[ 
https://issues.apache.org/jira/browse/KAFKA-6097?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Damyan Petev Manev updated KAFKA-6097:
--------------------------------------
    Description: 
When ssl.endpoint.identification.algorithm is set to HTTPS and I have a SAN 
extension on my server certificate, clients do not verify the server's fully 
qualified domain name (FQDN) against it.
Client certificate authentication works. With the following SAN extension - 
dns:some.thing.here I expect connection to fail, because according to  
 http://kafka.apache.org/documentation.html#security_ssl :
 "clients will verify the server's fully qualified domain name (FQDN) against 
one of the following two fields
Common Name (CN)
Subject Alternative Name (SAN)",
but messages are produced and consumed successfully.

I am using Kafka 0.10.2.1 command line tools. 




  was:
When ssl.endpoint.identification.algorithm is set to HTTPS and I have a SAN 
extension on my server certificate, clients do not verify the server's fully 
qualified domain name (FQDN) against it.
Client certificate authentication works. With the following SAN extension - 
dns:some.thing.here I expect connection to fail, because according to  
 http://kafka.apache.org/documentation.html#security_ssl :
 "clients will verify the server's fully qualified domain name (FQDN) against 
one of the following two fields
Common Name (CN)
Subject Alternative Name (SAN)",
but messages are produced and consumed successfully.





> Kafka ssl.endpoint.identification.algorithm=HTTPS not working
> -------------------------------------------------------------
>
>                 Key: KAFKA-6097
>                 URL: https://issues.apache.org/jira/browse/KAFKA-6097
>             Project: Kafka
>          Issue Type: Bug
>            Reporter: Damyan Petev Manev
>         Attachments: kafka-certificates-script.sh
>
>
> When ssl.endpoint.identification.algorithm is set to HTTPS and I have a SAN 
> extension on my server certificate, clients do not verify the server's fully 
> qualified domain name (FQDN) against it.
> Client certificate authentication works. With the following SAN extension - 
> dns:some.thing.here I expect connection to fail, because according to  
>  http://kafka.apache.org/documentation.html#security_ssl :
>  "clients will verify the server's fully qualified domain name (FQDN) against 
> one of the following two fields
> Common Name (CN)
> Subject Alternative Name (SAN)",
> but messages are produced and consumed successfully.
> I am using Kafka 0.10.2.1 command line tools. 



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
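
The check the report expects, as an added example that is not part of the original message and is not Kafka or JDK code: a simplified sketch of the RFC 2818 rule that HTTPS-style endpoint identification follows, where a dNSName SAN, if present, is the identity and the CN is only a fallback. The function names, the broker name `broker1.example.test` and the certificate values are constructed for illustration.

```python
"""Added illustration: simplified RFC 2818 server identity check (not Kafka or JDK code)."""
import ipaddress


def dns_name_matches(pattern, hostname):
    """Compare one certificate name with the host name, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if p[0] == "*":
        # Simplification in this sketch: '*' only as the whole left-most
        # label, and only for names with at least three labels.
        return len(p) >= 3 and p[1:] == h[1:]
    return "*" not in pattern and p == h


def verify_hostname(hostname, san_dns=(), san_ip=(), common_name=None):
    """Return (ok, reason) for the name the client used to connect."""
    try:
        addr = ipaddress.ip_address(hostname)
    except ValueError:
        addr = None
    if addr is not None:
        # IP literals are matched against iPAddress SAN entries only.
        ok = any(ipaddress.ip_address(ip) == addr for ip in san_ip)
        return ok, "iPAddress SAN match" if ok else "no iPAddress SAN matches"
    if san_dns:
        for name in san_dns:
            if dns_name_matches(name, hostname):
                return True, "dNSName SAN match: " + name
        # RFC 2818: when a dNSName SAN exists, the CN is not consulted.
        return False, "SAN present but no dNSName matches; CN not consulted"
    if common_name and dns_name_matches(common_name, hostname):
        return True, "CN fallback match (no dNSName SAN in certificate)"
    return False, "no dNSName SAN and CN does not match"


if __name__ == "__main__":
    # Constructed sample: the SAN from the report, CN set to a hypothetical broker name.
    cert = dict(san_dns=["some.thing.here"], common_name="broker1.example.test")
    for host in ("broker1.example.test", "some.thing.here"):
        print(host, verify_hostname(host, **cert))
```
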
