Skip to content

Discovery client and Schema Registry client performing SSL hostname validation even with `hostnameVerification` set to false

Summary

If the Discovery API or Schema Registry is deployed with an HTTPS certificate which doesn't always match the hostname the connections fail because of the Hostname Validation for HTTPS. The Client setting ssl.endpoint.identification.algorithm is used to enable/disable this check for Kafka. But this setting is not honoured for the other connections in the Axual Platform.

This is the case for ALL Axual Client 5 and 6 implementations

Steps to reproduce

  1. Use a SSL server certificate in Discovery service or Schema registry that doesn't include the domain name that it is serving in the list of SANs.
  2. Configure the Producer/Consumer using Axual Client
  3. During the communication initiation process, It'll complain with an error message something similar to No subject alternative DNS name matching <domain name> found.

Example Project

N/A

What is the current bug behavior?

With hostnameVerification set to false, the client application still try to verify the hostname of Discovery endpoint as well as Schema Registry endpoints.

What is the expected correct behavior?

When the configuration property is set to do not perform hostname validations, then don't check it for Discovery API and Schema Registry.

Relevant logs and/or screenshots

N/A

Possible fixes

Both SR and Discovery clients need to honour the hostnameVerification configuration that is passed into the client.