kafka-dev mailing list archives

From "Ryan P (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (KAFKA-3667) Improve Section 7.2 Encryption and Authentication using SSL to include proper hostname verification configuration
Date Fri, 06 May 2016 14:41:12 GMT

     [ https://issues.apache.org/jira/browse/KAFKA-3667?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ryan P updated KAFKA-3667:
--------------------------
    Description: 
Kafka's documentation should include additional guidance on how to properly enable SSL with
hostname verification. 

1. Hostname verification will not be performed if ssl.endpoint.identification.algorithm has
not been set. 

Failing to enable this will leave Kafka susceptible to 'man-in-the-middle attacks' as described
in the [Oracle Java API docs.|https://docs.oracle.com/javase/7/docs/api/javax/net/ssl/X509ExtendedTrustManager.html]

2. The docs should also include instructions on how to strictly comply with [RFC-2818|https://tools.ietf.org/html/rfc2818#section-3.1].
This will require adding the DNS SAN extension. 

[keytool|http://docs.oracle.com/javase/7/docs/technotes/tools/windows/keytool.html]

It's worth noting in the docs that placing the FQDN in the CN is still valid despite being
less than ideal as well. 

3. KAFKA-3665 aims to set the default value for ssl.endpoint.identification.algorithm to HTTPS.
This improvement JIRA aims to document the behavior changes introduced. 

  was:
Kafka's documentation should include additional guidance on how to properly enable SSL with
hostname verification. 

1. Hostname verification will not be performed if ssl.endpoint.identification.algorithm has
not been set. 

Failing to enable this will leave Kafka susceptible to 'man-in-the-middle attacks' as described
in the [Oracle Java API docs.|https://docs.oracle.com/javase/7/docs/api/javax/net/ssl/X509ExtendedTrustManager.html]

2. The docs should also include instructions on how to strictly comply with [RFC-2818|https://tools.ietf.org/html/rfc2818#section-3.1].
This will require adding the DNS SAN extension. 

[keytool|http://docs.oracle.com/javase/7/docs/technotes/tools/windows/keytool.html]

It's worth noting in the docs that placing the FQDN in the CN is still valid despite being
less than ideal as well. 

3. KAFKA-3365 aims to set the default value for ssl.endpoint.identification.algorithm to HTTPS.
This improvement JIRA aims to document the behavior changes introduced. 


> Improve Section 7.2 Encryption and Authentication using SSL to include proper hostname verification configuration
> -----------------------------------------------------------------------------------------------------------------
>
>                 Key: KAFKA-3667
>                 URL: https://issues.apache.org/jira/browse/KAFKA-3667
>             Project: Kafka
>          Issue Type: Improvement
>          Components: security
>            Reporter: Ryan P
>
> Kafka's documentation should include additional guidance on how to properly enable SSL with hostname verification.
> 1. Hostname verification will not be performed if ssl.endpoint.identification.algorithm has not been set.
> Failing to enable this will leave Kafka susceptible to 'man-in-the-middle attacks' as described in the [Oracle Java API docs.|https://docs.oracle.com/javase/7/docs/api/javax/net/ssl/X509ExtendedTrustManager.html]
> 2. The docs should also include instructions on how to strictly comply with [RFC-2818|https://tools.ietf.org/html/rfc2818#section-3.1]. This will require adding the DNS SAN extension.
> [keytool|http://docs.oracle.com/javase/7/docs/technotes/tools/windows/keytool.html]
> It's worth noting in the docs that placing the FQDN in the CN is still valid despite being less than ideal as well.
> 3. KAFKA-3665 aims to set the default value for ssl.endpoint.identification.algorithm to HTTPS. This improvement JIRA aims to document the behavior changes introduced.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
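
Added example (not part of the original message and not Kafka's own code): a small Python check for the two points the ticket raises, a client config that leaves ssl.endpoint.identification.algorithm unset, and the RFC 2818 section 3.1 rule that DNS SAN entries take precedence over the CN. The host names, truststore path and certificate dictionaries are constructed, and the "unset means no verification" behavior is taken from the ticket text.

```python
# Added example: lint a Kafka client config and apply the RFC 2818 section 3.1 identity rule.
# Assumption (from the ticket): an unset algorithm means no hostname verification.

def parse_properties(text):
    """Parse Java-style .properties text (key=value, # or ! comments) into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit_client_config(text):
    """Return findings when a TLS-enabled client leaves hostname verification off."""
    props = parse_properties(text)
    if props.get("security.protocol", "").upper() not in ("SSL", "SASL_SSL"):
        return []
    if props.get("ssl.endpoint.identification.algorithm", "").upper() == "HTTPS":
        return []
    return ["ssl.endpoint.identification.algorithm is not HTTPS: broker hostname is not verified"]

def presented_identities(cert):
    """RFC 2818 3.1: dNSName SAN entries take precedence; CN is used only if there are none."""
    dns = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns:
        return dns
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def hostname_matches(host, cert):
    """Compare host to each identity; '*' may stand for the whole leftmost label only."""
    want = host.lower().rstrip(".").split(".")
    for name in presented_identities(cert):
        have = name.lower().split(".")
        if len(have) == len(want) and have[1:] == want[1:] and have[0] in ("*", want[0]):
            return True
    return False

# Constructed samples (hypothetical hosts and paths), in the shape of ssl.getpeercert().
WEAK_CONFIG = "security.protocol=SSL\nssl.truststore.location=/path/to/truststore.jks\n"
STRICT_CONFIG = WEAK_CONFIG + "ssl.endpoint.identification.algorithm=HTTPS\n"
SAN_CERT = {"subject": ((("commonName", "legacy.example.com"),),),
            "subjectAltName": (("DNS", "broker1.example.com"), ("DNS", "*.kafka.example.com"))}
CN_ONLY_CERT = {"subject": ((("commonName", "broker1.example.com"),),)}

if __name__ == "__main__":
    print(audit_client_config(WEAK_CONFIG), audit_client_config(STRICT_CONFIG))
    for host in ("broker1.example.com", "legacy.example.com", "b2.kafka.example.com"):
        print(host, hostname_matches(host, SAN_CERT))
    print("CN fallback:", hostname_matches("broker1.example.com", CN_ONLY_CERT))
```

The CN-only certificate still matches, as the ticket notes, but once any DNS SAN entry is present the CN is no longer consulted.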
