KAFKA_SSL_TRUSTSTORE_CREDENTIALS should be optional when KAFKA_SSL_TRUSTSTORE_TYPE is PEM #72

jonathansp · 2021-02-18T12:19:37Z

Hello everybody!

I'm trying to set a PEM file as a trust store, as it seems to be supported here https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/ssl/DefaultSslEngineFactory.java#L311 as long as the password is null.

By checking https://github.com/confluentinc/kafka-images/blob/master/kafka/include/etc/confluent/docker/configure#L91 looks like KAFKA_SSL_TRUSTSTORE_CREDENTIALS is mandatory if SSL is enabled, meaning the password will never be null.

Shouldn't we test if KAFKA_SSL_TRUSTSTORE_TYPE is PEM before evaluating KAFKA_SSL_TRUSTSTORE_CREDENTIALS?

Thanks

JKollien · 2024-11-14T08:13:39Z

FYI: You could get around the check by using KAFKA_LISTENER_SECURITY_PROTOCOL_MAP to map SSL endpoints, e.g. EXTERNAL:SSL (see: #89)

Qubitza pushed a commit to Qubitza/kafka-images that referenced this issue Jul 10, 2023

confluentinc#72 don't check store credentials when type is PEM

c5ee1b6

Qubitza mentioned this issue Jul 10, 2023

#72 don't check store credentials when type is PEM #236

Open

Cito mentioned this issue Nov 10, 2023

PEM SSL #244

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

KAFKA_SSL_TRUSTSTORE_CREDENTIALS should be optional when KAFKA_SSL_TRUSTSTORE_TYPE is PEM #72

KAFKA_SSL_TRUSTSTORE_CREDENTIALS should be optional when KAFKA_SSL_TRUSTSTORE_TYPE is PEM #72

jonathansp commented Feb 18, 2021

JKollien commented Nov 14, 2024 •

edited

Loading

KAFKA_SSL_TRUSTSTORE_CREDENTIALS should be optional when KAFKA_SSL_TRUSTSTORE_TYPE is PEM #72

KAFKA_SSL_TRUSTSTORE_CREDENTIALS should be optional when KAFKA_SSL_TRUSTSTORE_TYPE is PEM #72

Comments

jonathansp commented Feb 18, 2021

JKollien commented Nov 14, 2024 • edited Loading

JKollien commented Nov 14, 2024 •

edited

Loading