
I'm using the Java library kafka-clients 3.0.0 since I have a K8s cluster with 3 brokers and I need to produce/consume on topics through microservices.

Both the Kafka brokers and clients have been correctly configured to authenticate clients through mTLS using a keystore and truststore. All the authentication and communication encryption works like a charm!

Here comes the issue: for security reasons, the client certificates get renewed each day, so each certificate expires in 24 hours. When a client certificate has expired, the client is still able to communicate regularly with the Kafka brokers, both producing and consuming. I suppose this happens because the mTLS handshake between clients and brokers happens only the first time, when the producer/consumer gets initialized, and the same TCP channels are then reused to communicate.

Anyway, if it works like that, it seems to me to be a security issue. Does anybody know more about this kafka-clients behaviour? Is my hypothesis wrong? Is there a way to force the handshake after a while?

Thank you.

  • You're renewing the certificate **every** day? For what reason? – Kayaman Feb 04 '22 at 09:56
  • It's for security requirements. But the issue is not about the certificate validity time, since I could also have a certificate expiring in 1 week, and still, when it has expired, the Kafka clients would be able to communicate with the brokers. – user7441088 Feb 04 '22 at 10:05
  • Of course, do you realize how ineffective it would be if it had to constantly be doing the handshake for existing connections? You could cut all the connections when you change the cert, and then let them reconnect if you really want to make sure every connection always switches to the new cert. – Kayaman Feb 04 '22 at 10:11
  • Sure, to me it's logical since Kafka is "near real-time oriented". But it also seems unsafe that I can't have the control to dynamically reload the SSL context as I want. What you've described is something I'm already doing, but I was trying to understand if the behaviour I described was actually correct. – user7441088 Feb 04 '22 at 10:16
  • How does it seem unsafe? Give me a concrete example. – Kayaman Feb 04 '22 at 10:26
  • If an attacker is able to steal my certificates, simple. – user7441088 Feb 04 '22 at 10:39
  • No, it's not simple. A normal certificate is valid for a year. If an attacker is able to steal your certificate, maybe they have access to the client and can easily steal all further certificates too. Wouldn't help you one bit to keep churning out new certificates every day. – Kayaman Feb 04 '22 at 10:59
  • But you're assuming that what you are saying is a universal truth instead of knowing in which kind of environment I work and why I need these requirements. Anyway, this is purely off-topic from my question, thank you anyway. – user7441088 Feb 04 '22 at 13:08

0 Answers
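Since the TLS handshake (and therefore certificate validation) only happens when a connection is opened, the practical way to make a renewed client certificate take effect is the one the comments describe: tear down the old connections and reconnect. The following is an added example, not code from the question or from the Kafka project: a small wrapper that rebuilds the `KafkaProducer` whenever the keystore file referenced by `ssl.keystore.location` is rewritten, so the new connections perform a fresh mTLS handshake with the new certificate. It assumes the `Properties` passed in already contain `bootstrap.servers`, `security.protocol=SSL` and the keystore/truststore settings; `RotatingProducer` and the 30-second polling interval are hypothetical choices.

```java
import java.nio.file.*;
import java.nio.file.attribute.FileTime;
import java.time.Duration;
import java.util.Properties;
import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicReference;
import org.apache.kafka.clients.producer.*;
import org.apache.kafka.common.config.SslConfigs;

/** Rebuilds the KafkaProducer whenever the keystore file on disk changes,
 *  so new connections (and their mTLS handshakes) use the renewed certificate. */
public class RotatingProducer implements AutoCloseable {
    private final Properties props;
    private final Path keystore;
    private final AtomicReference<KafkaProducer<String, String>> current = new AtomicReference<>();
    private final ScheduledExecutorService scheduler = Executors.newSingleThreadScheduledExecutor();
    private FileTime lastSeen;

    public RotatingProducer(Properties props) throws Exception {
        this.props = props;
        this.keystore = Paths.get(props.getProperty(SslConfigs.SSL_KEYSTORE_LOCATION_CONFIG));
        this.lastSeen = Files.getLastModifiedTime(keystore);
        current.set(new KafkaProducer<>(props));
        // Poll the keystore mtime: daily renewal rewrites the file in place (30s interval is an assumption).
        scheduler.scheduleAtFixedRate(this::reloadIfChanged, 30, 30, TimeUnit.SECONDS);
    }

    private void reloadIfChanged() {
        try {
            FileTime now = Files.getLastModifiedTime(keystore);
            if (now.equals(lastSeen)) return;
            lastSeen = now;
            // A new producer reads the keystore again and opens fresh connections, each with a new handshake.
            KafkaProducer<String, String> fresh = new KafkaProducer<>(props);
            KafkaProducer<String, String> old = current.getAndSet(fresh);
            // Closing the old producer drains in-flight sends and drops its still-authenticated connections.
            old.close(Duration.ofSeconds(10));
        } catch (Exception e) {
            // Keep the existing producer on failure (e.g. keystore half-written) and retry on the next tick.
            System.err.println("keystore reload failed, keeping current producer: " + e);
        }
    }

    public Future<RecordMetadata> send(String topic, String key, String value) {
        return current.get().send(new ProducerRecord<>(topic, key, value));
    }

    @Override public void close() {
        scheduler.shutdownNow();
        current.get().close(Duration.ofSeconds(10));
    }
}
```

Lowering `connections.max.idle.ms` does not achieve the same thing, because it only closes connections that are idle, and a busy producer's connections never are.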