michaeljmarshall opened a new pull request, #15824: URL: https://github.com/apache/pulsar/pull/15824
### Motivation

Currently, we perform hostname verification for the Java Client and the Proxy Java Client using a custom Pulsar hostname verifier. In order to simplify the code, I propose that we refactor these clients so they rely on Netty, its SslHandler, and the JVM to perform the hostname verification. When `HTTPS` is configured as the endpoint verification algorithm, it uses [RFC 2818](https://datatracker.ietf.org/doc/html/rfc2818) to perform hostname verification. This is defined by the `Java Security Standard Algorithm Names` documentation for JDK versions 8, 11, and 17. Here are the official docs:

* https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html
* https://docs.oracle.com/en/java/javase/11/docs/specs/security/standard-names.html
* https://docs.oracle.com/en/java/javase/17/docs/specs/security/standard-names.html

### Modifications

* Update the Java Client so that it configures the SslHandler's SslEngine to use `HTTPS` for endpoint verification and remove unnecessary custom hostname verification logic.
* Update the Proxy's `DirectProxyHandler` class so that it configures the SslHandler to perform hostname verification and so that the proxy handler itself does not perform that verification.
* Make it possible to disable hostname verification checking in the `HttpClient` used by the HTTP Lookup Client code in the Java Client. Currently, it defaults to being always enabled.

### Verifying this change

There are tests that already cover the changes, and I performed integration testing on a minikube cluster with Cert-Manager created certs.

### Does this pull request potentially affect one of the following parts:

This change deprecates support for CN matching in the Pulsar Java Client. A future change should remove this support from the Pulsar Admin Client, which relies on Pulsar's verifier that still supports CN matching.

### Documentation

There is no need for documentation. This is an internal change.
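As an added illustration of the pattern the Modifications describe (this is example code, not the PR's diff or Pulsar's own classes): the SslHandler's SSLEngine is created with the peer host and port, and its endpoint identification algorithm is set to `HTTPS` so the JVM applies the RFC 2818 rules instead of a custom verifier, with a flag that disables the name check the way the third bullet describes for the HTTP lookup client. The class name, constructor, and `trustCertsPem` parameter are assumptions.

```java
import io.netty.channel.ChannelInitializer;
import io.netty.channel.socket.SocketChannel;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;
import java.io.File;

/** Hypothetical initializer; the class and its constructor are assumptions, not Pulsar code. */
public final class HostnameVerifyingTlsInitializer extends ChannelInitializer<SocketChannel> {
    private final SslContext sslContext;
    private final String peerHost;
    private final int peerPort;
    private final boolean verifyHostname;

    public HostnameVerifyingTlsInitializer(File trustCertsPem, String peerHost, int peerPort,
                                           boolean verifyHostname) throws SSLException {
        // Chain validation against the trust store happens regardless of the flag below.
        this.sslContext = SslContextBuilder.forClient().trustManager(trustCertsPem).build();
        this.peerHost = peerHost;
        this.peerPort = peerPort;
        this.verifyHostname = verifyHostname;
    }

    @Override
    protected void initChannel(SocketChannel ch) {
        // Creating the engine with the peer host/port tells the JVM which name the
        // certificate must match (and sets SNI); without it there is nothing to verify.
        SSLEngine engine = sslContext.newEngine(ch.alloc(), peerHost, peerPort);
        if (verifyHostname) {
            // "HTTPS" selects the RFC 2818 rules from the Standard Algorithm Names list,
            // so the engine, not a custom verifier, checks the certificate against peerHost.
            SSLParameters params = engine.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            engine.setSSLParameters(params);
        }
        SslHandler sslHandler = new SslHandler(engine);
        // A name mismatch surfaces here as a failed handshake future, so the caller
        // can log it and make sure the connection is dropped before any data is sent.
        sslHandler.handshakeFuture().addListener(f -> {
            if (!f.isSuccess()) {
                ch.close();
            }
        });
        ch.pipeline().addFirst("tls", sslHandler);
    }
}
```

With `verifyHostname` set to false the engine still validates the certificate chain but accepts any subject name, which is exactly the trade-off the lookup-client knob exposes.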
-- This is an automated message from the Apache Git Service.
