-
Notifications
You must be signed in to change notification settings - Fork 1.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SSL support (Kafka 0.9+) revisit #643
Comments
The ciphers available in go and Java are fairly standard and have quite a bit of overlap by default. If they can't find one in common then I suspect one or the other is misconfigured. Since I don't know of a way to change the available ciphers for go (short of recompiling the go toolchain from scratch) I must assume that something is configured oddly about your Java installation. By default both openjdk and oracle have plenty of common cipher suites available. |
As a note, we've been using the SSL support in production from sarama for months now and it's been flawless, so I too suspect a JVM config issue. |
Yeah, I ran this java code http://stackoverflow.com/questions/20000020/enabled-ciphers-on-ubuntu-openjdk-7 to print the available ciphers in the JVM (both openjdk and oracle) and the list was long, with many common ciphers supported by the Go configuration. However, when I ran a sslscan against the Kafka broker the list was much shorter and none of them where common with those in Go. So I too suspect a JVM config issue. And since I'm not a Java entusiast nor expert, I've chosen the go with default settings when installing anything Java related. So the "working" out-of-the-box Java installation I was hoping for is not a fact. Guess I have to start digging and debugging the JVM. |
@tcrayford: Which platform do run Kafka on, which Java and version, and what are the supported ciphers if you run a sslscan against a broker? Also which Go version and platform do you run Sarama on? I have installed Kafka on a Ubuntu 14.04 cloud machine, tested with openjdk7 and oracle8. sslscan lists the following ciphers for openjdk7 (even less supported ciphers in oracle8):
Tested with Go 1.6 on both OSX and Ubuntu 14.04. |
Might be interested in this ticket https://issues.apache.org/jira/browse/KAFKA-3647 |
I have been testing Kafka with lots of different versions of Java but the supported server ciphers never change. |
@jabbors we use Ubuntu and oracle8 and we've never had to tweak anything. |
@elvarb, thanks for this link, I did install the JCE as suggested but still no go. I'll post to the kafka issue and let them know I also experience the same issue. @tcrayford, do you mind sharing your kafka configuration? Could be a trivial setup I'm overseeing as I don't get it to work. This is currently my ssl config.
|
@jabbors we don't do much more than the standard config does, just add an SSL listener and a key/truststore |
@tcrayford it's currently pointing to a problem with the jks / certs that results in only the DSS ciphers being used, do you think it might be something related to how the certs are created? |
When you create the keystore use -keyalg RSA, then you will get the right ciphers. |
Thanks @elvarb, got it working with the keying RSA parameter. |
Thank you @elvarb, I just hit the same issue and spent a lot of time trying to figure out what the cause was, until stumbling across your comment. |
Hi,
SSL support it suppose to be working according to issue #581.
However, I've spent two days trying to get it working with Kafka 0.9.0. I can connect to to my kafka cluster with
openssl s_client -connect domain.com:9093 -tls1
so I know it is configured correctly.But when I try connecting with sarama I get errors:
In the kafka logs I see the following errors
Further investigation using Wireshark indicates that the Kafka server does not respond with a ServerHello in the TLS handshake. Which is all due to Sarama and Kafka couldn't agree on common cipher.
This issue is probably not in Sarama, more correctly in Go TLS or in Java, but I'd like to know how people claims this is working.
The text was updated successfully, but these errors were encountered: