From 9a23d4a3b2d555a8b73bde574d5773d74d1b8845 Mon Sep 17 00:00:00 2001
From: Balazs Meszaros <meszibalu@apache.org>
Date: Wed, 1 Mar 2023 12:20:06 +0100
Subject: [PATCH] HBASE-27673 Fix mTLS client hostname verification (#5066)

Signed-off-by: Peter Somogyi <psomogyi@apache.org>
Signed-off-by: Bryan Beaudreault <bbeaudreault@apache.org>
---
 .../hadoop/hbase/ipc/NettyRpcServer.java      | 29 ++++++++++++++++++-
 1 file changed, 28 insertions(+), 1 deletion(-)

diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/NettyRpcServer.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/NettyRpcServer.java
index d42b03d4d5d..f3ead471fe6 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/NettyRpcServer.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/NettyRpcServer.java
@@ -19,10 +19,12 @@ package org.apache.hadoop.hbase.ipc;
 
 import static org.apache.hadoop.hbase.io.crypto.tls.X509Util.HBASE_SERVER_NETTY_TLS_ENABLED;
 import static org.apache.hadoop.hbase.io.crypto.tls.X509Util.HBASE_SERVER_NETTY_TLS_SUPPORTPLAINTEXT;
+import static org.apache.hadoop.hbase.io.crypto.tls.X509Util.TLS_CONFIG_REVERSE_DNS_LOOKUP_ENABLED;
 
 import java.io.IOException;
 import java.io.InterruptedIOException;
 import java.net.InetSocketAddress;
+import java.net.SocketAddress;
 import java.util.List;
 import java.util.concurrent.CountDownLatch;
 import java.util.concurrent.atomic.AtomicReference;
@@ -63,6 +65,7 @@ import org.apache.hbase.thirdparty.io.netty.channel.group.DefaultChannelGroup;
 import org.apache.hbase.thirdparty.io.netty.handler.codec.FixedLengthFrameDecoder;
 import org.apache.hbase.thirdparty.io.netty.handler.ssl.OptionalSslHandler;
 import org.apache.hbase.thirdparty.io.netty.handler.ssl.SslContext;
+import org.apache.hbase.thirdparty.io.netty.handler.ssl.SslHandler;
 import org.apache.hbase.thirdparty.io.netty.util.concurrent.GlobalEventExecutor;
 
 /**
@@ -267,7 +270,31 @@ public class NettyRpcServer extends RpcServer {
       p.addLast("ssl", new OptionalSslHandler(nettySslContext));
       LOG.debug("Dual mode SSL handler added for channel: {}", p.channel());
     } else {
-      p.addLast("ssl", nettySslContext.newHandler(p.channel().alloc()));
+      SocketAddress remoteAddress = p.channel().remoteAddress();
+      SslHandler sslHandler;
+
+      if (remoteAddress instanceof InetSocketAddress) {
+        InetSocketAddress remoteInetAddress = (InetSocketAddress) remoteAddress;
+        String host;
+
+        if (conf.getBoolean(TLS_CONFIG_REVERSE_DNS_LOOKUP_ENABLED, true)) {
+          host = remoteInetAddress.getHostName();
+        } else {
+          host = remoteInetAddress.getHostString();
+        }
+
+        int port = remoteInetAddress.getPort();
+
+        /*
+         * our HostnameVerifier gets the host name from SSLEngine, so we have to construct the
+         * engine properly by passing the remote address
+         */
+        sslHandler = nettySslContext.newHandler(p.channel().alloc(), host, port);
+      } else {
+        sslHandler = nettySslContext.newHandler(p.channel().alloc());
+      }
+
+      p.addLast("ssl", sslHandler);
       LOG.debug("SSL handler added for channel: {}", p.channel());
     }
   }