geniusjoe opened a new pull request, #382: URL: https://github.com/apache/flume/pull/382
## previous pr

Because the previous PR #371 is out of date, I fetched the latest branch commit and committed again.

## issue links

- [FLUME-3391](https://issues.apache.org/jira/browse/FLUME-3391?jql=text%20~%20%22ssl.endpoint.identification.algorithm%22) (duplicated)
- [FLUME-3315](https://issues.apache.org/jira/browse/FLUME-3315?jql=text%20~%20%22ssl.endpoint.identification.algorithm%22)

## steps to reproduce

- use kafka as the source
- set the transmit protocol like `a1.sources.kafka_source.kafka.consumer.security.protocol=SASL_SSL` to use the SSL security layer
- set the bootstrap servers like `a1.sources.kafka_source.kafka.bootstrap.servers=172.16.0.1:9092` to use the direct `ip:port` format instead of a domain name

First start the flume program; the output shows that `ssl.endpoint.identification.algorithm` enables the `https` verification feature. Then flume will fail when it handshakes with the kafka broker due to the [FQDN](https://en.wikipedia.org/wiki/Fully_qualified_domain_name) check.

## reasons

Kafka changed the `ssl.endpoint.identification.algorithm` default value to `https` since [kafka client 2.0+](https://kafka.apache.org/documentation/#upgrade_200_notable), so the kafka client always checks the FQDN.

> The default value for ssl.endpoint.identification.algorithm was changed to https, which performs hostname verification (man-in-the-middle attacks are possible otherwise). Set ssl.endpoint.identification.algorithm to an empty string to restore the previous behaviour.

It needs `ssl.endpoint.identification.algorithm` set to an empty string to prevent the FQDN check. But according to [FLUME-3391](https://issues.apache.org/jira/browse/FLUME-3391?jql=text%20~%20%22ssl.endpoint.identification.algorithm%22), one cannot do this because flume has an empty-value config validation. Besides, the default hostname verification should not be activated according to the [flume document](https://flume.apache.org/FlumeUserGuide.html#kafka-source).

> Note: By default the property ssl.endpoint.identification.algorithm is not defined, so hostname verification is not performed. In order to enable hostname verification, set the following properties.

## how to fix

We need to add the following property instead of straightforwardly setting `ssl.endpoint.identification.algorithm` to an empty string.

`a1.sources.source1.kafka.consumer.ssl.disableTLSHostnameVerification = true`
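The property mapping described in the PR, as an added example that is not part of the PR or of Flume's code: a hypothetical helper that strips the Flume prefix, turns the proposed boolean flag into `ssl.endpoint.identification.algorithm=""`, reproduces the empty-value validation that blocks setting that key directly, and flags a consumer config that runs over TLS with the FQDN check switched off (all property names are taken from the PR text; the helper names are assumptions).

```python
# Added illustration of the mapping proposed in the PR; hypothetical helper
# code, not Flume's implementation. The validation mimics the empty-value
# rejection reported in FLUME-3391.
KAFKA_PREFIX = "kafka.consumer."
BOOTSTRAP_KEY = "kafka.bootstrap.servers"
DISABLE_FLAG = "ssl.disableTLSHostnameVerification"
ENDPOINT_ALG = "ssl.endpoint.identification.algorithm"

def validate_flume_context(flume_props):
    """Reject empty values as Flume's config validation does; this is why
    kafka.consumer.ssl.endpoint.identification.algorithm= cannot be used."""
    for key, value in flume_props.items():
        if value.strip() == "":
            raise ValueError(f"empty value is not allowed for {key}")

def build_consumer_config(flume_props):
    """Strip the Flume prefix and translate the boolean flag into the Kafka
    client property (empty string = no hostname verification)."""
    validate_flume_context(flume_props)
    consumer = {}
    for key, value in flume_props.items():
        if key == BOOTSTRAP_KEY:
            consumer["bootstrap.servers"] = value
        elif key.startswith(KAFKA_PREFIX):
            consumer[key[len(KAFKA_PREFIX):]] = value
    disable = consumer.pop(DISABLE_FLAG, "false").strip().lower() == "true"
    if disable:
        consumer[ENDPOINT_ALG] = ""  # restores the pre-2.0 client behaviour
    return consumer

def hostname_verification_enabled(consumer_config):
    """Kafka client 2.0+ defaults the algorithm to 'https' when it is unset."""
    return consumer_config.get(ENDPOINT_ALG, "https") != ""

def tls_without_hostname_check(consumer_config):
    """Audit check: TLS in use but the FQDN check is off, the case the Kafka
    upgrade note describes as exposed to man-in-the-middle attacks."""
    protocol = consumer_config.get("security.protocol", "PLAINTEXT")
    return protocol.endswith("SSL") and not hostname_verification_enabled(consumer_config)

# Constructed sample matching the PR's reproduction steps (ip:port bootstrap).
SAMPLE_FLUME_PROPS = {
    BOOTSTRAP_KEY: "172.16.0.1:9092",
    "kafka.consumer.security.protocol": "SASL_SSL",
    KAFKA_PREFIX + DISABLE_FLAG: "true",
}
```

Running `tls_without_hostname_check(build_consumer_config(SAMPLE_FLUME_PROPS))` returns True, which is the condition a config review should surface when the flag is used against an `ip:port` broker.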