GitHub user EronWright created a discussion: Enable TLS hostname verification by default
**Is your enhancement request related to a problem? Please describe.**

Hostname verification is a critical aspect of TLS, especially when using the system-provided certificate bundle. TLS server authentication consists of two steps: a) verify the certificate is **valid** according to a trust chain (i.e. a certificate bundle), and b) verify that the certificate is **applicable** to the connection (i.e. hostname verification). See the article [The Most Dangerous Code in the World](https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf) for more details.

Without hostname verification, the client is willing to accept any certificate that is rooted in the certificate bundle; if you use the system bundle, any certificate from Let's Encrypt or another public issuer would suffice. For example, the client thinks it is connecting to `pulsar.apache.org` but accepts a certificate for `domain-that-i-just-purchased.com`.

Pulsar disables hostname verification by default, perhaps on the assumption that a private CA is being used and thus the set of valid certificates is tightly controlled. From [the docs](https://pulsar.apache.org/docs/en/security-tls-transport/#hostname-verification):

> By default, Pulsar clients disable hostname verification, as it requires that each broker has a DNS record and a unique cert.

**Describe the solution you'd like**

The enhancement request is to enable hostname verification by default, at least when using the system cert bundle. Specifically, enable verification when both are true: a) an explicit setting has not been specified, and b) a certificate bundle has not been specified. Condition (b) is for backwards compatibility purposes.

GitHub link: https://github.com/apache/pulsar/discussions/18874

----

This is an automatically sent email for dev@pulsar.apache.org. To unsubscribe, please send an email to: dev-unsubscr...@pulsar.apache.org
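The two-step server authentication the discussion describes, as an added example that is not part of the original post or of Pulsar's code. The certificates and the "system bundle" are constructed stand-ins: step (a), chain validation, is modelled as a lookup of the issuer in the bundle (a real client walks signatures, validity periods and revocation), while step (b) implements the RFC 6125 dNSName matching rules, including the single-label wildcard restriction. The last two functions show the same weak-versus-hardened choice expressed in Python's own `ssl` module, which performs both steps for real.

```python
"""Added example: why chain validation alone does not authenticate a server."""
import ssl
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for a parsed X.509 leaf certificate (constructed data)."""
    issuer: str
    san_dns: tuple = ()  # subjectAltName dNSName entries


# Constructed stand-in for the system trust bundle: issuers this client trusts.
SYSTEM_BUNDLE = frozenset({"ISRG Root X1 (Let's Encrypt)", "DigiCert Global Root G2"})


def chain_is_valid(cert, bundle):
    """Step (a), simplified: 'rooted in the bundle' is modelled as issuer membership."""
    return cert.issuer in bundle


def dns_name_matches(pattern, hostname):
    """RFC 6125 section 6.4.3 matching for one dNSName entry.

    Comparison is case-insensitive and ignores a trailing dot. A single '*'
    is allowed only as the entire left-most label, matches exactly one label,
    and must leave at least two fixed labels (so '*.com' never matches)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False  # rejects 'f*o.example.com', '*.*.example.com', '*.com'
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """Step (b): the certificate is applicable only if some SAN entry matches."""
    return any(dns_name_matches(name, hostname) for name in cert.san_dns)


def authenticate_server(cert, expected_host, bundle=SYSTEM_BUNDLE, verify_hostname=True):
    """Returns 'ok' or the reason the certificate was rejected."""
    if not chain_is_valid(cert, bundle):
        return "rejected: not rooted in trust bundle"
    if verify_hostname and not hostname_matches(cert, expected_host):
        return f"rejected: certificate not valid for {expected_host}"
    return "ok"


# Certificate an attacker legitimately obtained from a public CA for a domain they own.
ATTACKER_CERT = Cert(issuer="ISRG Root X1 (Let's Encrypt)",
                     san_dns=("domain-that-i-just-purchased.com",))
# Certificate the genuine broker presents.
BROKER_CERT = Cert(issuer="DigiCert Global Root G2",
                   san_dns=("pulsar.apache.org", "*.pulsar.apache.org"))
# Certificate from a private CA that is not in the system bundle.
PRIVATE_CA_CERT = Cert(issuer="Example Corp Private CA", san_dns=("pulsar.apache.org",))


def weak_client_context():
    """Python ssl equivalent of the current Pulsar default: chain checked, hostname not."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # step (b) skipped
    ctx.verify_mode = ssl.CERT_REQUIRED  # step (a) still enforced
    return ctx


def hardened_client_context():
    """What the enhancement asks for: create_default_context() already enables both steps."""
    return ssl.create_default_context()


if __name__ == "__main__":
    print("hostname check off:", authenticate_server(ATTACKER_CERT, "pulsar.apache.org", verify_hostname=False))
    print("hostname check on: ", authenticate_server(ATTACKER_CERT, "pulsar.apache.org"))
    print("genuine broker:    ", authenticate_server(BROKER_CERT, "broker-1.pulsar.apache.org"))
    print("private CA:        ", authenticate_server(PRIVATE_CA_CERT, "pulsar.apache.org"))
```

With `verify_hostname=False` the attacker's publicly issued certificate is accepted for `pulsar.apache.org`, which is exactly the failure mode the post describes; with it enabled, the same certificate is rejected at step (b). The private-CA certificate fails at step (a) regardless, which is why the proposal only changes the default when no custom bundle has been supplied.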