Posted to issues@mesos.apache.org by "Joseph Wu (JIRA)" <ji...@apache.org> on 2016/11/07 22:36:58 UTC

[jira] [Updated] (MESOS-5724) SSL certificate validation should allow IP only verification.

     [ https://issues.apache.org/jira/browse/MESOS-5724?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Joseph Wu updated MESOS-5724:
-----------------------------
    Labels: libprocess mesosphere security ssl won't-backport  (was: libprocess mesosphere security ssl)

> SSL certificate validation should allow IP only verification.
> -------------------------------------------------------------
>
>                 Key: MESOS-5724
>                 URL: https://issues.apache.org/jira/browse/MESOS-5724
>             Project: Mesos
>          Issue Type: Bug
>          Components: libprocess, security
>    Affects Versions: 0.23.0, 0.23.1, 0.24.0, 0.24.1, 0.24.2, 0.25.0, 0.25.1, 0.26.0, 0.26.1, 0.27.0, 0.27.1, 0.27.2, 0.27.3, 0.28.0, 0.28.1, 0.28.2, 1.0.0
>            Reporter: Till Toenshoff
>            Assignee: Till Toenshoff
>            Priority: Blocker
>              Labels: libprocess, mesosphere, security, ssl, won't-backport
>             Fix For: 1.0.0
>
>
> Our SSL certificate validation currently assumes that the host (on connect and on accept) does have a valid hostname. This however is not true for all environments.
> {{process::network::openssl::verify}} currently only allows the validation of a certificate against a hostname.
> See https://github.com/apache/mesos/blob/08866edd8a71d12f87f4f4dbefa292729efbf6ae/3rdparty/libprocess/src/openssl.cpp#L546
> RFC2818 however says that it should be perfectly valid to validate a certificate based on the IP address.
> See https://tools.ietf.org/html/rfc2818
> {noformat}
> In some cases, the URI is specified as an IP address rather than a
> hostname. In this case, the iPAddress subjectAltName must be present
> in the certificate and must exactly match the IP in the URI.
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
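The check the issue asks for, as an added example that is not Mesos/libprocess code: it applies the RFC 2818 rule quoted above, accepting an IP literal only when an iPAddress SAN entry matches it octet for octet, while hostnames still go through dNSName matching with the one-label wildcard. The SAN entries are passed in as text for readability; parsing them out of the certificate is assumed to happen elsewhere.

```cpp
// Added example, not Mesos/libprocess code: RFC 2818 peer-name check that
// matches an IP literal against iPAddress SAN entries instead of only
// matching hostnames against dNSName entries.
#include <arpa/inet.h>
#include <cctype>
#include <cstdint>
#include <string>
#include <vector>

// Parse an IPv4/IPv6 literal into network-order octets. An empty result means
// `text` is not an IP literal and must be treated as a hostname.
std::vector<uint8_t> parseIp(const std::string& text) {
  uint8_t buf[16];
  if (inet_pton(AF_INET, text.c_str(), buf) == 1) return std::vector<uint8_t>(buf, buf + 4);
  if (inet_pton(AF_INET6, text.c_str(), buf) == 1) return std::vector<uint8_t>(buf, buf + 16);
  return {};
}

// Case-insensitive dNSName match; a leading "*." stands for exactly one label
// (RFC 2818 section 3.1: *.a.com matches foo.a.com but not bar.foo.a.com).
bool matchesDnsName(std::string pattern, std::string host) {
  for (char& c : pattern) c = std::tolower(static_cast<unsigned char>(c));
  for (char& c : host) c = std::tolower(static_cast<unsigned char>(c));
  if (pattern.compare(0, 2, "*.") != 0) return pattern == host;
  size_t dot = host.find('.');
  if (dot == std::string::npos || dot == 0 || pattern.size() == 2) return false;
  return host.compare(dot + 1, std::string::npos, pattern.substr(2)) == 0;
}

// `dnsSans` / `ipSans` stand in for the certificate's dNSName and iPAddress
// entries (iPAddress given as text here; in a certificate it is raw octets,
// which is why comparison happens on parsed octets, not on spelling).
// `peer` is the URI host or the address a connection was accepted from.
bool verifyPeerName(const std::vector<std::string>& dnsSans,
                    const std::vector<std::string>& ipSans,
                    const std::string& peer) {
  std::vector<uint8_t> ip = parseIp(peer);
  if (!ip.empty()) {
    // IP literal: an iPAddress entry must be present and match exactly. A
    // dNSName that merely spells the address does not count, and there is
    // no wildcard form for addresses.
    for (const auto& san : ipSans) {
      if (parseIp(san) == ip) return true;
    }
    return false;
  }
  for (const auto& san : dnsSans) {
    if (matchesDnsName(san, peer)) return true;
  }
  return false;
}
```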