  1. Mesos
  2. MESOS-5724

SSL certificate validation should allow IP only verification.


    Details

    • Sprint:
      Mesosphere Sprint 38

      Description

      Our SSL certificate validation currently assumes that the host (on connect and on accept) does have a valid hostname. This however is not true for all environments.

      process::network::openssl::verify currently only allows the validation of a certificate against a hostname.
      See https://github.com/apache/mesos/blob/08866edd8a71d12f87f4f4dbefa292729efbf6ae/3rdparty/libprocess/src/openssl.cpp#L546

      RFC2818 however says that it should be perfectly valid to validate a certificate based on the IP address.
      See https://tools.ietf.org/html/rfc2818

      In some cases, the URI is specified as an IP address rather than a
      hostname. In this case, the iPAddress subjectAltName must be present
      in the certificate and must exactly match the IP in the URI.
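The RFC 2818 rule quoted above, as an added example that is not part of the original issue and is not Mesos code: when the peer is an IP literal, only an iPAddress subjectAltName with identical address octets is accepted. `SanEntry`, `ipOctets` and `matchesPeer` are hypothetical names, and the SAN entries are assumed to have been extracted from the certificate already.

```cpp
// Added example, not Mesos code. SanEntry, ipOctets and matchesPeer are
// hypothetical names; SAN entries are assumed to be already parsed.
#include <arpa/inet.h>
#include <strings.h>

#include <iostream>
#include <string>
#include <vector>

enum class SanType { DNS, IP };

struct SanEntry {
  SanType type;
  std::string value; // DNS: name text. IP: raw 4 or 16 address octets.
};

// Parses a textual IPv4/IPv6 address into raw octets; empty if not an IP.
std::string ipOctets(const std::string& text) {
  unsigned char buf[16];
  const char* raw = reinterpret_cast<const char*>(buf);
  if (inet_pton(AF_INET, text.c_str(), buf) == 1) return std::string(raw, 4);
  if (inet_pton(AF_INET6, text.c_str(), buf) == 1) return std::string(raw, 16);
  return std::string();
}

// `peer` is the hostname or IP literal the connection was made to.
bool matchesPeer(const std::vector<SanEntry>& sans, const std::string& peer) {
  const std::string octets = ipOctets(peer);
  for (const SanEntry& san : sans) {
    if (!octets.empty()) {
      // IP peer: only an iPAddress SAN with identical octets matches; a
      // dNSName that merely spells the address does not.
      if (san.type == SanType::IP && san.value == octets) return true;
    } else if (san.type == SanType::DNS && san.value.size() == peer.size() &&
               strcasecmp(san.value.c_str(), peer.c_str()) == 0) {
      return true; // Exact name only; wildcards are out of scope here.
    }
  }
  return false;
}

int main() {
  // Constructed sample: SANs of a certificate issued for 10.0.0.1.
  std::vector<SanEntry> sans = {{SanType::IP, ipOctets("10.0.0.1")},
                                {SanType::DNS, "10.0.0.2"}};
  std::cout << matchesPeer(sans, "10.0.0.1") << matchesPeer(sans, "10.0.0.2")
            << "\n";
  return 0;
}
```

Comparing octets rather than text means different spellings of the same IPv6 address match the same SAN entry.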
      


            People

            • Assignee:
              tillt Till Toenshoff
              Reporter:
              tillt Till Toenshoff
              Shepherd:
              Joris Van Remoortere