Hi Phil,

You are right that the check is not done by default. We have a couple of JIRAs tracking that:

https://issues.apache.org/jira/browse/KAFKA-3665
https://issues.apache.org/jira/browse/KAFKA-3667

Enabling the check is a matter of setting `ssl.endpoint.identification.algorithm` to `https`, but please check the JIRAs for more details.

Ismael

On Wed, Jun 1, 2016 at 8:18 AM, Phi Primed <phipri...@gmail.com> wrote:

> I am using Kafka v 0.9 with TLS enabled, including client auth.
>
> In
> http://www.confluent.io/blog/apache-kafka-security-authorization-authentication-encryption
> it is mentioned that "We need to generate a key and certificate for each
> broker and client in the cluster. The common name (CN) of the broker
> certificate must match the fully qualified domain name (FQDN) of the server
> as the client compares the CN with the DNS domain name to ensure that it is
> connecting to the desired broker (instead of a malicious one)."
>
> 1) Is there a specific additional configuration parameter to enable this or
> does it always happen if the other TLS/SSL parameters are set (as e.g.
> shown below)?
>
> 2) Is it possible to make the broker(s) carry out the same check against
> client certificates if SSL client auth is enabled?
>
> Regards,
> Phi
>
> listeners=SSL://:9093
>
> authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
>
> super.users=User:CN=broker1.mydomain.com,OU=ABC,O=XYZ,L=SFO,ST=CA,C=US
>
> ssl.keystore.location=/opt/ssl/kafka.server.keystore.jks
> ssl.keystore.password=test1234
> ssl.key.password=test1234
> ssl.truststore.location=/opt/ssl/kafka.server.truststore.jks
> ssl.truststore.password=test1234
>
> ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
> ssl.keystore.type=JKS
> ssl.truststore.type=JKS
>
> security.inter.broker.protocol=SSL
>
> ssl.client.auth=required
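The setting Ismael points to, as an added example that is not from the thread or from Kafka itself: a small Python checker that parses a properties file like the one Phi quoted and reports whether hostname verification is enabled, assuming the 0.9-era behaviour described here (the check is off unless `ssl.endpoint.identification.algorithm` is explicitly `https`). The sample config is constructed from the quoted broker config with the passwords replaced by placeholders.

```python
"""Check a Kafka properties file for TLS hostname verification (added example,
not Kafka's code). Assumes the 0.9-era behaviour Ismael describes: the check
is off unless ssl.endpoint.identification.algorithm is explicitly "https"."""
import re

HOSTNAME_KEY = "ssl.endpoint.identification.algorithm"

# Constructed sample: the broker config Phi quoted, passwords replaced by placeholders.
BROKER_CONFIG = """
listeners=SSL://:9093
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
super.users=User:CN=broker1.mydomain.com,OU=ABC,O=XYZ,L=SFO,ST=CA,C=US
ssl.keystore.location=/opt/ssl/kafka.server.keystore.jks
ssl.keystore.password=<keystore-password>
ssl.key.password=<key-password>
ssl.truststore.location=/opt/ssl/kafka.server.truststore.jks
ssl.truststore.password=<truststore-password>
ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
security.inter.broker.protocol=SSL
ssl.client.auth=required
"""


def parse_properties(text):
    """Minimal Java .properties parser: key=value or key:value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def hostname_verification_findings(props):
    """Return findings about hostname verification for an SSL-enabled config."""
    uses_ssl = ("SSL://" in props.get("listeners", "")
                or props.get("security.inter.broker.protocol") == "SSL")
    if not uses_ssl:
        return []  # no SSL endpoint configured, nothing to verify
    algo = props.get(HOSTNAME_KEY)
    if algo is None:
        return [f"{HOSTNAME_KEY} not set: peer certificate is not compared to the "
                f"hostname (KAFKA-3665); set it to https"]
    if algo.lower() != "https":
        return [f"{HOSTNAME_KEY}={algo!r} disables hostname verification; set it to https"]
    return []
```

To check a real file, pass `open(path).read()` to `parse_properties` and print whatever `hostname_verification_findings` returns; an empty list means the `https` setting is present.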