+1 to this change.
> I am not sure enabling hostname verification by default is a good idea
> because it will cause deployment failures for many users. Hostname
> verification requires x509 cert changes and wildcard SNName in some cases
> and it's not easy when broker hostname patterns don't
Hi Rajan,
> it will cause deployment failures for many users
We must consider all users. In addition to the users you describe,
there are other users to consider--specifically ones that are not
familiar with TLS configurations and just want to get a pulsar cluster
up and running quickly. Making i
Hi,
I am not sure enabling hostname verification by default is a good idea
because it will cause deployment failures for many users. Hostname
verification requires x509 cert changes and wildcard SNName in some cases
and it's not easy when broker hostname patterns don't match in x509 certs
and there
One late addition that I just discovered is that for any Pulsar CLI
argument that is zero arity, we'll need to make a breaking change to
make it have arity 1. For example, the
--tls-enable-hostname-verification param here [0]
currently works such that it is disabled when the parameter is
missing and en
+1. default security is reasonable.
Thanks
ZhangJian He
On Tue, 6 Jun 2023 at 13:40, Michael Marshall wrote:
> > Should these changes be released in a minor version?
>
> I think it is reasonable to make this change in 3.1.0. The change will
> be covered in the release notes.
>
> > For the Gola
> Should these changes be released in a minor version?
I think it is reasonable to make this change in 3.1.0. The change will
be covered in the release notes.
> For the Golang client, I think we should introduce a
> `NewDefaultConfig` method to create the config instead of directly creating a new
> config.
+1
Enabling TLS hostname verification by default is important anywhere,
which protects our application.
Should these changes be released in a minor version?
For the Golang client, I think we should introduce a
`NewDefaultConfig` method to create the config instead of directly creating a new
config.
Th
I put together PRs for the python and the C++ clients:
https://github.com/apache/pulsar-client-python/pull/128
https://github.com/apache/pulsar-client-cpp/pull/278
I am not sure of the right way to change the default for the go client
because go uses the zero value for structs, and we have the varia
Hi Pulsar Community,
I am writing to start the discussion on PIP 273 to enable hostname
verification by default.
PR with PIP contents: https://github.com/apache/pulsar/pull/20453
I copy the content below (except for the associated svg of the pulsar
network diagram).
I look forward to your feedb