Bruce J Schuchardt created GEODE-9135:
-----------------------------------------

             Summary: Remove reverse DNS lookup in Connection.java for accepted connections
                 Key: GEODE-9135
                 URL: https://issues.apache.org/jira/browse/GEODE-9135
             Project: Geode
          Issue Type: Test
          Components: membership
            Reporter: Bruce J Schuchardt


Prior to the introduction of SSLEngine use in the org.apache.geode.internal.tcp 
package we used SSLSockets.  During a handshake we would set the SNIHostName on 
the client side of the connection and have it validate the hostname returned by 
the server side of the handshake.

When we introduced SSLEngine we changed this to set the SNIHostName on both 
sides.  We should revert this so that it only does it on the client side.

The server side of the connection does not have a hostname for the client side 
of the connection in this case and it is currently doing a reverse DNS lookup 
to get the name.  That's a potentially expensive operation, and even then we 
don't know whether to use the fully qualified domain name (FQDN) or a simple 
host name.  This matters because endpoint verification requires that the name 
we choose be presented in the certificate of the other server.  If we choose 
the FQDN and the cert only has a simple host name the handshake will fail.

SSLEngine requires a host name when it's constructed but most algorithms don't 
use it.  Documentation mentions Kerberos possibly needing it, so we'd have to 
have a way for the reverse lookup to be enabled or find some other way to get 
the host name, like SocketCreator.getHostName()'s reverse-lookup cache.
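The client-only SNI and endpoint-verification shape proposed above, as an added Java illustration (this is not Geode's Connection.java or SocketCreator code; the EngineFactory class, its method names and the use of client authentication are assumptions):

```java
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

/** Added illustration (not Geode code): SNI and endpoint identification on the connecting side only. */
public final class EngineFactory {

  /**
   * Connecting side: we dialled the peer, so we know its host name. The engine is
   * created with it, SNI carries it, and the peer certificate must present it.
   * Whether peerHost is the FQDN or the short name is the caller's choice; it must
   * be the form that actually appears in the peer's certificate or the handshake fails.
   */
  public static SSLEngine forOutboundConnection(SSLContext ctx, String peerHost, int peerPort) {
    SSLEngine engine = ctx.createSSLEngine(peerHost, peerPort);
    engine.setUseClientMode(true);
    SSLParameters params = engine.getSSLParameters();
    List<SNIServerName> names = new ArrayList<>();
    names.add(new SNIHostName(peerHost));               // setServerNames only applies in client mode
    params.setServerNames(names);
    params.setEndpointIdentificationAlgorithm("HTTPS"); // check cert SAN/CN against peerHost
    engine.setSSLParameters(params);
    return engine;
  }

  /**
   * Accepting side: the only way to get a name for the remote client would be a
   * reverse DNS lookup, so the engine is created without one and endpoint
   * identification stays off. The no-argument factory is documented as unsuitable
   * for cipher suites that need remote host information (e.g. Kerberos); that is
   * the case where a lookup, or a cached name, would still be required.
   * setNeedClientAuth(true) is an assumption modelling a mutually authenticated
   * deployment; the client's certificate is still validated against the trust store.
   */
  public static SSLEngine forAcceptedConnection(SSLContext ctx) {
    SSLEngine engine = ctx.createSSLEngine();           // no peer host: getPeerHost() returns null
    engine.setUseClientMode(false);
    engine.setNeedClientAuth(true);
    SSLParameters params = engine.getSSLParameters();
    params.setEndpointIdentificationAlgorithm(null);    // no name to compare the client cert against
    engine.setSSLParameters(params);
    return engine;
  }
}
```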



--
This message was sent by Atlassian Jira
(v8.3.4#803005)