Strimzi
KafkaClients like producer/consumer, why they need to pass on ca.crt (ClusterCA?) Otherwise handshakefails #5999
Replies: 1 comment 2 replies
-
|
Server authentication is a common part of the TLS process. At the end the mutual says that the authentication should be mutual and not just one-sided. It helps to ensure you are sending the records to / receiving it from the correct server and not from some faked one in case of some form of man-in-the-middle-atack. But at the end it is your setup and your responsibility. So if your Kafka client supports it, you can just trust all Kafka brokers 🤷♂️ . |
Beta Was this translation helpful? Give feedback.
-
|
@scholzj This helps, But lets say considering I trust broker, if I dont want to pass ca.crt, is it possible? |
Beta Was this translation helpful? Give feedback.
-
|
This is not something you can set in the broker. That depends on your Kafka client. AFAIK, the Java client does not have such option (or if it does I somehow missed it). But other clients might have such options. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
We have setup Kafka with mtls, we observed from some of your threads that we need to pass on ca.crt (clusterCa) as truststore, else the handshake fails. Why server verification is needed?
Any help?
Beta Was this translation helpful? Give feedback.
All reactions