[MESOS-9811] Don't use reverse DNS for hostname validation - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 1.9.0
Component/s: None
Labels:

Epic Link:
ssl-cert-verification
Sprint:
Mesos Foundations: RI15 Sp 48, Mesos Foundations: RI 15 Sp 49, Mesos Foundations: RI-16 Sp 50
Story Points:
5

Description

Upon connection we first resolve the hostname and forget about it

https://github.com/apache/mesos/blob/master/3rdparty/libprocess/src/http.cpp#L1462-L1504

then later use reverse DNS on the remote address to get back a hostname

https://github.com/apache/mesos/blob/4708c2a368e12a89669135f47777d0dd05d9b0b2/3rdparty/libprocess/src/posix/libevent/libevent_ssl_socket.cpp#L548-L556

and verify the server certificate against that.

Instead, we should verify the server certificate against the hostname that was used by t he client to initiate the connection.

Attachments

Activity

People

Assignee:: Benno Evers

Reporter:: Benno Evers

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 03/Jun/19 23:01

Updated:: 05/Jul/19 13:58

Resolved:: 05/Jul/19 13:58