Enables EndpointValidation #47111
Conversation
Pull Request Overview
This PR enables endpoint validation in the SSL/TLS configuration for Azure Cosmos DB client connections by setting the endpoint identification algorithm to "HTTPS". This ensures that the hostname in the certificate matches the hostname being connected to, preventing potential man-in-the-middle attacks.
Key Changes:
- Adds endpoint identification algorithm validation to SSL context configuration
/azp run java - cosmos - spark
/azp run java - cosmos - kafka
Azure Pipelines successfully started running 1 pipeline(s).
/azp run java - cosmos - tests
Azure Pipelines successfully started running 1 pipeline(s).
…to users/fabianm/FixNettyEPValidation
Description
Netty 4.1.* does not enable hostname validation for TLS connections by default. So, when establishing a TLS connection, it validates that the server certificate has a valid signature and that the certificate chain ends up in a trusted anchor, but it does not validate that the certificate used by the service endpoint has attributes indicating that it can act as an SSL certificate for the hostname used when creating the connection. The lack of hostname validation is a problem, because it makes man-in-the-middle attacks simpler than necessary or intended.
This PR enables hostname validation for both Direct mode and Gateway mode.
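The gap the PR describes, shown as a stand-alone example. This is added illustration, not code from PR #47111 or from the Cosmos DB SDK: it builds a client-side `SSLEngine` two ways (plain JDK, and through Netty's `SslContextBuilder` / `SslHandler`), reports whether the engine will check the server certificate against the peer hostname, and then applies the fix, which is setting the endpoint identification algorithm to `"HTTPS"` on the engine's `SSLParameters`. No network connection is opened; the hostname `myaccount.documents.azure.com` is a constructed placeholder used only to populate the engine's peer host. On the JDK the default algorithm is unset; for Netty the default is what the PR reports for the 4.1.* line, so the "default" output for the Netty handler depends on the Netty version on the classpath.

```java
import io.netty.buffer.UnpooledByteBufAllocator;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;
import io.netty.handler.ssl.SslProvider;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;
import java.security.NoSuchAlgorithmException;

/**
 * Added example (not code from PR #47111): how a client SSLEngine ends up
 * with or without hostname verification, and how to switch it on.
 */
public final class HostnameVerificationExample {

    // Endpoint identification algorithm understood by the JDK's TrustManager:
    // makes the handshake match the server certificate's SAN (or CN) against the
    // peer host passed when the engine was created, using the HTTPS rules.
    static final String HTTPS_ENDPOINT_IDENTIFICATION = "HTTPS";

    /** True when the engine will verify the server's hostname during the handshake. */
    static boolean isHostnameVerificationEnabled(SSLEngine engine) {
        String algorithm = engine.getSSLParameters().getEndpointIdentificationAlgorithm();
        return algorithm != null && !algorithm.isEmpty();
    }

    /**
     * Enables hostname verification on an already-created client engine.
     * Caveat: the engine must have been created with a peer host (see below);
     * with no peer host there is nothing to match and the handshake fails.
     */
    static void enableHostnameVerification(SSLEngine engine) {
        // getSSLParameters() returns a copy: mutate it, then write it back.
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm(HTTPS_ENDPOINT_IDENTIFICATION);
        engine.setSSLParameters(params);
    }

    /** Plain JDK client engine: peer host/port are recorded but not verified by default. */
    static SSLEngine jdkClientEngine(String host, int port) throws NoSuchAlgorithmException {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine(host, port);
        engine.setUseClientMode(true);
        return engine;
    }

    /**
     * Netty client handler. Passing peerHost/peerPort gives verification something to
     * check against, but on its own does not turn verification on; that still has to
     * be done on the handler's engine, as the PR does for the Cosmos DB client.
     */
    static SslHandler nettyClientHandler(String host, int port) throws SSLException {
        SslContext sslContext = SslContextBuilder.forClient()
                .sslProvider(SslProvider.JDK) // pin the provider so the behaviour is the JDK engine's
                .build();
        return sslContext.newHandler(UnpooledByteBufAllocator.DEFAULT, host, port);
    }

    public static void main(String[] args) throws Exception {
        // Constructed placeholder endpoint; no socket is opened in this example.
        String host = "myaccount.documents.azure.com";
        int port = 443;

        SSLEngine jdk = jdkClientEngine(host, port);
        System.out.println("JDK engine, default:     verifies hostname = " + isHostnameVerificationEnabled(jdk));
        enableHostnameVerification(jdk);
        System.out.println("JDK engine, hardened:    verifies hostname = " + isHostnameVerificationEnabled(jdk));

        SslHandler netty = nettyClientHandler(host, port);
        System.out.println("Netty handler, default:  verifies hostname = " + isHostnameVerificationEnabled(netty.engine()));
        enableHostnameVerification(netty.engine());
        System.out.println("Netty handler, hardened: verifies hostname = " + isHostnameVerificationEnabled(netty.engine()));
    }
}
```

The practical check for an existing client is the one `isHostnameVerificationEnabled` performs: if `getEndpointIdentificationAlgorithm()` on the handshake engine is null, the connection will accept any certificate that chains to a trusted root, regardless of which hostname it was issued for. That is the condition the PR closes for both Direct mode and Gateway mode.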