Posted to issues@mesos.apache.org by "Benno Evers (JIRA)" <ji...@apache.org> on 2019/07/05 13:59:00 UTC

[jira] [Assigned] (MESOS-9811) Don't use reverse DNS for hostname validation

     [ https://issues.apache.org/jira/browse/MESOS-9811?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Benno Evers reassigned MESOS-9811:
----------------------------------

       Resolution: Fixed
         Assignee: Benno Evers
    Fix Version/s: 1.9.0

{noformat}
commit 0a081e01a3f4af8141a8085ed2f97ee85ea48fe1
Author: Benno Evers <be...@mesosphere.com>
Date:   Wed Jun 19 15:49:11 2019 +0200

    Introduced RFC6125-compliant hostname validation scheme.
    
    This commit introduces a new libprocess SSL flag
    `hostname_validation_scheme`, which can be set to 'legacy'
    to select the previous hostname validation behaviour or to
    'openssl' to use standardized OpenSSL algorithms to handle
    hostname validation as part of the TLS handshake.
    
    As a nice side-effect, the new scheme gets rid of reverse DNS
    lookups during TLS connection establishment, which used to be
    a common source of hard-to-debug unresponsiveness in Mesos
    components.
    
    See `docs/ssl.md` in the follow-up commit for details of and
    differences between the schemes.
    
    Review: https://reviews.apache.org/r/70749
{noformat}

> Don't use reverse DNS for hostname validation
> ---------------------------------------------
>
>                 Key: MESOS-9811
>                 URL: https://issues.apache.org/jira/browse/MESOS-9811
>             Project: Mesos
>          Issue Type: Bug
>            Reporter: Benno Evers
>            Assignee: Benno Evers
>            Priority: Major
>              Labels: foundations, libprocess, ssl
>             Fix For: 1.9.0
>
>
> Upon connection we first resolve the hostname and forget about it
> https://github.com/apache/mesos/blob/master/3rdparty/libprocess/src/http.cpp#L1462-L1504
> then later use reverse DNS on the remote address to get back a hostname
> https://github.com/apache/mesos/blob/4708c2a368e12a89669135f47777d0dd05d9b0b2/3rdparty/libprocess/src/posix/libevent/libevent_ssl_socket.cpp#L548-L556
> and verify the server certificate against *that*.
> Instead, we should verify the server certificate against the hostname that was used by the client to initiate the connection.



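Added illustration, not part of the original message and not Mesos or libprocess code: the script below uses the `openssl` command-line tool to show how the outcome of certificate hostname validation depends on which reference identity is checked, the name obtained by reverse DNS on the peer address (as the issue describes) or the name the client dialed. The host names and the PTR result are constructed sample values, the function names are hypothetical, and `-addext` assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Constructed sample values; none of these names come from the Mesos issue.
DIALED_HOST="master.example.test"        # name the client used to connect
PTR_NAME="ip-192-0-2-10.dc.example.test" # assumed reverse-DNS answer for the peer IP

# make_cert NAME DIR: self-signed certificate whose only identity is DNS:NAME.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
    -keyout "$2/key.pem" -out "$2/cert.pem" 2>/dev/null
}

# cert_matches CERT NAME: succeeds if OpenSSL's host check accepts NAME
# as a reference identity for CERT.
cert_matches() {
  openssl x509 -in "$1" -noout -checkhost "$2" |
    grep -q "does match certificate"
}

# verdict CERT NAME: prints "accept" or "reject" for that reference identity.
verdict() {
  if cert_matches "$1" "$2"; then echo accept; else echo reject; fi
}

# compare_schemes CERT_NAME: issues a certificate for CERT_NAME and prints
# "<verdict against PTR name> <verdict against dialed name>".
compare_schemes() {
  dir=$(mktemp -d) || return 1
  make_cert "$1" "$dir" || { rm -rf "$dir"; return 1; }
  out="$(verdict "$dir/cert.pem" "$PTR_NAME") $(verdict "$dir/cert.pem" "$DIALED_HOST")"
  rm -rf "$dir"
  echo "$out"
}

# Certificate issued for the service name the client asked for:
# a PTR-based check turns it down, a dialed-name check accepts it.
echo "cert for dialed name (ptr-check dialed-check): $(compare_schemes "$DIALED_HOST")"

# Certificate issued for the name the PTR record returns: a PTR-based check
# accepts it even though it does not name the host the client asked for.
echo "cert for PTR name    (ptr-check dialed-check): $(compare_schemes "$PTR_NAME")"
```

The second case is the one that matters for security review: with a reverse-DNS reference identity, whoever controls the PTR data influences which certificate the client will accept.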