[GitHub] [geode] kamilla1201 commented on pull request #6714: GEODE-9396: Upgrades using SSL fail with mismatch of hostname in certificates

[GitBox]

kamilla1201 commented on pull request #6714:
URL: https://github.com/apache/geode/pull/6714#issuecomment-957881600


   @upthewaterspout If there’s no DNS, then `getHost()` should return the 
textual representation of an IP address. `getHost()` calls 
`InetAddress.getCanonicalHostName()` which is a best effort method, it should 
return an IP address if there is no DNS name. I’m not sure about the second 
scenario you described, but it sounds unlikely.
   
   > I wonder if it would be possible to fall back to the old logic for 
hostname validation if the member is from an old member, rather than changing 
the bind address when deserializing. Would that be doable or any safer?
   
   I think we could do that in `Connection.createIoFilter()`, by replacing this:
   ```
         if (remoteAddr != null) {
           hostName = remoteAddr.getHostName();
         } else {
           hostName = SocketCreator.getHostName(address.getAddress());
         }
   ```
   with something like:
   ```
         if (remoteAddr != null) {
           if (remoteAddr.getVersion().isOlderThan(KnownVersion.GEODE_1_15_0)) {
             hostName = address.getHostString();
   
             if (owner.getDM().getConfig().getSSLEndPointIdentificationEnabled()
                 && InetAddressValidator.getInstance().isValid(hostName)) {
               // attempt to get a hostname instead of the proffered numeric 
address
               try {
                 hostName = 
InetAddress.getByName(hostName).getCanonicalHostName();
               } catch (UnknownHostException e) {
                 // ignore - we'll see what happens with endpoint validation 
using a numeric address
               }
             }
           } else {
             hostName = remoteAddr.getHostName();
           }
         } else {
           hostName = SocketCreator.getHostName(address.getAddress());
         }
   ```
   Here we know whether endpoint identification is enabled, which should help 
us avoid problems with IP numbers.
   But I’m not sure whether this code will work correctly if we decide to 
back-port this change (along with GEODE-9139).
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscr...@geode.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org