
How SSL works is well known, as it's quite widely used and described well everywhere. In short, SSL involves

  1. Verifying server authenticity by the client by verifying the server's X.509 certificate.
  2. Then arriving at a symmetric key using the Diffie-Hellman key exchange algorithm.

But I am not sure what happens with `security.protocol=SASL_SSL`. Client and server communication of a few technologies like Kafka etc. relies on this security protocol as one of the options. Here I am worried about point 1 above. If I get a wrong broker address (as a trick) from someone, my question is whether SASL_SSL verifies the server certificate or not. If it does, then I can be sure that the received broker is not genuine, my application will not publish or subscribe to messages from this server, and my data is safe.

Edit 1: Following @steffen-ullrich's answer and comments, and a little more digging, I see the below. It looks like the certificate validation is happening when used through Chrome, and probably it's loaded in the cacerts too. So the Java code is able to authenticate the server, so it seems OK.

Edit 2: Right, the certificates DST and ISRG are preloaded in the JDK 11 cacerts, so the client is able to authenticate the server, as commented by Steffen.

joven

2 Answers

SASL is a standard for authentication of the client - see Simple Authentication and Security Layer. SASL_SSL simply means that the client authentication (SASL) is used over a protected connection (SSL) to prevent interception instead of over a plain connection.

Steffen Ullrich
  • How about server authentication by the client? Is that done? Does the client verify the SSL (X.509) certificate of the server? I have to ask this as I don't see any preloaded keystore with the server certificate in my Java producer/consumer projects. – joven Jun 13 '21 at 07:00
  • @joven: SSL includes authentication of the server by the client and therefore SASL_SSL does too. I'm not sure about your specific setup, but typically Java has a default key store which includes the common publicly trusted CAs. If your server certificate is not issued by any of these, the certificate or its issuer CA likely needs to be explicitly configured as trusted on the client side. Note that none of these is a property of SASL_SSL; it is a property of SSL. SASL_SSL just means to make sure that SASL is only done over SSL and not plain. – Steffen Ullrich Jun 13 '21 at 07:03
  • I got your point. I am using an internal host / dev env with `kafkaProps.put("security.protocol", "SASL_SSL")` and *am sure that the server certificate is not present in the default JRE cacerts..* (will look through it once again though). Still it's working like a blaze; that's what triggered all this discussion. – joven Jun 13 '21 at 07:21
  • I edited the Q with the observation following your A and comments. It seems it's all connecting with your info. Thanks. – joven Jun 13 '21 at 07:40
  • I need a bit more help in resolving this. I looked at Chrome's managed certificates and it has the DST Root Certificate listed in it. So it is clear that Chrome is able to verify the server certificate. Then I listed the certificates in cacerts, the one my Kafka project is using (the default one at jdk-11.0.10_windows-x64_bin\jdk-11.0.10\lib\security; I never added anything to this) and don't find DST or ISRG or R3 or Confluent in there, so I'm wondering how the Java code is able to verify the server certificate. Any hints on this? – joven Jun 13 '21 at 09:22
  • @joven: I don't know about the default key store of the JDK you are using and which key store is actually used in the application. But in JDK 11 on Ubuntu 20.04 (Linux), both the ISRG Root X1 and DST Root CA X3 are in the key store. – Steffen Ullrich Jun 13 '21 at 09:37
  • I see them now with grep: `letsencryptisrgx1 [jdk], 04-Jun-2015, trustedCertEntry` and `identrustdstx3 [jdk], 01-Oct-2000, trustedCertEntry`. Thanks Steffen, it's been of great help. It helped me in understanding the bigger picture involved with SASL_SSL. – joven Jun 13 '21 at 10:03

What you are asking is related to another configuration; please read the following description.

ssl.endpoint.identification.algorithm
The endpoint identification algorithm used by clients to validate the server host name. The default value is https. Clients, including client connections created by the broker for inter-broker communication, verify that the broker host name matches the host name in the broker's certificate. Disable server host name verification by setting ssl.endpoint.identification.algorithm to an empty string.
  • Type: string
  • Default: https
  • Importance: medium

Ran Lupovich
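Added example (not from the question or either answer): a Java 11 program that lists which CAs in the JVM's default cacerts a SASL_SSL client would trust, the check Edit 2 did with grep, and builds producer properties with the truststore and hostname-verification settings the second answer describes. The broker address, user name, password and truststore path are placeholders.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class SaslSslTrustCheck {
    // Subject names of the CAs in the JVM default trust store (lib/security/cacerts
    // unless -Djavax.net.ssl.trustStore overrides it). A Kafka client on SASL_SSL with
    // no ssl.truststore.location verifies the broker certificate against this store.
    static List<String> defaultTrustedRoots() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);                      // null = JVM default trust store
        List<String> subjects = new ArrayList<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                subjects.add(ca.getSubjectX500Principal().getName());
            }
        }
        return subjects;
    }
    // Producer settings for SASL_SSL with SASL/PLAIN; broker address and credentials
    // are placeholders. Plain string keys as in the question, so only the JDK is needed.
    static Properties producerProps(String bootstrap, String user, String pass) {
        Properties p = new Properties();
        p.put("bootstrap.servers", bootstrap);
        p.put("security.protocol", "SASL_SSL");
        p.put("sasl.mechanism", "PLAIN");
        p.put("sasl.jaas.config",
            "org.apache.kafka.common.security.plain.PlainLoginModule required "
            + "username=\"" + user + "\" password=\"" + pass + "\";");
        // Needed only when the broker's issuing CA is absent from the default cacerts:
        // p.put("ssl.truststore.location", "/path/to/client-truststore.jks");
        // p.put("ssl.truststore.password", "changeit");
        // Keep hostname verification on ("https" is the default); "" would skip the
        // check that the broker host name matches its certificate.
        p.put("ssl.endpoint.identification.algorithm", "https");
        return p;
    }
    public static void main(String[] args) throws Exception {
        for (String s : defaultTrustedRoots())
            if (s.contains("ISRG") || s.contains("DST Root")) System.out.println(s);
        System.out.println(producerProps("broker.example.internal:9093", "user", "secret"));
    }
}
```

Run it with the same JDK the Kafka client uses; if the broker's CA is not printed, the client needs the explicit truststore settings shown in the comments rather than a disabled hostname check.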