Closed wbarnha closed 6 months ago
When using FQDNs with trailing dots to connect to a broker, the trailing dot in the hostname should be stripped before using the hostname for validation against the server's certificate.
For instance, this code:
```python
from kafka import KafkaProducer

producer = KafkaProducer(
    bootstrap_servers="redpanda.redpanda.svc.cluster.local.:9093",
    security_protocol="SSL",
)
```
will cause certificate validation to fail when the subject name doesn't contain the trailing dot.
For some context, this is also a problem with librdkafka: https://github.com/confluentinc/librdkafka/issues/4348
The current stance from the OpenSSL team is that this is an application-layer issue: https://github.com/openssl/openssl/issues/11560
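An added sketch of the normalization the description asks for (not code from this pull request or from the library): keep the dotted name for DNS resolution, but drop the root dot before hostname verification. The function names, the simplified SAN matcher and the sample SAN list are assumptions constructed for illustration.

```python
# Added illustration; names and sample data are constructed, not library code.

def split_bootstrap(server, default_port=9092):
    """Split a 'host:port' bootstrap entry (hostnames only, no IPv6 literals)."""
    host, sep, port = server.rpartition(":")
    if not sep:                      # no port given
        return server, default_port
    return host, int(port)


def verification_name(host):
    """Name to check against the certificate: the root dot is dropped."""
    # Strip exactly one trailing dot. "host.." is malformed and is left
    # untouched so that verification still fails on it.
    if host.endswith(".") and not host.endswith(".."):
        return host[:-1]
    return host


def san_matches(name, san_dns_names):
    """Simplified dNSName match: case-insensitive, '*' only as the whole
    leftmost label. A stand-in for the TLS library's check, not a copy of it."""
    want = name.lower().split(".")
    for san in san_dns_names:
        have = san.lower().split(".")
        if len(have) != len(want):
            continue                 # a trailing dot adds an empty label here
        if have[0] == "*" and want[0]:
            have = [want[0]] + have[1:]
        if have == want:
            return True
    return False


def connect_plan(server):
    """Return (dns_name, port, tls_name) for one bootstrap entry."""
    host, port = split_bootstrap(server)
    # dns_name keeps the dot so the resolver treats it as absolute;
    # tls_name is what would be passed as the ssl server_hostname.
    return host, port, verification_name(host)


SAMPLE_SANS = ["redpanda.redpanda.svc.cluster.local"]   # constructed
dns_name, port, tls_name = connect_plan(
    "redpanda.redpanda.svc.cluster.local.:9093")
print(san_matches(dns_name, SAMPLE_SANS), san_matches(tls_name, SAMPLE_SANS))
```

Stripping only for the verification name keeps the absolute-name behaviour of the resolver while still requiring an exact match against the certificate.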