He-Pin opened a new issue, #3161:
URL: https://github.com/apache/pekko/issues/3161
### Description
Classic remoting's `ConfigSSLEngineProvider.createSSLEngine()` never calls
`setEndpointIdentificationAlgorithm`, meaning TLS certificate hostname
verification is **not performed** on the remote peer's certificate — even when
mutual authentication is enabled.
An attacker with any certificate signed by a trusted CA could perform a
man-in-the-middle attack, since the certificate's hostname/CN is never
validated against the expected remote address.
### Location
`remote/src/main/scala/org/apache/pekko/remote/transport/netty/SSLEngineProvider.scala`
— `createSSLEngine()` method.
### Comparison with Artery
Artery's `ConfigSSLEngineProvider`
(`remote/src/main/scala/org/apache/pekko/remote/artery/tcp/ConfigSSLEngineProvider.scala`)
correctly calls `setEndpointIdentificationAlgorithm("HTTPS")` when hostname
verification is enabled, and provides a `hostname-verification` configuration
option (default off).
Classic remoting has no equivalent configuration option and no hostname
verification at all.
### Suggested Fix
Add a `hostname-verification` configuration option to classic remoting's SSL
settings (similar to Artery), and call
`engine.setEndpointIdentificationAlgorithm("HTTPS")` when enabled. Given
classic remoting is deprecated, a documentation warning about this limitation
may also be appropriate.
### Affected Versions
All versions using classic remoting with TLS enabled.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]