Details
- Type: Bug
- Status: Resolved
- Priority: Blocker
- Resolution: Fixed
- Affects Version/s: 0.23.0, 0.23.1, 0.24.0, 0.24.1, 0.24.2, 0.25.0, 0.25.1, 0.26.0, 0.26.1, 0.27.0, 0.27.1, 0.27.2, 0.27.3, 0.28.0, 0.28.1, 0.28.2, 1.0.0
- Sprint: Mesosphere Sprint 38
Description
Our SSL certificate validation currently assumes that the host (on connect and on accept) does have a valid hostname. This however is not true for all environments.
process::network::openssl::verify currently only allows the validation of a certificate against a hostname.
See https://github.com/apache/mesos/blob/08866edd8a71d12f87f4f4dbefa292729efbf6ae/3rdparty/libprocess/src/openssl.cpp#L546
RFC 2818 however says that it should be perfectly valid to validate a certificate based on the IP address.
See https://tools.ietf.org/html/rfc2818
In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI.
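The matching rule RFC 2818 section 3.1 describes, worked through in code. This is an added example and not code from libprocess or from the linked openssl.cpp; it models the decision logic in plain C++ so it runs without linking libcrypto (in OpenSSL 1.0.2 and later the equivalent library calls are X509_check_host for a dNSName and X509_check_ip_asc for an iPAddress). SanEntry, parseIp, dnsMatches, peerMatches and sampleSans are names chosen for this example, and the SAN list in sampleSans is constructed rather than taken from a real certificate. The point it shows beyond the text: an IP literal is satisfied only by an iPAddress entry compared byte for byte, so neither a dNSName that spells the same address as text nor an IPv4-mapped IPv6 form of it is accepted, while a hostname is matched against dNSName entries with the single-label wildcard rule.

```cpp
#include <arpa/inet.h>
#include <cctype>
#include <cstdio>
#include <string>
#include <vector>

// Hypothetical representation of one subjectAltName entry, as a verifier would
// pull it out of the X509 extension: either a dNSName or an iPAddress.
struct SanEntry {
    enum Kind { DNS, IP };
    Kind kind;
    std::string value;  // dNSName text, or iPAddress in presentation form ("10.0.0.5", "fe80::1")
};

// Parse an IPv4 or IPv6 literal into its raw bytes (4 or 16). Empty if the
// string is not an IP literal, which is how a hostname is told apart from an address.
static std::vector<unsigned char> parseIp(const std::string& text) {
    unsigned char buf[16];
    if (inet_pton(AF_INET, text.c_str(), buf) == 1) return {buf, buf + 4};
    if (inet_pton(AF_INET6, text.c_str(), buf) == 1) return {buf, buf + 16};
    return {};
}

// DNS names compare without regard to case.
static bool equalsIgnoreCase(const std::string& a, const std::string& b) {
    if (a.size() != b.size()) return false;
    for (size_t i = 0; i < a.size(); i++) {
        if (std::tolower(static_cast<unsigned char>(a[i])) !=
            std::tolower(static_cast<unsigned char>(b[i]))) return false;
    }
    return true;
}

// dNSName match per RFC 2818 section 3.1: exact match, or a leading "*."
// wildcard standing for exactly one label ("*.a.com" matches "x.a.com" but
// neither "a.com" nor "y.x.a.com").
static bool dnsMatches(const std::string& pattern, const std::string& host) {
    if (pattern.compare(0, 2, "*.") == 0) {
        std::string suffix = pattern.substr(1);      // ".a.com"
        size_t dot = host.find('.');
        if (dot == std::string::npos) return false;  // host is a single label
        return equalsIgnoreCase(host.substr(dot), suffix);
    }
    return equalsIgnoreCase(pattern, host);
}

// Decide whether the identity the client dialed (hostname or IP literal) is
// certified by the SAN list. For an IP literal RFC 2818 requires an iPAddress
// entry that matches exactly; a dNSName spelling the same address does not count.
bool peerMatches(const std::vector<SanEntry>& sans, const std::string& peer) {
    std::vector<unsigned char> peerIp = parseIp(peer);
    if (!peerIp.empty()) {
        for (const SanEntry& san : sans) {
            if (san.kind == SanEntry::IP && parseIp(san.value) == peerIp) return true;
        }
        return false;
    }
    for (const SanEntry& san : sans) {
        if (san.kind == SanEntry::DNS && dnsMatches(san.value, peer)) return true;
    }
    return false;
}

// Constructed SAN list standing in for a parsed certificate (not a real cert).
// The last entry is a mis-issued "IP written as dNSName" that must never
// satisfy a connection made to that IP literal.
std::vector<SanEntry> sampleSans() {
    return {
        {SanEntry::DNS, "master.mesos.example"},
        {SanEntry::DNS, "*.mesos.example"},
        {SanEntry::IP,  "10.0.0.5"},
        {SanEntry::IP,  "fe80::1"},
        {SanEntry::DNS, "192.168.1.1"},
    };
}

int main() {
    const char* peers[] = {"10.0.0.5", "FE80:0:0:0:0:0:0:1", "::ffff:10.0.0.5",
                           "192.168.1.1", "agent1.mesos.example", "mesos.example"};
    for (const char* peer : peers) {
        std::printf("%-22s %s\n", peer, peerMatches(sampleSans(), peer) ? "match" : "no match");
    }
    return 0;
}
```

Because the comparison is on the parsed bytes rather than the text, "FE80:0:0:0:0:0:0:1" matches the iPAddress entry "fe80::1", but "::ffff:10.0.0.5" (16 bytes) does not match "10.0.0.5" (4 bytes), which is the exact-match behaviour the RFC asks for.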