Hi Sampo,

> The code for the ZKHostnameVerifier is copied from Apache HttpClient
> and the bug has been fixed there in this issue
> https://issues.apache.org/jira/browse/HTTPCLIENT-1906
> (commit
> https://github.com/apache/httpcomponents-client/commit/56cc24525e5ba2a5ef8fa0de2385687e83589a71
> )

I believe that issue has been fixed by ZOOKEEPER-3832,
"ZKHostnameVerifier rejects valid certificates with subjectAltNames":

    https://issues.apache.org/jira/browse/ZOOKEEPER-3832

The fix should be in 3.5.9 (soon), 3.6.2 (released) and 3.7.0 (soon).

> It would be better not to need the copy pasting as there are several
> other commits to that HostNameVerifier that have not been applied to
> the ZKHostNameVerifier so there may exist other conditions too where
> ZKHostNameVerifier does not work as expected.

I agree in general; I haven't investigated the full history of this,
but I am sure it was done on purpose.  In the meantime, are there other
specific commits you think we should consider?

> Also, the Java Doc says that the code is copied from the HttpClient
> but does not canonically reference the class which it came from.

Improving that (and providing an easier way to sync with upstream) would
definitely be a good idea.  Would you mind opening a ticket?  (And if
you have a solution in mind, a "pull request" would also be welcome!)

Cheers, -D

Sampo Saarela <sampo.saar...@relex.fi> writes:
> Hello,
>
> The code for the ZKHostnameVerifier is copied from Apache HttpClient
> and the bug has been fixed there in this issue
> https://issues.apache.org/jira/browse/HTTPCLIENT-1906
> (commit
> https://github.com/apache/httpcomponents-client/commit/56cc24525e5ba2a5ef8fa0de2385687e83589a71
> )
>
> Missing the above fix will cause a valid certificate to be rejected in
> case the certificate contains other alternative subject names than DNS
> or IP, for example OID 1.3.6.1.5.2.2 - KRB5PrincipalName and/or OID
> 1.3.6.1.4.1.311.20.2.3 - User Principal Name (UPN).
>
> It would be better not to need the copy pasting as there are several
> other commits to that HostNameVerifier that have not been applied to
> the ZKHostNameVerifier so there may exist other conditions too where
> ZKHostNameVerifier does not work as expected.
>
> Also, the Java Doc says that the code is copied from the HttpClient
> but does not canonically reference the class which it came from.
>
> Brgs,
> Sampo Saarela
> Software developer
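
The subjectAltName handling Sampo describes, as an added example that is not part of the thread and not ZooKeeper or HttpClient code: a small Python walk over a DER-encoded GeneralNames value that keeps only the dNSName and iPAddress entries, skips every other GeneralName choice (including otherName entries carrying the two OIDs he mentions), and then matches a hostname against those entries alone. The sample SAN value, the helper names and the simplified KRB5PrincipalName payload are constructed for the illustration; a real certificate's SAN would be read from its extension instead.

```python
"""Extract dNSName/iPAddress entries from a DER subjectAltName (GeneralNames,
RFC 5280 4.2.1.6), skipping otherName and other choices, then verify a host.
Constructed illustration for this thread; not ZooKeeper or HttpClient code."""
import ipaddress

# GeneralName CHOICE tag numbers (context-specific class)
OTHER_NAME, RFC822_NAME, DNS_NAME, URI, IP_ADDRESS = 0, 1, 2, 6, 7

def _tlv(tag, body):
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def _oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def other_name(type_id, value_der):
    """otherName ::= [0] SEQUENCE { type-id OID, value [0] EXPLICIT ANY }."""
    return _tlv(0xA0, _oid(type_id) + _tlv(0xA0, value_der))

def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def general_names(san_der):
    """Yield (choice, raw value) for each GeneralName in the SAN SEQUENCE."""
    tag, body, _ = _read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName must be a SEQUENCE")
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if (tag & 0xC0) != 0x80:
            raise ValueError("GeneralName must use a context-specific tag")
        yield tag & 0x1F, value

def extract_dns_and_ip(san_der):
    """Return ([dNSName...], [iPAddress...]); every other choice is ignored."""
    dns, ips = [], []
    for choice, value in general_names(san_der):
        if choice == DNS_NAME:
            dns.append(value.decode("ascii"))             # IA5String
        elif choice == IP_ADDRESS:
            ips.append(str(ipaddress.ip_address(value)))  # 4- or 16-byte OCTET STRING
        # otherName (KRB5PrincipalName, UPN), rfc822Name, URI ...: not hostname
        # material, so they are skipped instead of failing the whole certificate
    return dns, ips

def _dns_matches(pattern, host):
    """Exact match or a single leftmost wildcard label, case-insensitive."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]
        label = host[:-len(suffix)] if host.endswith(suffix) else ""
        return bool(label) and "." not in label
    return pattern == host

def matches_host(san_der, host):
    """Hostname verification driven only by the DNS/IP entries of the SAN."""
    dns, ips = extract_dns_and_ip(san_der)
    try:
        return str(ipaddress.ip_address(host)) in ips
    except ValueError:
        return any(_dns_matches(p, host) for p in dns)

# Constructed sample SAN: two DNS names, one IP, a UPN otherName and a
# KRB5PrincipalName otherName (its inner structure simplified to one UTF8String).
SAMPLE_SAN = _tlv(0x30, b"".join([
    _tlv(0x80 | DNS_NAME, b"zk1.example.com"),
    _tlv(0x80 | DNS_NAME, b"*.example.org"),
    _tlv(0x80 | IP_ADDRESS, ipaddress.ip_address("10.0.0.5").packed),
    other_name("1.3.6.1.4.1.311.20.2.3", _tlv(0x0C, b"zk1@EXAMPLE.COM")),
    other_name("1.3.6.1.5.2.2", _tlv(0x30, _tlv(0x0C, b"zk/zk1.example.com@EXAMPLE.COM"))),
]))
```

With the sample above, extract_dns_and_ip returns the two DNS names and the one IP and the two otherName entries are passed over unread, so matches_host accepts zk1.example.com, zk2.example.org and 10.0.0.5 and rejects a.b.example.org. The Java counterpart of the same filter is to check the Integer type in each entry returned by X509Certificate.getSubjectAlternativeNames() before touching its value: types 2 (dNSName) and 7 (iPAddress) carry a String, while otherName entries (type 0) carry a byte[] holding the DER form, so a verifier that casts every value to String, or refuses entries it does not recognise, will fail on exactly the certificates Sampo describes.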
