[jira] [Commented] (KAFKA-20437) Dynamic update of ssl.enabled.protocols does not seem to take effect

Sat, 09 May 2026 07:26:46 -0700 


    [ 
https://issues.apache.org/jira/browse/KAFKA-20437?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18079695#comment-18079695
 ] 

Jakub Scholz commented on KAFKA-20437:
--------------------------------------

[~atriyap] I think there is a bunch of other issues for the OoM: for example 
https://issues.apache.org/jira/browse/KAFKA-4493 and 
https://issues.apache.org/jira/browse/KAFKA-4090.

 

> Dynamic update of ssl.enabled.protocols does not seem to take effect
> --------------------------------------------------------------------
>
>                 Key: KAFKA-20437
>                 URL: https://issues.apache.org/jira/browse/KAFKA-20437
>             Project: Kafka
>          Issue Type: Bug
>    Affects Versions: 4.2.0, 4.1.1
>            Reporter: Jakub Scholz
>            Assignee: Daeho Kwon
>            Priority: Major
>
> According to the 
> [documentation|https://kafka.apache.org/42/configuration/broker-configs/#brokerconfigs_ssl.enabled.protocols],
>  the `ssl.enabled.protocols` configuration option is dynamically configurable 
> on a per-broker basis. However, it seems that it is not the case. When you 
> try to update it, Kafka seemingly accepts the configuration change and 
> reports success. But it ignores the change and the change is not applied 
> unless you change it in the configuration file and restart the brokers.
> This is pretty dangerous, given that this is a security option and might lead 
> to users thinking their security configuration, for example, allows only 
> TLSv1.3 connections, while in reality it also allows TLSv1.2. And given the 
> number of security regulations that various Kafka users might need to follow, 
> this can easily be a regulatory challenge as well.
> So I think this should be fixed in the configuration model and in the 
> documentation. Trying to dynamically configure this option should also be 
> rejected by Kafka.
> _(I was able to reproduce this with Kafka 4.2.0 and 4.1.1. But I assume this 
> affects older Kafka versions as well.)_
> ----
> Steps to reproduce:
> 1. Deploy a simple Kafka cluster with a single mixed role node following the 
> quickstart ([https://kafka.apache.org/quickstart/])
> 2. Before starting the Kafka node, edit the server.properties and add a new 
> SSL-based listener and configure a server certificate. The following lines 
> are what I changed in {{{}server.properties{}}}:
> {code:java}
> listeners=PLAINTEXT://:9092,CONTROLLER://:9093,SSL://localhost:9094
> advertised.listeners=PLAINTEXT://localhost:9092,CONTROLLER://localhost:9093,SSL://localhost:9094
> ssl.client.auth=none
> ssl.keystore.location=/my/path/server-1.keystore
> ssl.keystore.password=123456{code}
> 3. Start the Kafka node with bin/kafka-server-start.sh 
> config/server.properties
> 4. Try to connect with OpenSSL (You can also use Kafka client if you want) 
> using TLSv1.2 => works as expected
> {code:java}
> $ openssl s_client -connect localhost:9094 -tls1_2
> Connecting to 127.0.0.1
> CONNECTED(00000005)
> ...
> New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Protocol: TLSv1.2
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
> ...{code}
> 5. Try to connect with OpenSSL (You can also use Kafka client if you want) 
> using TLSv1.3 => works as expected
> {code:java}
> $ openssl s_client -connect localhost:9094 -tls1_3
> Connecting to 127.0.0.1
> CONNECTED(00000005)
> ...
> New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
> Protocol: TLSv1.3
> Server public key is 2048 bit
> This TLS version forbids renegotiation.
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> Early data was not sent
> Verify return code: 19 (self-signed certificate in certificate chain)
> ---
> ---
> Post-Handshake New Session Ticket arrived:
> SSL-Session:
>     Protocol  : TLSv1.3
>     Cipher    : TLS_AES_256_GCM_SHA384
> ...{code}
> 6. Change the ssl.enabled.protocols to TLSv1.3
> {code:java}
> $ bin/kafka-configs.sh --bootstrap-server localhost:9092 \
>   --entity-type brokers \                                                     
>                                                                               
>                                                           --entity-name 1 \
>   --alter \
>   --add-config "ssl.enabled.protocols=TLSv1.3"
> Completed updating config for broker 1.{code}
> 7. The Kafka log seems to reflect the change:
> {code:java}
> [2026-03-31 23:00:50,024] INFO [DynamicConfigPublisher controller id=1] 
