Posted to users@kafka.apache.org by "M. Manna" <ma...@gmail.com> on 2017/08/09 16:30:37 UTC
Hostname verification details for TLS implementation
Hello,
I have my test/development certificates created with X509 request extensions,
and the SAN names cover:
DNS.1 localhost
DNS.2 *.testsystem.net
To make things more practical, I have used the advertised.listeners and
listeners to ONLY SSL://localhost:9093.
I have verified the certificates and can also confirm that with the
following settings I can do some basic console producer/consumer tests and
see data received:
security.inter.broker.protocol=SSL
ssl.keystore.location=/kafka_2.10-0.10.2.1/keys/kafka_server_keys.jks
ssl.keystore.password=youwish
ssl.key.password=youwish
ssl.truststore.location=/kafka_2.10-0.10.2.1/keys/kafka_truststore
ssl.truststore.password=youwish
ssl.endpoint.identification.algorithm=HTTPS
ssl.secure.random.implementation=SHA1PRNG
ssl.client.auth=required
Since I have got a wildcard DNS name in SAN would I be able to use the same
certificates for my brokers in test environment where they have FQDN as:
host1.testsystem.net
host2.testsystem.net
In other words, if the clients do full hostname verification, will this be
accepted? I haven't managed to check the source file yet.
I hope I have set it up correctly, as suggested in the RFC:
https://tools.ietf.org/html/rfc2818#section-3.1
Kindest Regards,
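The following is an added example, not part of the original post and not Kafka's own code. Kafka passes the `HTTPS` value of ssl.endpoint.identification.algorithm to the JDK's SSLParameters, so the real check is the JDK's hostname verifier; the Python below models the dNSName wildcard rules of RFC 2818 section 3.1 (the section cited above) with the RFC 6125 refinement that a wildcard is honoured only in the left-most label, and runs the names from the post against a constructed SAN list that mirrors the one described (DNS.1 localhost, DNS.2 *.testsystem.net). The function names, the SAN list and the requirement that a wildcard match at least one character are this example's own choices.

```python
"""Added example: model of RFC 2818 / RFC 6125 hostname verification against a
certificate's subjectAltName list. Not Kafka's code; the JDK does the real
check when ssl.endpoint.identification.algorithm=HTTPS is set."""
import ipaddress

# Constructed SAN list mirroring the post: DNS.1 localhost, DNS.2 *.testsystem.net
POST_SAN = [("DNS", "localhost"), ("DNS", "*.testsystem.net")]


def _normalize(name: str) -> str:
    # DNS names compare case-insensitively and a trailing dot is insignificant.
    return name.lower().rstrip(".")


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """True if a dNSName SAN value (possibly containing '*') matches hostname."""
    pattern, hostname = _normalize(pattern), _normalize(hostname)
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Exactly one wildcard, and only in the left-most label (RFC 6125 6.4.3).
    if pattern.count("*") != 1 or "*" not in p_labels[0]:
        return False
    # A wildcard never spans a dot: label counts must agree and every label to
    # the right of the wildcard label must match exactly. This is why
    # *.testsystem.net matches host1.testsystem.net but not testsystem.net or
    # a.host1.testsystem.net.
    if len(p_labels) != len(h_labels) or p_labels[1:] != h_labels[1:]:
        return False
    # RFC 2818 also allows "f*.com"-style partial-label wildcards: '*' stands
    # for a run of characters inside that one label. Requiring at least one
    # character is this example's own (conservative) choice.
    prefix, suffix = p_labels[0].split("*")
    first = h_labels[0]
    if len(first) <= len(prefix) + len(suffix):
        return False
    return first.startswith(prefix) and first.endswith(suffix)


def hostname_verified(hostname: str, san_entries) -> bool:
    """Emulate endpoint identification: an IP literal must equal an iPAddress
    SAN entry (wildcards never apply to IPs); any other name is matched only
    against dNSName entries."""
    try:
        ip = ipaddress.ip_address(hostname.strip("[]"))
    except ValueError:
        ip = None
    if ip is not None:
        return any(kind == "IP" and ipaddress.ip_address(value) == ip
                   for kind, value in san_entries)
    return any(kind == "DNS" and dns_name_matches(value, hostname)
               for kind, value in san_entries)


def check_post_hosts():
    """Run the names from the post, plus a few edge cases, against POST_SAN."""
    hosts = ["localhost", "host1.testsystem.net", "host2.testsystem.net",
             "testsystem.net", "sub.host1.testsystem.net", "127.0.0.1"]
    return {h: hostname_verified(h, POST_SAN) for h in hosts}


if __name__ == "__main__":
    for host, ok in check_post_hosts().items():
        print(f"{host:28s} {'accepted' if ok else 'REJECTED'}")
```

Two practical consequences fall out of the model: the same certificate is fine for host1.testsystem.net and host2.testsystem.net, but a client that connects to 127.0.0.1 (or to a deeper name such as a.host1.testsystem.net) will fail verification unless the SAN also carries an iPAddress entry or an exact dNSName for that host, and with security.inter.broker.protocol=SSL the brokers themselves are clients of each other, so the advertised listener name must satisfy the same check.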