Posted to users@kafka.apache.org by Gérald Quintana <ge...@gmail.com> on 2020/07/09 06:07:15 UTC

ssl.endpoint.identification.algorithm and performance

Hello,

We noticed that by setting ssl.endpoint.identification.algorithm to empty (on
both client and broker side) we got a big performance improvement in terms
of throughput. As far as I understand, this is related to the SSL
connection doing a DNS lookup to check that the host matches the
certificate.

The root cause was a networking issue after enabling
ssl.endpoint.identification.algorithm=https. Too many DNS requests were
made and they were too expensive.
We are using 1-way SSL (no SSL client auth) with Kafka 2.4 still on Java 8
:'(

Why are so many DNS requests being made? Is there no DNS caching?
Is it possible to have both security (ssl.endpoint.identification.algorithm
enabled) and performance?

Regards,
Gérald
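
What the `https` value asks the TLS layer to check, as an added example that is not part of the original post: an RFC 2818-style comparison of the name the client connected with against the names in the broker certificate. The matching is a simplified sketch (wildcard only as the whole leftmost label), not the JVM's implementation; the function names and certificate contents are constructed.

```python
import ipaddress

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def _dns_match(pattern, host):
    """Match one dNSName entry; '*' is honoured only as the whole leftmost label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Refuse wildcards that would cover a whole suffix such as "*.com".
        if len(p_labels) < 3:
            return False
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def verify_endpoint(connect_name, san_dns=(), san_ip=(), common_name=None):
    """Return True if the name the client dialled is covered by the certificate."""
    if _is_ip(connect_name):
        # An IP literal matches only iPAddress SAN entries, never a dNSName.
        target = ipaddress.ip_address(connect_name)
        return any(ipaddress.ip_address(ip) == target for ip in san_ip)
    if san_dns:
        # When dNSName entries exist, the CN is ignored (RFC 2818 section 3.1).
        return any(_dns_match(p, connect_name) for p in san_dns)
    return common_name is not None and _dns_match(common_name, connect_name)

# Constructed certificate contents for a hypothetical broker.
CERT = {"san_dns": ["broker1.kafka.example.com", "*.kafka.example.com"],
        "san_ip": ["10.0.0.11"], "common_name": "legacy-cn.example.com"}

if __name__ == "__main__":
    for name in ["broker2.kafka.example.com", "10.0.0.11", "10.0.0.12",
                 "legacy-cn.example.com", "other.example.com"]:
        print(name, verify_endpoint(name, **CERT))
```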