Hi Mick, This can happen if you are using a DSS key, but the client only supports RSA-based ciphers, see the following for more details:
https://issues.apache.org/jira/secure/EditComment!default.jspa?id=12964371&commentId=15270520 Ismael On Tue, Jun 7, 2016 at 10:24 AM, Mick Mahoney <[email protected]> wrote: > Trying to configure Topbeat client --> Kafka connection to use TLS. > > Both of these are on the same server but other clients will be on different > servers. > > I have switched kafka debug on using the JVM '-Djavax.net.debug=ssl' switch > and full debug is below. > > Amongst the debug is the ciper suites error: > > TLS errors "fatal error: 40: no cipher suites in common". > > I'm unsure if this is a real error or a red herring ? And if its real what > to do to resolve the issue ? > > Really really appreciate it if anyone can look at the output and > configuration and either spot something wrong or recommend how I can debug > this further. > > Many Thanks, > > Mick > > > > kafka errors when client connects > ---------------------------------- > > Using SSLEngineImpl. > Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 > Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA > Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 > Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA > Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 > Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 > Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA > Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 > Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 > Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384 > Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 > Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 > Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA > Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 > Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 > Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 > Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA > Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 > Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA > Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA > Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 > Allow unsafe renegotiation: false > Allow legacy hello messages: true > Is initial handshake: true > Is secure renegotiation: false > Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 > for TLSv1 > Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 > for TLSv1 > Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for > TLSv1 > Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 > for TLSv1 > Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for > TLSv1 > Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for > TLSv1 > Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for > TLSv1 > Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 > for TLSv1.1 > Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 > for TLSv1.1 > Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for > TLSv1.1 > Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 > for TLSv1.1 > Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for > TLSv1.1 > Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for > TLSv1.1 > Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for > TLSv1.1 > kafka-network-thread-0-SSL-3, READ: TLSv1 Handshake, length = 150 > *** ClientHello, TLSv1 > RandomCookie: GMT: 1465224258 bytes = { 243, 102, 129, 42, 130, 52, 105, > 250, 96, 55, 251, 141, 5, 67, 244, 184, 13, 159, 131, 197, 185, 15, 168, > 172, 250, 153, 170, 161 } > Session ID: {} > Cipher Suites: [TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, > TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, > TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, > TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, > TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, > TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, > TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, > TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, > TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_SEED_CBC_SHA, > TLS_DHE_DSS_WITH_SEED_CBC_SHA, TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, > TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, > SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, > TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, > TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, > TLS_RSA_WITH_SEED_CBC_SHA, TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, > SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_IDEA_CBC_SHA, > TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, > TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, > SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, > TLS_EMPTY_RENEGOTIATION_INFO_SCSV] > Compression