We use almost the same properties (the same if you account for defaults), and have not seen any check whether the FQDN matches the CN, as it's all working without matching names. It seems the requirement is only needed if you use SASL_SSL as security protocol, which from your config you don't seem to do (just SSL).
On Wed, Jun 1, 2016 at 9:19 AM Phi Primed <phipri...@gmail.com> wrote:

> I am using Kafka v 0.9 with TLS enabled, including client auth.
>
> In
> http://www.confluent.io/blog/apache-kafka-security-authorization-authentication-encryption,
> it is mentioned that "We need to generate a key and certificate for each
> broker and client in the cluster. The common name (CN) of the broker
> certificate must match the fully qualified domain name (FQDN) of the server
> as the client compares the CN with the DNS domain name to ensure that it is
> connecting to the desired broker (instead of a malicious one)."
>
> 1) Is there a specific additional configuration parameter to enable this or
> does it always happen if the other TLS/SSL parameters are set (as e.g.
> shown below)?
>
> 2) Is it possible to make the broker(s) carry out the same check against
> client certificates if SSL client auth is enabled?
>
> Regards,
> Phi
>
> listeners=SSL://:9093
>
> authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
>
> super.users=User:CN=broker1.mydomain.com,OU=ABC,O=XYZ,L=SFO,ST=CA,C=US
>
> ssl.keystore.location=/opt/ssl/kafka.server.keystore.jks
> ssl.keystore.password=test1234
> ssl.key.password=test1234
> ssl.truststore.location=/opt/ssl/kafka.server.truststore.jks
> ssl.truststore.password=test1234
>
> ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
> ssl.keystore.type=JKS
> ssl.truststore.type=JKS
>
> security.inter.broker.protocol=SSL
>
> ssl.client.auth=required
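As an added example (not from this thread and not Kafka's own code), here is the CN/SAN-versus-FQDN comparison the quoted blog post describes, written so you can run it against a broker certificate as returned by Python's `ssl` `getpeercert()`; in the Java client that check is switched on by `ssl.endpoint.identification.algorithm`, which is absent from the properties above, so with the config shown no hostname matching happens. The sample certificates are constructed; `verify_broker_cert` and the helper names are this example's own.

```python
from typing import Dict, List, Tuple

# Certificate shape mirrors ssl.SSLSocket.getpeercert(): "subject" is a tuple of
# RDN tuples of (type, value) pairs; "subjectAltName" is a tuple of (type, value).
Cert = Dict[str, object]

def _dns_names(cert: Cert) -> Tuple[List[str], bool]:
    """SAN dNSName entries if present (CN is then ignored), else the subject CN."""
    sans = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans, True
    cn = [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]
    return cn, False

def _label_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: case-insensitive, one '*' allowed, leftmost label only."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    first, _, rest = pattern.partition(".")
    if first != "*" or not rest or "*" in rest:
        return False                      # reject "br*ker.example" and "*.*.com"
    h_first, _, h_rest = hostname.partition(".")
    return bool(h_first) and h_rest == rest   # the wildcard must not span a dot

def verify_broker_cert(cert: Cert, fqdn: str) -> Tuple[bool, str]:
    """Return (ok, reason) for whether `cert` identifies the host `fqdn`."""
    names, from_san = _dns_names(cert)
    source = "SAN" if from_san else "CN"
    if not names:
        return False, "certificate carries neither a SAN dNSName nor a subject CN"
    for name in names:
        if _label_matches(name, fqdn):
            return True, f"{fqdn} matches {source} {name!r}"
    return False, f"{fqdn} matches none of {names} ({source})"

# Constructed sample certificates (hypothetical values, not from any real broker).
BROKER1_CERT: Cert = {
    "subject": ((("commonName", "broker1.mydomain.com"),), (("organizationName", "XYZ"),)),
}
WILDCARD_CERT: Cert = {
    "subject": ((("commonName", "ignored.example"),),),
    "subjectAltName": (("DNS", "*.mydomain.com"),),
}

if __name__ == "__main__":
    for cert, host in [(BROKER1_CERT, "broker1.mydomain.com"), (BROKER1_CERT, "broker2.mydomain.com"),
                       (WILDCARD_CERT, "broker1.mydomain.com"), (WILDCARD_CERT, "a.b.mydomain.com")]:
        print(verify_broker_cert(cert, host))
```

For question 2, the same function can be applied to a client certificate on the broker side, but the broker in the config above identifies clients by the full DN (as the `super.users` line shows), not by comparing a name to the client's address.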