Sorry, the link should have been (it's public, anyone can access): https://issues.apache.org/jira/browse/KAFKA-3647?focusedCommentId=15270520&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-15270520
Ismael On Tue, Jun 7, 2016 at 12:43 PM, Mick Mahoney <[email protected]> wrote: > Hi Ismael, > > Thanks for the reply - i don't have permissions to see that link - is there > any chance you can expand on it in the thread please ? > > Thanks, > Mick > > On Tue, Jun 7, 2016 at 12:39 PM, Ismael Juma <[email protected]> wrote: > > > Hi Mick, > > > > This can happen if you are using a DSS key, but the client only supports > > RSA-based ciphers, see the following for more details: > > > > > > > https://issues.apache.org/jira/secure/EditComment!default.jspa?id=12964371&commentId=15270520 > > > > Ismael > > > > On Tue, Jun 7, 2016 at 10:24 AM, Mick Mahoney <[email protected] > > > > wrote: > > > > > Trying to configure Topbeat client --> Kafka connection to use TLS. > > > > > > Both of these are on the same server but other clients will be on > > different > > > servers. > > > > > > I have switched kafka debug on using the JVM '-Djavax.net.debug=ssl' > > switch > > > and full debug is below. > > > > > > Amongst the debug is the ciper suites error: > > > > > > TLS errors "fatal error: 40: no cipher suites in common". > > > > > > I'm unsure if this is a real error or a red herring ? And if its real > > what > > > to do to resolve the issue ? > > > > > > Really really appreciate it if anyone can look at the output and > > > configuration and either spot something wrong or recommend how I can > > debug > > > this further. > > > > > > Many Thanks, > > > > > > Mick > > > > > > > > > > > > kafka errors when client connects > > > ---------------------------------- > > > > > > Using SSLEngineImpl. > > > Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 > > > Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA > > > Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 > > > Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA > > > Ignoring unavailable cipher suite: > > TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 > > > Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 > > > Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA > > > Ignoring unavailable cipher suite: > TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 > > > Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 > > > Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384 > > > Ignoring unavailable cipher suite: > TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 > > > Ignoring unavailable cipher suite: > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 > > > Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA > > > Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 > > > Ignoring unavailable cipher suite: > > TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 > > > Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 > > > Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA > > > Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 > > > Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA > > > Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA > > > Ignoring unavailable cipher suite: > TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 > > > Allow unsafe renegotiation: false > > > Allow legacy hello messages: true > > > Is initial handshake: true > > > Is secure renegotiation: false > > > Ignoring unsupported cipher suite: > > TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 > > > for TLSv1 > > > Ignoring unsupported cipher suite: > TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 > > > for TLSv1 > > > Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for > > > TLSv1 > > > Ignoring unsupported cipher suite: > TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 > > > for TLSv1 > > > Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 > > for > > > TLSv1 > > > Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 > > for > > > TLSv1 > > > Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 > > for > > > TLSv1 > > > Ignoring unsupported cipher suite: > > TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 > > > for TLSv1.1 > > > Ignoring unsupported cipher suite: > TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 > > > for TLSv1.1 > > > Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for > > > TLSv1.1 > > > Ignoring unsupported cipher suite: > TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 > > > for TLSv1.1 > > > Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 > > for > > > TLSv1.1 > > > Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 > > for > > > TLSv1.1 > > > Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 > > for > > > TLSv1.1 > > > kafka-network-thread-0-SSL-3, READ: TLSv1 Handshake, length = 150 > > > *** ClientHello, TLSv1 > > > RandomCookie: GMT: 1465224258 bytes = { 243, 102, 129, 42, 130, 52, > 105, > > > 250, 96, 55, 251, 141, 5, 67, 244, 184, 13, 159, 131, 197, 185, 15, > 168, > > > 172, 250, 153, 170, 161 } > > > Session ID: {} > > > Cipher Suites: [TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, > > > TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, > > > TLS_DHE_DSS_WITH_AES_256_CBC_SHA, > TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, > > > TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, > TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, > > > TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, > > > TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, > > > TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, > > > TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, > > > TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_SEED_CBC_SHA, > > > TLS_DHE_DSS_WITH_SEED_CBC_SHA, TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, > > > TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, > SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, > > > SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, > > > TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, > TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, > > > TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, > > > TLS_RSA_WITH_SEED_CBC_SHA, TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, > > > SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_IDEA_CBC_SHA, > > > TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, > > > TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, > > > SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, > > > TLS_EMPTY_RENEGOTIATION_INFO_SCSV] > > > Compression