[
https://issues.apache.org/jira/browse/KAFKA-12703?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17451134#comment-17451134
]
Ville Valtonen edited comment on KAFKA-12703 at 12/1/21, 3:44 PM:
------------------------------------------------------------------
What's the status on this issue? Any active development going on?
I can confirm, that it's possible to configure a client with unencrypted key
through the newly added configuration options 'ssl.keystore.key',
'ssl.keystore.certificate.chain' and 'ssl.truststore.certificates" in
[KIP-651|https://cwiki.apache.org/confluence/display/KAFKA/KIP-651+-+Support+PEM+format+for+SSL+certificates+and+private+key],
because 'ssl.key.password' is not enforced by validation then. But if you add
the same key and certificates through 'ssl.keystore.location' and
'ssl.truststore.location' while the types are set to 'PEM', the configuration
validation enforces to add 'ssl.key.password'. By adding a value, e.g. even an
empty string, for 'ssl.key.password', the default SSL engine proceeds to try to
decrypt the key and eventually throwing an exception. By encrypting the same
key with PKCS8 and providing a password, everything works.
Either the requirement for 'ssl.key.password' while using PEM-files should be
removed, add a mechanism to recognize whether the key is encrypted or not or
consolidate the behavior between the mechanisms of adding the key, i.e
requiring an encrypted key always. In the current form the feature and its
documentation is hard to interpret.
was (Author: JIRAUSER280982):
What's the status on this issue? Any active development going on?
I can confirm, that it's possible to configure a client with unencrypted key
through the newly added configuration options 'ssl.keystore.key',
'ssl.keystore.certificate.chain' and 'ssl.truststore.certificates" in
[KIP-651|https://cwiki.apache.org/confluence/display/KAFKA/KIP-651+-+Support+PEM+format+for+SSL+certificates+and+private+key],
because 'ssl.key.password' is not enforced by validation then. But if you add
the same key and certificates through 'ssl.keystore.location' and
'ssl.truststore.location' while the types are set to 'PEM', the configuration
validation enforces to add 'ssl.key.password'. By adding a value, e.g. even an
empty string, for 'ssl.key.password', the default SSL engine proceeds to try to
decrypt the key and eventually throwing an exception. By encrypting the same
key with PKCS8 and providing a password, everything works.
Either the requirement for 'ssl.key.password' while using PEM-files should be
removed or consolidate the behavior between the mechanisms of adding the key,
i.e requiring an encrypted key always. In the current form the feature and its
documentation is hard to interpret.
> Unencrypted PEM files can't be loaded
> -------------------------------------
>
> Key: KAFKA-12703
> URL: https://issues.apache.org/jira/browse/KAFKA-12703
> Project: Kafka
> Issue Type: Bug
> Components: clients
> Affects Versions: 2.8.0
> Reporter: Brian Bascoy
> Priority: Major
>
> Unencrypted PEM files seem to be internally [supported in the
> codebase|https://github.com/apache/kafka/blob/a46beb9d29781e0709baf596601122f770a5fa31/clients/src/main/java/org/apache/kafka/common/security/ssl/DefaultSslEngineFactory.java#L509]
> but setting an ssl.key.password is currently enforced by createKeystore (on
> DefaultSslEngineFactory). I was unable to find a reason for this, so I wonder
> if this limitation could simply be removed:
>
> [https://github.com/pera/kafka/commit/8df2feab5fc6955cf8c89a7d132f05d8f562e16b]
>
> Thanks
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
