Comment: Use two separate options

...

Public Interfaces

This change introduces two new broker configuration options named ssl.allow.dn.changes and ssl.allow.san.changes. They are described in the next section.

Proposed Changes

This KIP proposes adding two new configuration options, ssl.allow.dn.changes and ssl.allow.san.changes:

  • When ssl.allow.dn.changes is set to true, the check for DN changes during dynamic configuration updates will be skipped.
  • When ssl.allow.san.changes is set to true, the check for SAN changes during dynamic configuration updates will be skipped.

Using two separate options provides more flexibility for users who want to disable only one of the checks. The default value of both options will be false. That way, the default behavior does not change and all users will still have their certificates validated unless they explicitly disable the checks. The new options will not have any impact on the TLS handshake check done for inter-broker listeners. That check will still be executed to make sure the keystore and truststore match even if the DN and SAN checks are disabled.

The ssl.allow.dn.changes and ssl.allow.san.changes options themselves will not be dynamically configurable.
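The following sketch shows how the two flags gate the comparison between the current and the updated keystore certificate. It is an added example, not Kafka's own code: the class, record and method names are hypothetical, the rule that the new certificate must keep every SAN of the old one is an assumption, and the identities are constructed sample data (Java 16 or later).

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.security.auth.x500.X500Principal;

public class ReloadCheckExample {
    // Identity fields compared on a dynamic keystore update: subject DN and SAN entries.
    record Identity(X500Principal subject, Set<List<?>> sans) {
        static Identity of(X509Certificate cert) throws CertificateParsingException {
            Collection<List<?>> alt = cert.getSubjectAlternativeNames(); // null when absent
            Set<List<?>> sans = alt == null ? Set.of() : new HashSet<>(alt);
            return new Identity(cert.getSubjectX500Principal(), sans);
        }
    }

    // Returns the reasons an update would be rejected; an empty list means accepted.
    static List<String> validate(Identity oldId, Identity newId,
                                 boolean allowDnChanges, boolean allowSanChanges) {
        List<String> errors = new ArrayList<>();
        // X500Principal.equals compares canonical names, so spacing and case
        // differences in the DN string do not count as a change.
        if (!allowDnChanges && !oldId.subject().equals(newId.subject()))
            errors.add("DN changed: " + oldId.subject() + " -> " + newId.subject());
        // Assumption: the new certificate must still carry every SAN of the old one.
        if (!allowSanChanges && !newId.sans().containsAll(oldId.sans()))
            errors.add("SAN removed: " + oldId.sans() + " -> " + newId.sans());
        return errors;
    }

    // SAN entry in the [type, value] shape of getSubjectAlternativeNames(); 2 = dNSName.
    static List<?> dns(String name) {
        return List.of(2, name);
    }

    public static void main(String[] args) {
        // Constructed sample identities: both the DN and the SAN differ after renewal.
        Identity current = new Identity(new X500Principal("CN=broker-0,O=Example"),
                Set.of(dns("broker-0.example.internal")));
        Identity renewed = new Identity(new X500Principal("CN=broker-0,O=Example New CA"),
                Set.of(dns("broker-0.kafka.example.internal")));
        System.out.println(validate(current, renewed, false, false)); // defaults: two errors
        System.out.println(validate(current, renewed, true, false));  // only the SAN error
        System.out.println(validate(current, renewed, true, true));   // empty: accepted
    }
}
```

With both flags left at false the update is rejected for two independent reasons, which is why a single combined switch would force an operator to give up both checks to lift one.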

...

The default behavior for any existing and new users will not change. Only users who explicitly set the new options to true would be affected by this proposal.

Rejected Alternatives

Disabling the checks completely

Another option would be to remove the existing DN and SAN check completely. While it might protect the users in some situations, it would still allow them to break the TLS setup in others. However, that would mean a change for any user who relies on this check. So I rejected this alternative and proposed the new configuration option instead.

Using one option for both checks

Another considered variant was using a single option ssl.allow.dn.and.san.changes to disable both DN and SAN checks at once. This would provide less flexibility if users want to disable only one of the checks.