flink-dev mailing list archives

From "Eron Wright (JIRA)" <j...@apache.org>
Subject [jira] [Created] (FLINK-5030) Support hostname verification
Date Mon, 07 Nov 2016 19:42:58 GMT
Eron Wright created FLINK-5030:

             Summary: Support hostname verification
                 Key: FLINK-5030
                 URL: https://issues.apache.org/jira/browse/FLINK-5030
             Project: Flink
          Issue Type: Sub-task
            Reporter: Eron Wright 

_See [Dangerous Code|http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf] and [further commentary|https://tersesystems.com/2014/03/23/fixing-hostname-verification/]
for useful background._

When hostname verification is performed, it should use the hostname (not IP address) to match
the certificate. The current code is wrongly using the address.

In technical terms, ensure that calls to `SSLContext::createSSLEngine` supply the expected
hostname, not host address.

Please audit all SSL setup code as to whether hostname verification is enabled, and file follow-ups
where necessary. For example, Akka 2.4 supports it but 2.3 doesn't ([ref|http://doc.akka.io/docs/akka/2.4.4/scala/http/client-side/https-support.html#Hostname_verification]).

This message was sent by Atlassian JIRA
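
An added example (not part of the original message and not Flink's own code) of the pattern the issue asks for: pass the configured hostname to `createSSLEngine` and turn on endpoint identification. The class name, the `clientEngine` helper and the sample endpoint are hypothetical.

```java
import java.net.InetSocketAddress;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class HostnameVerifyingEngine {

    // Hypothetical helper: builds a client-side SSLEngine that checks the
    // peer certificate against the configured hostname.
    static SSLEngine clientEngine(SSLContext ctx, InetSocketAddress peer) {
        // getHostString() returns the name the caller configured, without a
        // reverse DNS lookup. getAddress().getHostAddress() would return the
        // IP literal instead, which is the mistake the issue describes.
        String peerHost = peer.getHostString();

        SSLEngine engine = ctx.createSSLEngine(peerHost, peer.getPort());
        engine.setUseClientMode(true);

        // Supplying the peer host alone does not enable verification: by
        // default an SSLEngine performs no endpoint identification.
        // "HTTPS" enables RFC 2818 name matching during the handshake.
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample endpoint; createUnresolved avoids any DNS lookup.
        InetSocketAddress peer =
                InetSocketAddress.createUnresolved("jobmanager.example.com", 6123);
        SSLEngine engine = clientEngine(SSLContext.getDefault(), peer);
        System.out.println("peer host: " + engine.getPeerHost());
        System.out.println("endpoint identification: "
                + engine.getSSLParameters().getEndpointIdentificationAlgorithm());
    }
}
```

When auditing SSL setup code, the two things to look for are the first argument to `createSSLEngine` and whether an endpoint identification algorithm is set on the engine's `SSLParameters`.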
