ethaden commented on code in PR #14130: URL: https://github.com/apache/kafka/pull/14130#discussion_r1292864470
########## clients/src/main/java/org/apache/kafka/common/security/ssl/DefaultSslEngineFactory.java: ########## @@ -255,7 +271,7 @@ private SSLContext createSSLContext(SecurityStore keystore, SecurityStore trusts } String tmfAlgorithm = this.tmfAlgorithm != null ? this.tmfAlgorithm : TrustManagerFactory.getDefaultAlgorithm(); - TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm); + CommonNameLoggingTrustManagerFactoryWrapper tmf = CommonNameLoggingTrustManagerFactoryWrapper.getInstance(tmfAlgorithm);

Review Comment:
@omkreddy please have a look at the latest commits: I implemented a cache for faster rejection of known-invalid certificate chains. The test cases show that the result of the checks is equal to the unmodified trust store implementation, at least for the provided test data. However, a few extra cycles need to be spent on calculating the hash for the certificate chain and doing a lookup in the cache, even if the certificate chain is valid (there is no free lunch).
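
Review bot: On the `+` line in createSSLContext, `tmf` is now the concrete `CommonNameLoggingTrustManagerFactoryWrapper`, so every trust decision made through this SSLContext passes through the wrapper, yet nothing at the call site states what the wrapper is permitted to change. Please add a short comment at this line (or Javadoc on the wrapper's `getInstance`) saying that acceptance is always decided by the trust managers of the underlying factory for `tmfAlgorithm`, if that is the intent, and that the wrapper's own logic can only add logging or repeat an earlier rejection. For the cache of known-invalid chains described in the comment, please confirm in the PR that it stores rejections only, that it is bounded in size, and that entries expire or are scoped to one factory instance, so a chain rejected once is evaluated again when its validity period or the trust store contents change. The comment says the tests show equal results for the provided test data; a test that covers a previously rejected chain becoming valid would close that gap.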