Currently, when accepting a socket connection, the server is only able to verify the IP Address of the client. The IP Address that it can verify is the physical interface address used by the client, which may not be present in the certificate SANs. We could instead check if the client hostname is present in SANs.
This PR uses a HostnameResolver to execute a reverse DNS lookup. Since reverse DNS is unsupported in Kubernetes, it uses the local hostname and the predefined formula for Pod hostnames in a StatefulSet to find the mapping of IP Address to Pod Hostname.
We then use reflection to inject this hostname into the InetAddress object returned by the Socket.
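As an added illustration (not the PR's code and not the project's HostnameResolver): one way to derive the IP-to-pod-hostname mapping described above by forward-resolving candidate peer names, assuming the usual `<set>-<ordinal>.<headless-service>...` StatefulSet naming and a known maximum ordinal. It attaches the hostname with `InetAddress.getByAddress(host, addr)` instead of reflection and then checks that hostname against the certificate's dNSName SANs.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Illustrative replacement for reverse DNS inside a StatefulSet (example code, not the PR's). */
public final class StatefulSetPeerResolver {
    // Pod hostnames look like <set>-<ordinal>[.<service>...]; only the ordinal varies between peers.
    private static final Pattern POD_HOST =
            Pattern.compile("^(?<prefix>.+)-(?<ordinal>\\d+)(?<suffix>\\..+)?$");
    private final String localHostname; // e.g. the value of HOSTNAME inside the pod
    private final int maxOrdinal;       // assumed known (StatefulSet replicas - 1)

    public StatefulSetPeerResolver(String localHostname, int maxOrdinal) {
        this.localHostname = localHostname;
        this.maxOrdinal = maxOrdinal;
    }

    /** Builds the candidate hostname of peer <ordinal> from the local pod's own name. */
    String candidate(int ordinal) {
        Matcher m = POD_HOST.matcher(localHostname);
        if (!m.matches()) throw new IllegalArgumentException("not a StatefulSet pod hostname: " + localHostname);
        String suffix = m.group("suffix") == null ? "" : m.group("suffix");
        return m.group("prefix") + "-" + ordinal + suffix;
    }

    /** Forward-resolves each candidate; returns the client address tagged with the matching hostname, or null. */
    public InetAddress resolve(InetAddress client) {
        for (int i = 0; i <= maxOrdinal; i++) {
            String host = candidate(i);
            try {
                for (InetAddress a : InetAddress.getAllByName(host)) {
                    if (a.equals(client)) { // InetAddress.equals compares address bytes only
                        return InetAddress.getByAddress(host, client.getAddress()); // no reflection needed
                    }
                }
            } catch (UnknownHostException ignored) { /* peer not running or not yet in DNS */ }
        }
        return null; // unknown client: caller should reject rather than fall back to the IP
    }

    /** True if hostname appears among the certificate's dNSName SANs (GeneralName type 2). */
    public static boolean hostnameInSans(X509Certificate cert, String hostname) throws CertificateParsingException {
        if (cert.getSubjectAlternativeNames() == null) return false;
        for (List<?> san : cert.getSubjectAlternativeNames()) {
            if (Integer.valueOf(2).equals(san.get(0)) && hostname.equalsIgnoreCase((String) san.get(1))) return true;
        }
        return false;
    }
}
```

Because only names the cluster DNS actually answers are accepted, a client whose address matches no candidate pod resolves to null and never reaches the SAN check.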