[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[HTCondor-users] SSL authentication fails when DNS returns multiple records

Package: htcondor

Version: 8.7.10




we have encountered an unexpected failure with X509 authentication between HTCondor daemons. The hostname checking for the daemon’s SSL certificate fails if the DNS server returns multiple A records. It is caused by the problematic implementation of the `get_full_hostname` method (https://github.com/htcondor/htcondor/blob/75b6f507a8be72dbe4fb17b61c0aa5049933522e/src/condor_utils/ipv6_hostname.cpp#L415), which returns only the first domain name of the PTR records (reverse DNS records). However, according to the DNS standard, the order of those PTR records cannot be guaranteed. Therefore, the authentication fails from time to time depending on whether the first record matches the common name in the x509 certificate.


Best regards,

Mingxuan Lin