Hi, I have configured mTLS on a three-server Kafka cluster. The servers and clients are all communicating properly, except I am having trouble with client hostname validation when the client is using a cert from a different host. I would expect this to fail on handshake like it does when the certs are expired, but I have found that clients can use any cert signed by the trusted CA regardless of whether the cert matches their hostname/IP. The certs are generated from an intermediate CA in Vault, and the server and client settings are configured via PEM properties. The intermediate CA cert is the only cert in ssl.truststore.certificates.
Example server config (ssl settings only):

listeners=SSL://server-a.b.net:9092
advertised.listeners=SSL://server-a.b.net:9092
security.inter.broker.protocol=SSL
ssl.client.auth=required
#Default is HTTPS, but try explicitly setting it
ssl.endpoint.identification.algorithm=HTTPS
security.protocol=SSL
ssl.keystore.type=PEM
ssl.truststore.type=PEM
ssl.key.password=mypassword
ssl.keystore.key=-----BEGIN ENCRYPTED PRIVATE KEY-----\n<server private key info>\n...-----END ENCRYPTED PRIVATE KEY-----
ssl.keystore.certificate.chain=-----BEGIN CERTIFICATE-----\n<server cert>\n...\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\n<int ca info>\n...\n-----END CERTIFICATE-----
ssl.truststore.certificates=-----BEGIN CERTIFICATE-----\n<int ca info>\n...\n-----END CERTIFICATE-----

Example client config (ssl settings only):

security.protocol=SSL
ssl.keystore.type=PEM
ssl.truststore.type=PEM
ssl.key.password=mypassword
#Default is HTTPS, but try explicitly setting it
ssl.endpoint.identification.algorithm=HTTPS
ssl.keystore.key=-----BEGIN ENCRYPTED PRIVATE KEY-----\n<client-1 private key info>\n...-----END ENCRYPTED PRIVATE KEY-----
ssl.keystore.certificate.chain=-----BEGIN CERTIFICATE-----\n<client-1 cert>\n...\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\n<int ca info>\n...\n-----END CERTIFICATE-----
ssl.truststore.certificates=-----BEGIN CERTIFICATE-----\n<int ca info>\n...\n-----END CERTIFICATE-----

I have two properties files with certs for client-1.b.net and client-2.b.net (producer.properties.client1 and producer.properties.client2 respectively). On client-1.b.net, I can use either of those properties files and successfully connect and send data to the cluster using kafka-console-producer.sh:

./kafka-console-producer.sh --bootstrap-server server-a.b.net:9092 --topic foo --producer.config producer.properties.client2

I have extracted the \n concatenated string out to a file, and verified that the CN and SAN include only the FQDN and IP of client-2.b.net.
Am I missing a configuration setting somewhere, or is this broken?

Thanks in advance,
Jim Ziesig
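To make the distinction behind the question concrete, here is an added example (not part of the original post, and not Kafka code) using the openssl CLI with constructed throwaway certificates: validating the chain against the CA, which is what ssl.client.auth=required asks the broker to do with a client certificate, accepts the client-2 certificate regardless of who presents it, while only an explicit hostname match (the check ssl.endpoint.identification.algorithm=HTTPS makes the client apply to the broker's certificate) rejects it for client-1.b.net. It assumes openssl 1.1.1 or later on PATH; the CA and hostnames are stand-ins for the post's Vault intermediate CA and hosts.

```shell
#!/bin/sh
# Added illustration: chain validation vs. hostname validation of a client cert.
# All keys and certs below are constructed on the fly; nothing is reused elsewhere.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Throwaway CA standing in for the Vault intermediate CA in the truststore.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 1 \
  -subj "/CN=constructed-int-ca" >/dev/null 2>&1

# Client certificate for client-2.b.net: CN and SAN carry only that host's name
# and a constructed IP, mirroring what the post describes for client-2.
openssl req -newkey rsa:2048 -nodes -keyout client2.key -out client2.csr \
  -subj "/CN=client-2.b.net" >/dev/null 2>&1
printf 'subjectAltName=DNS:client-2.b.net,IP:192.0.2.2\n' > san.cnf
openssl x509 -req -in client2.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out client2.crt -days 1 -extfile san.cnf >/dev/null 2>&1

# What a broker does for a client certificate: check that it chains to a
# certificate in ssl.truststore.certificates. The presenter's host is not part
# of this check, so any CA-signed cert passes from any machine.
chain_ok() {
  openssl verify -CAfile ca.crt client2.crt >/dev/null 2>&1
}

# What a hostname-aware check does: chain validation plus matching the expected
# name against the certificate's SAN (or CN). This is the check a Kafka client
# applies to the broker's certificate, not one the broker applies to clients.
name_ok() {
  openssl verify -CAfile ca.crt -verify_hostname "$1" client2.crt >/dev/null 2>&1
}

chain_ok && echo "chain check (broker side): client-2 cert accepted"
name_ok client-2.b.net && echo "hostname check for client-2.b.net: accepted"
name_ok client-1.b.net || echo "hostname check for client-1.b.net: rejected"
# Temporary files are left in $WORK so the functions above can be re-run.
```

The last two lines show the asymmetry: the same certificate passes the chain check that a broker performs and fails only the hostname check that nothing in the broker configuration asks for.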