rdhabalia commented on a change in pull request #1208: Add hostname-verification at client tls connection
URL: https://github.com/apache/incubator-pulsar/pull/1208#discussion_r167158945
 
 

 ##########
 File path: pulsar-client/src/main/java/org/apache/pulsar/client/api/ClientConfiguration.java
 ##########
 @@ -356,4 +357,21 @@ public void 
setMaxNumberOfRejectedRequestPerConnection(int maxNumberOfRejectedRe
         this.maxNumberOfRejectedRequestPerConnection = 
maxNumberOfRejectedRequestPerConnection;
     }
 
+    public boolean isTlsHostnameVerificationEnable() {
+        return tlsHostnameVerificationEnable;
+    }
+
+    /**
+     * It allows to validate hostname verification when client connects to 
broker over tls. It validates incoming x509
+     * certificate and matches provided hostname(CN/SAN) with expected 
broker's host name. It follows RFC 2818, 3.1. Server
+     * Identity hostname verification.
+     * 
+     * @see <a href="https://tools.ietf.org/html/rfc2818";>rfc2818</a>
+     * 
+     * @param tlsHostnameVerificationEnable
+     */
+    public void setTlsHostnameVerificationEnable(boolean 
tlsHostnameVerificationEnable) {
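
Review bot: The Javadoc on `setTlsHostnameVerificationEnable` leaves `@param tlsHostnameVerificationEnable` without a description, and it does not state the default value or what the client does when the certificate's CN/SAN does not match the expected broker host name. Suggest describing the parameter, documenting the default and the failure behaviour, and rewording the opening sentence ("It allows to validate hostname verification") to something like "Enables hostname verification when the client connects to a broker over TLS". The getter `isTlsHostnameVerificationEnable()` has no Javadoc at all, and a name ending in `Enabled` would read more naturally for a boolean property.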
 
 Review comment:
   umm.. actually one can use `allowInsecureConnection` in a non-prod env, which makes the client trust all X.509 certificates without any verification using `InsecureTrustManagerFactory.java`. However, hostname verification can be applied on top of a secured connection as well.
   
   >  that is what the HTTP client is following anyway.
   
   Actually, even the HTTP client also provides a separate API to [set hostNameVerifier](http://hc.apache.org/httpcomponents-client-ga/httpclient/apidocs/org/apache/http/impl/client/HttpClientBuilder.html#setHostnameVerifier(org.apache.http.conn.ssl.X509HostnameVerifier))
   
   So, as both configs serve different purposes, wouldn't it be better to give flexibility while configuring it?

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services
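
The distinction raised in the comment above, between which certificates a client trusts and whether the certificate must match the host it dialed, shown with standard JSSE as an added example; this is not code from the pull request or from Pulsar. The class and method names, the host `broker.example.com` and the port are constructed placeholders.

```java
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManagerFactory;

// Added illustration (hypothetical class): two independent client-side TLS settings.
public final class TlsClientKnobs {

    /** Knob 1: which certificate chains are trusted. A null trust store means the JVM default CAs. */
    static SSLContext contextTrusting(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Knob 2: whether the server certificate's identity must match the host we connect to. */
    static SSLEngine clientEngine(SSLContext ctx, String host, int port, boolean verifyHostname) {
        // The peer host given here is the name the certificate is matched against.
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        // "HTTPS" selects RFC 2818 server identity checking. An SSLEngine leaves this
        // unset (null) by default, so a trusted chain alone does not bind the
        // certificate to the host name.
        params.setEndpointIdentificationAlgorithm(verifyHostname ? "HTTPS" : null);
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = contextTrusting(null); // default CA trust
        for (boolean verify : new boolean[] {false, true}) {
            // Constructed placeholder host and port; no connection is opened.
            SSLEngine engine = clientEngine(ctx, "broker.example.com", 6651, verify);
            System.out.println("verifyHostname=" + verify
                    + " endpointIdentificationAlgorithm="
                    + engine.getSSLParameters().getEndpointIdentificationAlgorithm());
        }
    }
}
```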