[ https://issues.apache.org/jira/browse/KAFKA-5051?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ismael Juma updated KAFKA-5051:
-------------------------------
    Fix Version/s:     (was: 1.0.0)

> Avoid DNS reverse lookup in security-critical TLS code path
> -----------------------------------------------------------
>
>                 Key: KAFKA-5051
>                 URL: https://issues.apache.org/jira/browse/KAFKA-5051
>             Project: Kafka
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.10.2.0
>            Reporter: Rajini Sivaram
>            Assignee: Rajini Sivaram
>             Fix For: 0.11.0.0
>
>
> At the moment the SSL engine is created using the hostname obtained using 
> {{InetAddress#getHostName}}, which performs unnecessary reverse DNS lookups.
> h2. Scenarios:
> h3. Server-side
> h4. Scenario: Server accepts connection from a client
> Broker knows only client IP address. At the moment broker does a reverse 
> lookup. This is unnecessary since the server does not verify or use client 
> hostname. It can block the network thread for several seconds in some 
> configurations. The IP address should be used directly.
> h3. Client-side
> h4. Scenario: Client connects to server using hostname
> No lookup is necessary and the hostname is used to create the SSL engine. 
> This hostname is validated against the hostname in SubjectAltName (dns) or 
> CommonName in the certificate if hostname verification is enabled. 
> Authentication fails if hostname does not match. This is handled correctly in 
> the current code.
> h4. Scenario: Client connects to server using IP address, but certificate contains only SubjectAltName (dns)
> The current code does hostname verification using the hostname obtained 
> through reverse name lookup. But use of reverse DNS lookup to determine 
> hostname introduces a security vulnerability since authentication would be 
> reliant on a secure DNS. Hence hostname verification should fail in this 
> case. 
> h4. Scenario: Client connects to server using IP address and certificate contains SubjectAltName (ipaddress).
> This could be used when Kafka is on a private network. The current code uses 
> reverse DNS lookup to determine hostname. If reverse lookup succeeds, 
> authentication fails since the hostname is matched against the IP address in 
> the certificate. But if reverse lookup fails, SSL engine is created with the 
> IP address and authentication succeeds. For consistency and to avoid 
> dependency on a potentially insecure DNS, reverse DNS lookup should be 
> avoided and the IP address specified by the client for connection should be 
> used to create the SSL engine.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
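
The engine-creation rule from the issue description above, as an added example that is not part of the original JIRA message and not Kafka's own code: the SSL engine is built from the host string the caller supplied, so no reverse DNS lookup is involved. The class name, method names and sample addresses are assumptions made for illustration.

```java
import java.net.InetSocketAddress;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

// Hypothetical class and method names; illustration only.
public class TlsPeerHostExample {

    // getHostString() returns what the caller supplied (hostname or literal IP)
    // and, unlike getHostName(), never performs a reverse DNS lookup.
    static String peerHostNoLookup(InetSocketAddress addr) {
        return addr.getHostString();
    }

    // Client side: endpoint identification runs against the name or IP the
    // client asked for. With an IP literal as peer host, the JSSE "HTTPS"
    // check matches iPAddress SubjectAltName entries, so a certificate that
    // carries only a DNS SubjectAltName fails verification.
    static SSLEngine clientEngine(SSLContext ctx, InetSocketAddress server) {
        SSLEngine engine = ctx.createSSLEngine(peerHostNoLookup(server), server.getPort());
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    // Server side: the client hostname is not verified or used, so the IP
    // address is passed directly and the network thread never blocks on DNS.
    static SSLEngine serverEngine(SSLContext ctx, InetSocketAddress client) {
        SSLEngine engine = ctx.createSSLEngine(peerHostNoLookup(client), client.getPort());
        engine.setUseClientMode(false);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // Constructed sample addresses (documentation ranges, not real hosts).
        InetSocketAddress byIp = new InetSocketAddress("192.0.2.10", 9093);
        InetSocketAddress byName = InetSocketAddress.createUnresolved("broker1.example.com", 9093);
        InetSocketAddress client = new InetSocketAddress("198.51.100.7", 51234);

        System.out.println("client engine, IP target:   " + clientEngine(ctx, byIp).getPeerHost());
        System.out.println("client engine, name target: " + clientEngine(ctx, byName).getPeerHost());
        System.out.println("server engine, client peer: " + serverEngine(ctx, client).getPeerHost());
    }
}
```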