Methods: { 0 } > > > Extension ec_point_formats, formats: [uncompressed, > > > ansiX962_compressed_prime, ansiX962_compressed_char2] > > > Extension elliptic_curves, curve names: {secp521r1, secp384r1, > secp256r1} > > > Unsupported extension type_35, data: > > > Unsupported extension type_15, data: 01 > > > *** > > > %% Initialized: [Session-12, SSL_NULL_WITH_NULL_NULL] > > > kafka-network-thread-0-SSL-3, fatal error: 40: no cipher suites in > common > > > javax.net.ssl.SSLHandshakeException: no cipher suites in common > > > %% Invalidated: [Session-12, SSL_NULL_WITH_NULL_NULL] > > > kafka-network-thread-0-SSL-3, SEND TLSv1 ALERT: fatal, description = > > > handshake_failure > > > kafka-network-thread-0-SSL-3, WRITE: TLSv1 Alert, length = 2 > > > kafka-network-thread-0-SSL-3, fatal: engine already closed. Rethrowing > > > javax.net.ssl.SSLHandshakeException: no cipher suites in common > > > kafka-network-thread-0-SSL-3, called closeOutbound() > > > kafka-network-thread-0-SSL-3, closeOutboundInternal() > > > kafka-network-thread-0-SSL-3, called closeInbound() > > > kafka-network-thread-0-SSL-3, fatal: engine already closed. Rethrowing > > > javax.net.ssl.SSLException: Inbound closed before receiving peer's > > > close_notify: possible truncation attack? > > > kafka-network-thread-0-SSL-3, called closeOutbound() > > > kafka-network-thread-0-SSL-3, closeOutboundInternal() > > > > > > > > > > > > SSL cert generation > > > -------------------- > > > (from http://docs.confluent.io/2.0.0/kafka/ssl.html) > > > > > > #!/bin/bash > > > keytool -keystore kafka.server.keystore.jks -alias localhost -validity > > 365 > > > -genkey > > > openssl req -new -x509 -keyout ca-key -out ca-cert -days 365 > > > keytool -keystore kafka.server.truststore.jks -alias CARoot -import > -file > > > ca-cert > > > keytool -keystore kafka.client.truststore.jks -alias CARoot -import > -file > > > ca-cert > > > keytool -keystore kafka.server.keystore.jks -alias localhost -certreq > > -file > > > cert-file > > > openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out > > cert-signed > > > -days 365 -CAcreateserial -passin pass:test1234 > > > keytool -keystore kafka.server.keystore.jks -alias CARoot -import -file > > > ca-cert > > > keytool -keystore kafka.server.keystore.jks -alias localhost -import > > -file > > > cert-signed > > > > > > > > > > > > kafka server.properties > > > ----------------------- > > > > > > listeners=PLAINTEXT://kafkaserver:9092,SSL://kafkaserver:9093 > > > > > > security.protocol=SSL > > > > > > ssl.truststore.location=/root/certs2/kafka.client.truststore.jks > > > ssl.truststore.password=test1234 > > > ssl.enabled.protocols = TLSv1.2,TLSv1.1,TLSv1 > > > ssl.truststore.type=JKS > > > ssl.client.auth=none > > > > > > > > > openssl test > > > ------------- > > > > > > > > > >> openssl s_client -debug -connect kafkaserver:9093 -tls1 > > > > > > CONNECTED(00000003) > > > write to 0x10a92b0 [0x11b7183] (155 bytes => 155 (0x9B)) > > > 0000 - 16 03 01 00 96 01 00 00-92 03 01 57 56 8a 57 97 > ...........WV.W. > > > 0010 - e9 7c 0a 33 b7 f3 c7 2c-1d 09 2e a7 c7 ac df ef > .|.3...,........ > > > 0020 - 15 ed e4 f4 49 74 c7 9b-b8 c8 ee 00 00 4c c0 14 > ....It.......L.. > > > 0030 - c0 0a 00 39 00 38 00 88-00 87 c0 0f c0 05 00 35 > ...9.8.........5 > > > 0040 - 00 84 c0 13 c0 09 00 33-00 32 c0 12 c0 08 00 9a > .......3.2...... > > > 0050 - 00 99 00 45 00 44 00 16-00 13 c0 0e c0 04 c0 0d > ...E.D.......... > > > 0060 - c0 03 00 2f 00 96 00 41-00 0a 00 07 c0 11 c0 07 > .../...A........ > > > 0070 - c0 0c c0 02 00 05 00 04-00 ff 01 00 00 1d 00 0b > ................ > > > 0080 - 00 04 03 00 01 02 00 0a-00 08 00 06 00 19 00 18 > ................ > > > 0090 - 00 17 00 23 00 00 00 0f-00 01 01 ...#....... > > > read from 0x10a92b0 [0x11b2c33] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF)) > > > write:errno=104 > > > --- > > > no peer certificate available > > > --- > > > No client certificate CA names sent > > > --- > > > SSL handshake has read 0 bytes and written 0 bytes > > > --- > > > New, (NONE), Cipher is (NONE) > > > Secure Renegotiation IS NOT supported > > > Compression: NONE > > > Expansion: NONE > > > SSL-Session: > > > Protocol : TLSv1 > > > Cipher : 0000 > > > Session-ID: > > > Session-ID-ctx: > > > Master-Key: > > > Key-Arg : None > > > Krb5 Principal: None > > > PSK identity: None > > > PSK identity hint: None > > > Start Time: 1465289303 > > > Timeout : 7200 (sec) > > > Verify return code: 0 (ok) > > > --- > > > > > > > > > Client Configuration > > > -------------------- > > > > > > cp /root/certs2/ca-cert /etc/pki/ca-trust/source/anchors/ca-cert.pem > > > update-ca-trust > > > > > > > > > topbeat.yml > > > ----------- > > > > > > kafka: > > > > > > # Array of hosts to connect to. > > > hosts: ["kafkaserver:9093"] > > > topic: "elktopbeat" > > > client_id: "elk" > > > > > > tls: > > > # List of root certificates for HTTPS server verifications > > > #certificate_authorities: ["/etc/pki/root/ca.pem"] > > > certificate_authorities: ["/etc/pki/tls/certs/ca-bundle.crt"] > > > > > > # Certificate for TLS client authentication > > > #certificate: "/etc/pki/client/cert.pem" > > > > > > # Client Certificate Key > > > #certificate_key: "/etc/pki/client/cert.key" > > > > > >
