https is a protocol NOT an algorithm.. no wonder this causes confusion!

ssl.endpoint.identification.algorithm
https://en.wikipedia.org/wiki/Transport_Layer_Security

Ismael, can you change the ssl.endpoint.identification.algorithm property to
ssl.endpoint.identification.protocol so the property matches the accepted
definition?

Thanks,
Martin

______________________________________________
> From: ism...@juma.me.uk
> Date: Wed, 1 Jun 2016 11:31:58 +0100
> Subject: Re: SSL certificate CN validation against FQDN in v0.9
> To: users@kafka.apache.org
>
> Hi Phil,
>
> You are right that the check is not done by default. We have a couple of
> JIRAs tracking that:
>
> https://issues.apache.org/jira/browse/KAFKA-3665
> https://issues.apache.org/jira/browse/KAFKA-3667
>
> Enabling the check is a matter of setting
> `ssl.endpoint.identification.algorithm` to `https`, but please check the
> JIRAs for more details.
>
> Ismael
>
> On Wed, Jun 1, 2016 at 8:18 AM, Phi Primed <phipri...@gmail.com> wrote:
>
> > I am using Kafka v 0.9 with TLS enabled, including client auth.
> >
> > In
> > http://www.confluent.io/blog/apache-kafka-security-authorization-authentication-encryption ,
> > it is mentioned that "We need to generate a key and certificate for each
> > broker and client in the cluster. The common name (CN) of the broker
> > certificate must match the fully qualified domain name (FQDN) of the server
> > as the client compares the CN with the DNS domain name to ensure that it is
> > connecting to the desired broker (instead of a malicious one)."
> >
> > 1) Is there a specific additional configuration parameter to enable this or
> > does it always happen if the other TLS/SSL parameters are set (as e.g.
> > shown below)?
> >
> > 2) Is it possible to make the broker(s) carry out the same check against
> > client certificates if SSL client auth is enabled?
> >
> > Regards,
> > Phi
> >
> > listeners=SSL://:9093
> >
> > authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
> >
> > super.users=User:CN=broker1.mydomain.com,OU=ABC,O=XYZ,L=SFO,ST=CA,C=US
> >
> > ssl.keystore.location=/opt/ssl/kafka.server.keystore.jks
> > ssl.keystore.password=test1234
> > ssl.key.password=test1234
> > ssl.truststore.location=/opt/ssl/kafka.server.truststore.jks
> > ssl.truststore.password=test1234
> >
> > ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
> > ssl.keystore.type=JKS
> > ssl.truststore.type=JKS
> >
> > security.inter.broker.protocol=SSL
> >
> > ssl.client.auth=required
> >
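The thread turns on what `ssl.endpoint.identification.algorithm=https` actually switches on: a check that the name the client dialled matches a name in the broker's certificate, which the 0.9 default (an empty value) skips entirely. The following is an added example written for this page, not Kafka or JSSE code: a simplified model of that hostname check with RFC 2818 / RFC 6125 semantics (dNSName subjectAltNames take precedence over the CN, a single wildcard is allowed only as the whole leftmost label), run over constructed certificates given as plain dicts so it works offline. Real implementations also handle IP-address SANs, IDNA and CA policy, which this model leaves out.

```python
"""Simplified model of TLS endpoint identification ("https" algorithm).

Constructed example for illustration only; not Kafka's or JSSE's code.
Certificates are plain dicts with a 'cn' and a list of dNSName SANs.
"""
from typing import Tuple


def _match_name(pattern: str, hostname: str) -> bool:
    """Match one certificate name against a hostname.

    Comparison is case-insensitive and ignores a trailing dot. A wildcard is
    accepted only as the entire leftmost label, must be followed by at least
    two more labels, and never matches across a dot.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False  # '*foo.example.com' or '*.com' style names are rejected
    if len(p_labels) != len(h_labels):
        return False  # '*.mydomain.com' does not cover 'a.b.mydomain.com'
    return p_labels[1:] == h_labels[1:]


def verify_hostname(cert: dict, hostname: str) -> Tuple[bool, str]:
    """Return (ok, reason) for a certificate against the dialled hostname.

    If the certificate carries any dNSName SAN, only the SANs are consulted
    (RFC 6125 behaviour); the CN is used only as a fallback when no SAN exists.
    """
    san_dns = cert.get("san_dns", [])
    if san_dns:
        for name in san_dns:
            if _match_name(name, hostname):
                return True, f"matched SAN dNSName {name!r}"
        return False, "no SAN dNSName matches; CN not consulted"
    cn = cert.get("cn")
    if cn and _match_name(cn, hostname):
        return True, f"matched CN {cn!r} (no SAN present)"
    return False, "CN does not match and no SAN present"


def endpoint_identification(cert: dict, hostname: str, algorithm: str) -> Tuple[bool, str]:
    """Mirror the effect of the ssl.endpoint.identification.algorithm setting.

    An empty value (the 0.9 default the thread describes) skips the hostname
    check entirely, so any trusted certificate is accepted regardless of name;
    'https' applies verify_hostname.
    """
    if not algorithm:
        return True, "endpoint identification disabled: hostname not checked"
    if algorithm.lower() != "https":
        raise ValueError(f"unsupported endpoint identification algorithm {algorithm!r}")
    return verify_hostname(cert, hostname)


# Constructed sample certificates: only the names matter for this model.
BROKER_CERT = {"cn": "broker1.mydomain.com", "san_dns": []}
ROGUE_CERT = {"cn": "other-host.example.net", "san_dns": []}   # trusted CA, wrong name
SAN_CERT = {"cn": "ignored.example.org", "san_dns": ["*.mydomain.com"]}

if __name__ == "__main__":
    target = "broker1.mydomain.com"
    for label, cert in (("broker", BROKER_CERT), ("rogue", ROGUE_CERT), ("san", SAN_CERT)):
        for alg in ("", "https"):
            ok, why = endpoint_identification(cert, target, alg)
            print(f"{label:6} algorithm={alg or '<empty>':7} ok={ok!s:5} {why}")
```

The `ROGUE_CERT` row is the case the blog quote warns about: with the algorithm left empty a certificate issued by a trusted CA for a different host is accepted, and only the `https` setting rejects it. The broker-side question (checking client certificates the same way) is left open in the thread, so the model deliberately says nothing about it.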