...

JIRA: https://issues.apache.org/jira/projects/KAFKA/issues/KAFKA-16081

Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).

Motivation

For Kafka, an SSL connection occupies approximately 100KB of memory, while a plaintext connection occupies around 250 bytes, a memory footprint ratio of approximately 400:1. Therefore, there should be a broker-wide limit on SSL connections to prevent potential OOM situations caused by an excessive number of SSL connections.

Currently, we have the max.connections configuration at both the broker and listener levels, which allows us to limit the maximum number of active connections on each listener and on the overall broker.

However, the current implementation makes it hard to control the number of SSL connections effectively. For example, if a broker supports 10,000 SSL connections and has two SSL listeners, it is unclear how to configure the limit of each listener. If we set the connection count to 5,000 for each listener, we cannot precisely control the total SSL connection count to be 10,000, especially if one listener is heavily used while the other has fewer connections.

Furthermore, if the security protocol of a listener switches from PLAINTEXT to SASL_SSL, the limit of that listener also needs to be modified.

The new configuration could work together with max.connections to control SSL and non-SSL connections. For example, set max.connections to 10000 and max.ssl.connections to 5000, which means non-SSL connections are limited to 5000.
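The following toy admission model is an added illustration, not part of the KIP or of Kafka's code; it compares per-listener limits with a broker-wide SSL cap for a broker sized for 10,000 SSL connections. The listener names, the demand figures, the 50,000 broker-wide max.connections, and the rule that an SSL or SASL_SSL connection is refused once the broker-wide SSL count reaches max.ssl.connections are assumptions.

```python
from dataclasses import dataclass, field

SSL_PROTOCOLS = {"SSL", "SASL_SSL"}
SSL_BYTES, PLAINTEXT_BYTES = 100_000, 250  # per-connection sizes quoted in the Motivation

@dataclass
class Broker:
    protocols: dict               # listener name -> security protocol
    listener_max: dict            # listener name -> listener-level max.connections
    max_connections: int          # broker-wide max.connections
    max_ssl_connections: int = 0  # proposed broker-wide SSL cap; 0 = not set (model convention)
    counts: dict = field(default_factory=dict)

    def is_ssl(self, listener):
        return self.protocols[listener] in SSL_PROTOCOLS

    def ssl_total(self):
        return sum(n for name, n in self.counts.items() if self.is_ssl(name))

    def memory_bytes(self):
        return sum(n * (SSL_BYTES if self.is_ssl(name) else PLAINTEXT_BYTES)
                   for name, n in self.counts.items())

    def accept(self, listener):  # admit only if every applicable limit has headroom
        cap = self.max_ssl_connections
        if (self.counts.get(listener, 0) >= self.listener_max[listener]
                or sum(self.counts.values()) >= self.max_connections
                or (cap and self.is_ssl(listener) and self.ssl_total() >= cap)):
            return False
        self.counts[listener] = self.counts.get(listener, 0) + 1
        return True

def admitted_ssl(listener_max, demand, max_ssl=0):
    """Offer demand[listener] connection attempts; return (SSL connections admitted, bytes)."""
    broker = Broker({"EXTERNAL": "SSL", "CLIENT": "SASL_SSL", "INTERNAL": "PLAINTEXT"},
                    listener_max, max_connections=50_000, max_ssl_connections=max_ssl)
    for listener, attempts in demand.items():
        for _ in range(attempts):
            broker.accept(listener)
    return broker.ssl_total(), broker.memory_bytes()

SPLIT = {"EXTERNAL": 5_000, "CLIENT": 5_000, "INTERNAL": 50_000}    # constructed limits
LOOSE = {"EXTERNAL": 10_000, "CLIENT": 10_000, "INTERNAL": 50_000}  # constructed limits
SKEWED = {"EXTERNAL": 9_000, "CLIENT": 1_000, "INTERNAL": 2_000}    # constructed demand
SURGE = {"EXTERNAL": 9_000, "CLIENT": 9_000, "INTERNAL": 2_000}     # constructed demand

if __name__ == "__main__":
    for limits, demand, cap in ((SPLIT, SKEWED, 0), (LOOSE, SURGE, 0), (LOOSE, SURGE, 10_000)):
        print(admitted_ssl(limits, demand, cap))
```

With 5,000 per listener the skewed load admits only 6,000 SSL connections, with 10,000 per listener the surge admits 18,000 (about 1.8 GB at the quoted per-connection size), and the broker-wide cap holds both loads at 10,000.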

Public Interfaces

No new interfaces or will be added.

...