lhotari opened a new pull request #10541:
URL: https://github.com/apache/pulsar/pull/10541


   Fixes #10372
   
   ### Motivation
   
   * See #10372 
   * Switching to use Conscrypt improves TLS performance of Jetty
   * The change is also needed for fixing some test failures when switching to JDK 11.
   
   ### Modifications
   
   * Load Conscrypt if it's available on the classpath
   * Use the Conscrypt Security provider when it's available. Use it for non-Netty TLS configurations created with SecurityUtils or KeyStoreSSLContext class.
   * Move the Pulsar specific HostnameVerifier part of Pulsar Client from pulsar-client module to pulsar-common module so that it can be used with Conscrypt.
   * Configure Conscrypt to use TlsHostnameVerifier. 
   * Configure Conscrypt's default hostname verifier to use Pulsar's TlsHostnameVerifier which is more relaxed than the Conscrypt HostnameVerifier checking for RFC 2818 conformity.
     * Certificates used in Pulsar docs and examples aren't strictly RFC 2818 compliant since they use the deprecated way of specifying the hostname in the CN field of the subject DN of the certificate.
     * RFC 2818 recommends the use of SAN (subjectAltName) extension for specifying the hostname in the dNSName field of the subjectAltName extension.
     * Conscrypt's default HostnameVerifier has dropped support for the deprecated method of specifying the hostname in the CN field.
     * Pulsar's TlsHostnameVerifier continues to support the CN field.
   * There's a bug in Conscrypt while setting a custom HostnameVerifier, https://github.com/google/conscrypt/issues/1015
     * Add a workaround for setting the HostnameVerifier when using Conscrypt. The workaround can be removed once the bug in Conscrypt is fixed.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]
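
The CN-versus-SAN difference described in the pull request, as an added example that is not code from the pull request, Pulsar or Conscrypt: a simplified Java check that puts a SAN-only policy beside one with CN fallback. The class, its method names and the sample values are hypothetical and constructed for illustration, and wildcard handling is reduced to a single left-most label.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class CnFallbackDemo {
    static final int SAN_DNS_NAME = 2; // GeneralName tag for dNSName

    // Hypothetical helper. sans has the shape returned by
    // X509Certificate.getSubjectAlternativeNames() (null when the extension
    // is absent); subjectDn is an RFC 2253 string.
    static boolean verify(String host, Collection<List<?>> sans, String subjectDn,
                          boolean allowCnFallback) {
        List<String> dnsNames = new ArrayList<>();
        if (sans != null) {
            for (List<?> san : sans) {
                if (Integer.valueOf(SAN_DNS_NAME).equals(san.get(0))) {
                    dnsNames.add((String) san.get(1));
                }
            }
        }
        // dNSName entries, when present, are authoritative and the CN is ignored.
        if (!dnsNames.isEmpty()) return dnsNames.stream().anyMatch(n -> matches(host, n));
        if (!allowCnFallback) return false; // SAN-only policy rejects CN-only certs
        try {
            for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())
                        && matches(host, rdn.getValue().toString())) return true;
            }
        } catch (InvalidNameException e) { /* unparsable subject DN never matches */ }
        return false;
    }

    // Exact match, or a "*." pattern covering exactly one left-most label.
    static boolean matches(String host, String pattern) {
        if (!pattern.startsWith("*.")) return host.equalsIgnoreCase(pattern);
        int dot = host.indexOf('.');
        return dot > 0 && host.substring(dot).equalsIgnoreCase(pattern.substring(1));
    }

    public static void main(String[] args) {
        String host = "broker.example.test"; // constructed sample values
        String dn = "CN=broker.example.test,O=Constructed";
        List<List<?>> otherSan = new ArrayList<>();
        otherSan.add(Arrays.asList(SAN_DNS_NAME, "other.example.test"));
        System.out.println("CN only, SAN-only policy:  " + verify(host, null, dn, false));
        System.out.println("CN only, CN fallback:      " + verify(host, null, dn, true));
        System.out.println("SAN mismatch, CN fallback: " + verify(host, otherSan, dn, true));
    }
}
```

The third case shows why a CN fallback should apply only when no dNSName entry exists: a certificate whose SAN names a different host is rejected even though its CN matches.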

