Merge pull request #28593 from johanandren/wip-28437-hostname-verification-warning

Host name verification off is not necessarily bad
Renato Cavalcanti 2020-02-12 15:55:01 +01:00 committed by GitHub
commit 946ff235b7
3 changed files with 7 additions and 5 deletions


@ -333,6 +333,8 @@ It's recommended that you enable hostname verification with
`akka.remote.artery.ssl.config-ssl-engine.hostname-verification=on`. `akka.remote.artery.ssl.config-ssl-engine.hostname-verification=on`.
When enabled it will verify that the destination hostname matches the hostname in the peer's certificate. When enabled it will verify that the destination hostname matches the hostname in the peer's certificate.
In deployments where hostnames are dynamic and not known up front it can make sense to leave the hostname verification off.
You have a few choices how to set up certificates and hostname verification: You have a few choices how to set up certificates and hostname verification:
* Have a single set of keys and a single certificate for all nodes and *disable* hostname checking * Have a single set of keys and a single certificate for all nodes and *disable* hostname checking


@ -1158,6 +1158,9 @@ akka {
require-mutual-authentication = on require-mutual-authentication = on
# Set this to `on` to verify hostnames with sun.security.util.HostnameChecker # Set this to `on` to verify hostnames with sun.security.util.HostnameChecker
# If possible it is recommended to have this enabled. Hostname verification is designed for
# situations where things locate each other by hostname, in scenarios where host names are dynamic
# and not known up front it can make sense to have this disabled.
hostname-verification = off hostname-verification = off
} }


@ -88,12 +88,9 @@ class ConfigSSLEngineProvider(protected val config: Config, protected val log: M
if (HostnameVerification) if (HostnameVerification)
log.debug("TLS/SSL hostname verification is enabled.") log.debug("TLS/SSL hostname verification is enabled.")
else else
log.warning( log.info(
LogMarker.Security, LogMarker.Security,
"TLS/SSL hostname verification is disabled. " + "TLS/SSL hostname verification is disabled. See Akka reference documentation for more information.")
"Please configure akka.remote.artery.ssl.config-ssl-engine.hostname-verification=on " +
"and ensure the X.509 certificate on the host is correct to remove this warning. " +
"See Akka reference documentation for more information.")
constructContext() constructContext()
} }
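Review bot: The shortened message in the `else` branch drops the name of the setting that was disabled, so an operator reading the log line no longer sees which key to change; the old text named `akka.remote.artery.ssl.config-ssl-engine.hostname-verification`. Since the line is now at info level, it is also more likely to be filtered out in production log configurations, so keeping the key name in the message is the cheapest way to keep it actionable, e.g. `"TLS/SSL hostname verification is disabled (akka.remote.artery.ssl.config-ssl-engine.hostname-verification=off). See Akka reference documentation for more information.")`. Retaining `LogMarker.Security` is good, as it lets log pipelines route the event on the marker rather than on the level. The enclosing method starts outside the hunk, so the indentation of the `log.info(` argument list should be checked against the surrounding code.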