stevenzwu commented on PR #15500: URL: https://github.com/apache/iceberg/pull/15500#issuecomment-4095001928
> You could find yourself in the situation where the catalog server has TLS enabled, and its certificate shows a SAN of e.g. `catalog.bigcorp.com`; but if the client/engine is in the same cluster/network, it could actually be contacting the catalog through its internal IP instead, e.g. `https://1.2.3.4:8181/api/catalog`. In that case, the hostname verification will fail. > > (Please note: I mentioned `NoopHostnameVerifier` just as an example of possible usage of `HostnameVerificationPolicy`.) I am wondering about the default value of HostnameVerificationPolicy.CLIENT. I know the purpose is maintain the same behavior. Unit test can configure `NoopHostnameVerifier` to bypass the check or mapping from ip to the hostname. Is `HostnameVerificationPolicy.BOTH` the safer config for prod env and used as the default? if prod env also wants IP address to work, the safer practice is to add the IP address to the Subject Alternative Name (SAN) . -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
