Kafka / KAFKA-5051

Avoid DNS reverse lookup in security-critical TLS code path



    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • security
    • None


      At the moment the SSL engine is created using the hostname obtained from InetAddress#getHostName, which performs unnecessary reverse DNS lookups.



      Scenario: Server accepts connection from a client

      The broker knows only the client's IP address. At the moment the broker does a reverse lookup. This is unnecessary since the server does not verify or use the client hostname. It can block the network thread for several seconds in some configurations. The IP address should be used directly.


      Scenario: Client connects to server using hostname

      No lookup is necessary and the hostname is used to create the SSL engine. This hostname is validated against the hostname in SubjectAltName (dns) or CommonName in the certificate if hostname verification is enabled. Authentication fails if the hostname does not match. This is handled correctly in the current code.

      Scenario: Client connects to server using IP address, but certificate contains only SubjectAltName (dns)

      The current code does hostname verification using the hostname obtained through reverse name lookup. But using a reverse DNS lookup to determine the hostname introduces a security vulnerability, since authentication would then rely on DNS being secure. Hence hostname verification should fail in this case.

      Scenario: Client connects to server using IP address and certificate contains SubjectAltName (ipaddress).

      This could be used when Kafka is on a private network. The current code uses a reverse DNS lookup to determine the hostname. If the reverse lookup succeeds, authentication fails since the hostname is matched against the IP address in the certificate. But if the reverse lookup fails, the SSL engine is created with the IP address and authentication succeeds. For consistency and to avoid dependency on a potentially insecure DNS, the reverse DNS lookup should be avoided and the IP address specified by the client for the connection should be used to create the SSL engine.
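
      The four scenarios above, sketched with the standard JDK APIs. This is an added example, not Kafka's code or the patch for this issue; the class name, method names, hostname and addresses are constructed for illustration.

```java
import java.net.InetAddress;
import java.net.InetSocketAddress;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class PeerHostExample {

    // Server side: only the client's IP is known. getHostAddress() formats the
    // address as text and never queries DNS, unlike getHostName().
    static SSLEngine serverEngine(SSLContext ctx, InetAddress clientAddr, int port) {
        SSLEngine engine = ctx.createSSLEngine(clientAddr.getHostAddress(), port);
        engine.setUseClientMode(false);
        return engine;
    }

    // Client side: getHostString() returns what the caller supplied (hostname
    // or IP literal) without a reverse lookup, so hostname verification runs
    // against the name or address the user chose to connect to.
    static SSLEngine clientEngine(SSLContext ctx, InetSocketAddress server) {
        SSLEngine engine = ctx.createSSLEngine(server.getHostString(), server.getPort());
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS"); // enable hostname verification
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();

        // Constructed sample addresses; getByAddress() performs no name lookup.
        InetAddress client = InetAddress.getByAddress(new byte[] {10, 0, 0, 5});
        System.out.println("server-side peer host: "
                + serverEngine(ctx, client, 40000).getPeerHost());

        // Constructed hostname; createUnresolved() does not touch DNS either.
        InetSocketAddress byName =
                InetSocketAddress.createUnresolved("broker.example.internal", 9093);
        InetSocketAddress byIp = new InetSocketAddress(
                InetAddress.getByAddress(new byte[] {10, 0, 0, 9}), 9093);
        System.out.println("client by name: " + clientEngine(ctx, byName).getPeerHost());
        System.out.println("client by IP:   " + clientEngine(ctx, byIp).getPeerHost());
    }
}
```

      With the peer host set this way, a client that connects by IP address is verified only against an IP address entry in SubjectAltName, and a DNS-only certificate fails verification instead of depending on a reverse lookup.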


              rsivaram Rajini Sivaram