fix hostname verification

hoguni · hoguni · commit 7a6cd3be6d4f · 2022-11-25T11:09:25.000+09:00
diff --git a/lib/ClientConnection.cc b/lib/ClientConnection.cc
@@ -201,11 +201,6 @@ ClientConnection::ClientConnection(const std::string& logicalAddress, const std:
         } else {
             ctx.set_verify_mode(boost::asio::ssl::context::verify_peer);
 
-            if (clientConfiguration.isValidateHostName()) {
-                LOG_DEBUG("Validating hostname for " << serviceUrl.host() << ":" << serviceUrl.port());
-                ctx.set_verify_callback(boost::asio::ssl::rfc2818_verification(physicalAddress));
-            }
-
             std::string trustCertFilePath = clientConfiguration.getTlsTrustCertsFilePath();
             if (!trustCertFilePath.empty()) {
                 if (file_exists(trustCertFilePath)) {
@@ -254,6 +249,11 @@ ClientConnection::ClientConnection(const std::string& logicalAddress, const std:
 
         tlsSocket_ = ExecutorService::createTlsSocket(socket_, ctx);
 
+        if (!clientConfiguration.isTlsAllowInsecureConnection() && clientConfiguration.isValidateHostName()) {
+            LOG_DEBUG("Validating hostname for " << serviceUrl.host() << ":" << serviceUrl.port());
+            tlsSocket_->set_verify_callback(boost::asio::ssl::rfc2818_verification(serviceUrl.host()));
+        }
+
         LOG_DEBUG("TLS SNI Host: " << serviceUrl.host());
         if (!SSL_set_tlsext_host_name(tlsSocket_->native_handle(), serviceUrl.host().c_str())) {
             boost::system::error_code ec{static_cast<int>(::ERR_get_error()),
diff --git a/tests/AuthPluginTest.cc b/tests/AuthPluginTest.cc
@@ -147,6 +147,21 @@ TEST(AuthPluginTest, testTlsDetectPulsarSslWithHostNameValidation) {
     Client client(serviceUrlTls, config);
     std::string topicName = "persistent://private/auth/testTlsDetectPulsarSslWithHostNameValidation";
 
+    Producer producer;
+    Result res = client.createProducer(topicName, producer);
+    ASSERT_EQ(ResultOk, res);
+}
+
+TEST(AuthPluginTest, testTlsDetectPulsarSslWithHostNameValidationMissingCertsFile) {
+    ClientConfiguration config = ClientConfiguration();
+    config.setTlsAllowInsecureConnection(false);
+    config.setValidateHostName(true);
+    config.setAuth(pulsar::AuthTls::create(clientPublicKeyPath, clientPrivateKeyPath));
+
+    Client client(serviceUrlTls, config);
+    std::string topicName =
+        "persistent://private/auth/testTlsDetectPulsarSslWithHostNameValidationMissingCertsFile";
+
     Producer producer;
     Result res = client.createProducer(topicName, producer);
     ASSERT_EQ(ResultConnectError, res);
@@ -183,6 +198,23 @@ TEST(AuthPluginTest, testTlsDetectHttpsWithHostNameValidation) {
 
     std::string topicName = "persistent://private/auth/test-tls-detect-https-with-hostname-validation";
 
+    Producer producer;
+    Result res = client.createProducer(topicName, producer);
+    ASSERT_EQ(ResultOk, res);
+}
+
+TEST(AuthPluginTest, testTlsDetectHttpsWithHostNameValidationMissingCertsFile) {
+    ClientConfiguration config = ClientConfiguration();
+    config.setUseTls(true);  // shouldn't be needed soon
+    config.setTlsAllowInsecureConnection(false);
+    config.setAuth(pulsar::AuthTls::create(clientPublicKeyPath, clientPrivateKeyPath));
+    config.setValidateHostName(true);
+
+    Client client(serviceUrlHttps, config);
+
+    std::string topicName =
+        "persistent://private/auth/test-tls-detect-https-with-hostname-validation-missing-certs-file";
+
     Producer producer;
     Result res = client.createProducer(topicName, producer);
     ASSERT_NE(ResultOk, res);
