KIP-684 — Support mutual TLS authentication on SASL_SSL listeners
Accepted Kafka 2.8 Security
Enables mutual TLS (mTLS) client authentication on `SASL_SSL` listeners by honoring the `ssl.client.auth` broker configuration for those listeners. Before this KIP, Kafka ignores `ssl.client.auth` on `SASL_SSL` listeners, which prevents operators from requiring TLS client certificates in addition to SASL credentials for defense-in-depth authentication.
Details
| Author | Rajini Sivaram |
| Status | Accepted |
| Kafka Version | 2.8 |
| JIRA | KAFKA-10700 |
| Created | 2020-11-09 |
| Last Modified | 2021-03-03 |