Details
- Improvement
- Status: Open
- Major
- Resolution: Unresolved
- 1.8.0
- None
Description
libprocess, when accepting incoming connections on SSL/libevent builds, attempts to retrieve the hostname for the peer address:
https://github.com/apache/mesos/blob/8344f303ffd6429ffa781e7fd7de5d00d9946d78/3rdparty/libprocess/src/posix/libevent/libevent_ssl_socket.cpp#L1158-L1168
The motivation for that step is peer certificate verification, which may happen later in that process: https://github.com/apache/mesos/blob/8344f303ffd6429ffa781e7fd7de5d00d9946d78/3rdparty/libprocess/src/posix/libevent/libevent_ssl_socket.cpp#L441
Peer certificate verification, however, is optional and switched off by default: https://github.com/apache/mesos/blob/8344f303ffd6429ffa781e7fd7de5d00d9946d78/3rdparty/libprocess/src/openssl.cpp#L88-L97
As an optimisation, we could skip the retrieval of the hostname when certificate verification is disabled.
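
A sketch of the proposed optimisation, added here as an example and not taken from libprocess. The function names, the `verify_peer_cert` flag and the injectable resolver are assumptions made for illustration, and the peer address is a constructed sample.

```cpp
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>

#include <functional>
#include <string>

// Hypothetical resolver type: returns the peer's hostname, or "" if none.
using Resolver = std::function<std::string(const sockaddr_in&)>;

// Reverse lookup through getnameinfo(). This can block on DNS, which is
// the cost the ticket wants to avoid on every accepted connection.
std::string reverse_lookup(const sockaddr_in& peer)
{
  char host[NI_MAXHOST];
  int rc = getnameinfo(
      reinterpret_cast<const sockaddr*>(&peer), sizeof(peer),
      host, sizeof(host), nullptr, 0, NI_NAMEREQD);
  return rc == 0 ? std::string(host) : std::string();
}

// Resolve the peer hostname only when it will actually be consumed by
// peer certificate verification (assumed flag, off by default).
std::string peer_hostname_for_accept(
    const sockaddr_in& peer,
    bool verify_peer_cert,
    const Resolver& resolve = reverse_lookup)
{
  if (!verify_peer_cert) {
    return std::string();  // Verification disabled: skip the lookup.
  }
  return resolve(peer);
}

// Constructed sample peer address (192.0.2.0/24 documentation range).
sockaddr_in sample_peer()
{
  sockaddr_in peer{};
  peer.sin_family = AF_INET;
  peer.sin_port = htons(5050);
  inet_pton(AF_INET, "192.0.2.10", &peer.sin_addr);
  return peer;
}
```

Passing the resolver as a parameter lets a test confirm that no lookup is issued on the verification-disabled path without depending on local DNS.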