Cmak: Support for ssl.endpoint.identification.algorithm

Created on 31 Aug 2018  路  5Comments  路  Source: yahoo/CMAK

Currently it seems impossible to disable SSL verification of the kafka broker by setting ssl.endpoint.identification.algorithm= in the consumer.properties.

I'm using the latest version build from master 1.3.3.21.

My consumer.properties

security.protocol=SASL_SSL
sasl.mechanism=PLAIN
ssl.truststore.location=/mnt/tls/kafka.server.truststure.jks
ssl.truststore.password=*****
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="kafka-user" password="*****";
ssl.endpoint.identification.algorithm=
key.deserializer=org.apache.kafka.common.serialization.ByteArrayDeserializer
value.deserializer=org.apache.kafka.common.serialization.ByteArrayDeserializer

Is there another way to disable the SSL verification?

km-74bb9cbbdf-hgc67 kafka-manager [error] o.a.k.c.NetworkClient - [Consumer clientId=consumer-1, groupId=KMOffsetCache-km-74bb9cbbdf-hgc67] Connection to node -7 failed authentication due to: SSL handshake failed
km-74bb9cbbdf-hgc67 kafka-manager [warn] k.m.a.c.KafkaManagedOffsetCache - Failed to process a message from offset topic on cluster testcluster!
km-74bb9cbbdf-hgc67 kafka-manager org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
km-74bb9cbbdf-hgc67 kafka-manager Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
km-74bb9cbbdf-hgc67 kafka-manager       at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1529) ~[na:1.8.0_171]
km-74bb9cbbdf-hgc67 kafka-manager       at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535) ~[na:1.8.0_171]
km-74bb9cbbdf-hgc67 kafka-manager       at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214) ~[na:1.8.0_171]
km-74bb9cbbdf-hgc67 kafka-manager       at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186) ~[na:1.8.0_171]
km-74bb9cbbdf-hgc67 kafka-manager       at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469) ~[na:1.8.0_171]
km-74bb9cbbdf-hgc67 kafka-manager       at org.apache.kafka.common.network.SslTransportLayer.handshakeWrap(SslTransportLayer.java:434) ~[org.apache.kafka.kafka-clients-1.1.0.jar:na]
km-74bb9cbbdf-hgc67 kafka-manager       at org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:299) ~[org.apache.kafka.kafka-clients-1.1.0.jar:na]
km-74bb9cbbdf-hgc67 kafka-manager       at org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:253) ~[org.apache.kafka.kafka-clients-1.1.0.jar:na]
km-74bb9cbbdf-hgc67 kafka-manager       at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:79) ~[org.apache.kafka.kafka-clients-1.1.0.jar:na]
km-74bb9cbbdf-hgc67 kafka-manager       at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:486) ~[org.apache.kafka.kafka-clients-1.1.0.jar:na]
km-74bb9cbbdf-hgc67 kafka-manager Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
km-74bb9cbbdf-hgc67 kafka-manager       at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[na:1.8.0_171]
km-74bb9cbbdf-hgc67 kafka-manager       at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728) ~[na:1.8.0_171]
km-74bb9cbbdf-hgc67 kafka-manager       at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:330) ~[na:1.8.0_171]
km-74bb9cbbdf-hgc67 kafka-manager       at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322) ~[na:1.8.0_171]
km-74bb9cbbdf-hgc67 kafka-manager       at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614) ~[na:1.8.0_171]
km-74bb9cbbdf-hgc67 kafka-manager       at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[na:1.8.0_171]
km-74bb9cbbdf-hgc67 kafka-manager       at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052) ~[na:1.8.0_171]
km-74bb9cbbdf-hgc67 kafka-manager       at sun.security.ssl.Handshaker$1.run(Handshaker.java:992) ~[na:1.8.0_171]
km-74bb9cbbdf-hgc67 kafka-manager       at sun.security.ssl.Handshaker$1.run(Handshaker.java:989) ~[na:1.8.0_171]
km-74bb9cbbdf-hgc67 kafka-manager       at java.security.AccessController.doPrivileged(Native Method) ~[na:1.8.0_171]
km-74bb9cbbdf-hgc67 kafka-manager Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
km-74bb9cbbdf-hgc67 kafka-manager       at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397) ~[na:1.8.0_171]
km-74bb9cbbdf-hgc67 kafka-manager       at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302) ~[na:1.8.0_171]
km-74bb9cbbdf-hgc67 kafka-manager       at sun.security.validator.Validator.validate(Validator.java:260) ~[na:1.8.0_171]
km-74bb9cbbdf-hgc67 kafka-manager       at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[na:1.8.0_171]
km-74bb9cbbdf-hgc67 kafka-manager       at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281) ~[na:1.8.0_171]
km-74bb9cbbdf-hgc67 kafka-manager       at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136) ~[na:1.8.0_171]
km-74bb9cbbdf-hgc67 kafka-manager       at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1601) ~[na:1.8.0_171]
km-74bb9cbbdf-hgc67 kafka-manager       at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[na:1.8.0_171]
km-74bb9cbbdf-hgc67 kafka-manager       at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052) ~[na:1.8.0_171]
km-74bb9cbbdf-hgc67 kafka-manager       at sun.security.ssl.Handshaker$1.run(Handshaker.java:992) ~[na:1.8.0_171]
km-74bb9cbbdf-hgc67 kafka-manager Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
km-74bb9cbbdf-hgc67 kafka-manager       at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[na:1.8.0_171]
km-74bb9cbbdf-hgc67 kafka-manager       at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[na:1.8.0_171]
km-74bb9cbbdf-hgc67 kafka-manager       at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) ~[na:1.8.0_171]
km-74bb9cbbdf-hgc67 kafka-manager       at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392) ~[na:1.8.0_171]
km-74bb9cbbdf-hgc67 kafka-manager       at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302) ~[na:1.8.0_171]
km-74bb9cbbdf-hgc67 kafka-manager       at sun.security.validator.Validator.validate(Validator.java:260) ~[na:1.8.0_171]
km-74bb9cbbdf-hgc67 kafka-manager       at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[na:1.8.0_171]
km-74bb9cbbdf-hgc67 kafka-manager       at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281) ~[na:1.8.0_171]
km-74bb9cbbdf-hgc67 kafka-manager       at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136) ~[na:1.8.0_171]
km-74bb9cbbdf-hgc67 kafka-manager       at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1601) ~[na:1.8.0_171]

All 5 comments

Did you go into the cluster config and change the security protocol to PLAINTEXT ?

Nope. Could you explain why I should do that? I would like to get the consumer stats. Since my brokers are reachable through SSL only - but do not have the published hostname in their certs - I'd like to disable the SSL verification during testing.

shouldn't it been configured in the broker level

Hi, we also have a need for this, is there any chance the change to allow that empty value will be accepted?

I have same problem.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

koldrid picture koldrid  路  3Comments

tanuj83 picture tanuj83  路  5Comments

sanjeevtripurari picture sanjeevtripurari  路  4Comments

rudrasharma picture rudrasharma  路  6Comments

PiotrBB picture PiotrBB  路  6Comments