[ https://issues.apache.org/jira/browse/KAFKA-3667?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ismael Juma updated KAFKA-3667:
-------------------------------
    Assignee: Ryan P

> Improve Section 7.2 Encryption and Authentication using SSL to include proper hostname verification configuration
> -----------------------------------------------------------------------------------------------------------------
>
>                 Key: KAFKA-3667
>                 URL: https://issues.apache.org/jira/browse/KAFKA-3667
>             Project: Kafka
>          Issue Type: Improvement
>          Components: security
>            Reporter: Ryan P
>            Assignee: Ryan P
>             Fix For: 0.10.0.1
>
>
> Kafka's documentation should include additional guidance on how to properly enable SSL with hostname verification.
> 1. Hostname verification will not be performed if ssl.endpoint.identification.algorithm has not been set.
> Failing to enable this will leave Kafka susceptible to 'man-in-the-middle attacks' as described in the [oracle java api docs|https://docs.oracle.com/javase/7/docs/api/javax/net/ssl/X509ExtendedTrustManager.html].
> 2. The docs should also include instructions on how to strictly comply with [RFC-2818|https://tools.ietf.org/html/rfc2818#section-3.1]. This will require adding the DNS SAN extension.
> [keytool|http://docs.oracle.com/javase/7/docs/technotes/tools/windows/keytool.html]
> It's worth noting in the docs that placing the FQDN in the CN is still valid despite being less than ideal as well.
> 3. KAFKA-3665 aims to set the default value for ssl.endpoint.identification.algorithm to HTTPS. This improvement JIRA aims to document the behavior changes introduced.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
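The two things the issue asks the docs to show, worked through as an added example that is not code from the Kafka project or from the reporter: a keytool invocation that puts the broker FQDN in a DNS SAN (with the CN kept as the legacy fallback), and a check that a client or broker properties file actually sets ssl.endpoint.identification.algorithm=HTTPS rather than leaving it unset, which is the state the issue describes as open to man-in-the-middle attacks. The hostname kafka1.example.com, the password "changeit", the keystore file names and the two sample properties files written by write_sample_configs are all assumptions constructed for the example.

```shell
#!/bin/sh
# Added example for KAFKA-3667; not code from the Kafka project or the reporter.
# Assumptions (illustrative, not from the issue): broker FQDN kafka1.example.com,
# keystore password "changeit", the file names below, and the two constructed
# client property files written by write_sample_configs.

FQDN=${FQDN:-kafka1.example.com}
STOREPASS=${STOREPASS:-changeit}

# Broker key pair whose certificate carries the FQDN both as a DNS SAN (what
# RFC 2818 section 3.1 checks first) and in the CN (legacy fallback, still
# accepted by HTTPS-style verification only when no DNS SAN is present).
gen_broker_keystore() {
    keystore=$1
    keytool -genkeypair -keyalg RSA -keysize 2048 -validity 365 \
        -alias "$FQDN" -dname "CN=$FQDN, O=Example" \
        -ext "SAN=dns:$FQDN" \
        -keystore "$keystore" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Print the SubjectAlternativeName extension so the DNS SAN can be confirmed.
show_san() {
    keytool -list -v -keystore "$1" -storepass "$STOREPASS" -alias "$FQDN" \
        | grep -A 2 'SubjectAlternativeName'
}

# Constructed client configs: "weak" omits the algorithm (no hostname
# verification on 0.10.0), "hardened" sets it to HTTPS.
write_sample_configs() {
    dir=$1
    cat > "$dir/weak.properties" <<'EOF'
security.protocol=SSL
ssl.truststore.location=/var/private/ssl/kafka.client.truststore.jks
ssl.truststore.password=changeit
EOF
    cat > "$dir/hardened.properties" <<'EOF'
security.protocol=SSL
ssl.truststore.location=/var/private/ssl/kafka.client.truststore.jks
ssl.truststore.password=changeit
ssl.endpoint.identification.algorithm=HTTPS
EOF
}

# Audit: return 0 only if the file explicitly sets
# ssl.endpoint.identification.algorithm=HTTPS (last occurrence wins, as in
# Java properties). Absent, empty or commented-out means no verification.
hostname_verification_enabled() {
    value=$(sed -n \
        -e '/^[[:space:]]*ssl\.endpoint\.identification\.algorithm[[:space:]]*=/!d' \
        -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' -e p "$1" | tail -n 1)
    case "$value" in
        HTTPS|https) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo: run with KAFKA_SSL_DEMO=1 and a JDK on PATH to generate the keystore
# and audit the two sample configs.
if [ "${KAFKA_SSL_DEMO:-0}" = "1" ]; then
    work=$(mktemp -d)
    gen_broker_keystore "$work/kafka.server.keystore.jks"
    show_san "$work/kafka.server.keystore.jks"
    write_sample_configs "$work"
    for f in weak hardened; do
        if hostname_verification_enabled "$work/$f.properties"; then
            echo "$f.properties: hostname verification ON"
        else
            echo "$f.properties: hostname verification OFF (MITM-exposed)"
        fi
    done
fi
```

The audit treats a commented-out or empty value the same as a missing one, because on a 0.10.0 client both leave the TrustManager without an endpoint identification algorithm and the broker certificate is never matched against the hostname the client connected to.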