
SchemaRegistryConfig.EnableSslCertificateVerification does not allow to bypass CA check when client certificates is not used #1897

Open
dolifer opened this issue Sep 15, 2022 · 2 comments · May be fixed by #2174

Comments


dolifer commented Sep 15, 2022

Description

I found in the sources that when HttpClient is created, it bypasses the server SSL CA check only when we're using client certs.

```csharp
.Select(uri =>
{
    HttpClient client;
    if (certificates.Count > 0)
    {
        client = new HttpClient(CreateHandler(certificates, enableSslCertificateVerification)) { BaseAddress = new Uri(uri, UriKind.Absolute), Timeout = TimeSpan.FromMilliseconds(timeoutMs) };
    }
    else
    {
        client = new HttpClient() { BaseAddress = new Uri(uri, UriKind.Absolute), Timeout = TimeSpan.FromMilliseconds(timeoutMs) };
    }
    return client;
```

This does not work when we're accessing a SchemaRegistry that is served via https with a self-signed certificate without using client certificates.

How to reproduce

  • Use a self-signed certificate for the schema-registry
  • Set EnableSslCertificateVerification = true
  • Try to get a schema, receive an error

HttpRequestException: The SSL connection could not be established, see inner exception.

```csharp
using System;
using System.Threading.Tasks;
using Confluent.SchemaRegistry;

var schemaRegistryConfig = new SchemaRegistryConfig
{
  Url = "https://localhost:8085",
  EnableSslCertificateVerification = false  // this does not work
};

using (var schemaRegistry = new CachedSchemaRegistryClient(schemaRegistryConfig))
{
  var subjects = await schemaRegistry.GetAllSubjectsAsync();

  foreach (var subject in subjects)
  {
    Console.WriteLine(subject);
  }
}
```

Checklist

Please provide the following information:

  • A complete (i.e. we can run it), minimal program demonstrating the problem. No need to supply a project file.
  • Confluent.Kafka nuget version - 1.8.2
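As an added example (not code from the confluent-kafka-dotnet sources), this is one way a handler could honour the verification flag whether or not client certificates are configured, and, as the safer option for an operator-issued CA, keep verification on while anchoring trust at that one CA only. `BuildHandler` and the `trustedCa` parameter are hypothetical names; the `.NET 5+` custom-trust-store APIs are assumed.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class SchemaRegistryHandlerExample
{
    // Hypothetical helper mirroring CreateHandler's parameters, plus an
    // optional private CA (e.g. the one issued by Confluent for Kubernetes).
    public static HttpClientHandler BuildHandler(
        X509Certificate2Collection clientCerts,   // may be empty
        bool enableSslCertificateVerification,
        X509Certificate2 trustedCa = null)
    {
        var handler = new HttpClientHandler();

        // Client certificates are independent of server verification.
        if (clientCerts.Count > 0)
        {
            handler.ClientCertificateOptions = ClientCertificateOption.Manual;
            handler.ClientCertificates.AddRange(clientCerts);
        }

        if (!enableSslCertificateVerification)
        {
            // What the issue expects when the flag is false: accept any
            // server certificate, with or without client certificates.
            handler.ServerCertificateCustomValidationCallback =
                HttpClientHandler.DangerousAcceptAnyServerCertificateValidator;
        }
        else if (trustedCa != null)
        {
            // Verification stays on; only the trust anchor changes, so the
            // hostname check and chain building still apply.
            handler.ServerCertificateCustomValidationCallback = (request, cert, chain, errors) =>
            {
                if (cert == null || chain == null) return false;
                if ((errors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0) return false;

                chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
                chain.ChainPolicy.CustomTrustStore.Clear();
                chain.ChainPolicy.CustomTrustStore.Add(trustedCa);
                return chain.Build(cert); // true only if the chain ends at trustedCa
            };
        }
        return handler;
    }
}
```

The second branch avoids having to mount the CA into the machine store or disable verification altogether for the whole client.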
@mhowlett
Contributor

There's an argument that not supporting self-signed certificates is a feature, not a bug :-).

Yeah, it would be good to change this.


HansK-p commented Dec 2, 2022

Hello
We have the same problem in an environment where the self-signed certificate has been issued by the Confluent for Kubernetes operator. As I understand it, this means that with our setup a self-signed certificate is used for Schema Registry by design.

I assume this means that the missing support for client self-signed certificates is a bug (or potentially a design flaw)? Currently we do not have a good way to connect to the Schema Registry with a .NET client when the Schema Registry certificate has been issued and distributed by the Confluent for Kubernetes operator. Or rather, the only "good way" is to place/mount the CA certificate into /etc/ssl/certs (local certificate store).

Br
Hans K.

dolifer added a commit to dolifer/confluent-kafka-dotnet that referenced this issue Jan 7, 2023