Hi Ron & Ismael, Thanks for reviewing the KIP! I have updated the KIP to include Ismael's suggestion on printing a warning for unprefixed `ssl.client.auth` so that we can make the configs consistent in a future major release.
Regards, Rajini On Mon, Nov 9, 2020 at 3:58 PM Ismael Juma <ism...@juma.me.uk> wrote: > Thanks for the KIP Rajini. It's a good proposal. One suggestion for > consideration: > > 1. We could print a warning if the unprefixed `ssl.client.auth` is used and > there is a SASL_SSL listener. Then we could consider removing this > inconsistency in Kafka 4.0 or something like that. > > What do you think? > > Ismael > > On Mon, Nov 9, 2020 at 3:08 AM Rajini Sivaram <rajinisiva...@gmail.com> > wrote: > > > Hi all, > > > > I have submitted KIP-684 to support mTLS (TLS client authentication) for > > SASL_SSL listeners: > > > > - > > > > > https://cwiki.apache.org/confluence/display/KAFKA/KIP-684+-+Support+mutual+TLS+authentication+on+SASL_SSL+listeners > > > > > > In security-critical deployments, TLS client authentication adds an extra > > layer of security in addition to SASL-based client authentication. > > > > Feedback and suggestions are welcome. > > > > Thank you... > > > > Regards, > > > > Rajini > > >
