  1. Kafka
  2. KAFKA-5051

Avoid DNS reverse lookup in security-critical TLS code path

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 0.10.2.0
    • 0.11.0.0
    • security
    • None

    Description

      At the moment, the SSL engine is created using the hostname obtained from InetAddress#getHostName, which performs unnecessary reverse DNS lookups.

      Scenarios:

      Server-side

      Scenario: Server accepts connection from a client

      The broker knows only the client IP address. At the moment the broker does a reverse lookup. This is unnecessary since the server does not verify or use the client hostname. It can block the network thread for several seconds in some configurations. The IP address should be used directly.

      Client-side

      Scenario: Client connects to server using hostname

      No lookup is necessary and the hostname is used to create the SSL engine. This hostname is validated against the hostname in SubjectAltName (dns) or CommonName in the certificate if hostname verification is enabled. Authentication fails if the hostname does not match. This is handled correctly in the current code.

      Scenario: Client connects to server using IP address, but certificate contains only SubjectAltName (dns)

      The current code does hostname verification using the hostname obtained through reverse name lookup. But the use of reverse DNS lookup to determine the hostname introduces a security vulnerability, since authentication would be reliant on a secure DNS. Hence hostname verification should fail in this case.

      Scenario: Client connects to server using IP address and certificate contains SubjectAltName (ipaddress).

      This could be used when Kafka is on a private network. The current code uses reverse DNS lookup to determine the hostname. If the reverse lookup succeeds, authentication fails since the hostname is matched against the IP address in the certificate. But if the reverse lookup fails, the SSL engine is created with the IP address and authentication succeeds. For consistency and to avoid dependency on a potentially insecure DNS, reverse DNS lookup should be avoided and the IP address specified by the client for the connection should be used to create the SSL engine.
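
      The behaviour the scenarios above ask for, sketched with plain JDK classes. This is an added example, not Kafka's code or the project's fix: the class and method names are hypothetical and the addresses are constructed samples.

```java
import java.net.InetAddress;
import java.net.InetSocketAddress;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class PeerHostWithoutReverseLookup {

    // Peer host string for the SSL engine, chosen without any reverse DNS lookup.
    static String peerHost(InetSocketAddress remote, boolean clientMode) {
        if (clientMode) {
            // getHostString() returns the hostname or IP literal the caller supplied;
            // unlike getHostName(), it never resolves an address back to a name.
            return remote.getHostString();
        }
        // Server side: only the client's IP is known, and it is not verified.
        return remote.getAddress().getHostAddress();
    }

    static SSLEngine createEngine(SSLContext ctx, InetSocketAddress remote, boolean clientMode) {
        SSLEngine engine = ctx.createSSLEngine(peerHost(remote, clientMode), remote.getPort());
        engine.setUseClientMode(clientMode);
        if (clientMode) {
            // Hostname verification: the certificate must match the peer host above
            // (a dNSName entry for a hostname, an iPAddress entry for an IP literal).
            SSLParameters params = engine.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            engine.setSSLParameters(params);
        }
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // Constructed sample addresses (documentation ranges, not real brokers).
        InetSocketAddress byName = InetSocketAddress.createUnresolved("broker1.example.com", 9093);
        InetSocketAddress byIp = new InetSocketAddress("192.0.2.10", 9093);
        InetSocketAddress accepted = new InetSocketAddress(
                InetAddress.getByAddress(new byte[] {(byte) 198, 51, 100, 7}), 40000);

        // Each engine's peer host is exactly what was supplied or accepted.
        System.out.println(createEngine(ctx, byName, true).getPeerHost());
        System.out.println(createEngine(ctx, byIp, true).getPeerHost());
        System.out.println(createEngine(ctx, accepted, false).getPeerHost());
    }
}
```

      With the IP literal as peer host, a certificate that carries only a SubjectAltName (dns) entry fails verification, and one with a matching SubjectAltName (ipaddress) entry passes, regardless of what reverse DNS would return.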


            People

              rsivaram Rajini Sivaram