[KAFKA-3667] Improve Section 7.2 Encryption and Authentication using SSL to include proper hostname verification configuration - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 0.10.0.1
Component/s: security
Labels:
None

Description

Kafka's documentation should include additional guidance on how to properly enable SSL with hostname verification.

1. Hostname verification will not be performed if ssl.endpoint.identification.algorithm has not been set.

Failing to enable this will leave Kafka susceptible to 'man-in-the-middle attacks' as describe in the oracle java api docs.

2. The docs should also include instructions on how to strictly comply with RFC-2818. This will require adding the DNS SAN extension.

keytool

It's worth noting in the docs that placing the FQDN in the CN is still valid despite being less than ideal as well.

3. ~~KAFKA-3665~~ aims to set the default value for ssl.endpoint.identification.algorithm to HTTPS. This improvement JIRA aims to document the behavior changes introduced.

Attachments

Issue Links

relates to

KAFKA-3665 Default ssl.endpoint.identification.algorithm should be https

Resolved

links to

GitHub Pull Request #1384

Activity

People

Assignee:: Ryan P

Reporter:: Ryan P

Reviewer:: Ismael Juma

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 06/May/16 14:29

Updated:: 03/Aug/16 09:50

Resolved:: 03/Aug/16 09:50