[ https://issues.apache.org/jira/browse/KAFKA-3667?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15405638#comment-15405638 ]
ASF GitHub Bot commented on KAFKA-3667:
---------------------------------------
Github user asfgit closed the pull request at:
https://github.com/apache/kafka/pull/1384
> Improve Section 7.2 Encryption and Authentication using SSL to include proper
> hostname verification configuration
> -----------------------------------------------------------------------------------------------------------------
>
> Key: KAFKA-3667
> URL: https://issues.apache.org/jira/browse/KAFKA-3667
> Project: Kafka
> Issue Type: Improvement
> Components: security
> Reporter: Ryan P
>
> Kafka's documentation should include additional guidance on how to properly
> enable SSL with hostname verification.
> 1. Hostname verification will not be performed if
> ssl.endpoint.identification.algorithm has not been set.
> Failing to enable this will leave Kafka susceptible to 'man-in-the-middle
> attacks' as described in the [oracle java api docs|https://docs.oracle.com/javase/7/docs/api/javax/net/ssl/X509ExtendedTrustManager.html].
> 2. The docs should also include instructions on how to strictly comply with
> [RFC-2818|https://tools.ietf.org/html/rfc2818#section-3.1]. This will require
> adding the DNS SAN extension.
> [keytool|http://docs.oracle.com/javase/7/docs/technotes/tools/windows/keytool.html]
> It's worth noting in the docs that placing the FQDN in the CN is still valid
> despite being less than ideal as well.
> 3. KAFKA-3665 aims to set the default value for
> ssl.endpoint.identification.algorithm to HTTPS. This improvement JIRA aims to
> document the behavior changes introduced.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
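The two configuration points the quoted issue raises (the `ssl.endpoint.identification.algorithm` setting and a DNS SAN in the broker certificate), as an added shell example that is not part of the JIRA issue, the linked pull request, or the Kafka project's own code: a small audit function that reads a Kafka `.properties` file and reports whether hostname verification is enabled on a TLS listener, alongside the `keytool` invocation that places the FQDN in a DNS SAN. The audit function, the file names, hostnames and passwords are all constructed for this example; only the Kafka property names and the `keytool` flags are real.

```shell
#!/bin/sh
# Added example (not from the Kafka project or the JIRA issue).
# 1. prop / check_hostname_verification: audit a Kafka client or broker
#    .properties file for the setting the issue describes. Hostname
#    verification happens only when ssl.endpoint.identification.algorithm
#    is set (Kafka documents HTTPS); unset or empty means the client accepts
#    any certificate its truststore chains to, whichever host presented it.
# 2. make_broker_keystore: a keytool invocation that puts the broker FQDN in
#    a DNS SAN, which is what RFC 2818 section 3.1 matching checks first,
#    with the CN kept as the fallback the issue mentions.
# Paths, hostnames and passwords below are constructed for the demo.

# prop <file> <key>: print the last value of <key> in a key=value properties
# file. Lines starting with # or ! are comments; the "key value" and
# "key:value" spellings of the properties format are not handled here.
prop() {
  awk -v k="$2" '
    /^[ \t]*[#!]/ { next }
    index($0, "=") == 0 { next }
    {
      key = substr($0, 1, index($0, "=") - 1)
      val = substr($0, index($0, "=") + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key)
      gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (key == k) { found = val }
    }
    END { print found }' "$1"
}

# check_hostname_verification <file>: return 0 when a TLS config enables
# hostname verification, 1 when it does not, 2 when TLS is not in use.
check_hostname_verification() {
  proto=$(prop "$1" security.protocol)
  case "$proto" in
    SSL|SASL_SSL) ;;
    *) echo "$1: security.protocol='$proto' is not TLS; nothing to verify"; return 2 ;;
  esac
  algo=$(prop "$1" ssl.endpoint.identification.algorithm)
  case "$algo" in
    HTTPS|https)
      echo "$1: OK, hostname verification enabled ($algo)"; return 0 ;;
    "")
      echo "$1: WARNING, ssl.endpoint.identification.algorithm unset or empty: no hostname verification"; return 1 ;;
    *)
      echo "$1: WARNING, algorithm '$algo' is not the documented HTTPS; review"; return 1 ;;
  esac
}

# make_broker_keystore <fqdn> <keystore> <password>: self-signed key pair whose
# certificate has CN=<fqdn> and a DNS SAN for <fqdn>. For a CA-signed cert the
# same -ext SAN=... must also be passed to keytool -certreq and -gencert, or
# the SAN is absent from the issued certificate.
make_broker_keystore() {
  keytool -genkeypair -alias "$1" -keyalg RSA -keysize 2048 -validity 365 \
    -keystore "$2" -storepass "$3" -keypass "$3" \
    -dname "CN=$1, OU=Kafka, O=Example, C=US" \
    -ext "SAN=dns:$1"
}

# --- demo with constructed files ----------------------------------------
demo_dir=$(mktemp -d)

# Weak: TLS on, but no endpoint identification (Kafka's original default,
# which KAFKA-3665 changes).
cat > "$demo_dir/client-unverified.properties" <<'EOF'
security.protocol=SSL
ssl.truststore.location=/etc/kafka/client.truststore.jks
ssl.truststore.password=changeit
EOF

# Corrected: the same config with hostname verification enabled.
cat > "$demo_dir/client-verified.properties" <<'EOF'
security.protocol=SSL
ssl.truststore.location=/etc/kafka/client.truststore.jks
ssl.truststore.password=changeit
ssl.endpoint.identification.algorithm=HTTPS
EOF

for f in "$demo_dir"/*.properties; do
  check_hostname_verification "$f" || true   # the verdict is in the output
done

# Generate and inspect a SAN-bearing keystore only when a JDK is present.
ks="$demo_dir/server.keystore.jks"
if command -v keytool >/dev/null 2>&1 \
   && make_broker_keystore kafka1.example.com "$ks" changeit >/dev/null 2>&1; then
  keytool -list -v -keystore "$ks" -storepass changeit \
    | grep -A1 SubjectAlternativeName || true
else
  echo "keytool not available or failed; skipping keystore generation"
fi
```

Run it against real client and broker property files with `check_hostname_verification /path/to/file.properties`; a non-zero status on a `security.protocol=SSL` or `SASL_SSL` config is the case the issue warns about. The `keytool -list -v` output should show `DNSName: kafka1.example.com` under `SubjectAlternativeName`; a certificate that carries the FQDN only in the CN still passes Java's HTTPS endpoint identification, as the issue notes, but the SAN form is the one RFC 2818 prefers.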