Netty - set EndpointIdentificationAlgorithm to get rid of CWE-295

[nicoloboschi]

EndpointIdentificationAlgorithm parameter must be set to "HTTPS" to properly perform hostname validation during SslEngine creation.
As far as I can see in the Pulsar codebase this parameter is left to the default value; this means that the hostname validation is disabled.

More context here

• Security Vulnerability - Common Weakness Enumeration (CWE) CWE-295 netty/netty#9930
• [Netty 5] Enable hostname verification by default  netty/netty#8537
• https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/SSLParameters.html#setEndpointIdentificationAlgorithm-java.lang.String-
• https://netty.io/4.1/api/io/netty/handler/ssl/SslContext.html#newHandler-io.netty.buffer.ByteBufAllocator-java.util.concurrent.Executor-

[eolivelli]

@nicoloboschi do you have a proposal ?
Which are the cons of setting a value ?

[nicoloboschi]

I don't see cons in a correctly configured environment. BTW I consider it a breaking change but it's worth because of security

The fix is to configure the parameter whenever a SSLEngine is created. I can work on it this week

[lhotari]

@nicoloboschi There are tests in https://github.com/apache/pulsar/blob/master/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthenticationTlsHostnameVerificationTest.java , do you think that there's a gap?

In Pulsar client, there's custom logic to do the hostname validation:

pulsar/pulsar-client/src/main/java/org/apache/pulsar/client/impl/ClientCnx.java

Lines 311 to 316 in 1a3688c

	if (isTlsHostnameVerificationEnable && remoteHostName != null && !verifyTlsHostName(remoteHostName, ctx)) {
	// close the connection if host-verification failed with the broker
	log.warn("[{}] Failed to verify hostname of {}", ctx.channel(), remoteHostName);
	ctx.close();
	return;
	}

[github-actions]

The issue had no activity for 30 days, mark with Stale label.

[github-actions]

The issue had no activity for 30 days, mark with Stale label.

[michaeljmarshall]

Fixed by #15824.