Grant Henke created KAFKA-4525:
----------------------------------

             Summary: Kafka should not require SSL trust store password
                 Key: KAFKA-4525
                 URL: https://issues.apache.org/jira/browse/KAFKA-4525
             Project: Kafka
          Issue Type: Bug
          Components: security
    Affects Versions: 0.9.0.0
            Reporter: Grant Henke
            Assignee: Grant Henke


When configuring SSL for Kafka, if the truststore password is not set, Kafka 
fails to start with:
{noformat}
org.apache.kafka.common.KafkaException: SSL trust store is specified, but trust store password is not specified.
        at org.apache.kafka.common.security.ssl.SslFactory.createTruststore(SslFactory.java:195)
        at org.apache.kafka.common.security.ssl.SslFactory.configure(SslFactory.java:115)
{noformat}

The truststore password is not required for read operations. When reading the 
truststore, the password is used only to verify the store's integrity; that check 
is optional, and the store's certificates can be read without it.

The risk of not providing a password is that someone could add a certificate 
into the store which you do not want to trust. The store should be protected 
first by the OS permissions. The password is an additional protection.

Though relying on OS permissions alone is a risk many may not want to take, it's 
not a decision that Kafka should enforce or require.
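As an added illustration (not code from the Kafka issue or code base) of why the password is only an integrity check, this Java program builds a constructed JKS truststore and reads it with a null password, a wrong password, and after tampering with its trailing digest. It assumes the standard JDK layout of java.home/lib/security/cacerts so it can borrow one real CA certificate.

```java
import java.io.*;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;

public class TruststorePasswordDemo {

    /** Load a JKS truststore from bytes; a null password skips the integrity check. */
    static KeyStore loadJks(byte[] bytes, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(new ByteArrayInputStream(bytes), password);
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // Borrow one CA certificate from the JDK's own truststore, itself read with a
        // null password (assumption: standard JDK layout of java.home/lib/security/cacerts).
        KeyStore cacerts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(Paths.get(
                System.getProperty("java.home"), "lib", "security", "cacerts").toFile())) {
            cacerts.load(in, null);
        }
        String alias = cacerts.aliases().nextElement();
        Certificate ca = cacerts.getCertificate(alias);

        // Constructed truststore: one trusted cert, written with a password.
        KeyStore store = KeyStore.getInstance("JKS");
        store.load(null, null);                      // initialise an empty store
        store.setCertificateEntry(alias, ca);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        store.store(out, "changeit".toCharArray());
        byte[] bytes = out.toByteArray();

        // 1. Null password: read succeeds and the trusted certificate is usable.
        System.out.println("null password     -> " + loadJks(bytes, null).size() + " cert(s) loaded");

        // 2. Wrong password: the trailing digest does not verify, load fails.
        try { loadJks(bytes, "wrong".toCharArray()); }
        catch (IOException e) { System.out.println("wrong password    -> " + e.getMessage()); }

        // 3. Tampered digest byte: detected only when a password is supplied.
        byte[] tampered = bytes.clone();
        tampered[tampered.length - 1] ^= 0x01;
        System.out.println("tampered, no pw   -> " + loadJks(tampered, null).size() + " cert(s) loaded");
        try { loadJks(tampered, "changeit".toCharArray()); }
        catch (IOException e) { System.out.println("tampered, good pw -> " + e.getMessage()); }
    }
}
```

Case 3 is the trade-off the report describes: without a password nothing in Kafka detects a modified store, so file permissions must carry that protection.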



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)