Kezhu Wang created ZOOKEEPER-4961:
-------------------------------------

Summary: Client side hostname verification failed due to reverse DNS lookup in SASL client
Key: ZOOKEEPER-4961
URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4961
Project: ZooKeeper
Issue Type: Bug
Components: java client
Affects Versions: 3.9.3, 3.8.4
Reporter: Kezhu Wang
The SASL client and {{ClientCnxnSocket}} use the same {{InetSocketAddress}} object. If SASL is enabled (which is the default), the SASL client calls {{getHostName}}, which changes the result of {{getHostString}}, the method {{ClientCnxnSocket}} relies on. Normally this doesn't matter, but in FIPS mode (enabled by default in 3.9) it can fail client-side hostname verification. This can happen in the following situation:

1. The server cert is signed with the SAN IP address "127.0.0.1".
2. The connection string is "127.0.0.1".
3. {{zookeeper.fips-mode}} is enabled in the client.
4. {{zookeeper.sasl.client}} is enabled.
5. {{zookeeper.ssl.hostnameVerification}} is enabled.

The SSL connection can then be rejected by the client, because the SASL client's reverse DNS lookup turns {{getHostString}} into "localhost", which does not match the server cert.
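As an added illustration (not code from ZooKeeper), the following stand-alone Java program reproduces the mechanism described above: {{InetSocketAddress.getHostString}} returns the IP literal only until a reverse lookup has been cached on the shared {{InetAddress}}, and giving each consumer its own address object keeps the verifier's view stable. Whether 127.0.0.1 reverse-resolves to "localhost" depends on the machine's resolver configuration; that is an assumption, not something the code controls.

```java
import java.net.InetSocketAddress;

public class HostStringDrift {

    // What a TLS hostname verifier would compare against the certificate's SAN entries.
    static String verifierTarget(InetSocketAddress addr) {
        return addr.getHostString();
    }

    // Stand-in for the SASL client asking for the peer's name on the same object.
    // getHostName() performs a reverse DNS lookup and caches the result inside the
    // underlying InetAddress, which is what getHostString() consults afterwards.
    static String saslServerName(InetSocketAddress addr) {
        return addr.getHostName();
    }

    // Mitigation: hand the SASL layer a fresh address. Rebuilding from the textual
    // address allocates a new InetAddress, so a cached hostname cannot leak back into
    // the object the socket layer uses for verification. Note that
    // new InetSocketAddress(addr.getAddress(), port) would NOT isolate anything, because
    // it shares the same InetAddress instance (and therefore the same hostname cache).
    static InetSocketAddress isolatedCopy(InetSocketAddress addr) {
        if (addr.isUnresolved()) {
            return InetSocketAddress.createUnresolved(addr.getHostString(), addr.getPort());
        }
        return new InetSocketAddress(addr.getAddress().getHostAddress(), addr.getPort());
    }

    public static void main(String[] args) {
        // Constructed input mirroring the report: connection string "127.0.0.1", port 2181.
        InetSocketAddress shared = new InetSocketAddress("127.0.0.1", 2181);
        System.out.println("shared, before SASL : " + verifierTarget(shared));
        saslServerName(shared);
        // If the resolver maps 127.0.0.1 back to a name (commonly "localhost"), the
        // verifier target has now drifted away from the IP literal in the SAN.
        System.out.println("shared, after SASL  : " + verifierTarget(shared));

        InetSocketAddress forSocket = new InetSocketAddress("127.0.0.1", 2181);
        InetSocketAddress forSasl = isolatedCopy(forSocket);
        saslServerName(forSasl);
        // The socket layer's object never saw a reverse lookup, so it still reports the literal.
        System.out.println("isolated, after SASL: " + verifierTarget(forSocket));
    }
}
```

Run with {{java HostStringDrift.java}} (JDK 11+); on a host whose resolver maps 127.0.0.1 to a name, only the "shared" object changes between the first two lines.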