Posted to dev@kafka.apache.org by Rajini Sivaram <ra...@gmail.com> on 2018/05/09 15:28:55 UTC

[VOTE] KIP-294 - Enable TLS hostname verification by default

Hi all,

Since there have been no objections on this straightforward KIP, I would
like to initiate the voting process. KIP-294 proposes to use a secure
default value for endpoint identification when using SSL as the security
protocol. The KIP is here:

https://cwiki.apache.org/confluence/display/KAFKA/KIP-294+-+Enable+TLS+hostname+verification+by+default

If there are any concerns, please add them to this thread or the discussion
thread (https://www.mail-archive.com/dev@kafka.apache.org/msg87549.html)

Regards,

Rajini

Re: [VOTE] KIP-294 - Enable TLS hostname verification by default

Posted by Jun Rao <ju...@confluent.io>.
Hi, Rajini,

Thanks for the KIP. +1

Could you document in the wiki how to
set ssl.endpoint.identification.algorithm to empty in the server property
file and through dynamic config? It's not obvious how to do that.

Jun

On Wed, May 9, 2018 at 8:28 AM, Rajini Sivaram <ra...@gmail.com>
wrote:

> Hi all,
>
> Since there have been no objections on this straightforward KIP, I would
> like to initiate the voting process. KIP-294 proposes to use a secure
> default value for endpoint identification when using SSL as the security
> protocol. The KIP is here:
>
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-294+-+Enable+TLS+hostname+verification+by+default
>
> If there are any concerns, please add them to this thread or the discussion
> thread (https://www.mail-archive.com/dev@kafka.apache.org/msg87549.html)
>
> Regards,
>
> Rajini
>

Re: [VOTE] KIP-294 - Enable TLS hostname verification by default

Posted by Rajini Sivaram <ra...@gmail.com>.
The vote has passed with three binding (Jun, Ismael, me) and five
non-binding (Ted, Mickael, Manikumar, Edoardo, Jakub) votes. I will update
the KIP page.

Thanks everyone!

Regards,

Rajini

On Fri, May 11, 2018 at 2:28 PM, Rajini Sivaram <ra...@gmail.com>
wrote:

> Hi Jun,
>
> I have updated the KIP with examples on setting
> ssl.endpoint.identification.algorithm to an empty string. It turns out I had
> to update ConfigCommand to do this for dynamic configs; I have updated the PR
> as well.
>
> Thanks for pointing this out!
>
> Regards,
>
> Rajini
>
>
> On Fri, May 11, 2018 at 12:34 AM, Ismael Juma <is...@juma.me.uk> wrote:
>
>> Thanks for the KIP, +1 (binding) from me.
>>
>> Ismael
>>
>> On Wed, May 9, 2018 at 8:29 AM Rajini Sivaram <ra...@gmail.com>
>> wrote:
>>
>> > Hi all,
>> >
>> > Since there have been no objections on this straightforward KIP, I would
>> > like to initiate the voting process. KIP-294 proposes to use a secure
>> > default value for endpoint identification when using SSL as the security
>> > protocol. The KIP is here:
>> >
>> > https://cwiki.apache.org/confluence/display/KAFKA/KIP-294+-+Enable+TLS+hostname+verification+by+default
>> >
>> > If there are any concerns, please add them to this thread or the discussion
>> > thread (https://www.mail-archive.com/dev@kafka.apache.org/msg87549.html)
>> >
>> > Regards,
>> >
>> > Rajini
>> >
>>
>
>

Re: [VOTE] KIP-294 - Enable TLS hostname verification by default

Posted by Rajini Sivaram <ra...@gmail.com>.
Hi Jun,

I have updated the KIP with examples on setting
ssl.endpoint.identification.algorithm to an empty string. It turns out I had
to update ConfigCommand to do this for dynamic configs; I have updated the PR
as well.

Thanks for pointing this out!

Regards,

Rajini


On Fri, May 11, 2018 at 12:34 AM, Ismael Juma <is...@juma.me.uk> wrote:

> Thanks for the KIP, +1 (binding) from me.
>
> Ismael
>
> On Wed, May 9, 2018 at 8:29 AM Rajini Sivaram <ra...@gmail.com>
> wrote:
>
> > Hi all,
> >
> > Since there have been no objections on this straightforward KIP, I would
> > like to initiate the voting process. KIP-294 proposes to use a secure
> > default value for endpoint identification when using SSL as the security
> > protocol. The KIP is here:
> >
> > https://cwiki.apache.org/confluence/display/KAFKA/KIP-294+-+Enable+TLS+hostname+verification+by+default
> >
> > If there are any concerns, please add them to this thread or the discussion
> > thread (https://www.mail-archive.com/dev@kafka.apache.org/msg87549.html)
> >
> > Regards,
> >
> > Rajini
> >
>
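
Added example (not part of the original thread and not Kafka project code): a small audit that reports where ssl.endpoint.identification.algorithm has been set to an empty string in a broker properties file, including listener-prefixed keys. The sample file and its listener names are constructed, and an absent key is assumed to fall back to the secure default that the KIP proposes.

```python
KEY = "ssl.endpoint.identification.algorithm"

# Constructed sample; the listener names INTERNAL/EXTERNAL are hypothetical.
SAMPLE = """\
listeners=INTERNAL://:9092,EXTERNAL://:9093
# hostname verification switched off for one listener only
listener.name.internal.ssl.endpoint.identification.algorithm=
listener.name.external.ssl.endpoint.identification.algorithm = https
"""


def parse_properties(text):
    """Minimal .properties reader: 'key=value' or 'key:value', '#'/'!' comments.
    Line continuations and escapes are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        cut = next((i for i, ch in enumerate(line) if ch in "=:"), len(line))
        props[line[:cut].strip()] = line[cut + 1:].strip()
    return props


def audit(text):
    """Map each endpoint-identification key to 'https', 'disabled' or 'other:<v>'.
    A missing global key is 'default' (assumed: the secure default of KIP-294)."""
    findings = {}
    for key, value in parse_properties(text).items():
        if key == KEY or key.endswith("." + KEY):
            if value == "":
                findings[key] = "disabled"
            elif value.lower() == "https":
                findings[key] = "https"
            else:
                findings[key] = "other:" + value
    findings.setdefault(KEY, "default")
    return findings


def disabled_keys(text):
    """Keys where hostname verification has been explicitly turned off."""
    return sorted(k for k, v in audit(text).items() if v == "disabled")


if __name__ == "__main__":
    for key, status in sorted(audit(SAMPLE).items()):
        print(f"{status:9} {key}")
```
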

Re: [VOTE] KIP-294 - Enable TLS hostname verification by default

Posted by Ismael Juma <is...@juma.me.uk>.
Thanks for the KIP, +1 (binding) from me.

Ismael

On Wed, May 9, 2018 at 8:29 AM Rajini Sivaram <ra...@gmail.com>
wrote:

> Hi all,
>
> Since there have been no objections on this straightforward KIP, I would
> like to initiate the voting process. KIP-294 proposes to use a secure
> default value for endpoint identification when using SSL as the security
> protocol. The KIP is here:
>
>
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-294+-+Enable+TLS+hostname+verification+by+default
>
> If there are any concerns, please add them to this thread or the discussion
> thread (https://www.mail-archive.com/dev@kafka.apache.org/msg87549.html)
>
> Regards,
>
> Rajini
>

Re: [VOTE] KIP-294 - Enable TLS hostname verification by default

Posted by Jakub Scholz <ja...@scholz.cz>.
+1 (non-binding)

On Thu, May 10, 2018 at 11:24 AM, Edoardo Comar <ed...@gmail.com> wrote:

> +1 (non-binding)
>
> On 10 May 2018 at 09:36, Manikumar <ma...@gmail.com> wrote:
>
> > +1 (non-binding)
> >
> > Thanks.
> >
> > On Wed, May 9, 2018 at 10:09 PM, Mickael Maison <mi...@gmail.com>
> > wrote:
> >
> > > +1, thanks for the KIP!
> > >
> > > On Wed, May 9, 2018 at 4:41 PM, Ted Yu <yu...@gmail.com> wrote:
> > > > +1
> > > >
> > > > On Wed, May 9, 2018 at 8:28 AM, Rajini Sivaram <ra...@gmail.com>
> > > > wrote:
> > > >
> > > >> Hi all,
> > > >>
> > > >> Since there have been no objections on this straightforward KIP, I would
> > > >> like to initiate the voting process. KIP-294 proposes to use a secure
> > > >> default value for endpoint identification when using SSL as the security
> > > >> protocol. The KIP is here:
> > > >>
> > > >> https://cwiki.apache.org/confluence/display/KAFKA/KIP-294+-+Enable+TLS+hostname+verification+by+default
> > > >>
> > > >> If there are any concerns, please add them to this thread or the discussion
> > > >> thread (https://www.mail-archive.com/dev@kafka.apache.org/msg87549.html)
> > > >>
> > > >> Regards,
> > > >>
> > > >> Rajini
> > > >>
> > >
> >
>
>
>
> --
> "When the people fear their government, there is tyranny; when the
> government fears the people, there is liberty." [Thomas Jefferson]
>

Re: [VOTE] KIP-294 - Enable TLS hostname verification by default

Posted by Edoardo Comar <ed...@gmail.com>.
+1 (non-binding)

On 10 May 2018 at 09:36, Manikumar <ma...@gmail.com> wrote:

> +1 (non-binding)
>
> Thanks.
>
> On Wed, May 9, 2018 at 10:09 PM, Mickael Maison <mi...@gmail.com>
> wrote:
>
> > +1, thanks for the KIP!
> >
> > On Wed, May 9, 2018 at 4:41 PM, Ted Yu <yu...@gmail.com> wrote:
> > > +1
> > >
> > > On Wed, May 9, 2018 at 8:28 AM, Rajini Sivaram <ra...@gmail.com>
> > > wrote:
> > >
> > >> Hi all,
> > >>
> > >> Since there have been no objections on this straightforward KIP, I would
> > >> like to initiate the voting process. KIP-294 proposes to use a secure
> > >> default value for endpoint identification when using SSL as the security
> > >> protocol. The KIP is here:
> > >>
> > >> https://cwiki.apache.org/confluence/display/KAFKA/KIP-294+-+Enable+TLS+hostname+verification+by+default
> > >>
> > >> If there are any concerns, please add them to this thread or the discussion
> > >> thread (https://www.mail-archive.com/dev@kafka.apache.org/msg87549.html)
> > >>
> > >> Regards,
> > >>
> > >> Rajini
> > >>
> >
>



-- 
"When the people fear their government, there is tyranny; when the
government fears the people, there is liberty." [Thomas Jefferson]

Re: [VOTE] KIP-294 - Enable TLS hostname verification by default

Posted by Manikumar <ma...@gmail.com>.
+1 (non-binding)

Thanks.

On Wed, May 9, 2018 at 10:09 PM, Mickael Maison <mi...@gmail.com>
wrote:

> +1, thanks for the KIP!
>
> On Wed, May 9, 2018 at 4:41 PM, Ted Yu <yu...@gmail.com> wrote:
> > +1
> >
> > On Wed, May 9, 2018 at 8:28 AM, Rajini Sivaram <ra...@gmail.com>
> > wrote:
> >
> >> Hi all,
> >>
> >> Since there have been no objections on this straightforward KIP, I would
> >> like to initiate the voting process. KIP-294 proposes to use a secure
> >> default value for endpoint identification when using SSL as the security
> >> protocol. The KIP is here:
> >>
> >> https://cwiki.apache.org/confluence/display/KAFKA/KIP-294+-+Enable+TLS+hostname+verification+by+default
> >>
> >> If there are any concerns, please add them to this thread or the discussion
> >> thread (https://www.mail-archive.com/dev@kafka.apache.org/msg87549.html)
> >>
> >> Regards,
> >>
> >> Rajini
> >>
>

Re: [VOTE] KIP-294 - Enable TLS hostname verification by default

Posted by Mickael Maison <mi...@gmail.com>.
+1, thanks for the KIP!

On Wed, May 9, 2018 at 4:41 PM, Ted Yu <yu...@gmail.com> wrote:
> +1
>
> On Wed, May 9, 2018 at 8:28 AM, Rajini Sivaram <ra...@gmail.com>
> wrote:
>
>> Hi all,
>>
>> Since there have been no objections on this straightforward KIP, I would
>> like to initiate the voting process. KIP-294 proposes to use a secure
>> default value for endpoint identification when using SSL as the security
>> protocol. The KIP is here:
>>
>> https://cwiki.apache.org/confluence/display/KAFKA/KIP-294+-+Enable+TLS+hostname+verification+by+default
>>
>> If there are any concerns, please add them to this thread or the discussion
>> thread (https://www.mail-archive.com/dev@kafka.apache.org/msg87549.html)
>>
>> Regards,
>>
>> Rajini
>>

Re: [VOTE] KIP-294 - Enable TLS hostname verification by default

Posted by Ted Yu <yu...@gmail.com>.
+1

On Wed, May 9, 2018 at 8:28 AM, Rajini Sivaram <ra...@gmail.com>
wrote:

> Hi all,
>
> Since there have been no objections on this straightforward KIP, I would
> like to initiate the voting process. KIP-294 proposes to use a secure
> default value for endpoint identification when using SSL as the security
> protocol. The KIP is here:
>
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-294+-+Enable+TLS+hostname+verification+by+default
>
> If there are any concerns, please add them to this thread or the discussion
> thread (https://www.mail-archive.com/dev@kafka.apache.org/msg87549.html)
>
> Regards,
>
> Rajini
>