
How does SASL_SSL security protocol work? Does client verify the server (X.509 cert)?

How SSL works is well known, as it is quite widely used and described well everywhere. In short, SSL involves:

  1. The client verifying the server's authenticity by verifying the server's X.509 certificate.
  2. Then arriving at a symmetric key using the Diffie-Hellman key exchange algorithm.

But I am not sure what happens with security.protocol=SASL_SSL. Client and server communication in a few technologies like Kafka relies on this security protocol as one of the options. Here I am worried about point 1 above. If I get a wrong broker address (as a trick) from someone, does SASL_SSL verify the server certificate or not? That is my question. If it does, then I can be sure that the received broker is not genuine, my application will not publish or subscribe to messages from this server, and my data is safe.

Edit 1: Following @steffen-ullrich's answer and comments, and a little more digging, I see the below. Looks like the certificate validation is happening when used through Chrome, and probably it's loaded in the cacerts too. So the Java code is able to authenticate the server.. so seems ok..

Edit 2: Right, the certificates DST and ISRG are preloaded in the JDK 11 cacerts, so the client is able to authenticate the server, as commented by Stephen.

What you are asking is related to another configuration; please read the following description.

ssl.endpoint.identification.algorithm

The endpoint identification algorithm used by clients to validate server host name. The default value is https. Clients including client connections created by the broker for inter-broker communication verify that the broker host name matches the host name in the broker's certificate. Disable server host name verification by setting ssl.endpoint.identification.algorithm to an empty string.

Type: string
Default: https
Importance: medium
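As an added illustration (not part of this answer or of Kafka itself), the following Python audit reads a Kafka client properties file and reports whether the client could still accept a fake broker: TLS off, or hostname verification disabled by an empty ssl.endpoint.identification.algorithm. The two property texts, the broker name and the truststore path are constructed samples.

```python
# Constructed sample client.properties texts (placeholder host and path).
WEAK_CLIENT_PROPERTIES = """
bootstrap.servers=broker.example.invalid:9093
security.protocol=SASL_SSL
sasl.mechanism=SCRAM-SHA-512
# Empty value switches off broker host name verification
ssl.endpoint.identification.algorithm=
ssl.truststore.location=/etc/kafka/client.truststore.jks
"""

HARDENED_CLIENT_PROPERTIES = """
bootstrap.servers=broker.example.invalid:9093
security.protocol=SASL_SSL
sasl.mechanism=SCRAM-SHA-512
ssl.endpoint.identification.algorithm=https
ssl.truststore.location=/etc/kafka/client.truststore.jks
"""


def parse_properties(text):
    """Minimal Java .properties parser: key=value lines, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def audit_server_verification(props):
    """Return findings describing gaps in how the client verifies the broker."""
    findings = []
    proto = props.get("security.protocol", "PLAINTEXT")
    if proto not in ("SSL", "SASL_SSL"):
        findings.append(f"security.protocol={proto}: no TLS, broker certificate never checked")
        return findings
    # With SSL/SASL_SSL the JVM validates the certificate chain against the
    # configured truststore, or the JDK default cacerts when none is set.
    if not props.get("ssl.truststore.location"):
        findings.append("ssl.truststore.location unset: chain validated against JDK default cacerts")
    # Kafka's documented default is "https"; an empty string disables the host name check,
    # so a valid certificate issued for some other host would still be accepted.
    if props.get("ssl.endpoint.identification.algorithm", "https") == "":
        findings.append("ssl.endpoint.identification.algorithm empty: host name verification disabled")
    return findings
```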

SASL is a standard for authentication of the client - see Simple Authentication and Security Layer. SASL_SSL simply means that the client authentication (SASL) is used over a protected connection (SSL) to prevent interception, instead of over a plain connection.
