Error in Kafka running on openshift during SSL

I have Kafka running on openshift and have exposed a route (TLS passthrough) to access the Kafka broker. Below are the server.properties of the broker. Note that the openshift service is port-forwarding to 9043. I have the keystore and certificate on the Kafka broker and the ca-cert on the client.

sasl.mechanism.inter.broker.protocol=PLAIN
sasl.enabled.mechanisms=PLAIN
listeners=INTERNAL://0.0.0.0:9092,EXTERNAL://0.0.0.0:9043
# advertised listener must use the listener://host:port form (the original line had "EXTERNAL:abc:9043")
advertised.listeners=INTERNAL://localhost:9092,EXTERNAL://abc:9043
inter.broker.listener.name=INTERNAL
listener.security.protocol.map=INTERNAL:PLAINTEXT,EXTERNAL:SSL
ssl.client.auth=none
# security.protocol is a client-side setting; the broker ignores it here
security.protocol=SSL
# TLSv1.1 and TLSv1 are deprecated; TLSv1.2 alone is the safer choice
ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
ssl.keystore.location=
ssl.keystore.password=
ssl.key.password=
ssl.truststore.location=
ssl.truststore.password=
# empty value disables hostname verification on the broker's own client-side connections
ssl.endpoint.identification.algorithm=

I am trying to access the route using the Kafka producer on my local machine as below:

kafka-console-producer.bat --broker-list abc:443 --producer-property security.protocol=SSL --producer-property ssl.truststore.password=*** --producer-property ssl.truststore.location=ca.crt  --topic dummy

I am getting the error below on the Kafka pod:

data-plane-kafka-network-thread-0-ListenerName(EXTERNAL)-SSL-3, READ: TLSv1.2 Handshake, length = 347
check handshake state: client_hello[1]
data-plane-kafka-network-thread-0-ListenerName(EXTERNAL)-SSL-3, fatal error: 10: Handshake message sequence violation, 1
javax.net.ssl.SSLProtocolException: Handshake message sequence violation, 1
%% Invalidated:  [Session-1, SSL_NULL_WITH_NULL_NULL]
%% Invalidated:  [Session-2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
data-plane-kafka-network-thread-0-ListenerName(EXTERNAL)-SSL-3, SEND TLSv1.2 ALERT:  fatal, description = unexpected_message
data-plane-kafka-network-thread-0-ListenerName(EXTERNAL)-SSL-3, WRITE: TLSv1.2 Alert, length = 2
data-plane-kafka-network-thread-0-ListenerName(EXTERNAL)-SSL-3, called closeOutbound()
data-plane-kafka-network-thread-0-ListenerName(EXTERNAL)-SSL-3, closeOutboundInternal()
data-plane-kafka-network-thread-0-ListenerName(EXTERNAL)-SSL-3, called closeInbound()
data-plane-kafka-network-thread-0-ListenerName(EXTERNAL)-SSL-3, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
[2020-08-01 23:30:26,397] INFO [SocketServer brokerId=0] Failed authentication with /10.X.X.X (SSL handshake failed) (org.apache.kafka.common.network.Selector)

Below is the error on the producer client:


javax.net.ssl|ERROR|0E|kafka-producer-network-thread | console-producer|2020-08-01 19:40:02.523 CDT|TransportContext.java:313|Fatal (CERTIFICATE_UNKNOWN): Extended key usage does not permit use for TLS server authentication (
"throwable" : {
  sun.security.validator.ValidatorException: Extended key usage does not permit use for TLS server authentication

Any ideas on what could be the problem?

After some research we figured out that the extended key usage on the certificate was set as client auth. We updated the same, added the SAN and were able to connect.
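The two certificate properties that resolved this (an extendedKeyUsage that permits serverAuth, and a subjectAltName covering the advertised hostname) can be verified before the certificate is loaded into the broker keystore. The script below is an added example, not part of the original post or of Kafka; it assumes the openssl CLI is available and generates two throwaway self-signed certificates to show the check rejecting a clientAuth-only certificate and accepting a correct one. The hostname "abc" is the advertised host from the post.

```shell
#!/bin/sh
# Added example: pre-deployment check for a Kafka broker certificate.
# Fails when extendedKeyUsage is present but omits serverAuth (the cause of
# "Extended key usage does not permit use for TLS server authentication")
# or when subjectAltName has no DNS entry for the advertised host.
set -e

# check_server_cert CERT.pem HOSTNAME -> returns 0 if usable for TLS server auth
check_server_cert() {
    cert="$1"; host="$2"
    txt=$(openssl x509 -in "$cert" -noout -text)
    # An absent EKU extension imposes no restriction; an EKU without serverAuth does.
    if printf '%s\n' "$txt" | grep -q 'Extended Key Usage' &&
       ! printf '%s\n' "$txt" | grep -q 'TLS Web Server Authentication'; then
        echo "FAIL: $cert: extendedKeyUsage does not permit serverAuth" >&2
        return 1
    fi
    # Clients verify the advertised hostname against the SAN, not the CN.
    if ! printf '%s\n' "$txt" | grep -qE "DNS:$host(,|$)"; then
        echo "FAIL: $cert: no subjectAltName DNS entry for $host" >&2
        return 1
    fi
    echo "OK: $cert can serve TLS as $host"
}

# Constructed test data: two self-signed certificates in a temp directory.
work=$(mktemp -d)
# Bad certificate: EKU = clientAuth only and no SAN (the poster's situation).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=abc" \
    -addext "extendedKeyUsage=clientAuth" \
    -keyout "$work/bad.key" -out "$work/bad.pem" 2>/dev/null
# Good certificate: EKU includes serverAuth and SAN lists the advertised host.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=abc" \
    -addext "extendedKeyUsage=serverAuth" -addext "subjectAltName=DNS:abc" \
    -keyout "$work/good.key" -out "$work/good.pem" 2>/dev/null

BAD_CERT="$work/bad.pem"
GOOD_CERT="$work/good.pem"
```

Run it against the real broker certificate with `check_server_cert broker.pem <advertised-host>` before importing it into the keystore.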
