[ https://issues.apache.org/jira/browse/KAFKA-5051?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Rajini Sivaram updated KAFKA-5051:
----------------------------------
       Resolution: Fixed
    Fix Version/s: 0.11.1.0
           Status: Resolved  (was: Patch Available)

Issue resolved by pull request 2835
[https://github.com/apache/kafka/pull/2835]

> Avoid DNS reverse lookup in security-critical TLS code path
> -----------------------------------------------------------
>
>                 Key: KAFKA-5051
>                 URL: https://issues.apache.org/jira/browse/KAFKA-5051
>             Project: Kafka
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.10.2.0
>            Reporter: Rajini Sivaram
>            Assignee: Rajini Sivaram
>             Fix For: 0.11.0.0, 0.11.1.0
>
>
> At the moment SSL engine is created using the hostname obtained using
> {{InetAddress#getHostName}} which performs unnecessary reverse DNS lookups.
> h2.Scenarios:
> h3. Server-side
> h4. Scenario: Server accepts connection from a client
> Broker knows only client IP address. At the moment broker does a reverse
> lookup. This is unnecessary since the server does not verify or use client
> hostname. It can block the network thread for several seconds in some
> configurations. The IP address should be used directly.
> h3. Client-side
> h4. Scenario: Client connects to server using hostname
> No lookup is necessary and the hostname is used to create the SSL engine.
> This hostname is validated against the hostname in SubjectAltName (dns) or
> CommonName in the certificate if hostname verification is enabled.
> Authentication fails if hostname does not match. This is handled correctly in
> the current code.
> h4. Scenario: Client connects to server using IP address, but certificate
> contains only SubjectAltName (dns)
> The current code does hostname verification using the hostname obtained
> through reverse name lookup. But use of reverse DNS lookup to determine
> hostname introduces a security vulnerability since authentication would be
> reliant on a secure DNS. Hence hostname verification should fail in this
> case.
> h4. Scenario: Client connects to server using IP address and certificate
> contains SubjectAltName (ipaddress).
> This could be used when Kafka is on a private network. The current code uses
> reverse DNS lookup to determine hostname. If reverse lookup succeeds,
> authentication fails since the hostname is matched against the IP address in
> the certificate. But if reverse lookup fails, SSL engine is created with the
> IP address and authentication succeeds. For consistency and to avoid
> dependency on a potentially insecure DNS, reverse DNS lookup should be
> avoided and the IP address specified by the client for connection should be
> used to create the SSL engine.

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
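
The behaviour the issue asks for, as an added example (not code from the Kafka project or from pull request 2835): the SSL engine is created from the host exactly as the caller specified it, using `InetSocketAddress#getHostString`, which does not perform a reverse lookup, and the JDK's "HTTPS" endpoint identification then checks that value against the certificate. The class and method names, the host name `broker1.example.test`, the address `192.0.2.10` and port 9093 are assumptions made for the illustration.

```java
import java.net.InetAddress;
import java.net.InetSocketAddress;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class PeerHostExample {

    // Returns the host as the caller supplied it: the name if the address was
    // built from a name, otherwise the IP literal. getHostString() never
    // triggers a reverse DNS lookup, unlike InetAddress#getHostName().
    static String peerHost(InetAddress address) {
        return new InetSocketAddress(address, 0).getHostString();
    }

    // Client-side engine with hostname verification enabled. With "HTTPS"
    // endpoint identification the JDK matches an IP literal against
    // SubjectAltName (ipaddress) entries and a name against
    // SubjectAltName (dns) or CommonName.
    static SSLEngine clientEngine(SSLContext context, String peerHost, int peerPort) {
        SSLEngine engine = context.createSSLEngine(peerHost, peerPort);
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        byte[] raw = {(byte) 192, 0, 2, 10}; // constructed sample address (TEST-NET-1)

        // Address known only by IP: the server-side case, or a client configured with an IP.
        InetAddress byIp = InetAddress.getByAddress(raw);
        // Address created from a hostname by the caller; no lookup happens here either.
        InetAddress byName = InetAddress.getByAddress("broker1.example.test", raw);

        System.out.println("IP-only peer host: " + peerHost(byIp));
        System.out.println("Named peer host:   " + peerHost(byName));

        // The engine is bound to the IP literal, so a certificate carrying only
        // SubjectAltName (dns) entries would fail verification for this connection.
        SSLEngine engine = clientEngine(SSLContext.getDefault(), peerHost(byIp), 9093);
        System.out.println("Engine peer host:  " + engine.getPeerHost() + " ("
                + engine.getSSLParameters().getEndpointIdentificationAlgorithm() + ")");
    }
}
```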