[ https://issues.apache.org/jira/browse/KAFKA-5051?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15963338#comment-15963338 ]

ASF GitHub Bot commented on KAFKA-5051:
---------------------------------------

GitHub user rajinisivaram opened a pull request:

    https://github.com/apache/kafka/pull/2835

    KAFKA-5051: Avoid reverse DNS lookup to obtain hostname for TLS

    

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/rajinisivaram/kafka KAFKA-5051

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/kafka/pull/2835.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #2835
    
----
commit 5805bd5a2cf19a24e89534b10708c42e7b402a0b
Author: Rajini Sivaram <rajinisiva...@googlemail.com>
Date:   2017-04-04T19:21:45Z

    KAFKA-5051: Avoid reverse DNS lookup to obtain hostname for TLS

----


> Avoid DNS reverse lookup in security-critical TLS code path
> -----------------------------------------------------------
>
>                 Key: KAFKA-5051
>                 URL: https://issues.apache.org/jira/browse/KAFKA-5051
>             Project: Kafka
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.10.2.0
>            Reporter: Rajini Sivaram
>            Assignee: Rajini Sivaram
>             Fix For: 0.11.0.0
>
>
> At the moment SSL engine is created using the hostname obtained using 
> {{InetAddress#getHostName}} which performs unnecessary reverse DNS lookups.
> h2. Scenarios:
> h3. Server-side
> h4. Scenario: Server accepts connection from a client
> Broker knows only client IP address. At the moment broker does a reverse 
> lookup. This is unnecessary since the server does not verify or use client 
> hostname. It can block the network thread for several seconds in some 
> configurations. The IP address should be used directly.
> h3. Client-side
> h4. Scenario: Client connects to server using hostname
> No lookup is necessary and the hostname is used to create the SSL engine. 
> This hostname is validated against the hostname in SubjectAltName (dns) or 
> CommonName in the certificate if hostname verification is enabled. 
> Authentication fails if hostname does not match. This is handled correctly in 
> the current code.
> h4. Scenario: Client connects to server using IP address, but certificate 
> contains only SubjectAltName (dns)
> The current code does hostname verification using the hostname obtained 
> through reverse name lookup. But use of reverse DNS lookup to determine 
> hostname introduces a security vulnerability since authentication would be 
> reliant on a secure DNS. Hence hostname verification should fail in this 
> case. 
> h4. Scenario: Client connects to server using IP address and certificate 
> contains SubjectAltName (ipaddress).
> This could be used when Kafka is on a private network. The current code uses 
> reverse DNS lookup to determine hostname. If reverse lookup succeeds, 
> authentication fails since the hostname is matched against the IP address in 
> the certificate. But if reverse lookup fails, SSL engine is created with the 
> IP address and authentication succeeds. For consistency and to avoid 
> dependency on a potentially insecure DNS, reverse DNS lookup should be 
> avoided and the IP address specified by the client for connection should be 
> used to create the SSL engine.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
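
The scenarios in the issue description, as an added Java example (not code from the Kafka pull request): it creates the SSL engine from the host string the caller specified instead of a name obtained through `InetAddress#getHostName`. The class name, helper names and sample endpoints are assumptions made for illustration.

```java
import java.net.InetAddress;
import java.net.InetSocketAddress;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class PeerHostExample {

    // Behaviour the issue describes: for an address built from an IP literal,
    // getHostName() performs a reverse DNS lookup, so the name later checked
    // against the certificate comes from DNS rather than from the caller.
    static String peerHostWithReverseLookup(InetAddress address) {
        return address.getHostName();
    }

    // Client side: getHostString() returns the hostname the address was
    // created with, or the IP literal if there was none, with no reverse lookup.
    static String clientPeerHost(InetSocketAddress remote) {
        return remote.getHostString();
    }

    // Server side: the broker only knows the client's IP and does not verify
    // the client hostname, so the textual IP address is used directly.
    static String serverPeerHost(InetAddress client) {
        return client.getHostAddress();
    }

    static SSLEngine clientEngine(SSLContext ctx, InetSocketAddress remote) {
        SSLEngine engine = ctx.createSSLEngine(clientPeerHost(remote), remote.getPort());
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        // Hostname verification: the peer host set above is matched against
        // the certificate's SubjectAltName entries (dns or ipaddress).
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // Constructed sample endpoints; createUnresolved keeps the demo offline.
        InetSocketAddress byName = InetSocketAddress.createUnresolved("broker.example.com", 9093);
        InetSocketAddress byIp = new InetSocketAddress("192.0.2.10", 9093);
        System.out.println("peer host (by name): " + clientEngine(ctx, byName).getPeerHost());
        System.out.println("peer host (by IP):   " + clientEngine(ctx, byIp).getPeerHost());
        System.out.println("server-side peer:    " + serverPeerHost(byIp.getAddress()));
    }
}
```

With the IP literal as peer host, verification passes only if the certificate carries a matching SubjectAltName (ipaddress) entry, and the outcome no longer depends on whether a reverse lookup succeeds.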
