[ https://issues.apache.org/jira/browse/FLINK-5030?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15818368#comment-15818368 ]

ASF GitHub Bot commented on FLINK-5030:
---------------------------------------

Github user StephanEwen commented on the issue:

    https://github.com/apache/flink/pull/3061

    This looks critical, thanks for addressing this!

    Will try to get to this very soon. It may be that we do not get this into
    1.2.0, but should have it in 1.2.1 definitely. We should add a warning to 1.2.0
    that it is not fully safe against man-in-the-middle attacks.


> Support hostname verification
> -----------------------------
>
>                 Key: FLINK-5030
>                 URL: https://issues.apache.org/jira/browse/FLINK-5030
>             Project: Flink
>          Issue Type: Sub-task
>          Components: Security
>            Reporter: Eron Wright 
>            Assignee: Eron Wright 
>             Fix For: 1.2.0
>
>
> _See [Dangerous Code|http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf] and
> [further commentary|https://tersesystems.com/2014/03/23/fixing-hostname-verification/]
> for useful background._
> When hostname verification is performed, it should use the hostname (not IP 
> address) to match the certificate.   The current code is wrongly using the 
> address.
> In technical terms, ensure that calls to `SSLContext::createSSLEngine` supply 
> the expected hostname, not host address.
> Please audit all SSL setup code as to whether hostname verification is 
> enabled, and file follow-ups where necessary.   For example, Akka 2.4 
> supports it but 2.3 doesn't 
> ([ref|http://doc.akka.io/docs/akka/2.4.4/scala/http/client-side/https-support.html#Hostname_verification]).
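An added illustration, not Flink's code and not part of the ticket, of the distinction the description draws: the configured hostname, not the resolved address, has to reach `SSLContext.createSSLEngine`, and endpoint identification has to be switched on before JSSE will actually match the certificate against it. The class and method names are hypothetical; the endpoint is a constructed sample.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.net.InetSocketAddress;
import java.security.NoSuchAlgorithmException;

/** Hypothetical helper (not Flink code) contrasting the fixed and the defective pattern. */
public final class HostnameVerifiedEngineFactory {

    /**
     * Client-side SSLEngine whose peer identity is checked against the hostname.
     * Passing the name (not the IP) into createSSLEngine is what lets the JSSE
     * endpoint-identification check match the certificate's CN / subjectAltName;
     * the same value is also what gets sent as SNI.
     */
    public static SSLEngine createClientEngine(SSLContext ctx, InetSocketAddress peer) {
        // getHostString() returns the name the address was created with and does
        // not trigger a reverse lookup; the reported bug passed the dotted IP instead.
        String expectedHost = peer.getHostString();
        SSLEngine engine = ctx.createSSLEngine(expectedHost, peer.getPort());
        engine.setUseClientMode(true);

        // Without this, JSSE performs no hostname check at all, even when the peer
        // host was supplied above; "HTTPS" selects the RFC 2818 matching rules.
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    /** The defective pattern from the issue, kept for contrast: address instead of name. */
    public static SSLEngine createEngineWithAddress(SSLContext ctx, InetSocketAddress peer) {
        // Requires a resolved address. A certificate issued to "jobmanager.example.org"
        // never matches "10.0.0.5", so the check either fails or, when identification
        // is left off, verifies nothing.
        String address = peer.getAddress().getHostAddress();
        return ctx.createSSLEngine(address, peer.getPort());
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample endpoint: hostname only, no DNS lookup performed.
        InetSocketAddress peer = InetSocketAddress.createUnresolved("jobmanager.example.org", 6123);
        SSLEngine engine = createClientEngine(SSLContext.getDefault(), peer);
        System.out.println("peer host used for verification: " + engine.getPeerHost());
        System.out.println("endpoint identification: "
                + engine.getSSLParameters().getEndpointIdentificationAlgorithm());
    }
}
```

The audit the description asks for amounts to checking every `createSSLEngine` call site for both properties: a hostname argument and a non-null endpoint identification algorithm.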



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
