Chris Egerton created KAFKA-9771:
------------------------------------
Summary: Inter-worker SSL is broken for keystores with multiple certificates
Key: KAFKA-9771
URL: https://issues.apache.org/jira/browse/KAFKA-9771
Project: Kafka
Issue Type: Bug
Components: KafkaConnect
Affects Versions: 2.5.0
Reporter: Chris Egerton
Assignee: Chris Egerton

The recent bump in Jetty version causes inter-worker communication to fail in
Connect when SSL is enabled and the keystore for the worker contains multiple
certificates (which it might, in the case that SNI is enabled and the worker's
REST interface is bound to multiple domain names). This is caused by [changes
introduced in Jetty 9.4.23|https://github.com/eclipse/jetty.project/pull/4085],
which were later [fixed in Jetty
9.4.25|https://github.com/eclipse/jetty.project/pull/4404].

We recently tried and failed to [upgrade to Jetty
9.4.25|https://github.com/apache/kafka/pull/8183], so upgrading the Jetty
version to fix this issue isn't a viable option. Additionally, the [earliest
clean version of Jetty|https://www.eclipse.org/jetty/security-reports.html] (at
the time of writing) with regard to CVEs is 9.4.24, so reverting to a
pre-9.4.23 version is also not a viable option.
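
To check whether a worker keystore falls under the condition described in this issue, the following added example (not part of the issue, and not Kafka or Jetty code) lists every alias that carries an X.509 certificate, with its entry kind, subject and SANs. The class name, the `KEYSTORE_PASSWORD` environment variable and the reading of "multiple certificates" as more than one such alias are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example: inventory the certificate-bearing entries of a Connect worker keystore.
// Usage: KEYSTORE_PASSWORD=... java KeystoreCertCount <keystore-path> [store-type]
public class KeystoreCertCount {

    // Prints one line per alias holding an X.509 certificate and returns how many there are.
    static int countCertificateEntries(KeyStore ks) throws Exception {
        int count = 0;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias); // leaf certificate for key entries
            if (!(cert instanceof X509Certificate)) {
                continue; // secret-key entries and non-X.509 certificates are skipped
            }
            X509Certificate x509 = (X509Certificate) cert;
            count++;
            System.out.printf("%-20s %-16s subject=%s SANs=%s%n",
                    alias,
                    ks.isKeyEntry(alias) ? "PrivateKeyEntry" : "trustedCertEntry",
                    x509.getSubjectX500Principal().getName(),
                    x509.getSubjectAlternativeNames()); // null when there is no SAN extension
        }
        return count;
    }

    public static void main(String[] args) throws Exception {
        String password = System.getenv("KEYSTORE_PASSWORD"); // hypothetical variable name
        if (args.length < 1 || password == null) {
            System.err.println("usage: KEYSTORE_PASSWORD=... KeystoreCertCount <keystore> [type]");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance(args.length > 1 ? args[1] : KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, password.toCharArray());
        }
        int n = countCertificateEntries(ks);
        // Assumption: "multiple certificates" means more than one certificate-bearing alias.
        System.out.println(n > 1
                ? n + " certificate entries: matches the multi-certificate condition in KAFKA-9771"
                : n + " certificate entry: single-certificate keystore");
        System.exit(n > 1 ? 1 : 0);
    }
}
```

The password is read from the environment rather than the command line so that it does not appear in the process list or shell history.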