
Encrypt communication using self-signed certificate

Open tulios opened this issue 7 years ago • 4 comments

Hi, this package supports client authentication using a certificate and a key, but it's really common on local networks to just have encrypted communication, usually using self-signed certificates.

Would you be interested in a PR including this? We have a lot of projects in Java, Ruby and Elixir and the popular clients all support this, so I think this would be a nice addition to this library. I have a local version working with the self-signed certificate; the configuration would be something like:

Kafka.Producer({
  connectionString: 'kafka://<something>',
  ssl: {
    ca: '/path/to/my-cert.crt' // or fs.readFileSync('my-cert.crt')
  }
})

tulios avatar May 02 '17 11:05 tulios

I don't see any sense in this; this package comes with SSL tests using self-signed certificates. You can also pass any SSL options that Node's tls.connect function accepts, including the ca option.

oleksiyk avatar May 02 '17 19:05 oleksiyk

@oleksiyk it doesn't solve the same problem. I may be wrong, but looking at the code I can see that the library doesn't pass the ssl options if it doesn't have the cert and the key configuration (https://github.com/oleksiyk/kafka/blob/master/lib/connection.js#L70).

From the TLS module:

When using certificates that are not chainable to a well-known CA, the certificate's CA must be explicitly specified as a trusted or the connection will fail to authenticate

tulios avatar May 02 '17 20:05 tulios

So, you are using an SSL connection without a certificate and key? And you just want to verify the server's certificate with a self-signed CA?

oleksiyk avatar May 02 '17 20:05 oleksiyk

Yes. This option is available in other libraries. In librdkafka, for example, the option is:

ssl.ca.location - File or directory path to CA certificate(s) for verifying the broker's key

https://github.com/edenhill/librdkafka/blob/0.9.4.x/CONFIGURATION.md

tulios avatar May 02 '17 20:05 tulios
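
The CA-only mode discussed in this thread, as an added example that is not part of the thread or of the library's code: it contrasts a gate that requires both cert and key, as tulios describes it, with a helper that also accepts a CA-only config and keeps server verification on. The names `gateRequiresCertAndKey`, `loadPem`, `buildTlsOptions` and `connect` are hypothetical, and `SAMPLE_CA` is a constructed placeholder rather than a real certificate.

```javascript
'use strict';
const fs = require('fs');
const net = require('net');
const tls = require('tls');

// Constructed placeholder, not a real certificate: only the PEM framing matters here.
const SAMPLE_CA = '-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n';

// The gate as described in the thread: TLS options are applied only when a
// client cert AND key are present, so a CA-only config is never used.
function gateRequiresCertAndKey(ssl) {
  return Boolean(ssl && ssl.cert && ssl.key);
}

// Accept a Buffer, PEM text, or a file path (the forms shown in the proposal).
function loadPem(value) {
  if (Buffer.isBuffer(value)) return value;
  if (/-----BEGIN [A-Z0-9 ]+-----/.test(value)) return Buffer.from(value);
  return fs.readFileSync(value);
}

// Hypothetical helper: options for tls.connect(), or null for plaintext.
// Any `ssl` object means TLS, so a partial config never downgrades silently.
function buildTlsOptions(ssl, host, port) {
  if (!ssl) return null;
  if (Boolean(ssl.cert) !== Boolean(ssl.key)) {
    throw new Error('ssl.cert and ssl.key must be provided together');
  }
  // Verification stays on; trusting the private CA replaces disabling checks.
  const opts = { host, port, rejectUnauthorized: true };
  // SNI must be a hostname, so it is skipped for IP literals.
  if (!net.isIP(host)) opts.servername = host;
  if (ssl.ca) {
    const list = Array.isArray(ssl.ca) ? ssl.ca : [ssl.ca];
    opts.ca = list.map(loadPem); // overrides Node's default trust store
  }
  if (ssl.cert) {
    opts.cert = loadPem(ssl.cert); // mutual TLS only when configured
    opts.key = loadPem(ssl.key);
  }
  return opts;
}

function connect(ssl, host, port) {
  const opts = buildTlsOptions(ssl, host, port);
  return opts ? tls.connect(opts) : net.connect({ host, port });
}
```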