I think we should opt for the safer option and go with BOTH.

On Wed, Mar 25, 2026 at 11:22 AM Alexandre Dutra <[email protected]> wrote:

> +1 to using BOTH by default.
>
> On Wed, Mar 25, 2026 at 00:55, Steven Wu <[email protected]> wrote:
>
>> Are there any concerns about changing the hostname verification policy default from CLIENT to BOTH (more secure) in the 1.11 release?
>>
>> This is the last blocker for the 1.11.0 release. Let's decide to unblock the release. Hopefully we can get 1.11.0 out before the summit.
>>
>> On Fri, Mar 20, 2026 at 12:02 PM Steven Wu <[email protected]> wrote:
>>
>>> I asked for a dev ML discussion for this. I will share why I favor changing the default to HostnameVerificationPolicy.BOTH in the next 1.11 release.
>>>
>>> * In the production environment, people should use the hostname matching the SAN attribute in the certificate. The hostname could be a DNS name, an IP address, or both. The certificate must be generated with the proper Subject Alternative Name (SAN) matching its intended use. While this is a slight behavior change for the 1.11 release, the practical impact should be very small since production deployments probably use a DNS name anyway.
>>> * For the unit test, Alex's PR #15598 provides the customization to allow using the loopback IP address (127.0.0.1) with noop hostname verification.
>>>
>>> BTW, this is the last blocking PR for the version 1.11.0 release. It will be great to reach a consensus soon.
>>> https://github.com/apache/iceberg/milestone/59
>>>
>>> On Fri, Mar 20, 2026 at 11:43 AM Alexandre Dutra <[email protected]> wrote:
>>>
>>>> Hi all,
>>>>
>>>> Last week I opened an issue to report what I believe is a regression in the HTTPClient when using TLS:
>>>>
>>>> https://github.com/apache/iceberg/issues/15598
>>>>
>>>> I also opened a PR to fix it:
>>>>
>>>> https://github.com/apache/iceberg/pull/15500
>>>>
>>>> The fix is basically to expose the HostnameVerificationPolicy in the TLSConfigurer, and I think there is consensus on that.
>>>>
>>>> However, I would like to have the community's opinion about the default value we should use for the HostnameVerificationPolicy.
>>>>
>>>> We can either go with:
>>>>
>>>> - CLIENT, which reproduces the current behavior in 1.10 but is less safe; or
>>>> - BOTH, which introduces a behavioral change, but is the safest option.
>>>>
>>>> What do you think?
>>>>
>>>> Thanks,
>>>> Alex
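The SAN matching the thread relies on (a DNS name or IP address must match a SAN entry of the same type, and a test that connects to 127.0.0.1 against a certificate carrying only DNS names fails unless verification is switched off), as an added example that is not part of the e-mail thread and not Apache Iceberg or Apache HttpClient code. It is written in Python so it runs stand-alone; the SAN tuples follow the shape `ssl.getpeercert()` returns for `subjectAltName` and are constructed for the example, not taken from real certificates. The page does not describe what the CLIENT and BOTH policy values do internally, so the code models only the check any hostname verifier performs, not the policy selection.

```python
"""Hostname verification against a certificate's Subject Alternative Names.

Stand-alone illustration (not Iceberg/HttpClient code) of the post-handshake
check a TLS client performs: the name the client connected to must match a
SAN entry of the matching type. A DNS name is compared only against dNSName
entries (RFC 6125 rules, one wildcard allowed as the whole leftmost label);
an IP literal is compared only against iPAddress entries, as parsed
addresses rather than strings, so "::1" and "0:0:0:0:0:0:0:1" are equal.
"""
import ipaddress


def _parse_ip(value):
    """Return an ip_address for an IP literal (brackets tolerated), else None."""
    try:
        return ipaddress.ip_address(value.strip("[]"))
    except ValueError:
        return None


def _match_dns(host, pattern):
    """Case-insensitive dNSName match; wildcard only as the entire leftmost label."""
    host_labels = host.rstrip(".").lower().split(".")
    pat_labels = pattern.rstrip(".").lower().split(".")
    if "*" not in pattern:
        return host_labels == pat_labels
    # Reject "f*o.example.com", "*.com" and multi-level matches: the wildcard
    # must be the whole first label, at least two labels must follow it, and
    # it covers exactly one label of the host name.
    if pat_labels[0] != "*" or len(pat_labels) < 3:
        return False
    return len(host_labels) == len(pat_labels) and host_labels[1:] == pat_labels[1:]


def verify_hostname(host, san):
    """True if `host` (DNS name or IP literal) matches a SAN entry of the same type."""
    ip = _parse_ip(host)
    if ip is not None:
        # An IP literal never matches a dNSName entry, even one spelling the same address.
        return any(kind == "IP Address" and _parse_ip(value) == ip for kind, value in san)
    return any(kind == "DNS" and _match_dns(host, value) for kind, value in san)


# Constructed SAN sets for the example, not taken from real certificates.
PROD_SAN = (("DNS", "catalog.example.com"), ("DNS", "*.internal.example.com"))
TEST_SAN = (("DNS", "localhost"), ("IP Address", "127.0.0.1"), ("IP Address", "::1"))


def scenarios():
    """The cases discussed in the thread: production DNS names vs. loopback tests."""
    return {
        "prod dns name": verify_hostname("catalog.example.com", PROD_SAN),
        "prod wildcard": verify_hostname("api.internal.example.com", PROD_SAN),
        "prod loopback ip": verify_hostname("127.0.0.1", PROD_SAN),  # DNS-only cert: rejected
        "test loopback ip": verify_hostname("127.0.0.1", TEST_SAN),  # IP SAN present: accepted
        "test ipv6 loopback": verify_hostname("[::1]", TEST_SAN),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:20} {'OK' if ok else 'REJECTED'}")
```

The "prod loopback ip" case is the situation the unit tests hit: a certificate issued only for DNS names is correctly rejected when the client connects to 127.0.0.1, so a test either needs a certificate with an iPAddress SAN for the loopback address or a test-only verifier that accepts everything. In production, the fix is always the former: issue the certificate with the DNS name or IP address that clients actually connect to, rather than weakening verification.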
