You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@kafka.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2017/02/10 03:02:41 UTC
[jira] [Commented] (KAFKA-4525) Kafka should not require SSL trust
store password
[ https://issues.apache.org/jira/browse/KAFKA-4525?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15860596#comment-15860596 ]
ASF GitHub Bot commented on KAFKA-4525:
---------------------------------------
Github user asfgit closed the pull request at:
https://github.com/apache/kafka/pull/2246
> Kafka should not require SSL trust store password
> -------------------------------------------------
>
> Key: KAFKA-4525
> URL: https://issues.apache.org/jira/browse/KAFKA-4525
> Project: Kafka
> Issue Type: Bug
> Components: security
> Affects Versions: 0.9.0.0
> Reporter: Grant Henke
> Assignee: Grant Henke
>
> When configuring SSL for Kafka; If the truststore password is not set, Kafka fails to start with:
> {noformat}
> org.apache.kafka.common.KafkaException: SSL trust store is specified, but trust store password is not specified.
> at org.apache.kafka.common.security.ssl.SslFactory.createTruststore(SslFactory.java:195)
> at org.apache.kafka.common.security.ssl.SslFactory.configure(SslFactory.java:115)
> {noformat}
> The truststore password is not required for read operations. When reading the truststore the password is used as an integrity check but not required.
> The risk of not providing a password is that someone could add a certificate into the store which you do not want to trust. The store should be protected first by the OS permissions. The password is an additional protection.
> Though this risk of trusting the OS permissions is one many may not want to take, its not a decision that Kafka should enforce or require.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)