Rajini Sivaram created KAFKA-14770:
--------------------------------------
Summary: Allow dynamic keystore update for brokers if string
representation of DN matches even if canonical DNs don't match
Key: KAFKA-14770
URL: https://issues.apache.org/jira/browse/KAFKA-14770
Project: Kafka
Issue Type: Improvement
Components: security
Reporter: Rajini Sivaram
Assignee: Rajini Sivaram
Fix For: 3.5.0
To avoid mistakes during dynamic broker config updates that could potentially
affect clients, we restrict the changes that can be performed dynamically without
a broker restart. For broker keystore updates, we require the DN to be the same
for the old and new certificates, since it could potentially contain host
names used for host name verification by clients. DNs are compared using the
standard Java implementation of X500Principal.equals(), which compares canonical
names. If the tags of fields change from one with a printable string representation
to one without, or vice versa, the canonical name check fails even though the actual
name is the same, since the canonical representation converts to hex for some tags
only. We can relax the verification to allow dynamic updates in this case by
enabling the dynamic update if either the canonical name or the RFC2253 string
representation of the DN matches.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
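The following is an added, stand-alone example and not code from Kafka or from the ticket's fix. It reproduces the comparison behaviour the ticket describes by building three single-RDN subject names ("CN=broker1.example.com") whose CN value is DER-encoded with different ASN.1 string tags (PrintableString, UTF8String and, as the non-printable case, T61String), then comparing them with X500Principal.equals() (canonical form) and with the relaxed "canonical or RFC2253 string" check. Per the X500Principal.getName() Javadoc, the canonical form hex-encodes DirectoryString values whose tag is neither PrintableString nor UTF8String, so the T61String pair fails equals() while its RFC2253 strings agree. The hand-rolled DER builder, the class and method names, and the host names are assumptions made for this illustration.

```java
import javax.security.auth.x500.X500Principal;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;

public class DnTagCompareDemo {

    // ASN.1 universal tags for the DirectoryString choices compared here.
    static final int TAG_PRINTABLE_STRING = 0x13;
    static final int TAG_UTF8_STRING = 0x0C;
    static final int TAG_T61_STRING = 0x14;   // TeletexString, a non-printable DirectoryString choice

    // Short-form DER TLV encoder (illustrative helper; all contents here are under 128 bytes).
    static byte[] tlv(int tag, byte[] content) {
        if (content.length > 127) {
            throw new IllegalArgumentException("short-form DER length only");
        }
        byte[] out = new byte[content.length + 2];
        out[0] = (byte) tag;
        out[1] = (byte) content.length;
        System.arraycopy(content, 0, out, 2, content.length);
        return out;
    }

    static byte[] concat(byte[]... parts) {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        for (byte[] p : parts) {
            bos.write(p, 0, p.length);
        }
        return bos.toByteArray();
    }

    // Name ::= SEQUENCE OF RelativeDistinguishedName
    // RelativeDistinguishedName ::= SET OF AttributeTypeAndValue
    // AttributeTypeAndValue ::= SEQUENCE { type OBJECT IDENTIFIER, value ANY }
    // Builds the one-RDN name "CN=<cn>" with the CN value carrying the requested string tag.
    static X500Principal cnWithTag(String cn, int stringTag) {
        byte[] oidCommonName = tlv(0x06, new byte[] {0x55, 0x04, 0x03}); // OID 2.5.4.3 (commonName)
        byte[] value = tlv(stringTag, cn.getBytes(StandardCharsets.US_ASCII));
        byte[] atv = tlv(0x30, concat(oidCommonName, value));
        byte[] rdn = tlv(0x31, atv);
        byte[] name = tlv(0x30, rdn);
        return new X500Principal(name);
    }

    // Strict check: X500Principal.equals(), which compares the CANONICAL names.
    static boolean canonicalMatches(X500Principal oldDn, X500Principal newDn) {
        return oldDn.equals(newDn);
    }

    // Relaxed check described in the ticket: accept the new keystore entry if either
    // the canonical form or the RFC2253 string form of the subject DN matches.
    static boolean dnCompatible(X500Principal oldDn, X500Principal newDn) {
        return oldDn.equals(newDn)
            || oldDn.getName(X500Principal.RFC2253).equals(newDn.getName(X500Principal.RFC2253));
    }

    static void report(String label, X500Principal oldDn, X500Principal newDn) {
        System.out.println(label);
        System.out.println("  old CANONICAL: " + oldDn.getName(X500Principal.CANONICAL));
        System.out.println("  new CANONICAL: " + newDn.getName(X500Principal.CANONICAL));
        System.out.println("  old RFC2253:   " + oldDn.getName(X500Principal.RFC2253));
        System.out.println("  new RFC2253:   " + newDn.getName(X500Principal.RFC2253));
        System.out.println("  equals():      " + canonicalMatches(oldDn, newDn));
        System.out.println("  relaxed check: " + dnCompatible(oldDn, newDn));
    }

    public static void main(String[] args) {
        String host = "broker1.example.com"; // constructed sample host name
        X500Principal printable = cnWithTag(host, TAG_PRINTABLE_STRING);
        X500Principal utf8 = cnWithTag(host, TAG_UTF8_STRING);
        X500Principal t61 = cnWithTag(host, TAG_T61_STRING);
        X500Principal otherHost = cnWithTag("broker2.example.com", TAG_PRINTABLE_STRING);

        // Same name, both tags are kept as text in canonical form: both checks pass.
        report("PrintableString -> UTF8String", printable, utf8);
        // Same name, but canonical form hex-encodes the T61String value: only the relaxed check passes.
        report("PrintableString -> T61String", printable, t61);
        // Genuinely different host name: neither check passes, so the update is still rejected.
        report("different host name", printable, otherHost);
    }
}
```

The third case is the one that matters for safety: relaxing to the RFC2253 string comparison still rejects a certificate whose subject actually names a different host, so clients relying on the CN for host name verification are not exposed by the relaxed check.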