zzzming opened a new pull request #238:
URL: https://github.com/apache/pulsar-client-go/pull/238


   ### Contribution Checklist
     
   This PR addresses the problem of how to disable TLS ValidateHostname. The current 
implementation with an empty `tlsConfig.ServerName` would not work, because the 
connected server host will be inferred by the Go TLS library in the absence of 
`tlsConfig.ServerName`. One of the use cases is when the DNS name in the server 
certificate returned does not match the broker host name that the client connects to. 
The client can be deployed within the same Pulsar Kubernetes cluster if the client 
connects to the internal proxy or broker host directly instead of the public 
FQDN. This problem may also arise for a self-signed cert.
   
   This specific problem and its solution are described in this issue report: 
https://github.com/golang/go/issues/21971
   
   This PR implements a TLS VerifyPeerCertificate callback to skip host name 
validation if any client chooses to disable TLSValidateHostname in ClientOption.
   
   I understand TLSValidateHostname is false by default because Go initializes 
bool as `false`. There is an existing issue #171 that is tracking the problem. 
I think it will open up a discussion on how to support backward compatibility that 
might require consensus from the community. Therefore, altering the current 
default is beyond the scope of this PR.
   
   ### Does this pull request potentially affect one of the following parts:
   
   *If `yes` was chosen, please highlight the changes*
   
     - Dependencies (does it add or upgrade a dependency): (no)
     - The public API: (yes) Yes, the current implementation of the skip-hostname 
check is broken; this is a fix.
     - The schema: (no)
     - The default values of configurations: (no)
     - The wire protocol: (no)
   
   ### Documentation
   
     - Does this pull request introduce a new feature? (no)
     - If yes, how is the feature documented? (not applicable)
   
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]

