He-Pin opened a new issue, #3161:
URL: https://github.com/apache/pekko/issues/3161

   ### Description
   
   Classic remoting's `ConfigSSLEngineProvider.createSSLEngine()` never calls 
`setEndpointIdentificationAlgorithm`, meaning TLS certificate hostname 
verification is **not performed** on the remote peer's certificate — even when 
mutual authentication is enabled.
   
   An attacker with any certificate signed by a trusted CA could perform a 
man-in-the-middle attack, since the certificate's hostname/CN is never 
validated against the expected remote address.
   
   ### Location
   
   
`remote/src/main/scala/org/apache/pekko/remote/transport/netty/SSLEngineProvider.scala`
 — `createSSLEngine()` method.
   
   ### Comparison with Artery
   
   Artery's `ConfigSSLEngineProvider` 
(`remote/src/main/scala/org/apache/pekko/remote/artery/tcp/ConfigSSLEngineProvider.scala`)
 correctly calls `setEndpointIdentificationAlgorithm("HTTPS")` when hostname 
verification is enabled, and provides a `hostname-verification` configuration 
option (default off).
   
   Classic remoting has no equivalent configuration option and no hostname 
verification at all.
   
   ### Suggested Fix
   
   Add a `hostname-verification` configuration option to classic remoting's SSL 
settings (similar to Artery), and call 
`engine.setEndpointIdentificationAlgorithm("HTTPS")` when enabled. Given 
classic remoting is deprecated, a documentation warning about this limitation 
may also be appropriate.
   
   ### Affected Versions
   
   All versions using classic remoting with TLS enabled.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to