[ https://issues.apache.org/jira/browse/KAFKA-3700?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16658376#comment-16658376 ]

James Zheng edited comment on KAFKA-3700 at 10/21/18 8:36 PM:
--------------------------------------------------------------

I am using Kafka 0.11.0 and there is no such feature. I managed to use the native Java CRL JVM options and it works as expected. Since it is native Java, it should work with older versions of Kafka.
[https://tersesystems.com/blog/2014/03/22/fixing-certificate-revocation/]
Basically, I added this line before starting the broker,
{code:java}
java -Dcom.sun.security.enableCRLDP=true -Dcom.sun.net.ssl.checkRevocation=true
{code}
You have to set the Kafka environment variable $KAFKA_OPTS="java -Dcom.sun.security.enableCRLDP=true -Dcom.sun.net.ssl.checkRevocation=true"

Obviously, the broker's trust store should contain the private certificate authority (PCA), or PCA and the PCA points to a location that has the *.crl file. I haven't tested performance yet.
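The JVM flags above make the JDK fetch the CRL from the distribution point named in the client certificate at handshake time. The reporter's `ssl.crl.location` idea is the other common setup for a private CA: a CRL file on the broker's disk. The class below is an added illustration of what that looks like with standard JDK APIs (PKIX trust manager with a `PKIXRevocationChecker` fed from a local CRL). It is not Kafka's code and not part of the comment; the trust-store path, password and CRL path are placeholders, and the `main` only demonstrates the wiring.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CRL;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.EnumSet;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Builds an SSLContext whose trust manager rejects peer certificates listed in a
 * local CRL file. Illustration only; this is not Kafka's code.
 */
public final class LocalCrlTrustManager {

    /** Loads a PEM- or DER-encoded CRL from disk. */
    static X509CRL loadCrl(String crlPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(crlPath)) {
            return (X509CRL) cf.generateCRL(in);
        }
    }

    /** Loads the JKS trust store that holds the private CA certificate. */
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * PKIX parameters: trust anchors from the trust store, the CRL offered as a
     * CertStore, and a revocation checker that must use CRLs (no OCSP fallback).
     * Without SOFT_FAIL, a chain with no usable revocation data is rejected.
     */
    static PKIXBuilderParameters pkixParameters(KeyStore trustStore, X509CRL crl) throws Exception {
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(Collections.singletonList(crl))));
        PKIXRevocationChecker checker =
                (PKIXRevocationChecker) CertPathBuilder.getInstance("PKIX").getRevocationChecker();
        checker.setOptions(EnumSet.of(PKIXRevocationChecker.Option.PREFER_CRLS,
                                      PKIXRevocationChecker.Option.NO_FALLBACK));
        // The explicit checker replaces the default one; clear the default flag so
        // revocation is not evaluated twice with different settings.
        params.setRevocationEnabled(false);
        params.addCertPathChecker(checker);
        return params;
    }

    /** SSLContext whose trust decisions consult the local CRL for every handshake. */
    public static SSLContext sslContext(String trustStorePath, char[] trustStorePassword,
                                        String crlPath) throws Exception {
        PKIXBuilderParameters params =
                pkixParameters(loadTrustStore(trustStorePath, trustStorePassword), loadCrl(crlPath));
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(params));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Direct lookup of one certificate in the CRL, handy for diagnostics and tests. */
    public static boolean isRevoked(X509Certificate cert, X509CRL crl) {
        return crl.isRevoked(cert);
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths and password: substitute your own trust store and CRL.
        SSLContext ctx = sslContext("/path/to/truststore.jks", "changeit".toCharArray(),
                                    "/path/to/ca.crl");
        System.out.println("TLS context with local CRL checking ready: " + ctx.getProtocol());
    }
}
```

Two operational notes. First, `bin/kafka-run-class.sh` appends `$KAFKA_OPTS` to the `java` command it builds, so the variable holds only the flags, i.e. `export KAFKA_OPTS="-Dcom.sun.security.enableCRLDP=true -Dcom.sun.net.ssl.checkRevocation=true"`. Second, with those flags the broker performs a network fetch of the CRL during validation (cached by the JDK for the CRL's validity period), which is where any handshake latency would show up; a CRL loaded from disk as above avoids that round trip but must be refreshed by the operator before its `nextUpdate` time, or validation starts failing.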



> CRL support
> -----------
>
>                 Key: KAFKA-3700
>                 URL: https://issues.apache.org/jira/browse/KAFKA-3700
>             Project: Kafka
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.9.0.1
>            Reporter: Vincent Bernat
>            Priority: Major
>
> Hey!
> Currently, there is no way to specify a CRL to be checked when a client 
> presents its TLS certificate. Therefore, a revoked certificate is accepted. A 
> CRL can either be provided as a URL in a certificate, but with a private 
> authority it is more common to have one as a separate file. An 
> `ssl.crl.location` would come in handy to specify a CRL.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)