I am trying to deploy a brand new Kafka cluster and trying to do it "the
right way". I am thinking about TLS everywhere, with my own private CA.
I wonder about the CRL management.
I know I can enable CRL in Kafka via
KAFKA_OPTS: "-Dcom.sun.security.enableCRLDP=true
-Dcom.sun.net.ssl.checkRevocation=true"
as described in https://jeqo.github.io/notes/2022-02-09-kafka-ssl-crl/,
but I wonder how the CRL is managed:
1. If Kafka only fetches the CRL when the server is launched, it will
miss new revocations until reboot. Is the "nextUpdate" CRL field honored
after that (via new fetches)?
2. What happens if the CRL URL times out or returns an error? Is the
behaviour different when Kafka starts compared with "nextUpdate"
refreshes, if those work as expected? I don't want a single point of
failure because of this...
3. I wonder if Kafka can be configured to check the CRL from a local
file. If that is the case, is the file reloaded when changed or only
read when Kafka boots? If this configuration is possible, how can it be
enabled? What happens if "nextUpdate" is in the past?
Apparently "librdkafka" (for clients) can use a local file CRL using
"ssl.crl.location". Would this file work if "nextUpdate" is in the past?
When is the file loaded, at launch time or every time a validation is needed?
Do you have any advice?
Thanks a lot.
--
Jesús Cea Avión _/_/ _/_/_/ _/_/_/
j...@jcea.es - https://www.jcea.es/ _/_/ _/_/ _/_/ _/_/ _/_/
Twitter: @jcea _/_/ _/_/ _/_/_/_/_/
jabber / xmpp:j...@jabber.org _/_/ _/_/ _/_/ _/_/ _/_/
"Things are not so easy" _/_/ _/_/ _/_/ _/_/ _/_/ _/_/
"My name is Dump, Core Dump" _/_/_/ _/_/_/ _/_/ _/_/
"El amor es poner tu felicidad en la felicidad de otro" - Leibniz
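As an added example (not from the original post, the linked note, or the Kafka project), the following standalone Java program exercises the JVM's own PKIX code path behind question 3: trust anchors come from a CA file, revocation data comes from a local CRL file through a Collection CertStore rather than from a CRL Distribution Point, and SOFT_FAIL is left off so an unusable CRL is a hard error. The file names ca.pem, ca.crl and leaf.pem are assumptions. Running it against a CRL whose nextUpdate is in the past, or with the CRL file deleted, shows what your particular JDK does in each case instead of guessing. Kafka's default SSL engine factory initialises its trust manager from the truststore alone, so using a validator like this inside a broker would require a custom ssl.engine.factory.class (KIP-519); that wiring is not part of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Added example: validate a leaf certificate against a private CA using only a
 * local CRL file (no network fetch), failing closed when revocation status
 * cannot be determined. Paths are taken from argv; ca.pem/ca.crl/leaf.pem are
 * assumed names, not anything Kafka reads.
 */
public final class LocalCrlValidator {

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: LocalCrlValidator <ca.pem> <ca.crl> <leaf.pem>");
            System.exit(2);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        // Trust anchors: every certificate in the CA bundle (PEM or DER).
        Set<TrustAnchor> anchors = new HashSet<>();
        try (InputStream in = new FileInputStream(args[0])) {
            for (Certificate c : cf.generateCertificates(in)) {
                anchors.add(new TrustAnchor((X509Certificate) c, null));
            }
        }

        // The CRL is parsed once, here. A Collection CertStore does not watch the
        // file: a long-running process has to re-read it and rebuild the store.
        X509CRL crl;
        try (InputStream in = new FileInputStream(args[1])) {
            crl = (X509CRL) cf.generateCRL(in);
        }
        System.out.println("CRL thisUpdate=" + crl.getThisUpdate()
                + " nextUpdate=" + crl.getNextUpdate());

        X509Certificate leaf;
        try (InputStream in = new FileInputStream(args[2])) {
            leaf = (X509Certificate) cf.generateCertificate(in);
        }

        PKIXParameters params = new PKIXParameters(anchors);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(List.of(crl))));
        params.setRevocationEnabled(true);

        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        // PREFER_CRLS + NO_FALLBACK: consult CRLs only, never try OCSP.
        // SOFT_FAIL is deliberately NOT set: an unusable CRL (stale, unsigned by
        // the issuer, missing) must reject the chain rather than silently pass.
        rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.PREFER_CRLS,
                                 PKIXRevocationChecker.Option.NO_FALLBACK));
        params.addCertPathChecker(rc);

        // A one-element path is enough when the leaf is issued directly by an anchor.
        CertPath path = cf.generateCertPath(List.of(leaf));
        try {
            cpv.validate(path, params);
            System.out.println("VALID: " + leaf.getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // getReason() distinguishes a revoked certificate from a CRL the
            // validator could not use; print both so the cause is visible.
            System.out.println("REJECTED: " + e.getReason() + " - " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Compile with `javac LocalCrlValidator.java` and run as `java LocalCrlValidator ca.pem ca.crl leaf.pem`. To see the behaviour the questions above are about, regenerate ca.crl with a nextUpdate that has already passed and run again, then run once more with the file path pointing at a missing file; with SOFT_FAIL left unset the second case should not silently validate.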