[MESOS-9493] Libprocess can avoid hostname lookup in some cases when accepting TLS connections. - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: 1.8.0
Fix Version/s: None
Component/s: libprocess
Labels:
- certificate
- ssl

Description

libprocess, when accepting incoming connections on SSL/libevent builds, does attempt to retrieve the hostname for the peer address;
https://github.com/apache/mesos/blob/8344f303ffd6429ffa781e7fd7de5d00d9946d78/3rdparty/libprocess/src/posix/libevent/libevent_ssl_socket.cpp#L1158-L1168

The motivation for that step is the peer certificate verification, possibly happening later in that process; https://github.com/apache/mesos/blob/8344f303ffd6429ffa781e7fd7de5d00d9946d78/3rdparty/libprocess/src/posix/libevent/libevent_ssl_socket.cpp#L441

The peer certificate verification however is optional and switched off by default: https://github.com/apache/mesos/blob/8344f303ffd6429ffa781e7fd7de5d00d9946d78/3rdparty/libprocess/src/openssl.cpp#L88-L97

As an optimisation, we could skip the retrieval of the hostname when certificate verification was disabled.

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Till Toenshoff

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 19/Dec/18 16:42

Updated:: 19/Dec/18 17:46