geniusjoe opened a new pull request, #371: URL: https://github.com/apache/flume/pull/371
## issue links

[FLUME-3391](https://issues.apache.org/jira/browse/FLUME-3391?jql=text%20~%20%22ssl.endpoint.identification.algorithm%22)
[FLUME-3315](https://issues.apache.org/jira/browse/FLUME-3315?jql=text%20~%20%22ssl.endpoint.identification.algorithm%22)

## steps to reproduce

- using kafka as source
- set transmit protocol like `a1.sources.kafka_source.kafka.consumer.security.protocol=SASL_SSL` to use ssl security layer
- set bootstrap servers like `a1.sources.kafka_source.kafka.bootstrap.servers=172.16.0.1:9092` to use direct `ip:port` format instead of domain name

First start the flume program; the output shows that `ssl.endpoint.identification.algorithm` enables the `https` verification feature.

Then flume will fail when handshaking with the kafka broker due to the [FQDN](https://en.wikipedia.org/wiki/Fully_qualified_domain_name) check.

## reasons

Kafka changed the `ssl.endpoint.identification.algorithm` default value to `https` since [kafka client 2.0+](https://kafka.apache.org/documentation/#upgrade_200_notable), so the kafka client always checks the FQDN.

> The default value for ssl.endpoint.identification.algorithm was changed to https, which performs hostname verification (man-in-the-middle attacks are possible otherwise). Set ssl.endpoint.identification.algorithm to an empty string to restore the previous behaviour.

`ssl.endpoint.identification.algorithm` needs to be set to an empty string to prevent the FQDN check. But according to [FLUME-3391](https://issues.apache.org/jira/browse/FLUME-3391?jql=text%20~%20%22ssl.endpoint.identification.algorithm%22), one cannot do this because flume has an empty value config validation. Besides, the default hostname verification should not be activated according to the [flume document](https://flume.apache.org/FlumeUserGuide.html#kafka-source).

> Note: By default the property ssl.endpoint.identification.algorithm is not defined, so hostname verification is not performed. In order to enable hostname verification, set the following properties.

## how to fix

Try to check if the user set a `ssl.endpoint.identification.algorithm` value. If not, add an empty string as its value.
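
An added example, not part of the pull request or of Flume's code: a small audit over a Flume properties file that reports Kafka sources on `SSL`/`SASL_SSL` where hostname verification ends up disabled, and sources that keep verification on while listing `ip:port` bootstrap servers (the combination the reproduction steps above describe). The full key `kafka.consumer.ssl.endpoint.identification.algorithm`, the `unset_means_empty` switch (which models the defaulting proposed here), the finding labels and the sample config are assumptions made for the illustration.

```python
import ipaddress
import re

# Constructed sample config; the first source mirrors the keys quoted in the PR.
SAMPLE = """\
a1.sources.kafka_source.kafka.bootstrap.servers=172.16.0.1:9092
a1.sources.kafka_source.kafka.consumer.security.protocol=SASL_SSL
a1.sources.verified.kafka.bootstrap.servers=172.16.0.2:9093,broker1.example.internal:9093
a1.sources.verified.kafka.consumer.security.protocol=SSL
a1.sources.verified.kafka.consumer.ssl.endpoint.identification.algorithm=https
a1.sources.plain.kafka.bootstrap.servers=broker1.example.internal:9092
"""

KEY = re.compile(r"^(\w+)\.sources\.(\w+)\.kafka\.(.+)$")

def parse(text):
    """Group kafka.* settings by '<agent>.<source>'; comment lines never match KEY."""
    sources = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        m = KEY.match(key.strip())
        if sep and m:
            sources.setdefault(f"{m.group(1)}.{m.group(2)}", {})[m.group(3)] = value.strip()
    return sources

def is_ip(host_port):
    """True when the host part of 'host:port' is an IP literal rather than a name."""
    host = host_port.strip().rsplit(":", 1)[0].strip("[]")
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit(text, unset_means_empty=True):
    """Return (source, finding) pairs for TLS-enabled Kafka sources."""
    findings = []
    for name, cfg in sorted(parse(text).items()):
        if cfg.get("consumer.security.protocol", "PLAINTEXT").upper() not in ("SSL", "SASL_SSL"):
            continue  # no TLS layer, so the setting has no effect
        algo = cfg.get("consumer.ssl.endpoint.identification.algorithm")
        if algo is None:  # unset: empty under the proposed default, https under the Kafka 2.0+ default
            algo = "" if unset_means_empty else "https"
        if algo == "":
            findings.append((name, "hostname-verification-off"))
        elif any(is_ip(s) for s in cfg.get("bootstrap.servers", "").split(",") if s.strip()):
            findings.append((name, "ip-bootstrap-with-verification"))
    return findings
```

Calling `audit` with `unset_means_empty=False` shows how the same file is read when the Kafka client default of `https` applies to an unset property.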