EronWright opened a new issue #9872: URL: https://github.com/apache/pulsar/issues/9872
**Is your enhancement request related to a problem? Please describe.**

Hostname verification is a critical aspect of TLS, especially when using the system-provided certificate bundle. TLS server authentication consists of two steps, a) verify the certificate is **valid** according to a trust chain (i.e. a certificate bundle), and b) verify that the certificate is **applicable** to the connection (i.e. hostname verification). See the article [The Most Dangerous Code in the World](https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf) for more details.

Without hostname verification, the client is willing to accept any certificate that is rooted in the certificate bundle; if you use the system bundle, any certificate from Let's Encrypt or other public issuer would suffice. For example, the client thinks it is connecting to `pulsar.apache.org` but accepts a certificate for `foo.com`.

Pulsar disables hostname verification by default, perhaps on the assumption that a private CA is being used and thus the set of valid certificates is tightly controlled. From [the docs](https://pulsar.apache.org/docs/en/security-tls-transport/#hostname-verification):

> By default, Pulsar clients disable hostname verification, as it requires that each broker has a DNS record and a unique cert.

**Describe the solution you'd like**

The enhancement request is to enable hostname verification by default, at least when using the system cert bundle. Specifically, enable verification when both are true: a) an explicit setting has not been specified, and b) a certificate bundle has not been specified. Condition (b) is for backwards compatibility purposes.
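The two-step check and the proposed default policy, as an added illustration that is not Pulsar's code and not part of the issue: `cert_applies_to_host` performs step (b) against a constructed peer certificate in the shape Python's `ssl` module returns, and `hostname_verification_enabled` encodes the "explicit setting wins, otherwise verify only when no private bundle was given" rule; the `explicit_setting` / `trust_certs_path` parameter names are assumptions.

```python
from typing import Optional

# Constructed sample, shaped like ssl.SSLSocket.getpeercert(): a cert that is
# chain-valid under the system bundle but issued to an unrelated site.
CONSTRUCTED_PEER_CERT = {
    "subject": ((("commonName", "foo.com"),),),
    "subjectAltName": (("DNS", "foo.com"), ("DNS", "*.foo.com")),
}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS-ID match: case-insensitive; '*' is allowed only as
    the entire left-most label and matches exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_applies_to_host(peer_cert: dict, hostname: str) -> bool:
    """Step (b): is this (already chain-validated) certificate applicable to
    the host we meant to reach?  Only SAN DNS entries count; no CN fallback."""
    san = peer_cert.get("subjectAltName", ())
    dns_ids = [value for kind, value in san if kind == "DNS"]
    return any(_dns_name_matches(p, hostname) for p in dns_ids)


def hostname_verification_enabled(explicit_setting: Optional[bool],
                                  trust_certs_path: Optional[str]) -> bool:
    """Proposed default: an explicit setting always wins; with no explicit
    setting, verify only when no private bundle was configured."""
    if explicit_setting is not None:
        return explicit_setting
    return trust_certs_path is None


def accept_server(peer_cert: dict, expected_host: str,
                  explicit_setting: Optional[bool] = None,
                  trust_certs_path: Optional[str] = None) -> bool:
    """Decide whether to proceed, assuming step (a) already passed in the TLS
    stack.  With verification off, any chain-valid cert is accepted."""
    if not hostname_verification_enabled(explicit_setting, trust_certs_path):
        return True
    return cert_applies_to_host(peer_cert, expected_host)
```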
