Uploaded image for project: 'Mesos'
  1. Mesos
  2. MESOS-9863

Libprocess SSL tests may fail client certificate validation

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • None
    • None
    • None

    Description

      In the current libprocess `ssl_tests.cpp`, we create a "valid" server certificate containing the hostname returned by ::getnameinfo() for the IP of `libprocess::address()`. The libprocess IP is by default determined by a DNS lookup for the current hostname.

      As an example, let's assume my hostname is `poincare` and the libprocess IP is `127.0.1.1`.

      The tests then spawn the `ssl-client` binary as a subprocess passing the server IP as a command-line argument. The `ssl-client` binary will connect to the passed IP. Since we do not bind() before calling connect, the source IP for that connection will be automatically determined by the kernel.

      Continuing the example, the `ssl-client` connects to 127.0.1.1. Since it is a loopback address, the kernel will automatically select 127.0.0.1 as the source IP.

      On the server side, libprocess will now do a reverse DNS lookup on the source IP to determine the hostname of the connecting client. If it doesnt match the provided client certificate, the connection is rejected.

      In the example, libprocess will determine (127.0.0.1, 'localhost') as source ip/hostname, but the certificate contains (127.0.1.1, 'poincare'). Therefore, the connection attempt is rejected.

      Possible solutions to this include binding before calling connect to fix the source ip, or only running these tests with the 'openssl' hostname validation scheme after the corresponding review chain has landed.

      Attachments

        Activity

          People

            Unassigned Unassigned
            bennoe Benno Evers
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated: