[jira] [Commented] (KAFKA-4525) Kafka should not require SSL trust store password

["ASF GitHub Bot (JIRA)" <ji...@apache.org>]

    [ https://issues.apache.org/jira/browse/KAFKA-4525?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15860596#comment-15860596 ] 

ASF GitHub Bot commented on KAFKA-4525:
---------------------------------------

Github user asfgit closed the pull request at:

    https://github.com/apache/kafka/pull/2246


> Kafka should not require SSL trust store password
> -------------------------------------------------
>
>                 Key: KAFKA-4525
>                 URL: https://issues.apache.org/jira/browse/KAFKA-4525
>             Project: Kafka
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.9.0.0
>            Reporter: Grant Henke
>            Assignee: Grant Henke
>
> When configuring SSL for Kafka; If the truststore password is not set, Kafka fails to start with:
> {noformat}
> org.apache.kafka.common.KafkaException: SSL trust store is specified, but trust store password is not specified.
> 	at org.apache.kafka.common.security.ssl.SslFactory.createTruststore(SslFactory.java:195)
> 	at org.apache.kafka.common.security.ssl.SslFactory.configure(SslFactory.java:115)
> {noformat}
> The truststore password is not required for read operations. When reading the truststore the password is used as an integrity check but not required. 
> The risk of not providing a password is that someone could add a certificate into the store which you do not want to trust. The store should be protected first by the OS permissions. The password is an additional protection.
> Though this risk of trusting the OS permissions is one many may not want to take, its not a decision that Kafka should enforce or require. 



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)