Hi Deepak, I'm not sure what you mean by IP in the CA certificate? The CA certificates are used to determine who signed a provided certificate and if it is valid. So when I connect to a broker using an IP address, then the server must provide a server certificate containing the IP as SAN to verify the handshake and signed by a CA that the client trusts.
If the IP address is used in the advertised listener configuration, or if only the listener is configured with the IP address, then the client will fail as well, because the client will open a new connection using the addresses provided by the broker, which are IP based.

Can you check that the IP address is set as SAN in the broker server certificates? And that the Kafka broker configuration uses listeners like this?

    listeners=SSL://1.2.3.4:9092
    advertised.listeners=SSL://hostname:9092

This means that the hostname is used to connect to the broker, and the hostname must be in the SAN to successfully connect.

How did you try to disable the hostname verifier? Because I'm not sure why setting the client property ssl.endpoint.identification.algorithm to an empty string did not work.

Kind regards,

Richard Bosch
Developer Advocate
Axual BV

On Tue, Jul 12, 2022 at 7:40 PM Deepak Jain <deepak.j...@cumulus-systems.com> wrote:
> Hello,
>
> Can anyone please help me regarding the below query regarding SSL communication in Kafka:
>
> Query: Is there any way to enable the hostname verification for Kafka communication between broker and client without specifying the IP address in SAN?
>
> Regards,
> Deepak
>
> From: Deepak Jain
> Sent: 08 July 2022 01:23
> To: Luke Chen <show...@gmail.com>
> Cc: users@kafka.apache.org
> Subject: Inquiry about using SSL encryption and SASL authentication for Kafka without specifying IP address in SAN in the CA certificate
>
> Hi Luke,
>
> We are using Kafka 2.8.1 Broker/Client system in our prod environment with SASL_SSL communication between Kafka Clients and Broker. We are using the IP for the property "bootstrap.servers" while initiating the KafkaConsumer.
> Due to some reason, one of our customers is unable to use the IP in the CA certificate and provided only the hostname in the SAN entry in the certificate, due to which he is getting the following exception in the logs:
>
> org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
> Caused by: javax.net.ssl.SSLHandshakeException: No subject alternative names matching IP address xx.xx.xx.xx found
>         at sun.security.ssl.Alert.createSSLException(Alert.java:131)
>         at sun.security.ssl.TransportContext.fatal(TransportContext.java:324)
>         at sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
>         at sun.security.ssl.TransportContext.fatal(TransportContext.java:262)
>         at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
>
> Even after disabling the hostname verifier, he is unable to send the data from Client to broker. He has also added the IP - hostname entry of the broker in the /etc/hosts file.
>
> Can you please let us know:
>
> 1. Are both the IP and DNS fields mandatory in SAN for Kafka certificates?
> 2. If not, why is the communication failing without the IP?
>
> Regards,
> Deepak Jain
> Cumulus Systems
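To make the failure above concrete, here is a small Python model (added illustration, not Kafka's or the JDK's code) of the endpoint-identification check the Java client runs when ssl.endpoint.identification.algorithm is "https": an IP literal in bootstrap.servers or advertised.listeners is compared only against iPAddress SAN entries, a hostname only against dNSName entries, and an /etc/hosts mapping never bridges the two. The SAN tuple shape follows what Python's ssl.getpeercert() returns; the broker SAN and addresses are constructed.

```python
"""Model of TLS endpoint identification as applied to a Kafka broker cert.
Added illustration only; the real check lives in the JDK's HostnameChecker."""
import ipaddress


def _match_dns(pattern: str, hostname: str) -> bool:
    """RFC 6125-style dNSName match: case-insensitive, and a '*' is allowed
    only as the whole leftmost label, matching exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Reject bare '*.com'-style patterns and compare the remaining labels.
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def endpoint_matches(san_entries, endpoint: str, algorithm: str = "https"):
    """san_entries: subjectAltName as ssl.getpeercert() reports it, e.g.
    (('DNS', 'broker1.example.com'), ('IP Address', '10.0.0.5')).
    endpoint: the host the client dialed (bootstrap.servers, or the
    advertised.listeners address the broker handed back in metadata).
    algorithm: value of ssl.endpoint.identification.algorithm.
    Returns (ok, reason)."""
    if not algorithm:  # ssl.endpoint.identification.algorithm= (empty string)
        return True, "hostname verification disabled"
    try:
        ip = ipaddress.ip_address(endpoint)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal only ever matches an iPAddress SAN. A DNS SAN that
        # resolves to this IP (e.g. via /etc/hosts) does not count.
        for kind, value in san_entries:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True, f"matched IP SAN {value}"
        return False, f"No subject alternative names matching IP address {endpoint} found"
    for kind, value in san_entries:
        if kind == "DNS" and _match_dns(value, endpoint):
            return True, f"matched DNS SAN {value}"
    return False, f"No subject alternative DNS name matching {endpoint} found"


# Constructed SAN for the customer's broker certificate: hostname only, no IP.
BROKER_SAN = (("DNS", "broker1.example.com"),)

if __name__ == "__main__":
    for ep in ("10.0.0.5", "broker1.example.com", "BROKER1.example.com"):
        print(ep, "->", endpoint_matches(BROKER_SAN, ep))
    print("10.0.0.5, verification off ->", endpoint_matches(BROKER_SAN, "10.0.0.5", algorithm=""))
```

Dialing 10.0.0.5 against this certificate reproduces the "No subject alternative names matching IP address" outcome, while dialing the advertised hostname passes; the same check is applied again to every advertised.listeners address returned in metadata, which is why an IP-based advertised listener fails even when bootstrap.servers uses the hostname.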