@ -215,7 +215,7 @@ PulsarClient client = PulsarClient.builder()
from pulsar import Client
client = Client("pulsar+ssl://broker.example.com:6651/",
- tls_hostname_verification=True,
+ tls_hostname_verification=False,
tls_trust_certs_file_path="/path/to/ca.cert.pem",
tls_allow_insecure_connection=False) // defaults to false from v2.2.0 onwards
```
@@ -230,7 +230,7 @@ config.setUseTls(true); // shouldn't be needed soon
config.setTlsTrustCertsFilePath(caPath);
config.setTlsAllowInsecureConnection(false);
config.setAuth(pulsar::AuthTls::create(clientPublicKeyPath, clientPrivateKeyPath));
-config.setValidateHostName(true);
+config.setValidateHostName(false);
```
#### Node.js client
@@ -242,6 +242,9 @@ const Pulsar = require('pulsar-client');
const client = new Pulsar.Client({
serviceUrl: 'pulsar+ssl://broker.example.com:6651/',
tlsTrustCertsFilePath: '/path/to/ca.cert.pem',
+ useTls: true,
+ tlsValidateHostname: false,
+ tlsAllowInsecureConnection: false,
});
})();
```
@@ -256,3 +259,4 @@ var client = PulsarClient.Builder()
.VerifyCertificateName(false) //Default is 'false'
.Build();
```
+> Note that `VerifyCertificateName` refers to the configuration of hostname verification in the C# client.
\ No newline at end of file
diff --git a/site2/website/versioned_docs/version-2.9.0/security-tls-transport.md b/site2/website/versioned_docs/version-2.9.0/security-tls-transport.md
index adb5754..7938962 100644
--- a/site2/website/versioned_docs/version-2.9.0/security-tls-transport.md
+++ b/site2/website/versioned_docs/version-2.9.0/security-tls-transport.md
@@ -178,7 +178,7 @@ Moreover, as the administrator has full control of the certificate authority, a
One scenario where you may want to enable hostname verification is where you have multiple proxy nodes behind a VIP, and the VIP has a DNS record, for example, pulsar.mycompany.com. In this case, you can generate a TLS cert with pulsar.mycompany.com as the "CommonName," and then enable hostname verification on the client.
-The examples below show hostname verification being disabled for the Java client, though you can omit this as the client disables the hostname verification by default. C++/python/Node.js clients do now allow configuring this at the moment.
+The examples below show that hostname verification is disabled for the CLI tools/Java/Python/C++/Node.js/C# clients by default.
### CLI tools
@@ -215,7 +215,7 @@ PulsarClient client = PulsarClient.builder()
from pulsar import Client
client = Client("pulsar+ssl://broker.example.com:6651/",
- tls_hostname_verification=True,
+ tls_hostname_verification=False,
tls_trust_certs_file_path="/path/to/ca.cert.pem",
tls_allow_insecure_connection=False) // defaults to false from v2.2.0 onwards
```
@@ -230,7 +230,7 @@ config.setUseTls(true); // shouldn't be needed soon
config.setTlsTrustCertsFilePath(caPath);
config.setTlsAllowInsecureConnection(false);
config.setAuth(pulsar::AuthTls::create(clientPublicKeyPath, clientPrivateKeyPath));
-config.setValidateHostName(true);
+config.setValidateHostName(false);
```
#### Node.js client
@@ -242,6 +242,9 @@ const Pulsar = require('pulsar-client');
const client = new Pulsar.Client({
serviceUrl: 'pulsar+ssl://broker.example.com:6651/',
tlsTrustCertsFilePath: '/path/to/ca.cert.pem',
+ useTls: true,
+ tlsValidateHostname: false,
+ tlsAllowInsecureConnection: false,
});
})();
```
@@ -256,3 +259,4 @@ var client = PulsarClient.Builder()
.VerifyCertificateName(false) //Default is 'false'
.Build();
```
+> Note that `VerifyCertificateName` refers to the configuration of hostname verification in the C# client.
\ No newline at end of file
diff --git a/site2/website/versioned_docs/version-2.9.1/security-tls-transport.md b/site2/website/versioned_docs/version-2.9.1/security-tls-transport.md
index d7d9436..f511596 100644
--- a/site2/website/versioned_docs/version-2.9.1/security-tls-transport.md
+++ b/site2/website/versioned_docs/version-2.9.1/security-tls-transport.md
@@ -178,7 +178,7 @@ Moreover, as the administrator has full control of the certificate authority, a
One scenario where you may want to enable hostname verification is where you have multiple proxy nodes behind a VIP, and the VIP has a DNS record, for example, pulsar.mycompany.com. In this case, you can generate a TLS cert with pulsar.mycompany.com as the "CommonName," and then enable hostname verification on the client.
-The examples below show hostname verification being disabled for the Java client, though you can omit this as the client disables the hostname verification by default. C++/python/Node.js clients do now allow configuring this at the moment.
+The examples below show that hostname verification is disabled for the CLI tools/Java/Python/C++/Node.js/C# clients by default.
### CLI tools
@@ -215,7 +215,7 @@ PulsarClient client = PulsarClient.builder()
from pulsar import Client
client = Client("pulsar+ssl://broker.example.com:6651/",
- tls_hostname_verification=True,
+ tls_hostname_verification=False,
tls_trust_certs_file_path="/path/to/ca.cert.pem",
tls_allow_insecure_connection=False) // defaults to false from v2.2.0 onwards
```
@@ -230,7 +230,7 @@ config.setUseTls(true); // shouldn't be needed soon
config.setTlsTrustCertsFilePath(caPath);
config.setTlsAllowInsecureConnection(false);
config.setAuth(pulsar::AuthTls::create(clientPublicKeyPath, clientPrivateKeyPath));
-config.setValidateHostName(true);
+config.setValidateHostName(false);
```
#### Node.js client
@@ -242,6 +242,9 @@ const Pulsar = require('pulsar-client');
const client = new Pulsar.Client({
serviceUrl: 'pulsar+ssl://broker.example.com:6651/',
tlsTrustCertsFilePath: '/path/to/ca.cert.pem',
+ useTls: true,
+ tlsValidateHostname: false,
+ tlsAllowInsecureConnection: false,
});
})();
```
@@ -256,3 +259,4 @@ var client = PulsarClient.Builder()
.VerifyCertificateName(false) //Default is 'false'
.Build();
```
+> Note that `VerifyCertificateName` refers to the configuration of hostname verification in the C# client.
\ No newline at end of file