Strip trailing dot off hostname used for SSL validation. #2374
For additional context, this was raised to the Python project and it was decided that it, too, is a problem for the application layer: python/cpython#76178
I'm cautious about adding an invocation of `rstrip(".")` to each hostname attached to the socket. I think this should be the responsibility of users to add this logic. Sure, it makes sense to remove dots from the end of all hostnames, but I don't think it should be the library's responsibility to do so. The library assumes an arbitrary hostname is passed in, not specifically FQDNs.
The issue here is
There are reasons to an FQDN (terminated with As for
A real-world example is seen in the .NET Runtime: dotnet/runtime#62540 My stance is for
I see now, thank you for the clarification! LGTM.
Just a note: I'm waiting to get v2.0.3 released before merging this.
…terations for Kafka 0.8.2 and Python 3.12 (dpkp#159) * skip failing tests for PyPy since they work locally * Reconfigure tests for PyPy and 3.12 * Skip partitioner tests in test_partitioner.py if 3.12 and 0.8.2 * Update test_partitioner.py * Update test_producer.py * Timeout tests after ten minutes * Set 0.8.2.2 to be experimental from hereon * Formally support PyPy 3.9
* Test Kafka 0.8.2.2 using Python 3.11 in the meantime * Override PYTHON_LATEST conditionally in python-package.yml * Update python-package.yml * add python annotation to kafka version test matrix * Update python-package.yml * try python 3.10
* Remove support for EOL'ed versions of Python * Update setup.py
Too many MRs to review... so little time.
After stop/start kafka service, kafka-python may use 100% CPU caused by busy-retry while the socket was closed. This fixes the issue by unregistering the socket if the fd is negative.
Co-authored-by: Orange Kao <orange@aiven.io>
Co-authored-by: Ryar Nyah <ryarnyah@gmail.com>
Co-authored-by: Denis Otkidach <denis.otkidach@gmail.com>
The former has been deprecated since setuptools 56
Co-authored-by: micwoj92 <45581170+micwoj92@users.noreply.github.com>
When using FQDNs with trailing dots to connect to a broker, the trailing dot in the hostname should be stripped before using the hostname for validation against the server's certificate.
For instance, this code:
Will cause certificate validation to fail when the subject name doesn't contain the trailing dot.
For some context, this is also a problem with librdkafka: confluentinc/librdkafka#4348
The current stance from the OpenSSL team is this is an application layer issue: openssl/openssl#11560
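The trailing-dot mismatch described in the pull request, as an added example that is not part of the original post or of the project's code: the name with the root dot is kept for connecting, and a dot-free name is handed to the TLS layer for SNI and certificate checks. The helpers `validation_hostname`, `dns_name_matches` and `wrap_for_broker` and the sample names are hypothetical, and the matcher is a simplified stand-in for the TLS library's own comparison.

```python
import ssl

CONSTRUCTED_SAN = "broker.example.com"    # constructed certificate dNSName
CONSTRUCTED_HOST = "broker.example.com."  # constructed absolute FQDN from config

def validation_hostname(host: str) -> str:
    """Name to use for SNI and certificate checks (hypothetical helper).

    Removes exactly one root dot. rstrip(".") would also collapse the
    malformed "host..", which is left untouched here so it still fails.
    """
    if len(host) > 1 and host.endswith(".") and not host.endswith(".."):
        return host[:-1]
    return host

def dns_name_matches(san: str, host: str) -> bool:
    """Simplified dNSName comparison: case-insensitive, label by label,
    with "*" allowed only as the whole left-most label. Illustrative only;
    the real check is performed by the TLS library."""
    san_labels = san.lower().split(".")
    host_labels = host.lower().split(".")
    if len(san_labels) != len(host_labels):
        return False  # "a.b.c." has an extra empty label and lands here
    if san_labels[0] == "*":
        return (len(host_labels) > 2 and host_labels[0] != ""
                and san_labels[1:] == host_labels[1:])
    return san_labels == host_labels

def wrap_for_broker(ctx: ssl.SSLContext, host: str) -> ssl.SSLObject:
    """Create the TLS object with the dot-free name; DNS resolution and
    connect() keep using `host` unchanged."""
    return ctx.wrap_bio(ssl.MemoryBIO(), ssl.MemoryBIO(),
                        server_hostname=validation_hostname(host))

if __name__ == "__main__":
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # check_hostname is enabled
    print(dns_name_matches(CONSTRUCTED_SAN, CONSTRUCTED_HOST))
    print(dns_name_matches(CONSTRUCTED_SAN, validation_hostname(CONSTRUCTED_HOST)))
    print(wrap_for_broker(ctx, CONSTRUCTED_HOST).server_hostname)
```

Hostname checking stays enabled throughout; only the name handed to the TLS layer changes.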