Rajini Sivaram created KAFKA-5051:
-------------------------------------

             Summary: Avoid DNS reverse lookup in security-critical TLS code path
                 Key: KAFKA-5051
                 URL: https://issues.apache.org/jira/browse/KAFKA-5051
             Project: Kafka
          Issue Type: Bug
          Components: security
    Affects Versions: 0.10.2.0
            Reporter: Rajini Sivaram
            Assignee: Rajini Sivaram
             Fix For: 0.11.0.0


At the moment the SSL engine is created using the hostname obtained via 
{{InetAddress#getHostName}}, which performs unnecessary reverse DNS lookups.

h2. Scenarios:

h3. Server-side
h4. Scenario: Server accepts connection from a client
The broker knows only the client's IP address. At the moment the broker does a 
reverse lookup. This is unnecessary since the server does not verify or use the 
client hostname, and it can block the network thread for several seconds in 
some configurations. The IP address should be used directly.

h3. Client-side
h4. Scenario: Client connects to server using hostname
No lookup is necessary and the hostname is used to create the SSL engine. If 
hostname verification is enabled, this hostname is validated against the 
SubjectAltName (dns) entries or the CommonName in the certificate. 
Authentication fails if the hostname does not match. This is handled correctly 
in the current code.

h4. Scenario: Client connects to server using IP address, but certificate 
contains only SubjectAltName (dns)
The current code does hostname verification using the hostname obtained through 
a reverse name lookup. But using a reverse DNS lookup to determine the hostname 
introduces a security vulnerability, since authentication would then rely on 
DNS being secure. Hence hostname verification should fail in this case.

h4. Scenario: Client connects to server using IP address and certificate 
contains SubjectAltName (ipaddress)
This could be used when Kafka is on a private network. The current code uses a 
reverse DNS lookup to determine the hostname. If the reverse lookup succeeds, 
authentication fails since the resolved hostname is matched against the IP 
address in the certificate. But if the reverse lookup fails, the SSL engine is 
created with the IP address and authentication succeeds. For consistency and to 
avoid a dependency on potentially insecure DNS, the reverse DNS lookup should be 
avoided and the IP address specified by the client for the connection should be 
used to create the SSL engine.
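The four scenarios above reduce to one rule: the name handed to the TLS engine for endpoint identification must be the name the client actually dialed (a hostname or an IP literal), and a dialed IP literal is checked only against iPAddress SANs, never against a reverse-resolved name. The following is an added example illustrating that rule, not Kafka's code; the function names, the SAN lists and the sample certificate values are constructed for the illustration. It follows the matching rules JSSE applies under the "HTTPS" endpoint identification algorithm (dNSName SANs for hostnames with a leftmost-label wildcard, CommonName only as a fallback when no dNSName SAN exists, iPAddress SANs only for IP literals), and it performs no DNS query of any kind.

```python
"""Hostname verification decision without reverse DNS (added example, not
Kafka's implementation). The dialed target is classified syntactically and
matched against the certificate's SAN entries; nothing here touches DNS."""
import ipaddress
from typing import Iterable, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def parse_ip_literal(target: str) -> Optional[IPAddr]:
    """Return the address if `target` is an IPv4/IPv6 literal, else None.
    Deciding this from the string alone is the point: no lookup is made."""
    try:
        return ipaddress.ip_address(target)
    except ValueError:
        return None


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match a dNSName SAN (or CN) against the dialed hostname: case-insensitive,
    trailing dot ignored, '*' allowed only as the entire leftmost label and only
    when the pattern has at least three labels (so '*.com' never matches)."""
    p = pattern.lower().rstrip(".")
    h = hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h
    p_labels, h_labels = p.split("."), h.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def verify_peer(dialed: str, san_dns: Iterable[str] = (), san_ip: Iterable[str] = (),
                cn: Optional[str] = None) -> bool:
    """Decide whether the certificate identifies the endpoint the client dialed.
    `san_dns` / `san_ip` are the certificate's dNSName / iPAddress SAN values
    (constructed inputs here; a real caller would extract them from the cert)."""
    san_dns, san_ip = list(san_dns), list(san_ip)
    ip = parse_ip_literal(dialed)
    if ip is not None:
        # Client dialed an IP literal: only iPAddress SANs may match. dNSName
        # entries and the CN are ignored and the literal is never reverse-resolved,
        # so a certificate carrying only dNSName SANs fails here (scenario 3),
        # while a matching iPAddress SAN succeeds regardless of DNS (scenario 4).
        return any(ip == parse_ip_literal(s) for s in san_ip)
    # Client dialed a hostname (scenario 2): only dNSName SANs count; the CN is
    # consulted only when the certificate carries no dNSName SAN at all.
    if san_dns:
        return any(dns_name_matches(p, dialed) for p in san_dns)
    return cn is not None and dns_name_matches(cn, dialed)


def peer_host_for_server_engine(accepted_peer: tuple) -> str:
    """Server side (scenario 1): the peer address tuple returned by
    socket.accept() already holds the client IP; hand that literal (normalised)
    to the SSL engine instead of reverse-resolving it on the network thread."""
    return str(ipaddress.ip_address(accepted_peer[0]))


if __name__ == "__main__":
    # Constructed sample values for the scenarios in the issue.
    print(verify_peer("broker1.example.com", san_dns=["*.example.com"]))   # True
    print(verify_peer("10.0.0.5", san_dns=["broker1.example.com"]))        # False
    print(verify_peer("10.0.0.5", san_ip=["10.0.0.5"]))                    # True
    print(peer_host_for_server_engine(("0:0:0:0:0:0:0:1", 51234, 0, 0)))   # ::1
```

Note that the IP-literal branch is where the reverse lookup used to leak in: replacing `dialed` with a resolved name before matching would make the outcome depend on the resolver, which is exactly the dependency the issue asks to remove.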



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)