mesos-issues mailing list archives

From "Till Toenshoff (JIRA)" <j...@apache.org>
Subject [jira] [Created] (MESOS-5724) SSL certificate validation should allow IP only verification.
Date Mon, 27 Jun 2016 19:34:52 GMT
Till Toenshoff created MESOS-5724:
-------------------------------------

             Summary: SSL certificate validation should allow IP only verification.
                 Key: MESOS-5724
                 URL: https://issues.apache.org/jira/browse/MESOS-5724
             Project: Mesos
          Issue Type: Bug
          Components: libprocess
    Affects Versions: 1.0.0
            Reporter: Till Toenshoff
            Priority: Blocker


Our SSL certificate validation currently assumes that the host (on connect and on accept)
does have a valid hostname. This however is not true for all valid environments.

{{process::network::openssl::verify}} currently only allows the validation of a certificate
against a hostname. 
See https://github.com/apache/mesos/blob/master/3rdparty/libprocess/src/openssl.cpp#L546

RFC2818 however says that it should be perfectly valid to validate a certificate based on
the IP address.
See https://tools.ietf.org/html/rfc2818
{noformat}
In some cases, the URI is specified as an IP address rather than a
hostname. In this case, the iPAddress subjectAltName must be present
in the certificate and must exactly match the IP in the URI.
{noformat}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
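
The RFC 2818 rule quoted in the message, as an added example that is not libprocess code and not part of the original message: `SanEntry`, `toOctets`, `verifyPeer` and `kSampleSans` are hypothetical names, and a certificate's subjectAltName entries are modelled as a plain list instead of being read through OpenSSL.

```cpp
// Added example; SanEntry, toOctets, verifyPeer are hypothetical names.
#include <arpa/inet.h>

#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// One subjectAltName entry: dNSName entries hold text, iPAddress entries
// hold raw octets (4 for IPv4, 16 for IPv6).
struct SanEntry {
  enum Type { DNS, IP } type;
  std::string value;
};

// Constructed sample: SANs of a certificate issued to an IP-only host.
const std::vector<SanEntry> kSampleSans = {
    {SanEntry::IP, std::string("\x0a\x00\x00\x05", 4)},  // 10.0.0.5
    {SanEntry::DNS, "10.0.0.9"}};  // an address spelled as a dNSName

// IP literal -> iPAddress octets; empty string when `peer` is not an IP.
static std::string toOctets(const std::string& peer) {
  unsigned char buf[16];
  if (inet_pton(AF_INET, peer.c_str(), buf) == 1)
    return std::string(reinterpret_cast<char*>(buf), 4);
  if (inet_pton(AF_INET6, peer.c_str(), buf) == 1)
    return std::string(reinterpret_cast<char*>(buf), 16);
  return std::string();
}

static std::string lower(std::string s) {
  std::transform(s.begin(), s.end(), s.begin(),
                 [](unsigned char c) { return std::tolower(c); });
  return s;
}

// An IP peer is matched only against iPAddress entries, octet for octet;
// a hostname peer only against dNSName entries (wildcards left out here).
bool verifyPeer(const std::vector<SanEntry>& sans, const std::string& peer) {
  const std::string octets = toOctets(peer);
  for (const SanEntry& san : sans) {
    if (!octets.empty()) {
      if (san.type == SanEntry::IP && san.value == octets) return true;
    } else if (san.type == SanEntry::DNS && lower(san.value) == lower(peer)) {
      return true;
    }
  }
  return false;
}
```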
