Allow ssl.endpoint.identification.algorithm config #417
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
**Problem** kcat does not allow users to set the `ssl.endpoint.identification.algorithm` property in config files. One can verify this behavior by creating a config file with `ssl.endpoint.identification.algorithm=<non_default_value>` and running `kcat -F <config_file> -X dump` This causes friction for folks that wish to use config files and rely on (m)TLS but do not use CN/SAN based verification. Note that one can specify the aforementioned config value via command line args. **Background** 1. Commit 5a7d3ba added support for config files however at the time librdkafka did not support this parameter at the time. (I presume that) because this is a option is commonly set in Java Kafka client properties files, the decision was made to have kcat silently filter this option when parsing config files. 2. Support for ssl.endpoint.identification.algorithm was added in librdkafka v1.1.0 back in 2019 however the default was set to none. 3. With the release of librdkafka v2.x, the default value of ssl.endpoint.identification.algorithm changed from `none` to `https` (enabling hostname verification). I imagine this issue has gone unnoticed due to (2); folks tend not to notice that a TLS feature is _disabled_ until you enable it 😅.
|
I met the same issue, and I can't even change the config from command line. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Problem
kcat does not allow users to set the
ssl.endpoint.identification.algorithmproperty in config files.One can verify this behavior by creating a config file with
ssl.endpoint.identification.algorithm=<non_default_value>and runningkcat -F <config_file> -X dumpThis causes friction for folks that wish to use config files and rely on (m)TLS but do not use CN/SAN based verification.
Note that one can specify the aforementioned config value via command line args.
Background
nonetohttps(enabling hostname verification).I imagine this issue has gone unnoticed due to (2); folks tend not to notice that a TLS feature is disabled until you enable it 😅.