Hi Deepak,

Unfortunately you cannot disable that with the default client implementation as far as I know. The SSL connection is created using the SSL implementation provided by the JVM. It might be possible to do this with a different or custom SSL implementation or with a custom SSL Engine. You can control that with the ssl.engine.factory.class property. This can have other side effects on the applications, and is a lot of work.
Kind regards,
Richard Bosch
Developer Advocate
Axual BV
https://axual.com/

On Thu, Jul 14, 2022 at 12:46 PM Deepak Jain <deepak.j...@cumulus-systems.com> wrote:
> Hi Richard,
>
> Thanks for your response.
>
> We are using IP in the advertised.listener and also passing IP in the
> property 'bootstrap.servers' while instantiating the KafkaConsumer class. But
> in the server certificate only DNS is used as SAN and not IP due to some
> security concerns.
>
> Regarding hostname verifier disabling, we are able to do it by setting the
> client property ssl.endpoint.identification.algorithm to an empty string.
> But the Customer is asking the below query, whose answer can only be provided by
> the Kafka team:
>
> Query: Is there any way to enable the hostname verification for Kafka
> communication between broker and client without specifying the IP address
> in SAN?
>
> Regards,
> Deepak
>
> -----Original Message-----
> From: Richard Bosch <richard.bo...@axual.com>
> Sent: 13 July 2022 20:57
> To: users@kafka.apache.org
> Subject: Re: Inquiry about using SSL encryption and SASL authentication
> for Kafka without specifying IP address in SAN in the CA certificate
>
> Caution: From Cumulus Systems – IT Department, this email originated from
> outside of the organization. Please call and confirm with the sender before
> opening attachments or clicking links inside the email.
>
>
> Hi Deepak,
>
> I'm not sure what you mean by IP in the CA certificate?
> The CA certificates are used to determine who signed a provided
> certificate and if it is valid.
> So when I connect to a broker using an IP address, then the server must
> provide a server certificate containing the IP as SAN to verify the
> handshake and signed by a CA that the client trusts.
>
> If the IP address is used in the advertised listener configuration or if
> only the listener is configured to the IP address then the client will fail
> as well.
> Because the client will open a new connection using the addresses provided
> by the broker, which are IP based.
>
> Can you check that the IP address is set as SAN in the broker Server
> certificates?
> And that the Kafka Broker configuration uses listeners like this?
> listener=SSL://1.2.3.4:9092
> advertised.listener=SSL://hostname:9092
>
> This means that the hostname is used to connect to the broker, and the
> hostname must be in the SAN to successfully connect.
>
> How did you try to disable the hostname verifier?
> Because I'm not sure why setting the client property
> ssl.endpoint.identification.algorithm to an empty string did not work.
>
> Kind regards,
>
> Richard Bosch
> Developer Advocate
> Axual BV
>
> On Tue, Jul 12, 2022 at 7:40 PM Deepak Jain <deepak.j...@cumulus-systems.com> wrote:
> >
> > Hello,
> >
> > Can anyone please help me regarding the below query regarding SSL
> > communication in Kafka:
> >
> > Query: Is there any way to enable the hostname verification for Kafka
> > communication between broker and client without specifying the IP
> > address in SAN?
> >
> > Regards,
> > Deepak
> >
> > From: Deepak Jain
> > Sent: 08 July 2022 01:23
> > To: Luke Chen <show...@gmail.com>
> > Cc: users@kafka.apache.org
> > Subject: Inquiry about using SSL encryption and SASL authentication
> > for Kafka without specifying IP address in SAN in the CA certificate
> >
> > Hi Luke,
> >
> > We are using a Kafka 2.8.1 Broker/Client system in our prod environment
> > with SASL_SSL communication between Kafka Clients and Broker. We are
> > using the IP for the property “bootstrap.servers” while initiating the
> > KafkaConsumer.
> > Due to some reason, one of our Customers is unable to use the IP in the
> > CA certificate and provided only the hostname in the SAN entry in the
> > certificate, due to which he is getting the following exception in the logs:
> >
> > org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
> > Caused by: javax.net.ssl.SSLHandshakeException: No subject alternative names matching IP address xx.xx.xx.xx found
> >   at sun.security.ssl.Alert.createSSLException(Alert.java:131)
> >   at sun.security.ssl.TransportContext.fatal(TransportContext.java:324)
> >   at sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
> >   at sun.security.ssl.TransportContext.fatal(TransportContext.java:262)
> >   at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
> >
> > Even after disabling the hostname verifier, he is unable to send the
> > data from Client to broker. He has also added the IP – hostname entry of the
> > broker in the /etc/hosts file.
> >
> > Can you please let us know:
> >
> > 1. Are both the IP and DNS fields mandatory in SAN for Kafka Certificates?
> > 2. If not, why is the communication failing without the IP?
> >
> > Regards,
> > Deepak Jain
> > Cumulus Systems
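The matching rule behind the "No subject alternative names matching IP address" error in this thread, and the two-hop bootstrap/advertised-listener path Richard describes, modelled in Python as an added example (not code from the thread, from the JDK or from Kafka). The SAN tuple, hostnames and addresses are constructed; the model also covers wildcard DNS entries, which the thread does not mention.

```python
import ipaddress

# Constructed SAN shaped like ssl.SSLSocket.getpeercert()['subjectAltName']: DNS names
# only, no iPAddress entry, like the customer's certificate in the thread.
DNS_ONLY_SAN = (("DNS", "kafka-broker-1.example.internal"), ("DNS", "*.kafka.example.internal"))

def _is_ip(target):
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False

def _dns_match(pattern, hostname):
    # RFC 6125 style: case-insensitive, '*' allowed only as the entire leftmost label.
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def san_matches(san, target):
    """JSSE-style match of the literal connect target: an IP matches only 'IP Address'
    entries, a name only 'DNS' entries. An /etc/hosts mapping plays no part."""
    if _is_ip(target):
        ip = ipaddress.ip_address(target)
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in san)
    return any(k == "DNS" and _dns_match(v, target) for k, v in san)

def endpoint_check(san, target, identification_algorithm="https"):
    """Model ssl.endpoint.identification.algorithm: 'https' verifies the endpoint,
    the empty string skips verification and accepts any certificate the CA trust allows."""
    if identification_algorithm == "":
        return True, "hostname verification disabled"
    if san_matches(san, target):
        return True, "ok"
    kind = "IP address" if _is_ip(target) else "hostname"
    return False, f"No subject alternative names matching {kind} {target} found"

def kafka_connect_path(san, bootstrap_server, advertised_listener, identification_algorithm="https"):
    """Verify the bootstrap endpoint, then the advertised listener from broker metadata
    (IPv4 or hostname endpoints such as SSL://host:9092); both hops must pass."""
    results = []
    for stage, endpoint in (("bootstrap", bootstrap_server), ("advertised", advertised_listener)):
        host = endpoint.split("://")[-1].rsplit(":", 1)[0]
        ok, reason = endpoint_check(san, host, identification_algorithm)
        results.append((stage, host, ok, reason))
        if not ok:
            break
    return results
```

With a DNS-only certificate, the path passes only when both bootstrap.servers and the advertised listener carry a hostname present in the SAN; an IP at either hop reproduces the failure in the thread, and only the empty identification algorithm hides it.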