SchemaRegistryConfig.EnableSslCertificateVerification does not allow to bypass CA check when client certificates is not used #1897
Comments
There's an argument that not supporting self-signed certificates is a feature, not a bug :-). Yeah, it would be good to change this.
Hello, I assume this means that the missing support for client self-signed certificates is a bug (or potentially a design flaw)? Currently we do not have a good way to connect to the Schema Registry with a .NET client when the Schema Registry certificate has been issued and distributed by the Confluent for Kubernetes operator. Or rather - the only "good way" is to place/mount the CA certificate into /etc/ssl/certs (local certificate store). Br
Description
I found in the sources that when HttpClient is created, it bypasses the server SSL CA check only when we're using client certs.
confluent-kafka-dotnet/src/Confluent.SchemaRegistry/Rest/RestService.cs
Lines 67 to 78 in 895b72d
This does not work when we're accessing a SchemaRegistry that is served via https with a self-signed certificate, without using client certificates.
How to reproduce
EnableSslCertificateVerification = true
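As an alternative to switching verification off for a registry whose certificate comes from a private CA, the server chain can be validated against that CA only, whether or not a client certificate is configured. The following is an added example, not code from confluent-kafka-dotnet; the class name `PrivateCaHttp`, the `caPemPath` parameter and the choice to skip revocation checks are assumptions, it needs .NET 5 or later, and how such a handler would be wired into the Schema Registry client is not shown on this page.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper, not part of Confluent.SchemaRegistry.
static class PrivateCaHttp
{
    // caPemPath: PEM file with the private CA certificate(s), supplied by the caller.
    // clientCert: optional; server validation below does not depend on it.
    public static HttpClient Create(string caPemPath, X509Certificate2 clientCert = null)
    {
        var roots = new X509Certificate2Collection();
        roots.ImportFromPemFile(caPemPath);

        var handler = new HttpClientHandler();
        if (clientCert != null)
            handler.ClientCertificates.Add(clientCert);

        handler.ServerCertificateCustomValidationCallback = (request, cert, chain, errors) =>
        {
            // Already trusted by the system store and the host name matches.
            if (errors == SslPolicyErrors.None) return true;

            // Only an untrusted chain may be re-evaluated. A host name mismatch
            // or a missing certificate is always rejected.
            if (errors != SslPolicyErrors.RemoteCertificateChainErrors || cert == null)
                return false;

            using var custom = new X509Chain();
            custom.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
            custom.ChainPolicy.CustomTrustStore.AddRange(roots);
            // Assumption: the private CA publishes no CRL/OCSP endpoint.
            custom.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;

            // Reuse any intermediates the server sent during the handshake.
            if (chain != null)
                foreach (var element in chain.ChainElements)
                    custom.ChainPolicy.ExtraStore.Add(element.Certificate);

            // True only when the chain ends at one of the supplied roots.
            return custom.Build(cert);
        };

        return new HttpClient(handler);
    }
}
```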