Details
-
Improvement
-
Status: Open
-
Major
-
Resolution: Unresolved
-
None
-
None
-
None
Description
After the changes in MESOS-9809 will have landed, operators will be able to ensure that libprocess-enabled programs are performing RFC6125-compliant TLS hostname validation on all outgoing connections.
However, client hostname validation will not be done since there's no standard way of doing that. Instead, the application layer should set the policy on which certificate fields are considered a valid and accepted proof of identity.
In order to do that, we should provide hooks for Mesos modules, so they can select the hostname policy for client (and probably also for server) hostname validation.