[ https://issues.apache.org/jira/browse/KAFKA-3700 ]


    Igor Shipenkov deleted comment on KAFKA-3700:
    ---------------------------------------

was (Author: JIRAUSER280700):
For people looking for OCSP support:
Use the Oracle Java documentation "[Security Developer’s Guide - OCSP Stapling 
Configuration Properties - Setting Up a Java Server to Use OCSP 
Stapling|https://docs.oracle.com/en/java/javase/11/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-423716FB-DA34-4C73-B3A1-EB4CE120BB62]"
to configure OCSP stapling at the JVM level.
Basically, it's just:
{quote}
Online Certificate Status Protocol (OCSP) stapling is enabled on the server by 
setting the system property {{jdk.tls.server.enableStatusRequestExtension}} to 
{{true}}. (It is set to {{false}} by default.) 
{quote}

I can confirm that a broker started with the additional command line option
{code}
-Djdk.tls.server.enableStatusRequestExtension=true
{code}
runs just fine, and in a traffic dump I see proper OCSP requests and responses.

This link is for Java 11, but this system property has existed since Java 1.8.
Also, it's the end of 2023 now and people around use at least Kafka 3.1, but since 
it's a JVM property, I think it's independent of the Kafka version.
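Added example, not part of this thread: a POSIX shell helper that puts the property from the comment above into KAFKA_OPTS (which Kafka's start scripts honour) and a checker for the output of `openssl s_client -status`, so you can verify stapling from the client side instead of a packet capture. Note that this property only staples the status of the broker's own certificate for connecting clients; it does not make the broker check revocation of client certificates, which is what this issue asks for. The sample outputs are constructed; the broker hostname is a placeholder.

```shell
# Append the stapling flag to an existing KAFKA_OPTS value without duplicating it.
kafka_opts_with_ocsp_stapling() {
  flag='-Djdk.tls.server.enableStatusRequestExtension=true'
  case " $1 " in
    *" $flag "*) printf '%s\n' "$1" ;;      # already present
    '  ')        printf '%s\n' "$flag" ;;   # KAFKA_OPTS was empty
    *)           printf '%s %s\n' "$1" "$flag" ;;
  esac
}

# Classify `openssl s_client -status` output read from stdin.
# Prints: stapled-good | stapled-revoked | stapled-other | not-stapled
ocsp_staple_status() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
    case "$out" in
      *'Cert Status: good'*)    echo stapled-good ;;
      *'Cert Status: revoked'*) echo stapled-revoked ;;
      *)                        echo stapled-other ;;
    esac
  else
    echo not-stapled   # covers "OCSP response: no response sent"
  fi
}

# Constructed samples of the relevant lines s_client prints.
SAMPLE_STAPLED_GOOD='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good'
SAMPLE_NOT_STAPLED='CONNECTED(00000003)
OCSP response: no response sent'

# Usage against a real broker (broker.example is a placeholder):
#   export KAFKA_OPTS="$(kafka_opts_with_ocsp_stapling "$KAFKA_OPTS")"
#   bin/kafka-server-start.sh config/server.properties
#   openssl s_client -status -connect broker.example:9093 </dev/null 2>/dev/null | ocsp_staple_status
```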

> CRL support
> -----------
>
>                 Key: KAFKA-3700
>                 URL: https://issues.apache.org/jira/browse/KAFKA-3700
>             Project: Kafka
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.9.0.1
>            Reporter: Vincent Bernat
>            Priority: Major
>
> Hey!
> Currently, there is no way to specify a CRL to be checked when a client 
> presents its TLS certificate. Therefore, a revoked certificate is accepted. A 
> CRL can either be provided as a URL in a certificate, but with a private 
> authority it is more common to have one as a separate file. An 
> `ssl.crl.location` option would come in handy to specify a CRL.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)