> Updating node 1 with new configuration : ssl.enabled.protocols -> TLSv1.3 
> (kafka.server.metadata.DynamicConfigPublisher)
> [2026-03-31 23:00:50,026] INFO KafkaConfig values: 
>         ...
>         ssl.allow.dn.changes = false
>         ssl.allow.san.changes = false
>         ssl.cipher.suites = []
>         ssl.client.auth = none
>         ssl.enabled.protocols = [TLSv1.3]
>         ssl.endpoint.identification.algorithm = https
>         ssl.engine.factory.class = null
>         ssl.key.password = null
>         ssl.keymanager.algorithm = SunX509
>         ssl.keystore.certificate.chain = null
>         ssl.keystore.key = null
>         ssl.keystore.location = 
> /Users/scholzj/development/my-kafka-client-sandbox/ssl-ca/keys/server-0.keystore
>         ssl.keystore.password = [hidden]
>         ssl.keystore.type = JKS
>         ssl.principal.mapping.rules = DEFAULT
>         ssl.protocol = TLSv1.3
>         ssl.provider = null
>         ssl.secure.random.implementation = null
>         ssl.trustmanager.algorithm = PKIX
>         ssl.truststore.certificates = null
>         ssl.truststore.location = null
>         ssl.truststore.password = null
>         ssl.truststore.type = JKS
>         ...
>  (org.apache.kafka.common.config.AbstractConfig)
> [2026-03-31 23:00:50,034] INFO [DynamicConfigPublisher broker id=1] Updating 
> node 1 with new configuration : ssl.enabled.protocols -> TLSv1.3 
> (kafka.server.metadata.DynamicConfigPublisher)
> [2026-03-31 23:00:50,035] INFO KafkaConfig values: 
>         ...
>         ssl.allow.dn.changes = false
>         ssl.allow.san.changes = false
>         ssl.cipher.suites = []
>         ssl.client.auth = none
>         ssl.enabled.protocols = [TLSv1.3]
>         ssl.endpoint.identification.algorithm = https
>         ssl.engine.factory.class = null
>         ssl.key.password = null
>         ssl.keymanager.algorithm = SunX509
>         ssl.keystore.certificate.chain = null
>         ssl.keystore.key = null
>         ssl.keystore.location = 
> /Users/scholzj/development/my-kafka-client-sandbox/ssl-ca/keys/server-0.keystore
>         ssl.keystore.password = [hidden]
>         ssl.keystore.type = JKS
>         ssl.principal.mapping.rules = DEFAULT
>         ssl.protocol = TLSv1.3
>         ssl.provider = null
>         ssl.secure.random.implementation = null
>         ssl.trustmanager.algorithm = PKIX
>         ssl.truststore.certificates = null
>         ssl.truststore.location = null
>         ssl.truststore.password = null
>         ssl.truststore.type = JKS
>         ...
>  (org.apache.kafka.common.config.AbstractConfig)
> [2026-03-31 23:00:50,041] INFO Reconfiguring 
> org.apache.kafka.common.network.SslChannelBuilder@2c7bed74, updated configs: 
> Set() custom configs: {} (kafka.server.DynamicBrokerConfig)
> [2026-03-31 23:00:50,043] INFO Reconfiguring 
> org.apache.kafka.common.network.SslChannelBuilder@4ac39bd6, updated configs: 
> Set() custom configs: {} (kafka.server.DynamicBrokerConfig)
> [2026-03-31 23:00:50,045] INFO Reconfiguring 
> org.apache.kafka.common.network.SslChannelBuilder@211381c9, updated configs: 
> Set() custom configs: {} (kafka.server.DynamicBrokerConfig){code}
> 8. Try to connect with OpenSSL (You can also use Kafka client if you want) 
> using TLSv1.2 => Still works, *NOT EXPECTED*
> {code:java}
> openssl s_client -connect localhost:9094 -tls1_2        
> Connecting to 127.0.0.1
> ...
> New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Protocol: TLSv1.2
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
> ...{code}
> 9. Only after I add ssl.enabled.protocols=TLSv1.3 to the server.properties 
> file and restart the Kafka node, TLSv1.2 stops working as expected:
> {code:java}
> $ openssl s_client -connect localhost:9094 -tls1_2
> Connecting to 127.0.0.1
> CONNECTED(00000005)
> 00716C0B02000000:error:0A00042E:SSL routines:ssl3_read_bytes:tlsv1 alert 
> protocol version:ssl/record/rec_layer_s3.c:918:SSL alert number 70
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 189 bytes
> Verification: OK
> ---
> New, (NONE), Cipher is (NONE)
> Protocol: TLSv1.2
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : 0000
>     Session-ID: 
>     Session-ID-ctx: 
>     Master-Key: 
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1774991157
>     Timeout   : 7200 (sec)
>     Verify return code: 0 (ok)
>     Extended master secret: no
> ---
> 00716C0B02000000:error:0A000197:SSL routines:SSL_shutdown:shutdown while in 
> init:ssl/ssl_lib.c:2804:{code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to