[ https://issues.apache.org/jira/browse/KAFKA-14770?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Rajini Sivaram resolved KAFKA-14770.
------------------------------------
Reviewer: Manikumar
Resolution: Fixed
> Allow dynamic keystore update for brokers if string representation of DN
> matches even if canonical DNs don't match
> ------------------------------------------------------------------------------------------------------------------
>
> Key: KAFKA-14770
> URL: https://issues.apache.org/jira/browse/KAFKA-14770
> Project: Kafka
> Issue Type: Improvement
> Components: security
> Reporter: Rajini Sivaram
> Assignee: Rajini Sivaram
> Priority: Major
> Fix For: 3.5.0
>
>
> To avoid mistakes during dynamic broker config updates that could potentially
> affect clients, we restrict changes that can be performed dynamically without
> broker restart. For broker keystore updates, we require the DN to be the same
> for the old and new certificates since this could potentially contain host
> names used for host name verification by clients. DNs are compared using the
> standard Java implementation of X500Principal.equals(), which compares
> canonical names. If the tags of fields change from one with a printable string
> representation to one without, or vice-versa, the canonical name check fails
> even if the actual name is the same, since the canonical representation
> converts to hex for some tags only. We can relax the verification to allow
> dynamic updates in this case by enabling dynamic update if either the
> canonical name or the RFC2253 string representation of the DN matches.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
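The tag mismatch described in the issue, as an added Java illustration (not Kafka's own code): two hand-assembled DER encodings of the subject "CN=broker" that differ only in the string tag of the CN value (PrintableString versus TeletexString), fed through the canonical and RFC2253 comparisons. In a broker the two principals would come from X509Certificate.getSubjectX500Principal() of the old and new keystore entries; the DER bytes and the dnMatchesForDynamicUpdate name are constructed for this example.

```java
import javax.security.auth.x500.X500Principal;

public class DnCompare {

    // Constructed DER Name "CN=broker" with the CN value tagged PrintableString (0x13).
    static final byte[] CN_PRINTABLE = {
        0x30, 0x11,                                  // SEQUENCE (Name), 17 bytes
        0x31, 0x0F,                                  // SET (RDN), 15 bytes
        0x30, 0x0D,                                  // SEQUENCE (AVA), 13 bytes
        0x06, 0x03, 0x55, 0x04, 0x03,                // OID 2.5.4.3 (commonName)
        0x13, 0x06, 'b', 'r', 'o', 'k', 'e', 'r'     // PrintableString "broker"
    };

    // Same Name, same characters, but the value is tagged TeletexString (0x14).
    static final byte[] CN_TELETEX = {
        0x30, 0x11, 0x31, 0x0F, 0x30, 0x0D,
        0x06, 0x03, 0x55, 0x04, 0x03,
        0x14, 0x06, 'b', 'r', 'o', 'k', 'e', 'r'     // TeletexString "broker"
    };

    // Relaxed check in the spirit of KAFKA-14770: accept the dynamic keystore
    // update if either the canonical form or the RFC2253 string form matches.
    static boolean dnMatchesForDynamicUpdate(X500Principal oldDn, X500Principal newDn) {
        // X500Principal.equals() compares CANONICAL names, which hex-encode any
        // attribute value not tagged PrintableString or UTF8String.
        if (oldDn.equals(newDn)) {
            return true;
        }
        // The RFC2253 form renders TeletexString, IA5String, BMPString and
        // similar tags as text, so a re-issued certificate whose only change is
        // the tag still compares equal here. This form is case-sensitive, so
        // it is not a looser check than equals(), only a different one.
        return oldDn.getName(X500Principal.RFC2253)
                    .equals(newDn.getName(X500Principal.RFC2253));
    }

    public static void main(String[] args) {
        X500Principal oldDn = new X500Principal(CN_PRINTABLE);
        X500Principal newDn = new X500Principal(CN_TELETEX);

        System.out.println("canonical old: " + oldDn.getName(X500Principal.CANONICAL));
        System.out.println("canonical new: " + newDn.getName(X500Principal.CANONICAL));
        System.out.println("rfc2253   old: " + oldDn.getName(X500Principal.RFC2253));
        System.out.println("rfc2253   new: " + newDn.getName(X500Principal.RFC2253));
        System.out.println("equals():      " + oldDn.equals(newDn));
        System.out.println("relaxed check: " + dnMatchesForDynamicUpdate(oldDn, newDn));

        // A genuinely different subject is still rejected by both comparisons.
        X500Principal other = new X500Principal("CN=other-broker");
        System.out.println("different DN:  " + dnMatchesForDynamicUpdate(oldDn, other));
    }
}
```

Running it shows the canonical form of the TeletexString variant as a `#14...` hex blob while both RFC2253 forms read `CN=broker`, which is exactly the case the relaxed check is meant to admit without weakening the rejection of a changed subject.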