[KAFKA-3665] Default ssl.endpoint.identification.algorithm should be https - ASF JIRA

Attach files

Attach Screenshot

Voters

Watch issue

Watchers

Create sub-task

Link

Clone

Update Comment Author

Replace String in Comment

Update Comment Visibility

Delete Comments

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 0.9.0.1, 0.10.0.0
Fix Version/s: 2.0.0
Component/s: security
Labels:
None

Description

The default `ssl.endpoint.identification.algorithm` is `null` which is not a secure default (man in the middle attacks are possible).

We should probably use `https` instead. A more conservative alternative would be to update the documentation instead of changing the default.

A paper on the topic (thanks to Ryan Pridgeon for the reference): http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf

Attachments

Issue Links

Add Link

is related to

KAFKA-3667 Improve Section 7.2 Encryption and Authentication using SSL to include proper hostname verification configuration

Resolved

Delete this link

links to

GitHub Pull Request #1330

Delete this link

GitHub Pull Request #4956

Delete this link

mentioned in: Page Loading...

Delete this link

Activity

Comment

This comment will be Viewable by All Users Viewable by All Users

Cancel

People

Assignee:: Rajini Sivaram

Reporter:: Ismael Juma

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 06/May/16 12:30

Updated:: 18/Oct/18 18:02

Resolved:: 05/Jun/18 14:09

Agile

View on Board

Default ssl.endpoint.identification.algorithm should be https

Details

Description

Attachments

Attachments

Issue Links

Activity

People

Dates

Agile

Slack

Issue deployment