CASSJAVA-80: Support configuration to disable DNS reverse-lookups for SAN validation #2018
Conversation
aratno
force-pushed
the
CASSJAVA-80-ssl-dns-san
branch
5 times, most recently
from
2c6c0f9 to
c8e5b56
Compare
There was a problem hiding this comment.
Looks good in general. Do we need to do the same for ProgrammaticSslEngineFactory and SniSslEngineFactory?
core/src/main/java/com/datastax/oss/driver/api/core/config/DefaultDriverOption.java
Outdated
Show resolved
Hide resolved
aratno
force-pushed
the
CASSJAVA-80-ssl-dns-san
branch
from
c8e5b56 to
2d83d21
Compare
Definitely see the value in doing it for the Programmatic one (I see you already covered that, thanks!), for SNI I think there is less utility as you are likely using a DNS name with the IP of the node to target in the SNI, but I think we might as well add it though just in the event that someone is using a literal IP address for the primary endpoint for tunneling through SNI. |
core/src/main/java/com/datastax/oss/driver/internal/core/ssl/SniSslEngineFactory.java
Outdated
Show resolved
Hide resolved
| this(sslContext, true); | ||
| } | ||
|
|
||
| public SniSslEngineFactory(SSLContext sslContext, boolean allowDnsReverseLookupSan) { |
There was a problem hiding this comment.
Didn't dawn on me at the time that SniSslEngineFactory does not access DriverContext so we can't make use of it unless programatically (outside of CloudConfigFactory), but I suppose if someone wants to use it separately, they can programmatically and in which case this adds some functionality 👍
… SAN validation patch by Abe Ratnofsky; reviewed by Alexandre Dutra, Andy Tolbert, and Francisco Guerrero for CASSJAVA-80
aratno
force-pushed
the
CASSJAVA-80-ssl-dns-san
branch
from
5f8fe8a to
b3b9cf1
Compare
No description provided.