MCP Kafka Schema Reg

SSL_TLS_SECURITY.md•9.37 kB

# SSL/TLS Security Enhancement Documentation ## Overview This document describes the enhanced SSL/TLS verification features implemented to address security issue [#24](https://github.com/aywengo/kafka-schema-reg-mcp/issues/24). These enhancements ensure secure communications with Schema Registry servers and OAuth providers by implementing explicit SSL certificate verification, custom CA bundle support, and certificate pinning framework. ## 🔒 Security Features ### 1. Explicit SSL/TLS Verification All HTTP requests now use explicit SSL verification instead of relying on library defaults. This includes: - **Schema Registry Communications**: All requests to Schema Registry instances - **OAuth Provider Communications**: JWKS fetching, OAuth discovery, token validation - **Secure Session Management**: Persistent sessions with proper SSL configuration ### 2. Custom CA Bundle Support Support for custom Certificate Authority bundles for enterprise environments: - Load custom CA certificates for internal/corporate environments - Validate against both system and custom CA stores - Automatic fallback to system CA bundle if custom bundle fails ### 3. Enhanced SSL Context Configuration - **TLS Version**: Minimum TLS 1.2 enforced - **Cipher Suites**: Strong cipher suites only (ECDHE+AESGCM, ECDHE+CHACHA20, etc.) - **Certificate Validation**: Full certificate chain validation - **Hostname Verification**: Strict hostname verification enabled ### 4. Certificate Pinning Framework Framework for certificate pinning (future enhancement): - Environment variable configuration - Extensible architecture for known Schema Registry providers - Comprehensive logging for pinning events ## 📝 Environment Variables ### Core SSL/TLS Configuration | Variable | Default | Description | |----------|---------|-------------| | `ENFORCE_SSL_TLS_VERIFICATION` | `true` | Enable/disable SSL certificate verification | | `CUSTOM_CA_BUNDLE_PATH` | `""` | Path to custom CA certificate bundle file | | `SSL_CERT_PINNING_ENABLED` | `false` | Enable certificate pinning (future enhancement) | ### Example Configuration ```bash # Basic configuration (recommended for production) ENFORCE_SSL_TLS_VERIFICATION=true # Enterprise environment with custom CA ENFORCE_SSL_TLS_VERIFICATION=true CUSTOM_CA_BUNDLE_PATH=/etc/ssl/certs/corporate-ca-bundle.pem # Development environment (not recommended for production) ENFORCE_SSL_TLS_VERIFICATION=false ``` ## 🚀 Implementation Details ### Registry Client Enhancements The `RegistryClient` class now includes: ```python class RegistryClient: def __init__(self, config: RegistryConfig): # ... existing code ... # Create secure session with SSL/TLS configuration self.session = self._create_secure_session() def _create_secure_session(self) -> requests.Session: """Create a secure requests session with proper SSL/TLS configuration.""" session = requests.Session() # Configure SSL verification if ENFORCE_SSL_TLS_VERIFICATION: session.verify = True # Use custom CA bundle if specified if CUSTOM_CA_BUNDLE_PATH and os.path.exists(CUSTOM_CA_BUNDLE_PATH): session.verify = CUSTOM_CA_BUNDLE_PATH # Mount secure adapter for HTTPS connections session.mount('https://', SecureHTTPAdapter()) return session ``` ### OAuth Provider Enhancements OAuth communications now use secure SSL contexts: ```python def create_secure_ssl_context() -> ssl.SSLContext: """Create a secure SSL context for OAuth HTTP requests.""" context = ssl.create_default_context() # Configure SSL context for maximum security context.check_hostname = True context.verify_mode = ssl.CERT_REQUIRED # Disable weak protocols and ciphers context.minimum_version = ssl.TLSVersion.TLSv1_2 context.set_ciphers('ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:!aNULL:!MD5:!DSS') return context ``` ### Enhanced Error Handling Improved error handling for SSL-related failures: - **SSL Certificate Errors**: Clear error messages for certificate validation failures - **CA Bundle Issues**: Warnings for missing or invalid CA bundle files - **Connection Timeouts**: Proper timeout handling for SSL handshakes - **Security Logging**: Comprehensive logging of SSL configuration and errors ## 🔧 Migration Guide ### From Previous Versions 1. **No Breaking Changes**: All existing configurations continue to work 2. **Default Security**: SSL verification is enabled by default 3. **Gradual Migration**: Can disable SSL verification temporarily during migration ### Recommended Steps 1. **Review Current Setup**: ```bash # Check current SSL configuration echo "ENFORCE_SSL_TLS_VERIFICATION=${ENFORCE_SSL_TLS_VERIFICATION:-true}" echo "CUSTOM_CA_BUNDLE_PATH=${CUSTOM_CA_BUNDLE_PATH:-none}" ``` 2. **Test SSL