Ryan P created KAFKA-3667:
-----------------------------
Summary: Improve Section 7.2 Encryption and Authentication using
SSL to include proper hostname verification configuration
Key: KAFKA-3667
URL: https://issues.apache.org/jira/browse/KAFKA-3667
Project: Kafka
Issue Type: Improvement
Components: security
Reporter: Ryan P
Kafka's documentation should include additional guidance on how to properly
enable SSL with hostname verification.
1. Hostname verification will not be performed if
ssl.endpoint.identification.algorithm has not been set.
Failing to enable this will leave Kafka susceptible to 'man-in-the-middle
attacks' as describe in the [oracle java api docs.
|https://docs.oracle.com/javase/7/docs/api/javax/net/ssl/X509ExtendedTrustManager.html]
2. The docs should also include instructions on how to strictly comply with
[RFC-2818|https://tools.ietf.org/html/rfc2818#section-3.1]. This will require
adding the DNS SAN extension.
[keytool|http://docs.oracle.com/javase/7/docs/technotes/tools/windows/keytool.html]
It's worth noting in the docs that placing the FQDN in the CN is still valid
despite being less than ideal as well.
3. KAFKA-3365 aims to set the default value for
ssl.endpoint.identification.algorithm to HTTPS. This improvement JIRA aims to
document the behavior changes introduced.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
