[
https://issues.apache.org/jira/browse/KAFKA-3665?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15274035#comment-15274035
]
Ryan P commented on KAFKA-3665:
-------------------------------
[~ijuma], I can absolutely do that.
Would you like me to include the documentation changes that will be needed for
this JIRA as well? Might be easier to just merge both Doc enhancements into one
since adding the SAN is useless without configuring the endpoint algorithm to
HTTPS.
For what it's worth the [OpenJDK
|https://github.com/openjdk-mirror/jdk7u-jdk/blob/master/src/share/classes/sun/security/util/HostnameChecker.java#L174-L209]
handles hostname verification in the proper order.
With that said I'd be glad to open the JIRA.
> Default ssl.endpoint.identification.algorithm should be https
> -------------------------------------------------------------
>
> Key: KAFKA-3665
> URL: https://issues.apache.org/jira/browse/KAFKA-3665
> Project: Kafka
> Issue Type: Bug
> Components: security
> Affects Versions: 0.9.0.1
> Reporter: Ismael Juma
> Assignee: Ismael Juma
> Fix For: 0.10.0.0
>
>
> The default `ssl.endpoint.identification.algorithm` is `null` which is not a
> secure default (man in the middle attacks are possible).
> We should probably use `https` instead. A more conservative alternative would
> be to update the documentation instead of changing the default.
> A paper on the topic (thanks to Ryan Pridgeon for the reference):
> http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
