Hi Richard,

Thanks for your response.

We are using the IP in the advertised.listener and also passing the IP in the property 
'bootstrap.servers' while instantiating the KafkaConsumer class. But in the server 
certificate only a DNS name is used as the SAN, and not the IP, due to some security concerns.

Regarding disabling the hostname verifier, we are able to do it by setting the 
client property ssl.endpoint.identification.algorithm to an empty string. But 
the customer is asking the query below, which can only be answered by the 
Kafka team:

Query: Is there any way to enable the hostname verification for Kafka 
communication between broker and client without specifying the IP address in 
SAN?

Regards,
Deepak
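
The check that produces the "No subject alternative names matching IP address" error is Java's TLS endpoint identification, which Kafka clients run by default (ssl.endpoint.identification.algorithm=https). The following is an added example, not code from this thread or from Apache Kafka: a small Python model of that check applied to every TLS session a client opens, the bootstrap.servers entries first and then the addresses the broker advertises (the broker properties are `listeners` and `advertised.listeners`). It assumes the same rules Java applies: an IP literal is matched only against IP SANs, a hostname only against DNS SANs (with a single leftmost wildcard label), and the name compared is the string the client connected with, so no /etc/hosts mapping turns an IP into a name. All hostnames, IPs and SAN entries are constructed.

```python
"""Model of Kafka client TLS endpoint identification (added example, not Kafka code).

Constructed scenario: a broker certificate whose SAN carries only a DNS name,
and a client that connects by IP or by hostname.
"""
import ipaddress
from typing import Dict, List, Tuple

SanEntry = Tuple[str, str]  # ("DNS", "broker1.kafka.example.com") or ("IP", "10.0.0.5")


def is_ip_literal(target: str) -> bool:
    """True when the client connected using an IP address rather than a name."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def dns_name_matches(pattern: str, host: str) -> bool:
    """Exact match, or a single leftmost wildcard that stands for exactly one label:
    *.kafka.example.com matches broker1.kafka.example.com, not a.b.kafka.example.com."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and pattern.count(".") >= 2:
        host_labels = host.split(".")
        return len(host_labels) >= 3 and ".".join(host_labels[1:]) == pattern[2:]
    return False


def verify_endpoint(target: str, sans: List[SanEntry], algorithm: str = "https") -> Tuple[bool, str]:
    """Decide whether the server certificate's SANs identify `target`, the host
    string the client used to connect. An IP literal is compared only against IP
    SANs and a hostname only against DNS SANs; there is no reverse lookup."""
    if algorithm == "":
        return True, "endpoint identification disabled by client config"
    if is_ip_literal(target):
        ip = ipaddress.ip_address(target)
        for kind, value in sans:
            try:
                if kind == "IP" and ipaddress.ip_address(value) == ip:
                    return True, f"IP SAN {value} matches {target}"
            except ValueError:
                continue  # malformed IP SAN entry, ignore it
        return False, f"No subject alternative names matching IP address {target} found"
    for kind, value in sans:
        if kind == "DNS" and dns_name_matches(value, target):
            return True, f"DNS SAN {value} matches {target}"
    return False, f"No subject alternative DNS name matching {target} found"


def host_of(endpoint: str) -> str:
    """'SSL://broker1:9092', 'broker1:9092' or '[::1]:9092' -> host part."""
    hostport = endpoint.split("://", 1)[-1]
    if hostport.startswith("["):  # bracketed IPv6 literal
        return hostport[1 : hostport.index("]")]
    return hostport.rsplit(":", 1)[0]


def kafka_client_handshakes(bootstrap_servers: str, advertised_listeners: str,
                            sans: List[SanEntry], algorithm: str = "https") -> Dict[str, Tuple[bool, str]]:
    """Run the check for every TLS session a client opens: each bootstrap.servers
    entry, then each advertised listener the broker returns in metadata."""
    hops = [h.strip() for h in bootstrap_servers.split(",") + advertised_listeners.split(",")]
    return {hop: verify_endpoint(host_of(hop), sans, algorithm) for hop in hops}


def all_hops_ok(results: Dict[str, Tuple[bool, str]]) -> bool:
    return all(ok for ok, _ in results.values())


# Constructed broker certificate: a DNS SAN only, no IP SAN.
BROKER_SANS: List[SanEntry] = [("DNS", "broker1.kafka.example.com")]

if __name__ == "__main__":
    scenarios = {
        "IP everywhere (as in the thread)": ("10.0.0.5:9092", "SSL://10.0.0.5:9092"),
        "hostname advertised, IP bootstrap": ("10.0.0.5:9092", "SSL://broker1.kafka.example.com:9092"),
        "hostname everywhere": ("broker1.kafka.example.com:9092", "SSL://broker1.kafka.example.com:9092"),
    }
    for name, (bootstrap, advertised) in scenarios.items():
        results = kafka_client_handshakes(bootstrap, advertised, BROKER_SANS)
        print(f"{name}: {'OK' if all_hops_ok(results) else 'FAIL'}")
        for hop, (ok, reason) in results.items():
            print(f"  {hop}: {reason}")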

-----Original Message-----
From: Richard Bosch <richard.bo...@axual.com> 
Sent: 13 July 2022 20:57
To: users@kafka.apache.org
Subject: Re: Inquiry about using SSL encryption and SASL authentication for 
Kafka without specifying IP address in SAN in the CA certificate



Hi Deepak,

I'm not sure what you mean by IP in the CA certificate?
The CA certificates are used to determine who signed a provided certificate and 
if it is valid.
So when I connect to a broker using an IP address, then the server must provide 
a server certificate containing the IP as SAN to verify the handshake and 
signed by a CA that the client trusts.

If the IP address is used in the advertised listener configuration, or if only 
the listener is configured with the IP address, then the client will fail as well, 
because the client will open a new connection using the addresses provided by 
the broker, which are IP based.

Can you check that the IP address is set as SAN in the broker Server 
certificates?
And that the Kafka Broker configuration uses listeners like this?
listener=SSL://1.2.3.4:9092
advertised.listener=SSL://hostname:9092

This means that the hostname is used to connect to the broker, and the hostname 
must be in the SAN to successfully connect.

How did you try to disable the hostname verifier? I'm not sure why setting the 
client property ssl.endpoint.identification.algorithm to an empty string did 
not work.

Kind regards,


Richard Bosch

Developer Advocate

Axual BV



On Tue, Jul 12, 2022 at 7:40 PM Deepak Jain <deepak.j...@cumulus-systems.com>
wrote:

> Hello,
>
> Can anyone please help me regarding the below query regarding SSL 
> communication in Kafka:
>
> Query: Is there any way to enable the hostname verification for Kafka 
> communication between broker and client without specifying the IP 
> address in SAN?
>
> Regards,
> Deepak
>
> From: Deepak Jain
> Sent: 08 July 2022 01:23
> To: Luke Chen <show...@gmail.com>
> Cc: users@kafka.apache.org
> Subject: Inquiry about using SSL encryption and SASL authentication 
> for Kafka without specifying IP address in SAN in the CA certificate
>
> Hi Luke,
>
> We are using Kafka 2.8.1 Broker/Client system in our prod environment 
> with SASL_SSL communication between Kafka Clients and Broker.  We are 
> using the IP for the property "bootstrap.servers" while initiating the 
> KafkaConsumer.
> For some reason, one of our customers is unable to use the IP in the 
> CA certificate and provided only the hostname in the SAN entry of the 
> certificate, due to which he is getting the following exception in the logs:
>
> org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
> Caused by: javax.net.ssl.SSLHandshakeException: No subject alternative names matching IP address xx.xx.xx.xx found
>     at sun.security.ssl.Alert.createSSLException(Alert.java:131)
>     at sun.security.ssl.TransportContext.fatal(TransportContext.java:324)
>     at sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
>     at sun.security.ssl.TransportContext.fatal(TransportContext.java:262)
>     at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
>
> Even after disabling the hostname verifier, he is unable to send the 
> data from Client to broker. He has also added the IP-to-hostname entry 
> for the broker in the /etc/hosts file.
>
> Can you please let us know:
>
>
>   1.  Are both the IP and DNS fields mandatory in the SAN for Kafka certificates?
>   2.  If not, why is the communication failing without the IP?
>
>
> Regards,
> Deepak Jain
> Cumulus Systems
>
