[ https://issues.apache.org/jira/browse/KAFKA-3665?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15410268#comment-15410268 ]

Jun Rao commented on KAFKA-3665:
--------------------------------

[~Ryan P], thanks for the explanation. In the common case, the client only 
talks to the VIP for the very first MetadataRequest. At this point, the client 
doesn't know any broker host except for the VIP. So, it can't set SNI. After 
receiving the MetadataResponse, the client knows the broker hosts. However, for 
subsequent requests, the client just sends the requests to the broker host 
directly w/o going through the VIP. So, with SSL, we really need to solve the 
host verification problem for the very first request. It seems that SNI won't 
help in that case?

> Default ssl.endpoint.identification.algorithm should be https
> -------------------------------------------------------------
>
>                 Key: KAFKA-3665
>                 URL: https://issues.apache.org/jira/browse/KAFKA-3665
>             Project: Kafka
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.9.0.1, 0.10.0.0
>            Reporter: Ismael Juma
>            Assignee: Ismael Juma
>             Fix For: 0.10.1.0
>
>
> The default `ssl.endpoint.identification.algorithm` is `null` which is not a 
> secure default (man in the middle attacks are possible).
> We should probably use `https` instead. A more conservative alternative would 
> be to update the documentation instead of changing the default.
> A paper on the topic (thanks to Ryan Pridgeon for the reference): 
> http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
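
An added example, not part of the original message or of Kafka's code: a simplified RFC 2818 / RFC 6125 name check applied to the bootstrap flow discussed above, showing that with `https` identification the first connection to the VIP is accepted only if the presented certificate names the VIP, and that the `null` setting accepts a certificate issued for a different host. The host names, SAN lists and function names are assumptions made for illustration.

```python
# Added example: simplified RFC 2818 / RFC 6125 dNSName matching.
# All host names and SAN lists are constructed for illustration.

def dns_name_matches(pattern, hostname):
    """Match one SAN dNSName against the host name the client dialed."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or p[1:] != h[1:]:
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        # Whole-label wildcard in the left-most label only; "*.com" is refused.
        return len(p) >= 3 and h[0] != ""
    return p[0] == h[0]


def endpoint_identified(dialed_host, san_dns_names):
    """True if the certificate names the host the client dialed."""
    return any(dns_name_matches(s, dialed_host) for s in san_dns_names)


def simulate(bootstrap_host, advertised_hosts, certs, verify):
    """Return {host: accepted} for the bootstrap and follow-up connections.

    certs maps each dialed host to the SAN list of the certificate presented
    by whatever answers there. verify=False models the `null` setting: the
    chain is still validated, but the name in the certificate is not checked.
    """
    return {
        host: (not verify) or endpoint_identified(host, certs[host])
        for host in [bootstrap_host, *advertised_hosts]
    }


VIP = "kafka-vip.example.com"                              # constructed
BROKERS = ["broker1.example.com", "broker2.example.com"]   # constructed

# Certificates that name only the individual brokers.
BROKER_ONLY = {VIP: ["broker1.example.com"],
               BROKERS[0]: ["broker1.example.com"],
               BROKERS[1]: ["broker2.example.com"]}
# Same certificates with the VIP name added to each SAN list.
WITH_VIP = {h: sans + [VIP] for h, sans in BROKER_ONLY.items()}
# An endpoint answering at the VIP with a certificate for another host.
WRONG_HOST = dict(BROKER_ONLY, **{VIP: ["other-service.example.com"]})

if __name__ == "__main__":
    for label, certs, verify in [("https, broker-only SANs", BROKER_ONLY, True),
                                 ("https, VIP in SANs", WITH_VIP, True),
                                 ("null, wrong-host cert", WRONG_HOST, False)]:
        print(label, simulate(VIP, BROKERS, certs, verify))
```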
