[THRIFT-3009] TSSLSocket does not use the correct hostname (breaks certificate checks) - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 0.9.3
Component/s: Go - Library
Labels:
None

Description

TSSLSocket first resolves the specified hostname from NewTSSLSocket, and then passes the IP to tls.Dial. This is wrong because tls.Dial performs TLS certificate checks and needs the original hostname. The result is that TLS support is completely broken as the only way to make a successful connection is to disable the hostname check.

I'd propose (and will upload a patch in a minute) that TSSLSocket gets an field hostPort (in additon to addr) which contains the unresolved hostname. Open() then used one of the two fields, depending on which one was specified in the constructor.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

0001-THRIFT-3009-Make-TSSLSocket-use-the-original-hostnam.patch
25/Feb/15 11:54
4 kB
Mathias Gottschlag

Activity

People

Assignee:: Jens Geyer

Reporter:: Mathias Gottschlag

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 25/Feb/15 11:38

Updated:: 03/Mar/15 20:51

Resolved:: 27/Feb/15 22:16