[ 
https://issues.apache.org/jira/browse/KAFKA-13607?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17501498#comment-17501498
 ] 

Kirk True commented on KAFKA-13607:
-----------------------------------

[~psmolinski] - if you're working on this, can you assign the Jira to yourself? 
Thanks.

> Cannot use PEM certificate coding when parent defined file-based
> ----------------------------------------------------------------
>
>                 Key: KAFKA-13607
>                 URL: https://issues.apache.org/jira/browse/KAFKA-13607
>             Project: Kafka
>          Issue Type: Bug
>          Components: clients, config, KafkaConnect
>    Affects Versions: 2.7.1, 3.0.0
>            Reporter: Piotr Smolinski
>            Priority: Major
>
> The problem applies to the situation when we create a Kafka client based on 
> a prepopulated config. If we have only partial control over the input we can 
> attempt to reset some values.
> KIP-651 added a new cool feature to use PEM coding of certificates as an 
> alternative to file stores. I have observed a problem in Confluent 
> Replicator. We have shifted the common configuration to the worker level and 
> assumed the connectors define only what is specific for them. The security 
> setup is mTLS, i.e. we need both the client cert and the trusted chain. Our 
> default configuration has both in PKCS12 files, but we had to reverse the 
> replication direction and redefine the destination coordinates. For these we 
> have certificates, and having KIP-651 we could specify them as connector 
> params as opposed to making a worker deployment change.
> It turned out that we cannot override ssl.keystore.location, 
> ssl.keystore.password, etc. simply with empty values, because the code in 
> DefaultSslEngineFactory checks if the entry is null. We can only override 
> it to an empty string.
> DefaultSslEngineFactory should treat the unexpected configuration entries 
> as absent when they are null, but also when the given entry is an empty 
> string.
> For a workaround I have created a hacky patch that fixes the behaviour:
> https://github.com/piotrsmolinski/kafka-ssl-fix
>  



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

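The situation the reporter describes, as an added illustration that is not part of the Jira thread and not Kafka's own DefaultSslEngineFactory: a worker-level config carries file-based keystore settings, a connector overlays PEM material and can only "unset" the inherited entries with empty strings, and the outcome depends on whether the factory treats "" as present or as absent. The selection rule in select() (PEM key wins; a PEM key alongside a present keystore location or password is a conflict) is a simplified assumption modelled on the issue text, and the config keys, paths and PEM placeholders are constructed sample data.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Reduced model of keystore selection for KAFKA-13607 (added example, not
 * Kafka code). Shows why an empty-string override of a worker-level
 * keystore entry behaves differently from a null one.
 */
public class KeystoreOverrideExample {

    static final String LOCATION = "ssl.keystore.location";
    static final String PASSWORD = "ssl.keystore.password";
    static final String PEM_KEY = "ssl.keystore.key";
    static final String PEM_CHAIN = "ssl.keystore.certificate.chain";

    /** Outcome of the modelled selection. */
    enum Result { FILE_KEYSTORE, PEM, NONE, CONFLICT }

    /**
     * Assumed rule (simplified from the issue): PEM key material takes
     * precedence, but a PEM key combined with a "present" file-store
     * location or password is rejected as conflicting. What counts as
     * "present" is controlled by emptyMeansAbsent.
     */
    static Result select(Map<String, String> cfg, boolean emptyMeansAbsent) {
        boolean pemKey = present(cfg.get(PEM_KEY), emptyMeansAbsent);
        boolean location = present(cfg.get(LOCATION), emptyMeansAbsent);
        boolean password = present(cfg.get(PASSWORD), emptyMeansAbsent);
        if (pemKey) {
            return (location || password) ? Result.CONFLICT : Result.PEM;
        }
        if (location) {
            return Result.FILE_KEYSTORE;
        }
        return Result.NONE;
    }

    /**
     * emptyMeansAbsent=false: only null is "absent" (the behaviour reported).
     * emptyMeansAbsent=true : null or "" is "absent" (the behaviour requested).
     */
    static boolean present(String value, boolean emptyMeansAbsent) {
        if (value == null) {
            return false;
        }
        return !(emptyMeansAbsent && value.isEmpty());
    }

    /** Worker-level defaults overlaid with connector-level overrides. */
    static Map<String, String> merge(Map<String, String> worker,
                                     Map<String, String> connector) {
        Map<String, String> merged = new HashMap<>(worker);
        merged.putAll(connector); // connector keys win, "" values included
        return merged;
    }

    public static void main(String[] args) {
        // Constructed sample: the worker deployment uses PKCS12 files.
        Map<String, String> worker = new HashMap<>();
        worker.put(LOCATION, "/etc/kafka/worker.p12");
        worker.put(PASSWORD, "worker-secret");

        // Constructed sample: the connector redefines the destination with
        // PEM material. A connector config cannot carry null, so the only
        // way to "unset" the inherited entries is an empty string.
        Map<String, String> connector = new HashMap<>();
        connector.put(LOCATION, "");
        connector.put(PASSWORD, "");
        connector.put(PEM_KEY, "-----BEGIN PRIVATE KEY-----\n"
                + "(constructed placeholder)\n-----END PRIVATE KEY-----");
        connector.put(PEM_CHAIN, "-----BEGIN CERTIFICATE-----\n"
                + "(constructed placeholder)\n-----END CERTIFICATE-----");

        Map<String, String> merged = merge(worker, connector);
        System.out.println("null-only check   : " + select(merged, false));
        System.out.println("blank-as-absent   : " + select(merged, true));
    }
}
```

With the null-only check the merged config is rejected as a conflict, because the inherited location and password survive the override as empty strings that are still non-null; with the blank-as-absent check the same config selects the PEM material, which is the behaviour the issue asks for. The practitioner caveat is the reverse direction: once "" is treated as absent, a genuinely misconfigured empty ssl.keystore.location silently falls through to "no keystore" instead of failing to open a file, so the PEM path should still be validated (key and chain both present, chain parseable) before the factory is considered correctly configured.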