kafka-jira mailing list archives

From "Ismael Juma (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (KAFKA-6097) Kafka ssl.endpoint.identification.algorithm=HTTPS not working
Date Fri, 20 Oct 2017 15:46:00 GMT

    [ https://issues.apache.org/jira/browse/KAFKA-6097?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16212804#comment-16212804 ]

Ismael Juma commented on KAFKA-6097:
------------------------------------

Have you verified that it's not succeeding because of the CN?

> Kafka ssl.endpoint.identification.algorithm=HTTPS not working
> -------------------------------------------------------------
>
>                 Key: KAFKA-6097
>                 URL: https://issues.apache.org/jira/browse/KAFKA-6097
>             Project: Kafka
>          Issue Type: Bug
>            Reporter: Damyan Petev Manev
>         Attachments: kafka-certificates-script.sh
>
>
> When ssl.endpoint.identification.algorithm is set to HTTPS and I have a SAN extension on
> my server certificate, clients do not verify the server's fully qualified domain name (FQDN)
> against it.
> Client certificate authentication works. With the following SAN extension - dns:some.thing.here
> I expect connection to fail, because according to
>  http://kafka.apache.org/documentation.html#security_ssl :
>  "clients will verify the server's fully qualified domain name (FQDN) against one of
> the following two fields
> Common Name (CN)
> Subject Alternative Name (SAN)",
> but messages are produced and consumed successfully.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
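
One way to check which certificate field decides the outcome, as an added example that is not part of the original message or of Kafka's code. It assumes HTTPS endpoint identification follows the RFC 2818 rules (a dNSName SAN, when present, is the identity and the CN is only a fallback), covers DNS names only, and takes certificates as dicts shaped like Python's `ssl.SSLSocket.getpeercert()` output; `broker1.example.com` and the wildcard name are constructed values, only `some.thing.here` comes from the report.

```python
"""RFC 2818 style server identity check over a certificate's SAN and CN."""


def _label_match(pattern: str, hostname: str) -> bool:
    # Case-insensitive comparison, label by label.
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # "*" is honoured only as the whole left-most label, and only above
        # at least two fixed labels (a conservative choice of this example).
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def identity_fields(cert: dict):
    """Return (field, names): the field the check consults and its values."""
    dns = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns:
        return "SAN", dns  # any dNSName SAN means the CN is not consulted
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return "CN", cns[-1:]  # fallback: the most specific (last) CN


def check_host(cert: dict, hostname: str):
    """Return (field_used, matched) for the name the client connects to."""
    field, names = identity_fields(cert)
    return field, any(_label_match(n, hostname) for n in names)


# Constructed sample certificates (not taken from the attached script).
CERT_SAN_AND_CN = {
    "subject": ((("commonName", "broker1.example.com"),),),
    "subjectAltName": (("DNS", "some.thing.here"),),
}
CERT_CN_ONLY = {"subject": ((("commonName", "broker1.example.com"),),)}
CERT_WILDCARD = {
    "subject": ((("commonName", "ignored.example.com"),),),
    "subjectAltName": (("DNS", "*.kafka.example.com"),),
}

if __name__ == "__main__":
    for cert, host in [(CERT_SAN_AND_CN, "broker1.example.com"),
                       (CERT_CN_ONLY, "broker1.example.com"),
                       (CERT_WILDCARD, "b2.kafka.example.com")]:
        print(host, check_host(cert, host))
```

Run it with the CN and SAN values read from the broker certificate and the exact host name the client uses in its bootstrap list; the first element of the result shows which field the comparison used.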
