[ https://issues.apache.org/jira/browse/THRIFT-3009?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14336404#comment-14336404 ]

Mathias Gottschlag commented on THRIFT-3009:
--------------------------------------------

I just noticed that the patch shouldn't remove the error return value, even 
though it is not used anymore now, because the change breaks source 
compatibility. The second version of the patch reverts that change.

> TSSLSocket does not use the correct hostname (breaks certificate checks)
> ------------------------------------------------------------------------
>
>                 Key: THRIFT-3009
>                 URL: https://issues.apache.org/jira/browse/THRIFT-3009
>             Project: Thrift
>          Issue Type: Bug
>          Components: Go - Library
>            Reporter: Mathias Gottschlag
>         Attachments: 
> 0001-THRIFT-3009-Make-TSSLSocket-use-the-original-hostnam.patch, 
> 0001-THRIFT-3009-Make-TSSLSocket-use-the-original-hostnam.patch
>
>
> TSSLSocket first resolves the specified hostname from NewTSSLSocket, and then 
> passes the IP to tls.Dial. This is wrong because tls.Dial performs TLS 
> certificate checks and needs the original hostname. The result is that TLS 
> support is completely broken as the only way to make a successful connection 
> is to disable the hostname check.
> I'd propose (and will upload a patch in a minute) that TSSLSocket gets a 
> field hostPort (in addition to addr) which contains the unresolved hostname. 
> Open() then uses one of the two fields, depending on which one was specified 
> in the constructor.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
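The failure described in the issue, reproduced in Go as an added example (this is not Thrift's code nor the patch attached to the issue). It starts a local TLS server whose self-signed certificate carries only a DNS SAN for the hypothetical name thrift.example.test, then connects twice: once the way the report describes, handing tls.Dial the already-resolved 127.0.0.1 so verification is done against the IP, and once the way the proposed fix works, dialing the resolved address but keeping the original hostname and passing it as tls.Config.ServerName. The names newTestCert, startServer, openResolvedOnly, openWithHostname and Demo are this example's own; the certificate is generated at run time and stands in for a real CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// serverName is the hypothetical hostname the server certificate is issued for.
const serverName = "thrift.example.test"

// newTestCert builds a self-signed certificate with a DNS SAN for serverName
// (constructed here for the example; not a real CA) and a pool that trusts it.
func newTestCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: serverName},
		DNSNames:              []string{serverName}, // deliberately no IP SAN
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// startServer listens on a loopback port with the test certificate and runs one
// handshake per accepted connection; the caller closes the listener when done.
func startServer(cert tls.Certificate) (net.Listener, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func() {
				defer c.Close()
				c.(*tls.Conn).Handshake() // an error here only means the client rejected us
			}()
		}
	}()
	return ln, nil
}

// openResolvedOnly mirrors the reported bug: the hostname was resolved earlier, so
// tls.Dial only sees "127.0.0.1:port" and verifies the certificate against the IP.
func openResolvedOnly(addr *net.TCPAddr, roots *x509.CertPool) error {
	conn, err := tls.Dial("tcp", addr.String(), &tls.Config{RootCAs: roots})
	if err != nil {
		return err
	}
	conn.Close() // only the handshake result matters for this example
	return nil
}

// openWithHostname follows the proposed fix: connect to the resolved address but
// keep the unresolved host:port and give its host to TLS as ServerName.
func openWithHostname(addr *net.TCPAddr, hostPort string, roots *x509.CertPool) error {
	host, _, err := net.SplitHostPort(hostPort)
	if err != nil {
		return err
	}
	raw, err := net.DialTCP("tcp", nil, addr)
	if err != nil {
		return err
	}
	defer raw.Close()
	conn := tls.Client(raw, &tls.Config{ServerName: host, RootCAs: roots})
	return conn.Handshake()
}

// Demo runs both client variants against the local server and returns their errors:
// the first is expected to be an x509.HostnameError, the second nil.
func Demo() (resolvedErr, hostnameErr error) {
	cert, roots, err := newTestCert()
	if err != nil {
		return err, err
	}
	ln, err := startServer(cert)
	if err != nil {
		return err, err
	}
	defer ln.Close()
	addr := ln.Addr().(*net.TCPAddr)
	// The unresolved host:port a caller would have passed to the constructor.
	hostPort := net.JoinHostPort(serverName, fmt.Sprint(addr.Port))
	return openResolvedOnly(addr, roots), openWithHostname(addr, hostPort, roots)
}

func main() {
	a, b := Demo()
	fmt.Println("dial by resolved IP:   ", a)
	fmt.Println("dial with ServerName:  ", b)
}
```

Run it and the first line reports that the certificate cannot be validated for 127.0.0.1 because it has no IP SANs, while the second succeeds. The only other way to make the first variant connect is InsecureSkipVerify, which is the "disable the hostname check" workaround the report warns about; keeping the hostname and setting ServerName is the correct fix.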