EronWright opened a new issue #171: Enable TLS hostname verification by default
URL: https://github.com/apache/pulsar-client-go/issues/171

#### Expected behavior

The client should use hostname verification by default, especially when using the host's CA bundle.

Hostname verification is a critical aspect of TLS when using public root certificates, to prevent an [MITM attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack). See the famous paper: ["The Most Dangerous Code in the World"](http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf).

_I see a possible related issue, that the `ServerName` field in `tls.Config` should be set in all cases, to support SNI. It is possible to separate certificate verification from hostname verification (see golang/go#21971)._

#### Actual behavior

The client doesn't use hostname verification by default.

#### Steps to reproduce

Create a pulsar client with `pulsar.ClientOptions { ValidateHostname: false }`, and observe that hostname verification does not occur.

#### System configuration

**Pulsar-client-go version**: `master`
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]

With regards,
Apache Git Services
