[ https://issues.apache.org/jira/browse/KAFKA-5051?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15963338#comment-15963338 ]
ASF GitHub Bot commented on KAFKA-5051:
---------------------------------------

GitHub user rajinisivaram opened a pull request:

    https://github.com/apache/kafka/pull/2835

    KAFKA-5051: Avoid reverse DNS lookup to obtain hostname for TLS

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/rajinisivaram/kafka KAFKA-5051

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/kafka/pull/2835.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #2835

----
commit 5805bd5a2cf19a24e89534b10708c42e7b402a0b
Author: Rajini Sivaram <rajinisiva...@googlemail.com>
Date:   2017-04-04T19:21:45Z

    KAFKA-5051: Avoid reverse DNS lookup to obtain hostname for TLS

----

> Avoid DNS reverse lookup in security-critical TLS code path
> -----------------------------------------------------------
>
>                 Key: KAFKA-5051
>                 URL: https://issues.apache.org/jira/browse/KAFKA-5051
>             Project: Kafka
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.10.2.0
>            Reporter: Rajini Sivaram
>            Assignee: Rajini Sivaram
>             Fix For: 0.11.0.0
>
>
> At the moment SSL engine is created using the hostname obtained using
> {{InetAddress#getHostName}} which performs unnecessary reverse DNS lookups.
> h2.Scenarios:
> h3. Server-side
> h4. Scenario: Server accepts connection from a client
> Broker knows only client IP address. At the moment broker does a reverse
> lookup. This is unnecessary since the server does not verify or use client
> hostname. It can block the network thread for several seconds in some
> configurations. The IP address should be used directly.
> h3. Client-side
> h4. Scenario: Client connects to server using hostname
> No lookup is necessary and the hostname is used to create the SSL engine.
> This hostname is validated against the hostname in SubjectAltName (dns) or
> CommonName in the certificate if hostname verification is enabled.
> Authentication fails if hostname does not match. This is handled correctly in
> the current code.
> h4. Scenario: Client connects to server using IP address, but certificate
> contains only SubjectAltName (dns)
> The current code does hostname verification using the hostname obtained
> through reverse name lookup. But use of reverse DNS lookup to determine
> hostname introduces a security vulnerability since authentication would be
> reliant on a secure DNS. Hence hostname verification should fail in this
> case.
> h4. Scenario: Client connects to server using IP address and certificate
> contains SubjectAltName (ipaddress).
> This could be used when Kafka is on a private network. The current code uses
> reverse DNS lookup to determine hostname. If reverse lookup succeeds,
> authentication fails since the hostname is matched against the IP address in
> the certificate. But if reverse lookup fails, SSL engine is created with the
> IP address and authentication succeeds. For consistency and to avoid
> dependency on a potentially insecure DNS, reverse DNS lookup should be
> avoided and the IP address specified by the client for connection should be
> used to create the SSL engine.

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
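
The behaviour the issue asks for, sketched as an added Java example; it is not code from the Kafka pull request. The class and method names (`PeerHostExample`, `peerHost`, `clientEngine`, `serverEngine`) and the sample addresses are assumptions made for illustration; only standard JDK calls are used.

```java
import java.net.InetAddress;
import java.net.InetSocketAddress;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class PeerHostExample {

    // Name handed to the SSL engine: exactly what the caller supplied.
    // getHostString() returns the hostname if one was given, otherwise the
    // IP literal, and never triggers a reverse (PTR) lookup.
    static String peerHost(InetSocketAddress remote) {
        return remote.getHostString();
    }

    // Client side: with endpoint identification on, the certificate is checked
    // against peerHost(remote). An IP literal is therefore compared with the IP
    // entries in the certificate, not with a name returned by DNS.
    static SSLEngine clientEngine(SSLContext ctx, InetSocketAddress remote) {
        SSLEngine engine = ctx.createSSLEngine(peerHost(remote), remote.getPort());
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS"); // hostname verification
        engine.setSSLParameters(params);
        return engine;
    }

    // Server side: only the client's IP is known and its name is not verified,
    // so the address is passed through unchanged.
    static SSLEngine serverEngine(SSLContext ctx, InetSocketAddress client) {
        SSLEngine engine = ctx.createSSLEngine(peerHost(client), client.getPort());
        engine.setUseClientMode(false);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // Constructed sample peers: a documentation-range IP and an example name.
        InetAddress ip = InetAddress.getByAddress(new byte[] {(byte) 192, 0, 2, 10});
        InetSocketAddress byIp = new InetSocketAddress(ip, 9093);
        InetSocketAddress byName =
                InetSocketAddress.createUnresolved("broker1.example.com", 9093);

        System.out.println("client, by IP:   " + clientEngine(ctx, byIp).getPeerHost());
        System.out.println("client, by name: " + clientEngine(ctx, byName).getPeerHost());
        System.out.println("server, by IP:   " + serverEngine(ctx, byIp).getPeerHost());
        // By contrast, ip.getHostName() would issue a reverse lookup and can block.
    }
}
```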