Switch to rely on Netty for Hostname Verification #15824
Conversation
michaeljmarshall
added
area/proxy
area/security
component/client-java
type/refactor
michaeljmarshall
requested review from
merlimat,
lhotari,
eolivelli,
codelipenghui and
dave2wave
|
@michaeljmarshall:Thanks for your contribution. For this PR, do we need to update docs? |
2 similar comments
|
@michaeljmarshall:Thanks for your contribution. For this PR, do we need to update docs? |
|
@michaeljmarshall:Thanks for your contribution. For this PR, do we need to update docs? |
michaeljmarshall
added
doc-not-needed
|
/pulsarbot rerun-failure-checks |
1 similar comment
|
/pulsarbot rerun-failure-checks |
There was a problem hiding this comment.
LGTM
I have a quest:
If a subjectAltName extension of type dNSName is present, that MUST
be used as the identity. Otherwise, the (most specific) Common Name
field in the Subject field of the certificate MUST be used. Although
the use of the Common Name is existing practice, it is deprecated and
Certification Authorities are encouraged to use the dNSName instead.
Do your changes follow up on this rule?
|
There are 2 test failures:
I debugged and fixed the first one. The test was invalid. One observation is that when the handshake fails because of hostname verification, the client will keep on retrying for some time. Here's an example log: https://gist.github.com/lhotari/8455fc155e0c7526398f36e9bd0bd88c |
|
I got both failing tests fixed. I pushed my change to my fork and I'm running tests there: lhotari#72 |
|
@michaeljmarshall I'll rebase this PR and include my changes to fix the tests. I hope this is fine. |
|
@michaeljmarshall It seems that when you opened the PR you didn't grant access to others for collaborating in the PR. I pushed changes to my fork in master...lhotari:use-netty . one way to make your branch to match the changes: |
|
@lhotari thank you for finding and fixing those tests! I just gave maintainers access to collaborate. If you’re no longer available to push, I’ll get the commits in soon. |
michaeljmarshall
force-pushed
the
use-netty
branch
from
037d982 to
9bb660e
Compare
* Switch to relying on Netty for Hostname Verification - Add "subjectAltName = DNS:localhost, IP:127.0.0.1" to unit test certs Co-authored-by: Lari Hotari <lhotari@apache.org> (cherry picked from commit aa7700d)
* Switch to relying on Netty for Hostname Verification - Add "subjectAltName = DNS:localhost, IP:127.0.0.1" to unit test certs Co-authored-by: Lari Hotari <lhotari@apache.org> (cherry picked from commit aa7700d)
lhotari
added
cherry-picked/branch-2.8
* Switch to relying on Netty for Hostname Verification - Add "subjectAltName = DNS:localhost, IP:127.0.0.1" to unit test certs Co-authored-by: Lari Hotari <lhotari@apache.org> (cherry picked from commit aa7700d)
lhotari
added
cherry-picked/branch-2.7
* Switch to relying on Netty for Hostname Verification - Add "subjectAltName = DNS:localhost, IP:127.0.0.1" to unit test certs Co-authored-by: Lari Hotari <lhotari@apache.org> (cherry picked from commit aa7700d)
github-actions
bot
added
doc-label-missing
and removed
doc-not-needed
|
@michaeljmarshall Please provide a correct documentation label for your PR. |
github-actions
bot
added
doc-not-needed
- add 2 suppressions. - CVE-2023-37475 is a false positive - CVE-2023-4586 is about Netty hostname verification and that is already covered in Pulsar code base with apache#15824 changes.
Motivation
Currently, we perform hostname verification for the Java Client and the Proxy Java Client using a custom Pulsar hostname verifier. In order to simplify the code, I propose that we refactor these clients so they rely on a Netty, its SslHandler, and the JVM, to perform the hostname verification.
When
HTTPSis configured as the endpoint verification algorithm, it uses RFC 2818 to perform hostname verification. This is defined by theJava Security Standard Algorithm Namesdocumentation for JDK versions 8, 11, and 17. Here are the official docs:Modifications
HTTPSfor endpoint verification and remove unnecessary custom hostname verification logic.DirectProxyHandlerclass so that it configures the SslHandler to perform hostname verification and so that the proxy handler itself does not perform that verification.HttpClientused by the HTTP Lookup Client code in the Java Client. Currently, it defaults to being always enabled.Verifying this change
There are tests that already cover the changes, and I performed integration testing on a minikube cluster with Cert-Manager created certs.
Does this pull request potentially affect one of the following parts:
This change deprecates support for CN matching in the Pulsar Java Client. A future change should remove this support from the Pulsar Admin Client, which relies on Pulsar's verifier that still supports CN matching.
Documentation
There is no need for documentation. This is an internal change.
doc-not-needed