Server hostname verification fails with "Hostname mismatch" #3685
navyaramesh87
-
I don't believe that is possible, it is after all the hostname that needs to match the certificate.
-
If you reproduce this with debug=security, what does this log line say?:
-
Hi,
As a client when testing the TLS call, we’re trying to perform hostname verification of the Kafka broker by setting the configuration “ssl.endpoint.identification.algorithm” to https.
Issue observed:
Client initiates Client Hello and server responds with Server Hello which contains the server certificate. But Client rejects the request with Bad Certificate error and the error got from the library is “Hostname mismatch”.
Observation from application log at the client:
Enabled endpoint identification using hostname
Error returned from library: Hostname mismatch
Certificate (subject=/C=IN/ST=KA/L=BAN/O=Company/OU=OU/CN=192.168.0.1, issuer=/ST=Karnataka/L=Banaglore/O=Company/OU=Unit/CN=example.com) verification callback failed
SSL handshake failed: s3_clnt.c:1264: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed: broker certificate could not be verified, verify that ssl.ca.location is correctly configured or root CA certificates are installed (install ca-certificates package) (after 9ms in state SSL_HANDSHAKE) (_SSL): identical to last error: error log suppressed
Client configurations:
Language used = C++
Library = librdkafka-1.0.7
Other configurations set on the client:
• security.protocol = SSL
• enable.ssl.certificate.verification = true
• ssl.endpoint.identification.algorithm=https
Server configurations:
Language used = Java 1.8.0_282
• ssl.client.auth=required
• ssl.endpoint.identification.algorithm=https
• inter.broker.listener.name=SSL
Our client uses an IP address to communicate with the server rather than a hostname. We request some suggestions on how to perform server endpoint verification with an IP address.
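What endpoint identification per RFC 2818 (the rule the `https` setting names) asks of a certificate when the peer is addressed by IP, as an added example that is not part of the original post and is not librdkafka's or OpenSSL's code. It works on the dict layout of Python's `ssl.SSLSocket.getpeercert()`; all sample certificates are constructed, and because the log above shows only the subject, the first one assumes no subjectAltName.

```python
import ipaddress

# Constructed samples (getpeercert() layout). CN_ONLY mirrors the subject CN in
# the log above; its lack of a subjectAltName is an assumption.
CN_ONLY = {"subject": ((("commonName", "192.168.0.1"),),)}
WITH_IP_SAN = dict(CN_ONLY, subjectAltName=(("IP Address", "192.168.0.1"),))
WITH_DNS_SAN = {"subjectAltName": (("DNS", "*.example.com"),)}


def _ip(name):
    """Parse an IP literal, or return None if name is not one."""
    try:
        return ipaddress.ip_address(name)
    except ValueError:
        return None


def _dns_match(pattern, host):
    """Case-insensitive match; '*' is accepted only as the whole left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h


def check_endpoint(cert, reference):
    """Return (ok, reason) for the name or address the client connected with."""
    san = cert.get("subjectAltName", ())
    want = _ip(reference)
    if want is not None:
        # RFC 2818: an IP reference must equal an iPAddress SAN exactly.
        if any(_ip(v) == want for k, v in san if k == "IP Address"):
            return True, "matched iPAddress SAN"
        return False, "no iPAddress SAN equals the address (CN and dNSName ignored)"
    dns = [v for k, v in san if k == "DNS"]
    if dns:
        ok = any(_dns_match(v, reference) for v in dns)
        return ok, "matched dNSName SAN" if ok else "no dNSName SAN matches"
    # Hostname reference with no dNSName SAN: fall back to the subject CN.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    ok = any(_dns_match(v, reference) for v in cns)
    return ok, "matched CN (no dNSName SAN present)" if ok else "CN does not match"


if __name__ == "__main__":
    for label, cert in (("CN only", CN_ONLY), ("with IP SAN", WITH_IP_SAN)):
        print(label, check_endpoint(cert, "192.168.0.1"))
```

Whether a given client library and OpenSSL build apply the iPAddress branch is a separate question from what the certificate contains, so check both the broker certificate's subjectAltName and the client's verification debug log.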