Methods: { 0 } > Extension ec_point_formats, formats: [uncompressed, > ansiX962_compressed_prime, ansiX962_compressed_char2] > Extension elliptic_curves, curve names: {secp521r1, secp384r1, secp256r1} > Unsupported extension type_35, data: > Unsupported extension type_15, data: 01 > *** > %% Initialized: [Session-12, SSL_NULL_WITH_NULL_NULL] > kafka-network-thread-0-SSL-3, fatal error: 40: no cipher suites in common > javax.net.ssl.SSLHandshakeException: no cipher suites in common > %% Invalidated: [Session-12, SSL_NULL_WITH_NULL_NULL] > kafka-network-thread-0-SSL-3, SEND TLSv1 ALERT: fatal, description = > handshake_failure > kafka-network-thread-0-SSL-3, WRITE: TLSv1 Alert, length = 2 > kafka-network-thread-0-SSL-3, fatal: engine already closed. Rethrowing > javax.net.ssl.SSLHandshakeException: no cipher suites in common > kafka-network-thread-0-SSL-3, called closeOutbound() > kafka-network-thread-0-SSL-3, closeOutboundInternal() > kafka-network-thread-0-SSL-3, called closeInbound() > kafka-network-thread-0-SSL-3, fatal: engine already closed. Rethrowing > javax.net.ssl.SSLException: Inbound closed before receiving peer's > close_notify: possible truncation attack? > kafka-network-thread-0-SSL-3, called closeOutbound() > kafka-network-thread-0-SSL-3, closeOutboundInternal() > > > > SSL cert generation > -------------------- > (from http://docs.confluent.io/2.0.0/kafka/ssl.html) > > #!/bin/bash > keytool -keystore kafka.server.keystore.jks -alias localhost -validity 365 > -genkey > openssl req -new -x509 -keyout ca-key -out ca-cert -days 365 > keytool -keystore kafka.server.truststore.jks -alias CARoot -import -file > ca-cert > keytool -keystore kafka.client.truststore.jks -alias CARoot -import -file > ca-cert > keytool -keystore kafka.server.keystore.jks -alias localhost -certreq -file > cert-file > openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed > -days 365 -CAcreateserial -passin pass:test1234 > keytool -keystore kafka.server.keystore.jks -alias CARoot -import -file > ca-cert > keytool -keystore kafka.server.keystore.jks -alias localhost -import -file > cert-signed > > > > kafka server.properties > ----------------------- > > listeners=PLAINTEXT://kafkaserver:9092,SSL://kafkaserver:9093 > > security.protocol=SSL > > ssl.truststore.location=/root/certs2/kafka.client.truststore.jks > ssl.truststore.password=test1234 > ssl.enabled.protocols = TLSv1.2,TLSv1.1,TLSv1 > ssl.truststore.type=JKS > ssl.client.auth=none > > > openssl test > ------------- > > > >> openssl s_client -debug -connect kafkaserver:9093 -tls1 > > CONNECTED(00000003) > write to 0x10a92b0 [0x11b7183] (155 bytes => 155 (0x9B)) > 0000 - 16 03 01 00 96 01 00 00-92 03 01 57 56 8a 57 97 ...........WV.W. > 0010 - e9 7c 0a 33 b7 f3 c7 2c-1d 09 2e a7 c7 ac df ef .|.3...,........ > 0020 - 15 ed e4 f4 49 74 c7 9b-b8 c8 ee 00 00 4c c0 14 ....It.......L.. > 0030 - c0 0a 00 39 00 38 00 88-00 87 c0 0f c0 05 00 35 ...9.8.........5 > 0040 - 00 84 c0 13 c0 09 00 33-00 32 c0 12 c0 08 00 9a .......3.2...... > 0050 - 00 99 00 45 00 44 00 16-00 13 c0 0e c0 04 c0 0d ...E.D.......... > 0060 - c0 03 00 2f 00 96 00 41-00 0a 00 07 c0 11 c0 07 .../...A........ > 0070 - c0 0c c0 02 00 05 00 04-00 ff 01 00 00 1d 00 0b ................ > 0080 - 00 04 03 00 01 02 00 0a-00 08 00 06 00 19 00 18 ................ > 0090 - 00 17 00 23 00 00 00 0f-00 01 01 ...#....... > read from 0x10a92b0 [0x11b2c33] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF)) > write:errno=104 > --- > no peer certificate available > --- > No client certificate CA names sent > --- > SSL handshake has read 0 bytes and written 0 bytes > --- > New, (NONE), Cipher is (NONE) > Secure Renegotiation IS NOT supported > Compression: NONE > Expansion: NONE > SSL-Session: > Protocol : TLSv1 > Cipher : 0000 > Session-ID: > Session-ID-ctx: > Master-Key: > Key-Arg : None > Krb5 Principal: None > PSK identity: None > PSK identity hint: None > Start Time: 1465289303 > Timeout : 7200 (sec) > Verify return code: 0 (ok) > --- > > > Client Configuration > -------------------- > > cp /root/certs2/ca-cert /etc/pki/ca-trust/source/anchors/ca-cert.pem > update-ca-trust > > > topbeat.yml > ----------- > > kafka: > > # Array of hosts to connect to. > hosts: ["kafkaserver:9093"] > topic: "elktopbeat" > client_id: "elk" > > tls: > # List of root certificates for HTTPS server verifications > #certificate_authorities: ["/etc/pki/root/ca.pem"] > certificate_authorities: ["/etc/pki/tls/certs/ca-bundle.crt"] > > # Certificate for TLS client authentication > #certificate: "/etc/pki/client/cert.pem" > > # Client Certificate Key > #certificate_key: "/etc/pki/client/cert.key" >
