Kafka / KAFKA-3667

Improve Section 7.2 Encryption and Authentication using SSL to include proper hostname verification configuration


Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 0.10.0.1
    • Component/s: security
    • Labels: None

    Description

      Kafka's documentation should include additional guidance on how to properly enable SSL with hostname verification.

      1. Hostname verification will not be performed if ssl.endpoint.identification.algorithm has not been set.

      Failing to enable this will leave Kafka susceptible to man-in-the-middle attacks, as described in the Oracle Java API docs.

      2. The docs should also include instructions on how to strictly comply with RFC 2818. This will require adding the DNS SAN extension to the broker certificate.

      keytool

      It's worth noting in the docs that placing the FQDN in the CN is still valid, despite being less than ideal.

      3. KAFKA-3665 aims to set the default value for ssl.endpoint.identification.algorithm to HTTPS. This improvement JIRA aims to document the behavior changes that will introduce.
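      The following is an added example, not code from the Kafka project or from this ticket. It shows the two things the description asks the docs to cover: a check of a client/broker properties file for whether ssl.endpoint.identification.algorithm is set to HTTPS (the weak and corrected snippets are constructed samples), and an RFC 2818 style hostname match against a certificate laid out the way Python's ssl.SSLSocket.getpeercert() returns it, preferring DNS SAN entries and falling back to the CN only when no DNS SAN is present. The certificates, hostnames and paths are constructed sample data; parse_properties, hostname_verification_enabled, dns_name_matches and match_hostname are names chosen here, not Kafka APIs.

```python
"""Added example: Kafka SSL hostname-verification checks (constructed data)."""

HOSTNAME_KEY = "ssl.endpoint.identification.algorithm"

# Constructed sample configs. The first leaves the algorithm unset, which
# (before KAFKA-3665 changes the default) disables hostname verification.
WEAK_CONFIG = """
security.protocol=SSL
ssl.truststore.location=/path/to/kafka.client.truststore.jks
ssl.truststore.password=CHANGEME
"""
FIXED_CONFIG = WEAK_CONFIG + "ssl.endpoint.identification.algorithm=HTTPS\n"

# Constructed certificates in getpeercert() shape.
SAN_CERT = {
    "subject": ((("commonName", "kafka1.example.com"),),),
    "subjectAltName": (("DNS", "kafka1.example.com"), ("DNS", "*.kafka.example.com")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "kafka1.example.com"),),)}
SAN_MISMATCH_CERT = {
    "subject": ((("commonName", "kafka1.example.com"),),),
    "subjectAltName": (("DNS", "other.example.com"),),
}


def parse_properties(text):
    """Parse the key=value subset of Java properties; comments and blanks ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def hostname_verification_enabled(props):
    """True only when the algorithm is explicitly HTTPS; unset or empty means off."""
    return props.get(HOSTNAME_KEY, "").upper() == "HTTPS"


def dns_name_matches(pattern, hostname):
    """RFC 2818 s3.1 matching: case-insensitive, wildcard only as the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # *.a.com matches foo.a.com but not bar.foo.a.com, and not a bare domain.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def match_hostname(cert, hostname):
    """Return (ok, reason). If any dNSName SAN exists it is authoritative and the CN is ignored."""
    san_dns = [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]
    if san_dns:
        if any(dns_name_matches(p, hostname) for p in san_dns):
            return True, "matched SAN dNSName"
        return False, "no SAN dNSName matched; CN ignored because a SAN is present"
    # Legacy fallback: most specific CN in the subject (valid, but less than ideal).
    cn = None
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                cn = value
    if cn is not None and dns_name_matches(cn, hostname):
        return True, "matched CN (no SAN present; legacy fallback)"
    return False, "no SAN present and CN does not match"


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, "hostname verification:", hostname_verification_enabled(parse_properties(cfg)))
    for name, cert in (("san", SAN_CERT), ("cn-only", CN_ONLY_CERT), ("mismatch", SAN_MISMATCH_CERT)):
        print(name, match_hostname(cert, "kafka1.example.com"))
```

      The SAN itself is added at key-generation time; keytool accepts it through its -ext option (for example -ext SAN=DNS:kafka1.example.com), which is the extension the second point above refers to.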


          People

            Ryan P
            Ryan P
            Ismael Juma
            Votes: 0
            Watchers: 2
