  1. Thrift
  2. THRIFT-3009

TSSLSocket does not use the correct hostname (breaks certificate checks)

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 0.9.3
    • Component/s: Go - Library
    • Labels:
      None

      Description

      TSSLSocket first resolves the specified hostname from NewTSSLSocket, and then passes the IP to tls.Dial. This is wrong because tls.Dial performs TLS certificate checks and needs the original hostname. The result is that TLS support is completely broken as the only way to make a successful connection is to disable the hostname check.

      I'd propose (and will upload a patch in a minute) that TSSLSocket gets a field hostPort (in addition to addr) which contains the unresolved hostname. Open() then uses one of the two fields, depending on which one was specified in the constructor.
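The failure described in this report can be reproduced with Go's crypto/tls alone. The following is an added example, not part of the original report or of the Thrift code base: it dials an already-resolved loopback address once without a ServerName (the behaviour reported here) and once with the original hostname supplied. The hostname `thrift.example.test`, the helpers `startServer` and `dial`, and the self-signed certificate are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const host = "thrift.example.test" // constructed name, the only one in the test certificate

// startServer serves TLS on loopback and returns its resolved "ip:port" and a pool trusting its cert.
func startServer() (string, *x509.CertPool) {
	pub, priv, e0 := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, e1 := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	leaf, e2 := x509.ParseCertificate(der)
	ln, e3 := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: priv}}})
	if err := errors.Join(e0, e1, e2, e3); err != nil {
		panic(err)
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			c.(*tls.Conn).Handshake() // fails for the IP-only client; that is expected
			c.Close()
		}
	}()
	return ln.Addr().String(), pool
}

// dial connects to a resolved address; with serverName == "" tls.Dial verifies against the IP in addr.
func dial(addr, serverName string, roots *x509.CertPool) error {
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: roots, ServerName: serverName})
	if err == nil {
		conn.Close()
	}
	return err
}

func main() {
	addr, roots := startServer()
	fmt.Printf("IP only: %v\nIP + ServerName: %v\n", dial(addr, "", roots), dial(addr, host, roots))
}
```

Passing the unresolved host:port to tls.Dial, as proposed above, has the same effect as setting ServerName, because tls.Dial takes the name to verify from the host part of the address when ServerName is empty.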

            People

            • Assignee:
              jensg Jens Geyer
              Reporter:
              mgottschlag Mathias Gottschlag