Eike Thaden created KAFKA-15273:
-----------------------------------

Summary: Log common name of expired client certificate
Key: KAFKA-15273
URL: https://issues.apache.org/jira/browse/KAFKA-15273
Project: Kafka
Issue Type: Improvement
Components: clients, core, security
Affects Versions: 3.6.0
Reporter: Eike Thaden
Assignee: Eike Thaden
If a client tries to authenticate via mTLS with an expired certificate, the connection is closed and the IP address of the connection attempt is logged. However, in complex enterprise IT environments it might be very hard or even impossible to identify which client tried to connect if only the IP address is known (e.g. due to complex virtualization/containerization/NAT). This results in significant effort for the Kafka platform teams to identify the developers responsible for such a misconfigured client.

As a possible solution I propose to log the common name used in the client certificate in addition to the IP address. Due to security considerations, this should only be done if that certificate is just expired and would be valid otherwise (e.g. signed by a known, non-expired root/intermediate CA). The way Kafka should handle any valid/invalid/expired certificate must be exactly the same as before, except for the creation of a log message in case it is expired.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
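The following is an added example illustrating the behaviour the issue asks for; it is not Kafka's code and not the reporter's patch. It wraps whatever X509TrustManager the broker already uses, keeps the trust decision exactly as before (the exception is rethrown unchanged), and only emits a log line when the rejected client certificate is expired and would otherwise chain to the truststore. The class name, the slf4j logger, and the assumption that the same KeyStore the delegate was built from is available are all assumptions of this example.

```java
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Date;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.X509TrustManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Hypothetical wrapper (added example, not Kafka code) around the broker's configured
 * X509TrustManager. The trust decision is delegated unchanged; the wrapper only adds a
 * log line when a client certificate is rejected solely because it has expired.
 */
public final class ExpiryLoggingTrustManager implements X509TrustManager {
    private static final Logger log = LoggerFactory.getLogger(ExpiryLoggingTrustManager.class);

    private final X509TrustManager delegate;
    private final KeyStore trustStore; // assumed: the truststore the delegate was built from

    public ExpiryLoggingTrustManager(X509TrustManager delegate, KeyStore trustStore) {
        this.delegate = delegate;
        this.trustStore = trustStore;
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        try {
            delegate.checkClientTrusted(chain, authType);
        } catch (CertificateException e) {
            if (chain != null && chain.length > 0 && expiredButOtherwiseValid(chain)) {
                X509Certificate leaf = chain[0];
                log.warn("Rejected client certificate with CN='{}' (serial {}): expired on {}",
                        commonName(leaf), leaf.getSerialNumber().toString(16), leaf.getNotAfter());
            }
            throw e; // same outcome as before: the connection is still refused
        }
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkServerTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return delegate.getAcceptedIssuers();
    }

    /**
     * True only if the leaf is past its notAfter date, every issuer certificate presented in the
     * chain is still valid today, and PKIX path validation against the truststore succeeds when
     * evaluated one millisecond before the leaf expired. Any other defect yields false, so the
     * subject name of an untrusted or forged certificate is never logged.
     */
    private boolean expiredButOtherwiseValid(X509Certificate[] chain) {
        X509Certificate leaf = chain[0];
        try {
            leaf.checkValidity();
            return false; // leaf is not expired, so the rejection had another cause
        } catch (CertificateExpiredException expired) {
            // fall through: the leaf is expired, now check the rest of the chain
        } catch (CertificateException other) {
            return false; // not yet valid or otherwise unusable
        }
        try {
            for (int i = 1; i < chain.length; i++) {
                chain[i].checkValidity(); // intermediates must be valid now, not just back then
            }
            PKIXParameters params = new PKIXParameters(trustStore);
            params.setRevocationEnabled(false); // keep the check local and free of network I/O
            params.setDate(new Date(leaf.getNotAfter().getTime() - 1));
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            CertPathValidator.getInstance("PKIX")
                    .validate(cf.generateCertPath(Arrays.asList(chain)), params);
            return true;
        } catch (Exception e) {
            return false; // untrusted issuer, bad signature, broken chain: do not log the name
        }
    }

    /** Returns the CN attribute of the subject DN, or the whole DN when no CN is present. */
    static String commonName(X509Certificate cert) {
        String dn = cert.getSubjectX500Principal().getName();
        try {
            for (Rdn rdn : new LdapName(dn).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return String.valueOf(rdn.getValue());
                }
            }
        } catch (InvalidNameException e) {
            // unparsable DN: fall back to the raw string below
        }
        return dn;
    }
}
```

Re-validating the path at a moment just before the leaf's notAfter is what enforces the "would be valid otherwise" condition from the issue: a certificate signed by an unknown CA, or with a broken signature, still fails that second validation and produces no log line, so the extra logging cannot be used to probe which names the broker would accept.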