Connectivity**: ```bash # Test connection to your Schema Registry curl -v https://your-schema-registry.com/subjects ``` 3. **Configure Custom CA (if needed)**: ```bash # For enterprise environments export CUSTOM_CA_BUNDLE_PATH=/path/to/corporate-ca-bundle.pem ``` ## 🛡️ Security Best Practices ### Production Deployments 1. **Always Enable SSL Verification**: ```bash ENFORCE_SSL_TLS_VERIFICATION=true ``` 2. **Use Valid Certificates**: Ensure Schema Registry servers have valid SSL certificates 3. **Monitor SSL Logs**: Review SSL-related log messages for security events 4. **Regular Certificate Updates**: Keep CA bundles updated ### Enterprise Environments 1. **Custom CA Bundles**: Use corporate CA certificates when required 2. **Certificate Pinning**: Plan for certificate pinning implementation (future enhancement) 3. **Network Security**: Combine with network-level security measures 4. **Audit Logging**: Enable comprehensive SSL audit logging ### Development Environments 1. **Use Valid Certificates**: Even in development, use proper SSL certificates when possible 2. **Temporary Bypass**: Only disable SSL verification if absolutely necessary 3. **Clear Documentation**: Document any SSL verification bypasses ## 📊 Monitoring and Troubleshooting ### SSL Configuration Logging The system logs SSL configuration on startup: ``` INFO: SSL/TLS Verification: ENABLED INFO: Custom CA Bundle: /etc/ssl/certs/ca-bundle.pem (exists) INFO: Certificate Pinning: DISABLED INFO: Created secure session for registry 'production' at https://registry.company.com ``` ### Common Issues and Solutions #### Certificate Verification Failures **Issue**: SSL verification failed ``` ERROR: SSL verification failed: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed ``` **Solutions**: 1. Check certificate validity: `openssl s_client -connect registry.company.com:443` 2. Verify CA bundle path: `ls -la /path/to/ca-bundle.pem` 3. Test with curl: `curl -v --cacert /path/to/ca-bundle.pem https://registry.company.com` #### Custom CA Bundle Issues **Issue**: Custom CA bundle not found ``` WARNING: Custom CA Bundle: /path/to/ca-bundle.pem (FILE NOT FOUND) ``` **Solutions**: 1. Verify file path and permissions 2. Check file format (PEM format required) 3. Validate CA bundle content #### Connection Timeouts **Issue**: SSL handshake timeouts ``` ERROR: SSL handshake timeout ``` **Solutions**: 1. Check network connectivity 2. Verify SSL/TLS version support 3. Review firewall configurations ## 🔮 Future Enhancements ### Certificate Pinning Planned enhancements for certificate pinning: 1. **Known Provider Support**: Pre-configured pins for major Schema Registry providers 2. **Dynamic Pin Management**: Runtime pin updates and validation 3. **Pin Rotation**: Automated certificate pin rotation 4. **Comprehensive Logging**: Detailed pinning event logs ### Additional Security Features 1. **OCSP Stapling**: Online Certificate Status Protocol support 2. **Certificate Transparency**: CT log validation 3. **HPKP Support**: HTTP Public Key Pinning 4. **Security Headers**: Additional HTTP security headers ## 📚 References - [RFC 5280](https://tools.ietf.org/html/rfc5280) - Internet X.509 Public Key Infrastructure - [RFC 6125](https://tools.ietf.org/html/rfc6125) - Representation and Verification of Domain-Based Application Service Identity - [RFC 7469](https://tools.ietf.org/html/rfc7469) - Public Key Pinning Extension for HTTP - [OWASP Transport Layer Protection](https://owasp.org/www-project-cheat-sheets/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html) ## 🤝 Contributing When contributing SSL/TLS related features: 1. **Follow Security Principles**: Implement defense in depth 2. **Test Thoroughly**: Test with various certificate configurations 3. **Document Changes**: Update this documentation for any SSL/TLS changes 4. **Security Review**: Request security review for SSL/TLS modifications ## 📞 Support For SSL/TLS related issues: 1. **Review Logs**: Check application logs for SSL configuration and errors 2. **Verify Certificates**: Validate certificate chains and CA bundles 3. **Test Connectivity**: Use standard tools (curl, openssl) to test SSL connectivity 4. **Create Issues**: Report SSL/TLS issues with detailed error messages and configuration

Loading blob content...

Latest Blog Posts

What are Claude Skills?
By punkpeye on January 10, 2026.
mcp
skills
How to Test MCP Streamable HTTP Endpoints Using cURL
By punkpeye on January 2, 2026.
tutorial
bash
What is Streamable HTTP in MCP?
By punkpeye on January 2, 2026.
Streamable HTTP

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/aywengo/kafka-schema-reg-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server

SSL_TLS_SECURITY.md•9.37 kB