Hi, I'm debugging a strange error in our mTLS setup where I had to explicitly disable client hostname verification, because HBase keeps trying to validate 127.0.0.1/localhost as the peer host.
------------------------------------------
2024-08-09 01:32:21,486 ERROR org.apache.hadoop.hbase.io.crypto.tls.HBaseTrustManager: Failed to verify host address: 127.0.0.1
javax.net.ssl.SSLPeerUnverifiedException: Certificate for <127.0.0.1> doesn't match common name of the certificate subject: my-perfect-hostname
...
2024-08-09 01:32:21,486 ERROR org.apache.hadoop.hbase.io.crypto.tls.HBaseTrustManager: Failed to verify hostname: localhost
javax.net.ssl.SSLPeerUnverifiedException: Certificate for <localhost> doesn't match common name of the certificate subject: my-perfect-hostname
------------------------------------------

First it tries 127.0.0.1 and then localhost, because reverse lookup is enabled, but why is it localhost?

The check is here:
https://github.com/apache/hbase/blob/master/hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/tls/HBaseTrustManager.java#L97

The version of checkClientTrusted with chain, authType and engine. Based on the SSLEngine javadoc:

------------------------------------------
/**
 * Returns the host name of the peer.
 * <P>
 * Note that the value is not authenticated, and should not be
 * relied upon.
 *
 * @return the host name of the peer, or null if nothing is
 *         available.
 */
public String getPeerHost() {
    return peerHost;
}
------------------------------------------

That explains it, because if the peerHost is null, InetAddress.getByName() doesn't fail and it returns localhost.

I have no idea under what circumstances the peerHost can be unknown, but I would like to add a null check and skip hostname verification with a warning message in such a case. It would be nice to get the peerHost from somewhere else as a fallback.

Regards,
Andor
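The mechanism described in the message, shown as an added stand-alone example (not HBase code and not from the poster): InetAddress.getByName(null) silently returns the loopback address, which is why a null SSLEngine.getPeerHost() ends up being verified as 127.0.0.1/localhost. The resolveGuarded helper below is a hypothetical version of the proposed null check; it hands the decision back to the caller instead of resolving, and note that skipping hostname verification leaves only the certificate chain check in place.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;

public class PeerHostCheckDemo {

    /**
     * Reproduces the failure mode: a null host name does not fail the lookup,
     * it resolves to the loopback interface (per the InetAddress javadoc).
     */
    static InetAddress resolveUnguarded(String peerHost) throws UnknownHostException {
        return InetAddress.getByName(peerHost);
    }

    /**
     * Hypothetical guard for a null/empty SSLEngine.getPeerHost() value.
     * Returns null so the caller can log a warning and skip hostname
     * verification, rather than checking the certificate against loopback.
     */
    static InetAddress resolveGuarded(String peerHost) throws UnknownHostException {
        if (peerHost == null || peerHost.isEmpty()) {
            System.err.println("WARN: SSLEngine.getPeerHost() returned no peer host; "
                + "hostname verification cannot be performed for this connection");
            return null;
        }
        return InetAddress.getByName(peerHost);
    }

    public static void main(String[] args) throws UnknownHostException {
        // Constructed input: the peer host is unknown, as in the reported error.
        String peerHost = null;

        InetAddress unguarded = resolveUnguarded(peerHost);
        // Prints the loopback address, e.g. 127.0.0.1 / localhost, exactly the
        // names that HBaseTrustManager then tries to match against the cert.
        System.out.println("Unguarded lookup of null peer host -> "
            + unguarded.getHostAddress() + " (" + unguarded.getHostName() + ")");

        InetAddress guarded = resolveGuarded(peerHost);
        System.out.println("Guarded lookup of null peer host -> " + guarded);
    }
}
```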