Posted to jira@kafka.apache.org by "James Zheng (JIRA)" <ji...@apache.org> on 2018/10/21 20:37:00 UTC

[jira] [Commented] (KAFKA-3700) CRL support

    [ https://issues.apache.org/jira/browse/KAFKA-3700?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16658376#comment-16658376 ] 

James Zheng commented on KAFKA-3700:
------------------------------------

I am using Kafka 0.11.0 and there is no such feature. I managed to use the native Java CRL JVM options and it works as expected. Since it is native Java, it should work with older versions of Kafka.
[https://tersesystems.com/blog/2014/03/22/fixing-certificate-revocation/]
Basically, I added this line before starting the broker:
{code:java}
java -Dcom.sun.security.enableCRLDP=true -Dcom.sun.net.ssl.checkRevocation=true
{code}
You have to set the kafka environment variable $KAFKA_OPTS="java -Dcom.sun.security.enableCRLDP=true -Dcom.sun.net.ssl.checkRevocation=true"

Obviously, the broker's trust store should contain the private certificate authority (PCA), and the PCA points to a location that has the *.crl file. I haven't tested performance yet.

> CRL support
> -----------
>
>                 Key: KAFKA-3700
>                 URL: https://issues.apache.org/jira/browse/KAFKA-3700
>             Project: Kafka
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.9.0.1
>            Reporter: Vincent Bernat
>            Priority: Major
>
> Hey!
> Currently, there is no way to specify a CRL to be checked when a client presents its TLS certificate. Therefore, a revoked certificate is accepted. A CRL can either be provided as a URL in a certificate, but with a private authority it is more common to have one as a separate file. A `ssl.crl.location` would come in handy to specify a CRL.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
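Added example, not code from the comment above or from Kafka itself: the file-based CRL the issue asks for can be enforced on the JVM side by building a PKIX trust manager with revocation enabled and the PCA's CRL loaded from disk, so the check does not depend on a CRL distribution point in the client certificate as the enableCRLDP route does. The truststore and CRL paths and the class name are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CRL;
import java.security.cert.X509CertSelector;
import java.util.Collections;
import java.util.EnumSet;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.TrustManagerFactory;

public class FileCrlTrust {
    // Hypothetical paths: the broker truststore holding the PCA, and the CRL the PCA publishes.
    static final String TRUSTSTORE = "/path/to/kafka.truststore.jks";
    static final String CRL_FILE = "/path/to/pca.crl";

    public static TrustManagerFactory build(char[] storePassword) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(TRUSTSTORE)) {
            trustStore.load(in, storePassword);
        }
        // Parse the PCA's CRL from a local file (DER or PEM), no network fetch involved.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509CRL crl;
        try (InputStream in = new FileInputStream(CRL_FILE)) {
            crl = (X509CRL) cf.generateCRL(in);
        }
        PKIXBuilderParameters pkix = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        // Expose the loaded CRL to the path validator through a collection CertStore.
        pkix.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(Collections.singleton(crl))));
        // Same effect as -Dcom.sun.net.ssl.checkRevocation=true, but scoped to this factory.
        pkix.setRevocationEnabled(true);
        // Use CRLs only: no OCSP attempt and no silent fallback, so an unknown status fails closed.
        PKIXRevocationChecker checker =
                (PKIXRevocationChecker) CertPathValidator.getInstance("PKIX").getRevocationChecker();
        checker.setOptions(EnumSet.of(PKIXRevocationChecker.Option.PREFER_CRLS,
                PKIXRevocationChecker.Option.NO_FALLBACK));
        pkix.addCertPathChecker(checker);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkix));
        return tmf;
    }
}
```

A client certificate listed in the CRL is rejected during the TLS handshake, and so is one whose status cannot be determined because the CRL is missing or expired; the CRL file must be refreshed before its nextUpdate time.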