We would like to know if there is any mechanism to pre-authenticate broker users first (basic authentication or certificate authentication) so that a connection attempt is made on the broker only if the credentials/certificate are valid. We are seeing a case where some users are either using an invalid user name/password or an invalid certificate (expired, missing private key, or different cases of SSL handshake failure) to connect to brokers.

Since such applications keep running with invalid authentication and take a lot of time to fix from the client side, we are seeing too many connection attempts being made which subsequently fail on the broker. Broker logs also get filled very fast because of it. We can't just block the erring IPs, as the same IP can host both a good and a bad application; blocking the IP would also block the well-behaving application. Some broker versions (e.g. 2.27.1) are very sensitive to such errors, and it impacted normal broker operations: new good connections were denied or delayed, existing consumers were not able to pull messages, or clustering and movement of messages across the cluster was impacted. We would like to explore any proxy or pre-authentication mechanism where such erring consumers are not allowed to make any connection attempt at all, thus safeguarding the broker. Any input or lead will be very useful.

Thanks,
Shiv