Hello,

Can anyone please help me regarding the below query regarding SSL communication 
in Kafka:

Query: Is there any way to enable the hostname verification for Kafka 
communication between broker and client without specifying the IP address in 
SAN?

Regards,
Deepak

From: Deepak Jain
Sent: 08 July 2022 01:23
To: Luke Chen <show...@gmail.com>
Cc: users@kafka.apache.org
Subject: Inquiry about using SSL encryption and SASL authentication for Kafka 
without specifying IP address in SAN in the CA certificate

Hi Luke,

We are using Kafka 2.8.1 Broker/Client system in our prod environment with 
SASL_SSL communication between Kafka Clients and Broker. We are using the IP 
for the property “bootstrap.servers” while initiating the KafkaConsumer. Due to 
some reason, one of our customers is unable to use the IP in the CA certificate 
and provided only a hostname in the SAN entry in the certificate, due to which he 
is getting the following exception in the logs:

org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
Caused by: javax.net.ssl.SSLHandshakeException: No subject alternative names 
matching IP address xx.xx.xx.xx found
    at sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:324)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:262)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)

Even after disabling the hostname verifier, he is unable to send the data from 
Client to broker. He has also added the IP – hostname entry for the broker in the 
/etc/hosts file.

Can you please let us know:

  1.  Are both the IP and DNS fields mandatory in the SAN for Kafka certificates?
  2.  If not, why is the communication failing without the IP?

Regards,
Deepak Jain
Cumulus Systems
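The exception quoted in the thread follows from the standard HTTPS endpoint identification rule that Kafka applies when `ssl.endpoint.identification.algorithm=https`: an IP literal in `bootstrap.servers` is compared only against iPAddress SAN entries, and a DNS name only against dNSName entries, so a DNS-only certificate can never satisfy a client that dials the broker by address. The following stdlib-only Python model of that check is an added example, not code from the thread or from Kafka; the two certificates are constructed samples in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns, and every hostname and address in them is made up.

```python
"""Model of the subjectAltName check a TLS client performs on a broker certificate.

Added example (not from the mailing-list thread, not Kafka's own code): shows why
dialing a broker by IP fails against a DNS-only SAN, and why the same certificate
passes when the client uses the DNS name it carries.
"""
import ipaddress

# Constructed sample: a broker certificate whose SAN carries only a DNS name,
# the situation described in the thread. Names/addresses are invented.
DNS_ONLY_CERT = {
    "subject": ((("commonName", "kafka-broker1.example.internal"),),),
    "subjectAltName": (("DNS", "kafka-broker1.example.internal"),),
}

# Constructed sample: the same broker reissued with both SAN entry types.
DNS_AND_IP_CERT = {
    "subject": ((("commonName", "kafka-broker1.example.internal"),),),
    "subjectAltName": (
        ("DNS", "kafka-broker1.example.internal"),
        ("DNS", "*.kafka.example.internal"),
        ("IP Address", "10.20.30.40"),
    ),
}


def _dns_label_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style dNSName match: case-insensitive, '*' only as the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # A wildcard must be followed by at least two labels and never matches
        # an empty leftmost label.
        return len(p_labels) >= 3 and h_labels[0] != "" and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def endpoint_matches(cert: dict, endpoint: str) -> bool:
    """Return True if `endpoint` (host part of bootstrap.servers or of an advertised
    listener) is covered by the certificate's SAN.

    An IP literal is compared only against "IP Address" entries; a DNS name only
    against "DNS" entries. Reverse lookups (e.g. an /etc/hosts mapping) play no
    part: the identity checked is the literal string the client was told to dial.
    """
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(endpoint)
    except ValueError:
        ip = None
    if ip is not None:
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in san)
    return any(kind == "DNS" and _dns_label_match(value, endpoint)
               for kind, value in san)


def explain_failure(cert: dict, endpoint: str) -> str:
    """Verdict string in the spirit of the JDK message seen in the thread."""
    if endpoint_matches(cert, endpoint):
        return "ok"
    try:
        ipaddress.ip_address(endpoint)
        return f"No subject alternative names matching IP address {endpoint} found"
    except ValueError:
        return f"No subject alternative DNS name matching {endpoint} found"


if __name__ == "__main__":
    # Dialing by IP against a DNS-only certificate: the thread's failure.
    print(explain_failure(DNS_ONLY_CERT, "10.20.30.40"))
    # Dialing by the hostname named in the SAN: passes with the same certificate.
    print(explain_failure(DNS_ONLY_CERT, "kafka-broker1.example.internal"))
    # After reissuing with both entry types, both forms of endpoint pass.
    print(explain_failure(DNS_AND_IP_CERT, "10.20.30.40"))
    print(explain_failure(DNS_AND_IP_CERT, "broker2.kafka.example.internal"))
```

The practical reading for the question at the top of the thread: hostname verification can stay enabled without an IP SAN entry if clients reach the brokers by the DNS name the certificate carries, in `bootstrap.servers` and in each broker's `advertised.listeners`, because after the bootstrap connection the client re-verifies against whatever address the broker advertises. Adding the IP to `/etc/hosts` does not change the outcome, since the string compared against the SAN is the literal address the client dials, not its reverse mapping.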
