TLS Hostname Verification supports only one server #44

Open
spasam-onshape opened this issue Oct 25, 2024 · 3 comments

Comments

@spasam-onshape

I can connect to more than one server using MemcachedClient, but there is only the ability to specify one host name for ConnectionFactoryBuilder#setHostnameForTlsVerification.

ConnectionFactoryBuilder#hostnameForTlsVerification seems redundant. Why doesn't TCPMemcachedNodeImpl use NodeEndPoint or SocketAddress and get the hostname it is communicating with?

@ciaranj

ciaranj commented Nov 19, 2024

Yeah it's a bit weird, I'm not at all sure why this line in TCPMemcachedNodeImpl.java :
sslEngine = sslContext.createSSLEngine(connectionFactory.getHostnameForTlsVerification(), ((InetSocketAddress) socketAddress).getPort());
isn't something more like:
sslEngine = sslContext.createSSLEngine(((InetSocketAddress) socketAddress).getHostName(), ((InetSocketAddress) socketAddress).getPort());
I can only assume it's supporting an edge case where all the nodes share the same certificate with all the addresses for all the nodes set as SANs, or perhaps there's a hidden dependency on a bunch of IPs [nodes] all reverse-DNS'ing back to a shared domain name, so only one [shared] certificate is required across them all.

@QuChen88

QuChen88 commented Nov 26, 2024

For AWS ElastiCache, the DNS hostnames for all the nodes in a memcached cluster have a similar domain name / suffix, i.e. 0001.mycluster.xkf84q.use1.cache.amazonaws.com, 0002.mycluster.xkf84q.use1.cache.amazonaws.com etc. So it is easy to wild-card the hostname in the certificate so that it works for all the nodes in the cluster (e.g. in this case it would be something like *.mycluster.xkf84q.use1.cache.amazonaws.com).

@ciaranj

ciaranj commented Dec 7, 2024

@QuChen88 that makes sense (as to the design choice), it just doesn't generalise outside of the AWS ElastiCache case, which is unfortunate (but understandable given the client).
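The alternative ciaranj sketches (pass each node's own address to `createSSLEngine`) and the wildcard-certificate case QuChen88 describes can both be served by one engine factory. The following is an added example written for this thread, not code from the memcached client or from any of the commenters: `PerNodeTlsEngineFactory`, its `hostnameOverride` parameter and the sample node addresses are all assumptions. It verifies each node against the host name the address was created with, keeps an optional single override for deployments that rely on one shared name, and, as a defender-side caveat, enables JSSE endpoint identification explicitly, because passing a peer host to `createSSLEngine` alone does not by itself make the trust manager check the certificate's SAN/CN.

```java
import java.net.InetSocketAddress;
import java.util.List;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

/**
 * Added example (not the memcached client's own code): build one client-side
 * SSLEngine per node, verifying the certificate against that node's own host name.
 */
public final class PerNodeTlsEngineFactory {

    private final SSLContext sslContext;
    // Hypothetical override: null means "verify against each node's own host name".
    private final String hostnameOverride;

    public PerNodeTlsEngineFactory(SSLContext sslContext, String hostnameOverride) {
        this.sslContext = sslContext;
        this.hostnameOverride = hostnameOverride;
    }

    /** Host name the certificate will be checked against for this node. */
    public String verificationHostFor(InetSocketAddress node) {
        if (hostnameOverride != null && !hostnameOverride.isEmpty()) {
            return hostnameOverride;
        }
        // getHostString() returns the name the address was created with (or the
        // IP literal) without triggering a reverse-DNS lookup, unlike getHostName().
        return node.getHostString();
    }

    /** True when the string is an IPv4/IPv6 literal rather than a DNS name. */
    private static boolean isIpLiteral(String host) {
        return host.chars().allMatch(c -> Character.isDigit(c) || c == '.' || c == ':');
    }

    public SSLEngine createEngine(InetSocketAddress node) {
        String host = verificationHostFor(node);
        SSLEngine engine = sslContext.createSSLEngine(host, node.getPort());
        engine.setUseClientMode(true);

        SSLParameters params = engine.getSSLParameters();
        // Without this, JSSE validates the chain but does not match the
        // certificate's SAN/CN against the peer host given above.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        // Send SNI for DNS names so a server fronting several names presents
        // the right certificate (SNIHostName rejects IP literals).
        if (!isIpLiteral(host)) {
            params.setServerNames(List.of(new SNIHostName(host)));
        }
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        PerNodeTlsEngineFactory perNode = new PerNodeTlsEngineFactory(ctx, null);
        // Constructed sample addresses in the style of the cluster names discussed above;
        // createUnresolved avoids any DNS lookup so this runs offline.
        InetSocketAddress n1 = InetSocketAddress.createUnresolved(
                "0001.mycluster.xkf84q.use1.cache.amazonaws.com", 11212);
        InetSocketAddress n2 = InetSocketAddress.createUnresolved(
                "0002.mycluster.xkf84q.use1.cache.amazonaws.com", 11212);
        for (InetSocketAddress node : List.of(n1, n2)) {
            SSLEngine e = perNode.createEngine(node);
            // A wildcard certificate for *.mycluster.xkf84q.use1.cache.amazonaws.com
            // still matches here, because each node's own name is what gets checked.
            System.out.println(node.getHostString() + " -> verifies against " + e.getPeerHost());
        }
    }
}
```

With `hostnameOverride` left null, a per-node wildcard deployment of the kind described above keeps working, since every node name matches the wildcard; a deployment that genuinely needs one shared name can still pass it as the override. The design point for a client library is that the override is the special case, and the node's own address is the safe default.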
