Posted to dev@zookeeper.apache.org by Sampo Saarela <Sa...@relex.fi> on 2020/12/30 20:20:30 UTC

ZKHostnameVerifier is missing fix for certificates that contain other alternative subject names than DNS or IP

Hello,

The code for the ZKHostnameVerifier is copied from Apache HttpClient and the bug has been fixed there in this issue https://issues.apache.org/jira/browse/HTTPCLIENT-1906
(commit https://github.com/apache/httpcomponents-client/commit/56cc24525e5ba2a5ef8fa0de2385687e83589a71 )

Missing the above fix will cause a valid certificate to be rejected in case the certificate contains other alternative subject names than DNS or IP, for example OID 1.3.6.1.5.2.2 - KRB5PrincipalName and/or OID 1.3.6.1.4.1.311.20.2.3 - User Principal Name (UPN).

It would be better not to need the copy pasting as there are several other commits to that HostNameVerifier that have not been applied to the ZKHostNameVerifier so there may exist other conditions too where ZKHostNameVerifier does not work as expected.

Also, the Java Doc says that the code is copied from the HttpClient but does not canonically reference the class which it came from.

Brgs,

Sampo Saarela

Software developer


RELEX Solutions

Postintaival 7, 00230 Helsinki, Finland

mobile +358505676044

email sampo.saarela@relexsolutions.com

website www.relexsolutions.com


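To make the reported failure concrete, here is an added example (not ZooKeeper's or HttpClient's own code) that contrasts the two shapes of subjectAltName extraction this thread is about: a pre-fix loop that casts every SAN value to String, and a post-fix loop that keeps only DNS and IP entries. The JDK returns otherName entries such as KRB5PrincipalName or UPN from X509Certificate.getSubjectAlternativeNames() as DER-encoded byte[] values, which is exactly what the blind cast trips over; the SAN list below is constructed inline to stand in for a real certificate, and the "before fix" loop is an assumed reconstruction of the upstream defect, not a quote of the HttpClient commit.

```java
import java.util.*;

public class SanFilterDemo {
    // GeneralName tags as returned in element 0 of each getSubjectAlternativeNames() entry
    static final int OTHER_NAME = 0; // KRB5PrincipalName, UPN, ...: value is a DER byte[]
    static final int DNS_NAME = 2;   // value is a String
    static final int IP_ADDRESS = 7; // value is a String

    // Pre-fix shape (assumed): every value is cast to String, so an otherName entry
    // throws ClassCastException and the whole certificate ends up rejected.
    static List<String> namesBeforeFix(Collection<List<?>> sans) {
        List<String> result = new ArrayList<>();
        for (List<?> entry : sans) {
            Integer type = entry.size() >= 2 ? (Integer) entry.get(0) : null;
            if (type != null) {
                result.add((String) entry.get(1)); // throws for byte[] values
            }
        }
        return result;
    }

    // Post-fix shape: keep only DNS/IP entries whose value is a String and skip
    // every other SAN type, so they can no longer break hostname verification.
    static List<String> namesAfterFix(Collection<List<?>> sans) {
        List<String> result = new ArrayList<>();
        for (List<?> entry : sans) {
            Integer type = entry.size() >= 2 ? (Integer) entry.get(0) : null;
            if (type == null || (type != DNS_NAME && type != IP_ADDRESS)) continue;
            Object value = entry.get(1);
            if (value instanceof String) result.add((String) value);
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed stand-in for getSubjectAlternativeNames(): DNS, otherName, IP.
        byte[] derOtherName = {0x30, 0x00}; // placeholder DER blob; content is irrelevant
        Collection<List<?>> sans = Arrays.<List<?>>asList(
            Arrays.<Object>asList(DNS_NAME, "zk1.example.test"),
            Arrays.<Object>asList(OTHER_NAME, derOtherName),
            Arrays.<Object>asList(IP_ADDRESS, "10.0.0.5"));
        System.out.println("after fix:  " + namesAfterFix(sans));
        try {
            System.out.println("before fix: " + namesBeforeFix(sans));
        } catch (ClassCastException e) {
            System.out.println("before fix: valid certificate rejected: " + e);
        }
    }
}
```

Feeding the output of namesAfterFix into the existing DNS/IP matching logic is what lets a certificate carrying a Kerberos principal or UPN SAN still pass hostname verification on its DNS or IP entries.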

Re: ZKHostnameVerifier is missing fix for certificates that contain other alternative subject names than DNS or IP

Posted by Andor Molnar <an...@apache.org>.
The reason is explained in the Javadocs:

"We want host verification, but depending on the httpclient jar caused unexplained performance regressions (even when the code was not used)."

Andor




> On 2021. Jan 14., at 14:53, Damien Diederen <dd...@apache.org> wrote:
> 
> 
> Hi Sampo,
> 
>> The code for the ZKHostnameVerifier is copied from Apache HttpClient
>> and the bug has been fixed there in this issue
>> https://issues.apache.org/jira/browse/HTTPCLIENT-1906
>> (commit
>> https://github.com/apache/httpcomponents-client/commit/56cc24525e5ba2a5ef8fa0de2385687e83589a71
>> )
> 
> I believe that issue has been fixed by ZOOKEEPER-3832,
> "ZKHostnameVerifier rejects valid certificates with subjectAltNames":
> 
>    https://issues.apache.org/jira/browse/ZOOKEEPER-3832
> 
> The fix should be in 3.5.9 (soon), 3.6.2 (released) and 3.7.0 (soon).
> 
>> It would be better not to need the copy pasting as there are several
>> other commits to that HostNameVerifier that have not been applied to
>> the ZKHostNameVerifier so there may exist other conditions too where
>> ZKHostNameVerifier does not work as expected.
> 
> I agree in general, but haven't investigated the full history of this,
> but am sure it was done on purpose.  In the meantime, are there other
> specific commits you think we should consider?
> 
>> Also, the Java Doc says that the code is copied from the HttpClient
>> but does not canonically reference the class which it came from.
> 
> Improving that (and providing an easier way to sync with upstream) would
> definitely be a good idea.  Would you mind opening a ticket?  (And if
> you have a solution in mind, a "pull request" would also be welcome!)
> 
> Cheers, -D
> 
> 
> 
> 
> Sampo Saarela <Sa...@relex.fi> writes:
>> Hello,
>> 
>> The code for the ZKHostnameVerifier is copied from Apache HttpClient
>> and the bug has been fixed there in this issue
>> https://issues.apache.org/jira/browse/HTTPCLIENT-1906
>> (commit
>> https://github.com/apache/httpcomponents-client/commit/56cc24525e5ba2a5ef8fa0de2385687e83589a71
>> )
>> 
>> Missing the above fix will cause a valid certificate to be rejected in
>> case the certificate contains other alternative subject names than DNS
>> or IP, for example OID 1.3.6.1.5.2.2 - KRB5PrincipalName and/or OID
>> 1.3.6.1.4.1.311.20.2.3 - User Principal Name (UPN).
>> 
>> It would be better not to need the copy pasting as there are several
>> other commits to that HostNameVerifier that have not been applied to
>> the ZKHostNameVerifier so there may exist other conditions too where
>> ZKHostNameVerifier does not work as expected.
>> 
>> Also, the Java Doc says that the code is copied from the HttpClient
>> but does not canonically reference the class which it came from.
>> 
>> Brgs,
>> Sampo Saarela
>> Software developer


Re: ZKHostnameVerifier is missing fix for certificates that contain other alternative subject names than DNS or IP

Posted by Damien Diederen <dd...@apache.org>.
Hi Sampo,

> The code for the ZKHostnameVerifier is copied from Apache HttpClient
> and the bug has been fixed there in this issue
> https://issues.apache.org/jira/browse/HTTPCLIENT-1906
> (commit
> https://github.com/apache/httpcomponents-client/commit/56cc24525e5ba2a5ef8fa0de2385687e83589a71
> )

I believe that issue has been fixed by ZOOKEEPER-3832,
"ZKHostnameVerifier rejects valid certificates with subjectAltNames":

    https://issues.apache.org/jira/browse/ZOOKEEPER-3832

The fix should be in 3.5.9 (soon), 3.6.2 (released) and 3.7.0 (soon).

> It would be better not to need the copy pasting as there are several
> other commits to that HostNameVerifier that have not been applied to
> the ZKHostNameVerifier so there may exist other conditions too where
> ZKHostNameVerifier does not work as expected.

I agree in general, but haven't investigated the full history of this,
but am sure it was done on purpose.  In the meantime, are there other
specific commits you think we should consider?

> Also, the Java Doc says that the code is copied from the HttpClient
> but does not canonically reference the class which it came from.

Improving that (and providing an easier way to sync with upstream) would
definitely be a good idea.  Would you mind opening a ticket?  (And if
you have a solution in mind, a "pull request" would also be welcome!)

Cheers, -D




Sampo Saarela <Sa...@relex.fi> writes:
> Hello,
>
> The code for the ZKHostnameVerifier is copied from Apache HttpClient
> and the bug has been fixed there in this issue
> https://issues.apache.org/jira/browse/HTTPCLIENT-1906
> (commit
> https://github.com/apache/httpcomponents-client/commit/56cc24525e5ba2a5ef8fa0de2385687e83589a71
> )
>
> Missing the above fix will cause a valid certificate to be rejected in
> case the certificate contains other alternative subject names than DNS
> or IP, for example OID 1.3.6.1.5.2.2 - KRB5PrincipalName and/or OID
> 1.3.6.1.4.1.311.20.2.3 - User Principal Name (UPN).
>
> It would be better not to need the copy pasting as there are several
> other commits to that HostNameVerifier that have not been applied to
> the ZKHostNameVerifier so there may exist other conditions too where
> ZKHostNameVerifier does not work as expected.
>
> Also, the Java Doc says that the code is copied from the HttpClient
> but does not canonically reference the class which it came from.
>
> Brgs,
> Sampo Saarela
> Software developer