Posted to dev@kafka.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2017/06/06 11:37:18 UTC

[jira] [Commented] (KAFKA-5051) Avoid DNS reverse lookup in security-critical TLS code path

    [ https://issues.apache.org/jira/browse/KAFKA-5051?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16038680#comment-16038680 ] 

ASF GitHub Bot commented on KAFKA-5051:
---------------------------------------

GitHub user asfgit closed the pull request at:

    https://github.com/apache/kafka/pull/2835


> Avoid DNS reverse lookup in security-critical TLS code path
> -----------------------------------------------------------
>
>                 Key: KAFKA-5051
>                 URL: https://issues.apache.org/jira/browse/KAFKA-5051
>             Project: Kafka
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.10.2.0
>            Reporter: Rajini Sivaram
>            Assignee: Rajini Sivaram
>             Fix For: 0.11.0.0, 0.11.1.0
>
>
> At the moment SSL engine is created using the hostname obtained using {{InetAddress#getHostName}} which performs unnecessary reverse DNS lookups.
> h2.Scenarios:
> h3. Server-side
> h4. Scenario: Server accepts connection from a client
> Broker knows only client IP address. At the moment broker does a reverse lookup. This is unnecessary since the server does not verify or use client hostname. It can block the network thread for several seconds in some configurations. The IP address should be used directly.
> h3. Client-side
> h4. Scenario: Client connects to server using hostname
> No lookup is necessary and the hostname is used to create the SSL engine. This hostname is validated against the hostname in SubjectAltName (dns) or CommonName in the certificate if hostname verification is enabled. Authentication fails if hostname does not match. This is handled correctly in the current code.
> h4. Scenario: Client connects to server using IP address, but certificate contains only SubjectAltName (dns)
> The current code does hostname verification using the hostname obtained through reverse name lookup. But use of reverse DNS lookup to determine hostname introduces a security vulnerability since authentication would be reliant on a secure DNS. Hence hostname verification should fail in this case. 
> h4. Scenario: Client connects to server using IP address and certificate contains SubjectAltName (ipaddress).
> This could be used when Kafka is on a private network. The current code uses reverse DNS lookup to determine hostname. If reverse lookup succeeds, authentication fails since the hostname is matched against the IP address in the certificate. But if reverse lookup fails, SSL engine is created with the IP address and authentication succeeds. For consistency and to avoid dependency on a potentially insecure DNS, reverse DNS lookup should be avoided and the IP address specified by the client for connection should be used to create the SSL engine.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
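
The scenarios in the issue description, as an added Java example that is not code from Kafka or from the pull request: it creates SSL engines from the address the caller supplied, without calling `InetAddress#getHostName`. The class name, method names, the address `192.0.2.10` and the host `broker.example.test` are constructed for illustration.

```java
import java.net.InetAddress;
import java.net.InetSocketAddress;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class PeerHostExample {

    // Client side: pass the host string the caller configured, unchanged.
    // getHostString() returns the hostname or the IP literal the address was
    // created with and never performs a reverse lookup, unlike getHostName().
    static SSLEngine clientEngine(SSLContext ctx, InetSocketAddress server) {
        SSLEngine engine = ctx.createSSLEngine(server.getHostString(), server.getPort());
        engine.setUseClientMode(true);
        // Enable hostname verification. With an IP literal as the peer host,
        // the JDK check compares against iPAddress SubjectAltName entries, so
        // a certificate carrying only dNSName entries fails verification.
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    // Server side: the broker only knows the client's IP address and does not
    // verify the client hostname, so the textual IP is enough. getHostAddress()
    // does no DNS query and cannot block the network thread.
    static SSLEngine serverEngine(SSLContext ctx, InetAddress client, int port) {
        SSLEngine engine = ctx.createSSLEngine(client.getHostAddress(), port);
        engine.setUseClientMode(false);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();

        // Constructed sample addresses; neither triggers a DNS query.
        InetAddress ip = InetAddress.getByAddress(new byte[] {(byte) 192, 0, 2, 10});
        InetSocketAddress byIp = new InetSocketAddress(ip, 9093);
        InetSocketAddress byName =
                InetSocketAddress.createUnresolved("broker.example.test", 9093);

        System.out.println("client, by IP:   " + clientEngine(ctx, byIp).getPeerHost());
        System.out.println("client, by name: " + clientEngine(ctx, byName).getPeerHost());
        System.out.println("server, peer:    " + serverEngine(ctx, ip, 50000).getPeerHost());
    }
}
```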