[
https://issues.apache.org/jira/browse/KAFKA-15273?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Manikumar resolved KAFKA-15273.
-------------------------------
Fix Version/s: 3.7.0
Resolution: Fixed
> Log common name of expired client certificate
> ---------------------------------------------
>
> Key: KAFKA-15273
> URL: https://issues.apache.org/jira/browse/KAFKA-15273
> Project: Kafka
> Issue Type: Improvement
> Components: clients, core, security
> Affects Versions: 3.6.0
> Reporter: Eike Thaden
> Assignee: Eike Thaden
> Priority: Minor
> Labels: PatchAvailable
> Fix For: 3.7.0
>
>
> If a client tries to authenticate via mTLS with an expired certificate, the
> connection is closed and the IP address of the connection attempt is logged.
> However, in complex enterprise IT environments it might be very hard or even
> impossible to identify which client tried to connect if only the IP address
> is known (e.g. due to complex virtualization/containerization/NAT). This
> results in significant effort for the Kafka platform teams to identify the
> developers responsible for such a misconfigured client.
> As a possible solution I propose to log the common name used in the client
> certificate in addition to the IP address. Due to security considerations,
> this should only be done if that certificate is just expired and would be
> valid otherwise (e.g. signed by a known, non-expired root/intermediate CA).
> The way Kafka should handle any valid/invalid/expired certificate must be
> exactly the same as before, except for the creation of a log message in case
> it is expired.
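The behaviour the issue asks for, as an added example in Java that is not Kafka's own patch: a delegating X509TrustManager that keeps the wrapped validator's accept/reject decision unchanged and emits one WARN line with the subject CN only when that validator failed on expiry and the presented chain still verifies by signature against one of its trust anchors. Class and method names are hypothetical and slf4j is assumed for logging.

```java
import java.security.GeneralSecurityException;
import java.security.cert.*;
import javax.naming.InvalidNameException;
import javax.naming.ldap.*;
import javax.net.ssl.X509TrustManager;
import org.slf4j.*;

// Hypothetical wrapper: identical accept/reject decisions as the delegate, plus a log line on expiry.
public final class ExpiryLoggingTrustManager implements X509TrustManager {
    private static final Logger log = LoggerFactory.getLogger(ExpiryLoggingTrustManager.class);
    private final X509TrustManager delegate;

    public ExpiryLoggingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }

    @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        try {
            delegate.checkClientTrusted(chain, authType); // path validation exactly as before
        } catch (CertificateException e) {
            // Name the client only if the validator failed on expiry AND the chain really is signed by one
            // of our trust anchors; a self-signed junk certificate must not get its name into the log.
            if (chain != null && chain.length > 0 && causedByExpiry(e) && chainsToTrustAnchor(chain)) {
                log.warn("Rejected expired client certificate: CN={} notAfter={}",
                         commonName(chain[0]), chain[0].getNotAfter());
            }
            throw e; // rejection is unchanged
        }
    }

    private static boolean causedByExpiry(Throwable t) {
        for (; t != null; t = t.getCause()) if (t instanceof CertificateExpiredException) return true;
        return false;
    }

    private boolean chainsToTrustAnchor(X509Certificate[] chain) { // signature chaining only; guards the log line
        try {
            for (int i = 0; i + 1 < chain.length; i++) chain[i].verify(chain[i + 1].getPublicKey());
            for (X509Certificate anchor : delegate.getAcceptedIssuers()) {
                try { chain[chain.length - 1].verify(anchor.getPublicKey()); return true; } catch (GeneralSecurityException ignored) { }
            }
        } catch (GeneralSecurityException e) { /* broken link inside the presented chain */ }
        return false;
    }

    // The CN is attacker-influenced text: strip control characters before it reaches the log.
    private static String commonName(X509Certificate cert) {
        try {
            for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns())
                if ("CN".equalsIgnoreCase(rdn.getType())) return String.valueOf(rdn.getValue()).replaceAll("\\p{Cntrl}", "?");
        } catch (InvalidNameException ignored) { }
        return "<no CN>";
    }

    @Override public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException { delegate.checkServerTrusted(c, a); }
    @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
}
```

The signature-chaining guard is deliberately not a second validation (no validity or constraint checks); it only decides whether the rejected certificate's CN is trustworthy enough to write to the log.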