You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@mesos.apache.org by "Benno Evers (JIRA)" <ji...@apache.org> on 2019/06/03 22:46:00 UTC
[jira] [Commented] (MESOS-9790) Libprocess does not use standard
tooling for hostname validation.
[ https://issues.apache.org/jira/browse/MESOS-9790?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16855123#comment-16855123 ]
Benno Evers commented on MESOS-9790:
------------------------------------
Since `X509_check_host()` is disencouraged by the OpenSSL documentation, this will be implemented by MESOS-9809 instead.
> Libprocess does not use standard tooling for hostname validation.
> ------------------------------------------------------------------
>
> Key: MESOS-9790
> URL: https://issues.apache.org/jira/browse/MESOS-9790
> Project: Mesos
> Issue Type: Improvement
> Components: libprocess
> Reporter: Alexander Rukletsov
> Priority: Major
> Labels: foundations, mesosphere, security, ssl, tls
>
> Libprocess currently uses [custom code|https://github.com/apache/mesos/blob/eecb82c77117998af0c67a53c64e9b1e975acfa4/3rdparty/libprocess/src/openssl.cpp#L755-L863] for hostname validation in its SSL certificate verification workflow. However openssl provides a function for this, [{{X509_check_host()}} |https://www.openssl.org/docs/manmaster/man3/X509_check_host.html].
> For safety and reliability, we should enable an option to use {{X509_check_host()}} for hostname validation instead of our custom code, but preserve the custom code for backward compatibility.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)