KAFKA-6654 correctly states that there will never be enough configuration parameters to fully configure the SSLContext/SSLSocketFactory created by Kafka. For example, in our case, we need an alias to choose the key in the keystore, and we need an implementation of OCSP. KAFKA-6654 suggests making the creation of the SSLContext a pluggable implementation, perhaps by declaring an interface and passing the name of an implementation class in a new parameter.
Many libraries solve this problem by accepting an SSLContextFactory instance from the application. How about passing the instance as the value of a runtime configuration parameter? If that parameter is set, all other ssl.* parameters would be ignored. Obviously, this parameter could only be set programmatically. I would like to hear the solution proposed by the Kafka maintainers. I can help implement a patch if there is agreement on the desired solution.
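As an added illustration of the pluggable-factory idea discussed above (example code added here, not part of this comment, of the KAFKA-6654 ticket, or of Kafka's own code base): a hypothetical `SslContextFactory` interface and an implementation that does the two things the comment asks for, selecting a fixed keystore alias and enabling OCSP revocation checking through the JDK's `PKIXRevocationChecker`. The interface name, the `ssl.context.factory` key, and the notion that the other `ssl.*` settings are ignored when it is set are assumptions about a possible API, not existing Kafka configuration; the keystore and truststore paths are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.cert.CertPathBuilder;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedKeyManager;

/** Hypothetical plug-in point: the application, not Kafka, builds the SSLContext. */
interface SslContextFactory {
    SSLContext create() throws Exception;
}

/** Example factory: fixed keystore alias plus mandatory OCSP checking (JDK standard APIs only). */
public class AliasOcspSslContextFactory implements SslContextFactory {
    private final String keyStorePath, trustStorePath, alias;
    private final char[] keyStorePassword, keyPassword, trustStorePassword;

    public AliasOcspSslContextFactory(String keyStorePath, char[] keyStorePassword, char[] keyPassword,
                                      String alias, String trustStorePath, char[] trustStorePassword) {
        this.keyStorePath = keyStorePath; this.keyStorePassword = keyStorePassword; this.keyPassword = keyPassword;
        this.alias = alias; this.trustStorePath = trustStorePath; this.trustStorePassword = trustStorePassword;
    }

    /** Wraps the JDK key manager so the handshake always offers the configured alias, never "the first match". */
    static final class FixedAliasKeyManager extends X509ExtendedKeyManager {
        private final X509ExtendedKeyManager delegate;
        private final String alias;

        FixedAliasKeyManager(X509ExtendedKeyManager delegate, String alias) {
            if (delegate.getPrivateKey(alias) == null) {          // fail at startup, not at first handshake
                throw new IllegalArgumentException("no private key for alias " + alias);
            }
            this.delegate = delegate;
            this.alias = alias;
        }
        @Override public String chooseClientAlias(String[] kt, Principal[] is, Socket s) { return alias; }
        @Override public String chooseEngineClientAlias(String[] kt, Principal[] is, SSLEngine e) { return alias; }
        @Override public String chooseServerAlias(String kt, Principal[] is, Socket s) { return alias; }
        @Override public String chooseEngineServerAlias(String kt, Principal[] is, SSLEngine e) { return alias; }
        @Override public String[] getClientAliases(String kt, Principal[] is) { return delegate.getClientAliases(kt, is); }
        @Override public String[] getServerAliases(String kt, Principal[] is) { return delegate.getServerAliases(kt, is); }
        @Override public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
        @Override public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }
    }

    private static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) { ks.load(in, password); }
        return ks;
    }

    @Override
    public SSLContext create() throws Exception {
        // Key side: standard KeyManagerFactory, then force the alias Kafka's ssl.* parameters cannot express.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(keyStorePath, keyStorePassword), keyPassword);
        KeyManager[] kms = kmf.getKeyManagers();
        for (int i = 0; i < kms.length; i++) {
            if (kms[i] instanceof X509ExtendedKeyManager) {
                kms[i] = new FixedAliasKeyManager((X509ExtendedKeyManager) kms[i], alias);
            }
        }

        // Trust side: PKIX trust manager with the JDK revocation checker. With no options the checker
        // tries OCSP first and falls back to CRLs; NO_FALLBACK makes OCSP mandatory (hard failure if the
        // responder cannot be reached). Add SOFT_FAIL here if availability matters more than strictness.
        PKIXRevocationChecker revocation =
                (PKIXRevocationChecker) CertPathBuilder.getInstance("PKIX").getRevocationChecker();
        revocation.setOptions(EnumSet.of(PKIXRevocationChecker.Option.NO_FALLBACK));
        PKIXBuilderParameters pkix =
                new PKIXBuilderParameters(load(trustStorePath, trustStorePassword), new X509CertSelector());
        pkix.addCertPathChecker(revocation);   // an added PKIXRevocationChecker is used regardless of setRevocationEnabled
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkix));

        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kms, tmf.getTrustManagers(), new SecureRandom());
        return ctx;
    }

    /** How a client would hand the factory over under the proposal above (hypothetical key, set programmatically). */
    public static Map<String, Object> clientConfig(SslContextFactory factory) {
        Map<String, Object> props = new HashMap<>();
        props.put("bootstrap.servers", "broker.example:9093");
        props.put("security.protocol", "SSL");
        props.put("ssl.context.factory", factory);   // hypothetical; all other ssl.* settings would be ignored
        return props;
    }
}
```

The alias check in the wrapper's constructor is deliberate: the JDK's default key manager silently picks another key (or none) when the requested alias is absent, and that surfaces only as a confusing handshake failure on the broker side, so the factory should reject a bad alias when it is constructed.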