mesos-issues mailing list archives

From "Till Toenshoff (JIRA)" <>
Subject [jira] [Updated] (MESOS-5724) SSL certificate validation should allow IP only verification.
Date Mon, 27 Jun 2016 19:39:51 GMT


Till Toenshoff updated MESOS-5724:
    Labels: libprocess mesosphere security ssl  (was: libprocess security ssl)

> SSL certificate validation should allow IP only verification.
> -------------------------------------------------------------
>                 Key: MESOS-5724
>                 URL:
>             Project: Mesos
>          Issue Type: Bug
>          Components: libprocess
>    Affects Versions: 1.0.0
>            Reporter: Till Toenshoff
>            Priority: Blocker
>              Labels: libprocess, mesosphere, security, ssl
> Our SSL certificate validation currently assumes that the host (on connect and on accept) does have a valid hostname. This however is not true for all environments.
> {{process::network::openssl::verify}} currently only allows the validation of a certificate against a hostname.
> See
> RFC2818 however says that it should be perfectly valid to validate a certificate based on the IP address.
> See
> {noformat}
> In some cases, the URI is specified as an IP address rather than a
> hostname. In this case, the iPAddress subjectAltName must be present
> in the certificate and must exactly match the IP in the URI.
> {noformat}

This message was sent by Atlassian JIRA
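
The RFC 2818 rule quoted in the issue, as an added example that is not part of the original message and is not libprocess code: a peer given as an IP literal is accepted only if an iPAddress subjectAltName carries the same octets, and a hostname peer is checked only against dNSName entries. The `San` model, `verifyPeer`, `sampleSans` and all sample values are hypothetical and constructed for illustration; wildcard and Common Name handling are left out.

```cpp
#include <arpa/inet.h>
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// Constructed model of a certificate's subjectAltName entries (not libprocess types).
enum class SanType { DNS, IP };
struct San {
  SanType type;
  std::string value;  // DNS: the name; IP: raw octets (4 or 16) as stored in the cert
};

// Parse a textual IPv4/IPv6 address into raw octets; empty string if it is not an IP.
static std::string toOctets(const std::string& text) {
  unsigned char buf[16];
  if (inet_pton(AF_INET, text.c_str(), buf) == 1) return std::string(buf, buf + 4);
  if (inet_pton(AF_INET6, text.c_str(), buf) == 1) return std::string(buf, buf + 16);
  return "";
}

static std::string lower(std::string s) {
  std::transform(s.begin(), s.end(), s.begin(),
                 [](unsigned char c) { return std::tolower(c); });
  return s;
}

// Hypothetical helper: true if `peer` (hostname or IP literal) is covered by the SANs.
// An IP peer is matched only against iPAddress entries, octet for octet, so different
// textual spellings of one IPv6 address still compare equal.
bool verifyPeer(const std::vector<San>& sans, const std::string& peer) {
  const std::string octets = toOctets(peer);
  for (const San& san : sans) {
    if (!octets.empty()) {
      if (san.type == SanType::IP && san.value == octets) return true;
    } else if (san.type == SanType::DNS && lower(san.value) == lower(peer)) {
      return true;
    }
  }
  return false;  // also the case of an IP peer and no iPAddress SAN in the certificate
}

// Constructed sample certificate contents.
std::vector<San> sampleSans() {
  return {{SanType::DNS, "agent1.example.com"},
          {SanType::DNS, "10.0.0.9"},  // IP typed into a dNSName: must not count
          {SanType::IP, toOctets("10.0.0.5")},
          {SanType::IP, toOctets("2001:db8::1")}};
}
```
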
