Posted to dev@kafka.apache.org by "Rajini Sivaram (JIRA)" <ji...@apache.org> on 2017/04/10 18:37:41 UTC

[jira] [Created] (KAFKA-5051) Avoid DNS reverse lookup in security-critical TLS code path

Rajini Sivaram created KAFKA-5051:
-------------------------------------

             Summary: Avoid DNS reverse lookup in security-critical TLS code path
                 Key: KAFKA-5051
                 URL: https://issues.apache.org/jira/browse/KAFKA-5051
             Project: Kafka
          Issue Type: Bug
          Components: security
    Affects Versions: 0.10.2.0
            Reporter: Rajini Sivaram
            Assignee: Rajini Sivaram
             Fix For: 0.11.0.0


At the moment the SSL engine is created using the hostname obtained using {{InetAddress#getHostName}}, which performs unnecessary reverse DNS lookups.

h2. Scenarios:

h3. Server-side
h4. Scenario: Server accepts connection from a client
Broker knows only client IP address. At the moment broker does a reverse lookup. This is unnecessary since the server does not verify or use client hostname. It can block the network thread for several seconds in some configurations. The IP address should be used directly.

h3. Client-side
h4. Scenario: Client connects to server using hostname
No lookup is necessary and the hostname is used to create the SSL engine. This hostname is validated against the hostname in SubjectAltName (dns) or CommonName in the certificate if hostname verification is enabled. Authentication fails if hostname does not match. This is handled correctly in the current code.

h4. Scenario: Client connects to server using IP address, but certificate contains only SubjectAltName (dns)
The current code does hostname verification using the hostname obtained through reverse name lookup. But use of reverse DNS lookup to determine the hostname introduces a security vulnerability, since authentication would be reliant on a secure DNS. Hence hostname verification should fail in this case.

h4. Scenario: Client connects to server using IP address and certificate contains SubjectAltName (ipaddress).
This could be used when Kafka is on a private network. The current code uses reverse DNS lookup to determine hostname. If reverse lookup succeeds, authentication fails since the hostname is matched against the IP address in the certificate. But if reverse lookup fails, SSL engine is created with the IP address and authentication succeeds. For consistency and to avoid dependency on a potentially insecure DNS, reverse DNS lookup should be avoided and the IP address specified by the client for connection should be used to create the SSL engine.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
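The host-string discipline the four scenarios above call for, shown as an added Java example that is not Kafka's code and not part of the message above. The client hands the SSLEngine exactly the string it dialled (a hostname or an IP literal) and enables the JSSE "HTTPS" endpoint identification algorithm, so an IP literal is matched only against SubjectAltName iPAddress entries and a hostname only against dNSName entries (with the CommonName fallback); the server hands it the accepted connection's textual IP and never calls getHostName(). The class name, method names and the two sample addresses are assumptions made for the illustration.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.nio.channels.SocketChannel;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

/** Illustrative helper (hypothetical, not Kafka code): build SSLEngines without reverse DNS. */
public final class NoReverseLookupSslEngine {

    /**
     * Client side. The peer host is the string the caller connected with: a hostname is
     * verified against dNSName SANs, an IP literal against iPAddress SANs. Connecting by
     * IP to a certificate that carries only dNSName SANs therefore fails, by design.
     */
    public static SSLEngine forClient(SSLContext ctx, InetSocketAddress target, boolean verifyHostname) {
        // getHostString() returns the literal the address was built from and never resolves;
        // getHostName() on an address built from an IP literal would trigger a reverse lookup.
        String peerHost = target.getHostString();
        SSLEngine engine = ctx.createSSLEngine(peerHost, target.getPort());
        engine.setUseClientMode(true);
        if (verifyHostname) {
            SSLParameters params = engine.getSSLParameters();
            // "HTTPS" selects RFC 2818 matching inside JSSE; without it no hostname check runs.
            params.setEndpointIdentificationAlgorithm("HTTPS");
            engine.setSSLParameters(params);
        }
        return engine;
    }

    /**
     * Server side. The broker only knows the client's IP and does not verify a client
     * hostname, so the textual IP is passed as-is. getHostAddress() is a pure string
     * conversion; getHostName() would block the network thread on reverse DNS.
     */
    public static SSLEngine forServer(SSLContext ctx, SocketChannel accepted) throws IOException {
        InetSocketAddress remote = (InetSocketAddress) accepted.getRemoteAddress();
        String peerHost = remote.getAddress().getHostAddress();
        SSLEngine engine = ctx.createSSLEngine(peerHost, remote.getPort());
        engine.setUseClientMode(false);
        return engine;
    }

    /** Offline demonstration: no socket is opened, only engines are configured. */
    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();

        // createUnresolved() avoids even a forward lookup; the hostname string is kept verbatim.
        SSLEngine byName = forClient(ctx, InetSocketAddress.createUnresolved("broker1.example.com", 9093), true);
        // An IP literal is parsed, not resolved; the peer host stays "192.0.2.10".
        SSLEngine byIp = forClient(ctx, new InetSocketAddress("192.0.2.10", 9093), true);

        System.out.println("by name: peerHost=" + byName.getPeerHost()
                + " endpointId=" + byName.getSSLParameters().getEndpointIdentificationAlgorithm());
        System.out.println("by ip:   peerHost=" + byIp.getPeerHost()
                + " endpointId=" + byIp.getSSLParameters().getEndpointIdentificationAlgorithm());
    }
}
```

The point to check in a review of such code is that no path calls InetAddress.getHostName() or InetSocketAddress.getHostName() on the peer: both can block on DNS and, on the client, would let an attacker-controlled PTR record pick which certificate name is accepted. With the IP literal passed through unchanged, the "connect by IP, certificate has iPAddress SAN" case succeeds regardless of whether a reverse lookup would have worked, and the "connect by IP, certificate has only dNSName SAN" case fails consistently.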