From 43aa9b33f1065a475f7e8088d1e47162dd780950 Mon Sep 17 00:00:00 2001
From: Balazs Meszaros
Date: Tue, 28 Feb 2023 18:39:47 +0100
Subject: [PATCH] HBASE-27673 Fix mTLS client hostname verification (#5065)
Signed-off-by: Peter Somogyi
Signed-off-by: Bryan Beaudreault
---
 .../hadoop/hbase/ipc/NettyRpcServer.java | 29 ++++++++++++++++++-
 1 file changed, 28 insertions(+), 1 deletion(-)
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/NettyRpcServer.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/NettyRpcServer.java
index a79941e4a7b..dd5afe92c4e 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/NettyRpcServer.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/NettyRpcServer.java
@@ -19,10 +19,12 @@ package org.apache.hadoop.hbase.ipc;
 import static org.apache.hadoop.hbase.io.crypto.tls.X509Util.HBASE_SERVER_NETTY_TLS_ENABLED;
 import static org.apache.hadoop.hbase.io.crypto.tls.X509Util.HBASE_SERVER_NETTY_TLS_SUPPORTPLAINTEXT;
+import static org.apache.hadoop.hbase.io.crypto.tls.X509Util.TLS_CONFIG_REVERSE_DNS_LOOKUP_ENABLED;
 import java.io.IOException;
 import java.io.InterruptedIOException;
 import java.net.InetSocketAddress;
+import java.net.SocketAddress;
 import java.util.List;
 import java.util.concurrent.CountDownLatch;
 import java.util.concurrent.atomic.AtomicReference;
@@ -56,6 +58,7 @@ import org.apache.hbase.thirdparty.io.netty.channel.group.DefaultChannelGroup;
 import org.apache.hbase.thirdparty.io.netty.handler.codec.FixedLengthFrameDecoder;
 import org.apache.hbase.thirdparty.io.netty.handler.ssl.OptionalSslHandler;
 import org.apache.hbase.thirdparty.io.netty.handler.ssl.SslContext;
+import org.apache.hbase.thirdparty.io.netty.handler.ssl.SslHandler;
 import org.apache.hbase.thirdparty.io.netty.util.concurrent.GlobalEventExecutor;
 /**
@@ -243,7 +246,31 @@ public class NettyRpcServer extends RpcServer {
 p.addLast("ssl", new OptionalSslHandler(nettySslContext));
 LOG.debug("Dual mode SSL handler added for channel: {}", p.channel());
 } else {
- p.addLast("ssl", nettySslContext.newHandler(p.channel().alloc()));
+ SocketAddress remoteAddress = p.channel().remoteAddress();
+ SslHandler sslHandler;
+
+ if (remoteAddress instanceof InetSocketAddress) {
+ InetSocketAddress remoteInetAddress = (InetSocketAddress) remoteAddress;
+ String host;
+
+ if (conf.getBoolean(TLS_CONFIG_REVERSE_DNS_LOOKUP_ENABLED, true)) {
+ host = remoteInetAddress.getHostName();
+ } else {
+ host = remoteInetAddress.getHostString();
+ }
+
+ int port = remoteInetAddress.getPort();
+
+ /*
+ * our HostnameVerifier gets the host name from SSLEngine, so we have to construct the
+ * engine properly by passing the remote address
+ */
+ sslHandler = nettySslContext.newHandler(p.channel().alloc(), host, port);
+ } else {
+ sslHandler = nettySslContext.newHandler(p.channel().alloc());
+ }
+
+ p.addLast("ssl", sslHandler);
 LOG.debug("SSL handler added for channel: {}", p.channel());
 }
 }
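Review bot: `remoteInetAddress.getHostName()` in the new `TLS_CONFIG_REVERSE_DNS_LOOKUP_ENABLED` branch is a blocking reverse-DNS (PTR) lookup, and it runs inside the channel initializer on the Netty I/O thread, so a slow or unreachable resolver stalls every connection handled by that event loop — and the address being resolved is chosen by the remote client, which makes this cheap to trigger. The name handed to the verifier via `newHandler(alloc, host, port)` is therefore only as trustworthy as the PTR data for the peer's address: a client certificate issued for host A, presented from an address whose PTR record resolves to A, will pass, and the `true` default takes this path unless the operator opts out. At minimum the comment above the `newHandler` call should say so, e.g. `// getHostName() is a blocking reverse lookup on the I/O thread and yields a name only as trustworthy as the peer's PTR record; set TLS_CONFIG_REVERSE_DNS_LOOKUP_ENABLED=false to verify against the literal address instead.` Whether the verifier fails closed when the `else` fallback builds the handler with no peer host is not visible in this hunk and is worth confirming. The enclosing method begins outside the hunk.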