是否可以在 Apache Kafka Java 客户端中禁用 SSL 证书验证?
[英]Is it possible to disable SSL certificate verification in Apache Kafka Java client?
问题描述
If I have a self-signed certificate, as a good citizen, I will import it to my keystore and configure Kafka client with "ssl.truststore.location" and "ssl.truststore.type" in order to use it.
如果我有一个自签名证书,作为一个好公民,我会将它导入我的密钥库并使用“ssl.truststore.location”和“ssl.truststore.type”配置 Kafka 客户端以便使用它。
If expect that a Common Name from certificate's subject can differ from the host's address that presented it, I can turn off the endpoint validation with "ssl.endpoint.identification.algorithm".如果期望证书主题的通用名称可能与提供它的主机地址不同,我可以使用“ssl.endpoint.identification.algorithm”关闭端点验证。
What if I wanted to skip the SSL validation altogether, not just for the hostname, so that I no longer need to copy the certificates around?如果我想完全跳过 SSL 验证,而不仅仅是主机名,这样我就不再需要复制证书怎么办? Analogous to the "-k" or "--insecure" setting in curl.类似于 curl 中的“-k”或“--insecure”设置。 Can I do it with a default Java client for Kafka?我可以使用 Kafka 的默认 Java 客户端吗?
1 个解决方案
解决方案1
3 2020-12-14 13:58:11
There is one way to accomplish it however it's not so straightforward.有一种方法可以实现它,但它并不是那么简单。
The idea is to implement the interface org.apache.kafka.common.security.auth.SslEngineFactory that will ignore the certificate validation.这个想法是实现接口 org.apache.kafka.common.security.auth.SslEngineFactory 将忽略证书验证。 When you use it as a client it should be enough to implement just the createClientSslEngine method in a way similar to this:当您将其用作客户端时,只需以类似于以下方式实现 createClientSslEngine 方法就足够了:
import org.apache.kafka.common.security.auth.SslEngineFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import java.io.IOException;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import java.util.Map;
import java.util.Set;
public static class MySslEngineFactory implements SslEngineFactory {
@Override
public SSLEngine createClientSslEngine(String peerHost, int peerPort, String endpointIdentification) {
try {
TrustManager[] trustAllCerts = new TrustManager[]{new X509TrustManager() {
public X509Certificate[] getAcceptedIssuers() { return null; }
public void checkClientTrusted(X509Certificate[] certs, String authType) { }
public void checkServerTrusted(X509Certificate[] certs, String authType) { }
}};
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(null, trustAllCerts, new java.security.SecureRandom());
SSLEngine sslEngine = sc.createSSLEngine(peerHost, peerPort);
sslEngine.setUseClientMode(true);
return sslEngine;
} catch (NoSuchAlgorithmException | KeyManagementException e) {
throw new RuntimeException(e);
}
}
@Override
public SSLEngine createServerSslEngine(String peerHost, int peerPort) {
return null;
}
@Override
public boolean shouldBeRebuilt(Map<String, Object> nextConfigs) {
return false;
}
@Override
public Set<String> reconfigurableConfigs() {
return null;
}
@Override
public KeyStore keystore() {
return null;
}
@Override
public KeyStore truststore() {
return null;
}
@Override
public void close() throws IOException {
}
@Override
public void configure(Map<String, ?> configs) {
}
}
After having this class finished you just configure it as a SSL_ENGINE_FACTORY_CLASS in kafka (producer or consumer) properties:完成此类后,您只需在 kafka(生产者或消费者)属性中将其配置为 SSL_ENGINE_FACTORY_CLASS:
props.put(SslConfigs.SSL_ENGINE_FACTORY_CLASS, MySslEngineFactory.class);
or if you don't want to use the constant:或者如果您不想使用常量:
props.put("ssl.engine.factory.class", MySslEngineFactory.class);
Make sure you don't use this setup in production!确保您不在生产中使用此设置!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.