Uploaded image for project: 'Flume'
  1. Flume
  2. FLUME-3315

[KafkaSink][KafkaSource] Impossible to disable hostname verification with SSL enryption

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.9.0
    • Fix Version/s: None
    • Labels:
      None
    • Environment:

      Flume 1.9.0

      Kafka 2.1.0

      Description

      The documentation says :

      Note: By default the property ssl.endpoint.identification.algorithm is not defined, so hostname verification is not performed. In order to enable hostname verification, set the following properties

      a1.sources.source1.kafka.consumer.ssl.endpoint.identification.algorithm=HTTPS

      But with Flume 1.9.0 this is not true anymore because since Kafka 2.0.0 hostname verification is enable by default.

      Notable changes in 2.0.0
      ...
      The default value for ssl.endpoint.identification.algorithm was changed to https, which performs hostname verification (man-in-the-middle attacks are possible otherwise). Set ssl.endpoint.identification.algorithm to an empty string to restore the previous behaviour.

      The problem is that it is impossible to disable hostname verification since flume does not support empty values in configuration (cf FlumeConfiguration.addRawProperty)

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              jleberre Jérémy LE BERRE
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated: