He-Pin opened a new pull request, #3164:
URL: https://github.com/apache/pekko/pull/3164

   ### Motivation
   
   Classic remoting's `ConfigSSLEngineProvider.createSSLEngine()` never calls 
`setEndpointIdentificationAlgorithm`, meaning TLS certificate hostname 
verification is not performed on the remote peer's certificate — even when 
mutual authentication is enabled. An attacker with any certificate signed by a 
trusted CA could perform a man-in-the-middle attack.
   
   Artery's `ConfigSSLEngineProvider` already supports hostname verification 
via a configurable option (default off). Classic remoting has no equivalent.
   
   ### Modification
   
   - `SSLSettings`: add `hostname-verification` config option (default off for 
backward compatibility)
   - `SSLEngineProvider` trait: add `createClientSSLEngine(hostname, port)` 
default method for backward compatibility
   - `ConfigSSLEngineProvider`: implement hostname-aware engine creation with 
`setEndpointIdentificationAlgorithm("HTTPS")` when enabled
   - `NettyTransport`: pass remote address hostname to SSL handler on client 
side when hostname verification is enabled
   - `NettySSLSupport`: accept optional hostname/port parameters
   
   ### Result
   
   Classic remoting can now optionally verify TLS certificate hostnames, 
matching Artery's behavior. Disabled by default for backward compatibility. 
Enable with:
   
   ```hocon
   pekko.remote.classic.netty.ssl.security {
     hostname-verification = on
   }
   ```
   
   ### Tests
   
   - `sbt "remote / Test / testOnly 
org.apache.pekko.remote.Ticket1978ConfigSpec"` — verified hostname-verification 
defaults to off and can be enabled
   
   ### References
   
   Fixes #3161


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to