Posted to users@kafka.apache.org by "M. Manna" <ma...@gmail.com> on 2017/08/09 16:30:37 UTC

Hostname verification details for TLS implementation

Hello,

I have my test/development certificates created with X509 request extensions,
and the SAN names cover:

DNS.1 localhost
DNS.2 *.testsystem.net


To make things more practical, I have used the advertised.listeners and
listeners to ONLY SSL://localhost:9093.

I have verified the certificates and can also confirm that with the
following settings I can do some basic console producer/consumer test and
see data received:

security.inter.broker.protocol=SSL
ssl.keystore.location=/kafka_2.10-0.10.2.1/keys/kafka_server_keys.jks
ssl.keystore.password=youwish
ssl.key.password=youwish
ssl.truststore.location=/kafka_2.10-0.10.2.1/keys/kafka_truststore
ssl.truststore.password=youwish
ssl.endpoint.identification.algorithm=HTTPS
ssl.secure.random.implementation=SHA1PRNG
ssl.client.auth=required


Since I have got a wildcard DNS name in the SAN, would I be able to use the same
certificates for my brokers in a test environment where they have FQDNs such as:

host1.testsystem.net
host2.testsystem.net

In other words, if the clients do full hostname verification, will this be
accepted? I haven't managed to check the source file yet.

I hope I have set it up correctly, as suggested in the RFC:
https://tools.ietf.org/html/rfc2818#section-3.1

Kindest Regards,
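As an added example, not from the post above or from Kafka itself: the wildcard matching rule a TLS client applies when `ssl.endpoint.identification.algorithm=HTTPS` is set, checked against the two SAN entries from the post. It follows RFC 2818 section 3.1 with the stricter rule modern verifiers (including the JDK) also apply, that a wildcard is only honoured in the leftmost label and never spans a dot; `match_hostname` and `check` are names chosen here, not Kafka or JDK APIs.

```python
"""Hostname verification against subjectAltName DNS entries (added example)."""
import re


def _label_matches(pattern: str, label: str) -> bool:
    """Match one DNS label against a pattern label that may contain '*'.

    RFC 2818 3.1: '*' matches any single name component or fragment,
    so 'host*' matches 'host1' and '*' matches 'host1'.
    """
    if "*" not in pattern:
        return pattern == label
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, label) is not None


def match_hostname(san_dns_names, hostname: str) -> bool:
    """Return True if hostname is covered by one of the SAN DNS names.

    Comparison is case-insensitive and ignores a trailing dot. A wildcard is
    honoured only in the leftmost label and never matches across a dot, so
    '*.testsystem.net' covers 'host1.testsystem.net' but neither
    'testsystem.net' nor 'sub.host1.testsystem.net'.
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in san_dns_names:
        pat_labels = name.lower().rstrip(".").split(".")
        # Label counts must agree, since '*' never spans a dot.
        if len(pat_labels) != len(host_labels):
            continue
        # Reject wildcards anywhere but the leftmost label.
        if any("*" in lbl for lbl in pat_labels[1:]):
            continue
        if all(_label_matches(p, h) for p, h in zip(pat_labels, host_labels)):
            return True
    return False


# The two SAN DNS entries from the certificate described in the post.
SAN_DNS_NAMES = ["localhost", "*.testsystem.net"]


def check(hostname: str) -> bool:
    """Would a verifying client accept this broker hostname for that cert?"""
    return match_hostname(SAN_DNS_NAMES, hostname)


if __name__ == "__main__":
    for h in ["host1.testsystem.net", "testsystem.net", "a.host1.testsystem.net"]:
        print(f"{h}: {'accepted' if check(h) else 'rejected'}")
```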