SSL configuration should permit cipher suite selection #395

Open
godber opened this issue Nov 19, 2020 · 1 comment

godber commented Nov 19, 2020

Newer Linux releases configure SSL to exclude older cipher suites by default, as shown in this post:

https://jonboulineau.me/blog/kafka/kafka-tls-issue

When debugging a Kafka SSL connection using `openssl s_client` you will encounter the following error:

Verify return code: 68 (CA signature digest algorithm too weak)

Permitting specific cipher suites will allow users to work around this (for better or worse). At the very least, Teraslice users should be able to specify the cipher suites used in the Kafka SSL connection. For kafkacat that is the command line argument `-X ssl.cipher.suites=`. See `ssl.cipher.suites` here: https://github.com/edenhill/librdkafka/blob/v1.5.2/CONFIGURATION.md

I think at the moment this would get configured on the connector config with all of the other SSL stuff.
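
One way the requested setting could be passed through to librdkafka, as an added example that is not part of the original issue or Teraslice's own code. The connector field names (`brokers`, `ssl.ca_location`, `ssl.cipher_suites`) and the sample values are hypothetical; the output keys are librdkafka properties. It also reports cipher-list entries that weaken the connection, so the "for better or worse" trade-off is visible at configuration time.

```javascript
// Added sketch: maps a hypothetical connector config to librdkafka properties.
// Class names and cipher-name parts that indicate weak or anonymous suites.
const WEAK_PARTS = new Set(['NULL', 'ENULL', 'ANULL', 'ADH', 'AECDH',
  'EXPORT', 'EXP', 'LOW', 'RC4', 'MD5', 'DES', '3DES']);

// Inspect an OpenSSL cipher list (items separated by ':', ',' or spaces) and
// return warnings for items that widen what the TLS handshake will accept.
function auditCipherList(list) {
  const warnings = [];
  for (const item of list.split(/[:, ]+/).filter(Boolean)) {
    const level = /^@SECLEVEL=(\d)$/i.exec(item);
    if (level) {
      if (Number(level[1]) < 2) {
        warnings.push(`${item} sets an OpenSSL security level below 2`);
      }
      continue;
    }
    // '!' and '-' remove suites, '@STRENGTH' only sorts them: nothing is enabled.
    if (/^[!@-]/.test(item)) continue;
    // Check every part of "A+B" class expressions and of full suite names.
    const parts = item.replace(/^\+/, '').toUpperCase().split(/[+-]/);
    const weak = parts.filter((p) => WEAK_PARTS.has(p));
    if (weak.length) warnings.push(`${item} enables weak class ${weak.join('+')}`);
  }
  return warnings;
}

function buildKafkaConfig(conn) {
  const config = { 'metadata.broker.list': conn.brokers.join(',') };
  const warnings = [];
  if (conn.ssl) {
    config['security.protocol'] = 'ssl';
    if (conn.ssl.ca_location) config['ssl.ca.location'] = conn.ssl.ca_location;
    if (conn.ssl.cipher_suites !== undefined) {
      const list = String(conn.ssl.cipher_suites).trim();
      // Reject empty values and characters that never occur in a cipher list.
      if (!list || /[^\w:,+!@=. -]/.test(list)) {
        throw new Error('invalid ssl.cipher_suites value');
      }
      config['ssl.cipher.suites'] = list;
      warnings.push(...auditCipherList(list));
    }
  }
  return { config, warnings };
}

// Constructed sample input, not taken from a real deployment.
const sample = { brokers: ['kafka-1.example.internal:9093'], ssl: { ca_location: '/etc/ssl/certs/ca.pem',
  cipher_suites: 'ECDHE-RSA-AES256-GCM-SHA384:DEFAULT:!aNULL:@SECLEVEL=1:RC4-SHA' } };
```
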


godber commented Nov 19, 2020

I forgot to add on my initial post here that this isn't urgent and the error linked to doesn't impact us yet because our base image doesn't impose this SSL cipher constraint yet.
