[ https://issues.apache.org/jira/browse/KAFKA-6097?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16212804#comment-16212804 ]

Ismael Juma commented on KAFKA-6097:
------------------------------------

Have you verified that it's not succeeding because of the CN?

> Kafka ssl.endpoint.identification.algorithm=HTTPS not working
> -------------------------------------------------------------
>
>                 Key: KAFKA-6097
>                 URL: https://issues.apache.org/jira/browse/KAFKA-6097
>             Project: Kafka
>          Issue Type: Bug
>            Reporter: Damyan Petev Manev
>         Attachments: kafka-certificates-script.sh
>
>
> When ssl.endpoint.identification.algorithm is set to HTTPS and I have a SAN 
> extension on my server certificate, clients do not verify the server's fully 
> qualified domain name (FQDN) against it.
> Client certificate authentication works. With the following SAN extension - 
> dns:some.thing.here I expect the connection to fail, because according to 
> http://kafka.apache.org/documentation.html#security_ssl :
>  "clients will verify the server's fully qualified domain name (FQDN) against 
> one of the following two fields
> Common Name (CN)
> Subject Alternative Name (SAN)",
> but messages are produced and consumed successfully.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
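
Added example, not part of the issue or of the Kafka code base: a small Python model of the check the comment asks about, showing how a certificate whose SAN is `dns:some.thing.here` can still be accepted if the CN is consulted. RFC 2818 section 3.1 uses dNSName SAN entries exclusively when any are present and falls back to the CN only otherwise; the "either field" function models the looser reading of the quoted documentation. Function names, the broker hostname and the certificate values are constructed for illustration, and wildcard support is narrowed to a whole leftmost label.

```python
from typing import List, Optional


def _name_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS match; '*' is honoured only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return h[0] != "" and p[1:] == h[1:]
    return p == h


def rfc2818_match(host: str, cn: Optional[str], san_dns: List[str]) -> Optional[str]:
    """RFC 2818 s3.1: dNSName SANs, when present, are the only identity; CN is a fallback."""
    if san_dns:
        return "SAN" if any(_name_match(n, host) for n in san_dns) else None
    return "CN" if cn and _name_match(cn, host) else None


def either_field_match(host: str, cn: Optional[str], san_dns: List[str]) -> Optional[str]:
    """Looser model: accept a match in SAN or CN regardless of which fields exist."""
    if any(_name_match(n, host) for n in san_dns):
        return "SAN"
    return "CN" if cn and _name_match(cn, host) else None


def diagnose(host: str, cn: Optional[str], san_dns: List[str]) -> dict:
    """Report which field (if any) would satisfy each model for this certificate."""
    return {
        "rfc2818": rfc2818_match(host, cn, san_dns),
        "either_field": either_field_match(host, cn, san_dns),
    }


if __name__ == "__main__":
    # Constructed certificate: CN equals the broker name, SAN is unrelated.
    print(diagnose("broker1.example.test", "broker1.example.test", ["some.thing.here"]))
    # Same SAN, but the CN does not name the broker either.
    print(diagnose("broker1.example.test", "other.example.test", ["some.thing.here"]))
```

If the two models disagree for the real certificate (inspect its subject and SAN with `keytool -printcert` or `openssl x509 -text`), the CN is what lets the connection through.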
