[ https://issues.apache.org/jira/browse/KAFKA-14770?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Rajini Sivaram resolved KAFKA-14770.
------------------------------------
    Reviewer: Manikumar
    Resolution: Fixed

> Allow dynamic keystore update for brokers if string representation of DN matches even if canonical DNs don't match
> ------------------------------------------------------------------------------------------------------------------
>
>                 Key: KAFKA-14770
>                 URL: https://issues.apache.org/jira/browse/KAFKA-14770
>             Project: Kafka
>          Issue Type: Improvement
>          Components: security
>            Reporter: Rajini Sivaram
>            Assignee: Rajini Sivaram
>            Priority: Major
>             Fix For: 3.5.0
>
>
> To avoid mistakes during dynamic broker config updates that could potentially
> affect clients, we restrict changes that can be performed dynamically without
> broker restart. For broker keystore updates, we require the DN to be the same
> for the old and new certificates since this could potentially contain host
> names used for host name verification by clients. DNs are compared using the
> standard Java implementation of X500Principal.equals(), which compares
> canonical names. If the tag of a field changes from one with a printable string
> representation to one without, or vice versa, the canonical name check fails even
> if the actual name is the same, since the canonical representation converts to hex
> for some tags only. We can relax the verification to allow dynamic updates in
> this case by enabling dynamic update if either the canonical name or the
> RFC2253 string representation of the DN matches.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
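The mismatch the issue describes can be reproduced with two hand-built DER encodings of the same name, "CN=test", differing only in the ASN.1 string tag of the attribute value (PrintableString versus IA5String). The following is an added illustration and is not Kafka's code: the byte arrays are constructed here, and `dnMatches` is a hypothetical helper showing the relaxed "canonical or RFC2253" comparison the issue proposes, not the method Kafka actually ships. It relies only on the public `javax.security.auth.x500.X500Principal` API: `equals()` compares the `CANONICAL` forms, while `getName(X500Principal.RFC2253)` keeps both values as plain strings.

```java
import javax.security.auth.x500.X500Principal;

public class DnComparison {

    // Constructed DER for the X.500 Name "CN=test" with the value
    // encoded as a PrintableString (universal tag 0x13).
    static final byte[] CN_TEST_PRINTABLE = {
        0x30, 0x0F,                         // SEQUENCE (Name), 15 bytes
          0x31, 0x0D,                       //   SET (RelativeDistinguishedName), 13 bytes
            0x30, 0x0B,                     //     SEQUENCE (AttributeTypeAndValue), 11 bytes
              0x06, 0x03, 0x55, 0x04, 0x03, //       OBJECT IDENTIFIER 2.5.4.3 (commonName)
              0x13, 0x04, 0x74, 0x65, 0x73, 0x74 // PrintableString "test"
    };

    // Same name, same value bytes, but tagged as IA5String (universal tag 0x16).
    static final byte[] CN_TEST_IA5 = {
        0x30, 0x0F,
          0x31, 0x0D,
            0x30, 0x0B,
              0x06, 0x03, 0x55, 0x04, 0x03,
              0x16, 0x04, 0x74, 0x65, 0x73, 0x74 // IA5String "test"
    };

    // X500Principal.equals() is defined in terms of getName(CANONICAL),
    // which hex-encodes DirectoryString values other than PrintableString
    // and UTF8String. This is the strict check that rejects the update.
    static boolean canonicalMatches(X500Principal a, X500Principal b) {
        return a.equals(b);
    }

    // The RFC2253 string form keeps IA5String, T61String, BMPString, etc.
    // as readable text, so two encodings of the same name compare equal here.
    static boolean rfc2253Matches(X500Principal a, X500Principal b) {
        return a.getName(X500Principal.RFC2253)
                .equals(b.getName(X500Principal.RFC2253));
    }

    // Hypothetical relaxed check in the spirit of the issue: accept the new
    // certificate if either the canonical or the RFC2253 form matches.
    static boolean dnMatches(X500Principal oldDn, X500Principal newDn) {
        return canonicalMatches(oldDn, newDn) || rfc2253Matches(oldDn, newDn);
    }

    public static void main(String[] args) {
        X500Principal oldCert = new X500Principal(CN_TEST_PRINTABLE);
        X500Principal newCert = new X500Principal(CN_TEST_IA5);

        System.out.println("RFC2253   old: " + oldCert.getName(X500Principal.RFC2253));
        System.out.println("RFC2253   new: " + newCert.getName(X500Principal.RFC2253));
        System.out.println("CANONICAL old: " + oldCert.getName(X500Principal.CANONICAL));
        System.out.println("CANONICAL new: " + newCert.getName(X500Principal.CANONICAL));

        System.out.println("equals() (canonical) : " + canonicalMatches(oldCert, newCert));
        System.out.println("RFC2253 string match : " + rfc2253Matches(oldCert, newCert));
        System.out.println("relaxed dnMatches    : " + dnMatches(oldCert, newCert));
    }
}
```

Running this prints identical RFC2253 strings for both principals while the canonical forms differ (the IA5String value appears as a `#`-prefixed hex blob), so `equals()` reports false and only the relaxed check accepts the pair. The check still rejects a certificate whose subject name actually changes, since a different CN produces a different RFC2253 string as well.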