KIP-294 — Enable TLS hostname verification by default
Status: Accepted · Kafka 2.0 · Category: Security
Changes the default value of ssl.endpoint.identification.algorithm from the empty string (hostname verification disabled) to 'https' (hostname verification enabled). Without hostname verification, a TLS connection is vulnerable to man-in-the-middle attacks even when the presented certificate is valid and chains to a trusted CA, because the client never checks that the certificate's CN/SAN matches the broker hostname it connected to.
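The practical consequence of this default change is that the same client properties file is safe or unsafe depending on the Kafka version it runs on. The audit below is an added example, not code from KIP-294 or the Kafka project: it parses a Java-style properties file and reports whether hostname verification is effectively enabled; the version threshold, severity labels and sample configs are this example's own assumptions.

```python
# Added example (not from KIP-294 or the Kafka code base): audit a Kafka client or
# broker properties file for the setting whose default KIP-294 changes.
import re

KEY = "ssl.endpoint.identification.algorithm"
KIP_294_VERSION = (2, 0)  # assumption: default became 'https' from Kafka 2.0 onward

def parse_properties(text):
    """Minimal java.util.Properties parser: '#'/'!' comments, '=' or ':' separators."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def parse_version(version):
    return tuple(int(p) for p in version.split(".")[:2])

def audit_hostname_verification(properties_text, kafka_version):
    """Return (severity, message) describing whether TLS hostname verification is on."""
    props = parse_properties(properties_text)
    protocol = props.get("security.protocol", "PLAINTEXT").upper()
    if not protocol.endswith("SSL"):  # SSL or SASL_SSL are the TLS-bearing protocols
        return ("info", f"security.protocol={protocol}: TLS not in use, setting not applicable")
    value = props.get(KEY)
    if value is None:
        if parse_version(kafka_version) >= KIP_294_VERSION:
            return ("ok", f"{KEY} unset: defaults to 'https' since Kafka 2.0 (KIP-294)")
        return ("high", f"{KEY} unset: default is empty before Kafka 2.0, verification disabled")
    if value == "":
        return ("high", f"{KEY} explicitly empty: hostname verification disabled on any version")
    if value.lower() == "https":
        return ("ok", f"{KEY}=https: hostname verification enabled")
    return ("warn", f"{KEY}={value!r}: unrecognised value, confirm behaviour manually")

# Constructed sample configs for demonstration (not real deployments)
LEGACY_CLIENT = """\
security.protocol=SSL
ssl.truststore.location=/etc/kafka/truststore.jks
"""
EXPLICITLY_DISABLED = """\
security.protocol: SASL_SSL
ssl.endpoint.identification.algorithm=
"""
```

Run `audit_hostname_verification(LEGACY_CLIENT, "1.1.0")` versus `"2.0.0"` to see the same file flip from high to ok; the explicitly empty value stays high on every version.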
Details
| Field | Value |
| --- | --- |
| Author | Rajini Sivaram |
| Status | Accepted |
| Kafka Version | 2.0 |
| JIRA | KAFKA-3665 |
| Wiki | View on Apache Wiki |
| Created | 2018-05-04 |
| Last Modified | 2018-05-21 |