GEODE-9135: Remove reverse DNS lookup in Connection.java for accepted connections



    • Type: Bug
    • Status: In Progress
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: membership


Prior to the introduction of SSLEngine use in the org.apache.geode.internal.tcp package we used SSLSockets. During a handshake we would set the SNIHostName on the client side of the connection and have it validate the hostname returned by the server side of the handshake.

When we introduced SSLEngine we changed this to set the SNIHostName on both sides. We should revert this so that it is only set on the client side.

The server side of the connection does not have a hostname for the client side of the connection in this case and it is currently doing a reverse DNS lookup to get the name. That is a potentially expensive operation, and even then we don't know whether to use the fully qualified domain name (FQDN) or a simple host name. This matters because endpoint verification requires that the name we choose be presented in the certificate of the other server. If we choose the FQDN and the cert only has a simple host name, the handshake will fail.

SSLEngine requires a host name when it's constructed, but most algorithms don't use it. The documentation mentions that Kerberos may need it, so we would have to provide a way for the reverse lookup to be enabled, or find some other way to get the host name, such as SocketCreator.getHostName()'s reverse-lookup cache.
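The asymmetric setup the description argues for, as an added illustration in plain JSSE (this is not Geode's Connection.java code): the connecting side names the peer it expects via SNIHostName and enables endpoint identification against the server certificate, while the accepting side builds its SSLEngine without a peer host, never performs the reverse lookup, and relies on the trust store (plus, optionally, required client authentication) rather than a guessed FQDN. The helper names, the "HTTPS" identification algorithm and the optional-Kerberos flag are assumptions made for this example.

```java
import java.net.InetAddress;
import java.util.Collections;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

/** Example engine factory (not Geode's code) showing client-only SNI / hostname checks. */
public final class PeerEngineExample {

    /** Client (connecting) side: we know who we dialed, so verify that name. */
    public static SSLEngine newClientEngine(SSLContext ctx, String peerHost, int peerPort) {
        // peerHost is the name the caller chose to connect to, not a DNS guess.
        SSLEngine engine = ctx.createSSLEngine(peerHost, peerPort);
        engine.setUseClientMode(true);

        SSLParameters params = engine.getSSLParameters();
        // Send the expected name as SNI so the server can pick the right certificate.
        params.setServerNames(Collections.singletonList(new SNIHostName(peerHost)));
        // Have JSSE check the server certificate's SAN/CN against peerHost ("HTTPS" rules,
        // an assumed choice for this example).
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    /**
     * Server (accepting) side: we only have the remote address. Do not ask DNS for a name,
     * because InetAddress.getHostName()/getCanonicalHostName() trigger a reverse lookup and
     * the answer may not match what the client's certificate carries anyway.
     */
    public static SSLEngine newServerEngine(SSLContext ctx, InetAddress remote, int remotePort,
                                            boolean requireClientAuth, boolean kerberosInUse) {
        SSLEngine engine;
        if (kerberosInUse) {
            // Assumed opt-in path: only cipher suites such as Kerberos need a peer host name,
            // so only then pay for the reverse lookup.
            engine = ctx.createSSLEngine(remote.getCanonicalHostName(), remotePort);
        } else {
            // getHostAddress() is a pure formatting call, no DNS traffic.
            engine = ctx.createSSLEngine(remote.getHostAddress(), remotePort);
        }
        engine.setUseClientMode(false);
        engine.setNeedClientAuth(requireClientAuth);

        SSLParameters params = engine.getSSLParameters();
        // No SNI and no endpoint identification on the accepting side: the client's
        // certificate is validated against the trust store, not against a guessed name.
        params.setServerNames(Collections.emptyList());
        params.setEndpointIdentificationAlgorithm(null);
        engine.setSSLParameters(params);
        return engine;
    }

    /** True when an engine would still check a peer name; useful as a unit-test guard. */
    public static boolean verifiesPeerName(SSLEngine engine) {
        String alg = engine.getSSLParameters().getEndpointIdentificationAlgorithm();
        return alg != null && !alg.isEmpty();
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLEngine client = newClientEngine(ctx, "locator.example.internal", 10334);
        SSLEngine server = newServerEngine(ctx, InetAddress.getLoopbackAddress(), 10334, true, false);
        System.out.println("client verifies peer name: " + verifiesPeerName(client)); // true
        System.out.println("server verifies peer name: " + verifiesPeerName(server)); // false
    }
}
```

The design point is that the party that chose the destination is the only one holding a name worth verifying; the accepting side gets its assurance from certificate validation and, if configured, mutual authentication, so dropping the reverse lookup there removes latency without weakening the handshake.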




    • Assignee: Bruce J Schuchardt (bschuchardt)