[jira] [Commented] (KAFKA-3665) Default ssl.endpoint.identification.algorithm should be https

Ryan P (JIRA) Wed, 03 Aug 2016 03:03:55 -0700

    [ 
https://issues.apache.org/jira/browse/KAFKA-3665?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15405659#comment-15405659
 ]


Ryan P commented on KAFKA-3665:
-------------------------------

RFC-6066 describes an extension to the TLS protocol to handle the VIP case. 

https://tools.ietf.org/html/rfc6066#page-6

Setting the SNI field within a client request, JSSE sets this field by default, 
allows the VIP to determine the correct named virtual host for the request and 
set the connection up accordingly from the start.



> Default ssl.endpoint.identification.algorithm should be https
> -------------------------------------------------------------
>
>                 Key: KAFKA-3665
>                 URL: https://issues.apache.org/jira/browse/KAFKA-3665
>             Project: Kafka
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.9.0.1, 0.10.0.0
>            Reporter: Ismael Juma
>            Assignee: Ismael Juma
>             Fix For: 0.10.1.0
>
>
> The default `ssl.endpoint.identification.algorithm` is `null` which is not a 
> secure default (man in the middle attacks are possible).
> We should probably use `https` instead. A more conservative alternative would 
> be to update the documentation instead of changing the default.
> A paper on the topic (thanks to Ryan Pridgeon for the reference): 
> http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (KAFKA-3665) Default ssl.endpoint.identification.algorithm should be https

Reply via email to