pivotal-jbarrett commented on a change in pull request #5131:
URL: https://github.com/apache/geode/pull/5131#discussion_r429315845
##########
File path:
geode-core/src/main/java/org/apache/geode/internal/net/SocketCreator.java
##########
@@ -791,7 +792,19 @@ private boolean setServerNames(SSLParameters
modifiedParams, HostAndPort addr) {
return false;
}
- serverNames.add(new SNIHostName(addr.getHostName()));
+ String hostName = addr.getHostName();
+ if (this.sslConfig.doEndpointIdentification()
+ && InetAddressValidator.getInstance().isValid(hostName)) {
+ // endpoint validation typically uses a hostname in the sniServer
parameter that the handshake
+ // will compare against the subject alternative addresses in the
server's certificate. Here
+ // we attempt to get a hostname instead of the proffered numeric address
+ try {
+ hostName = InetAddress.getByName(hostName).getCanonicalHostName();
Review comment:
As you mentioned offline, the same malicious entity could inject the IP
into their SAN and we would validate that. I don't think this code makes
anything any less secure from that standpoint so I am removing my block.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
