This is an automated email from the ASF dual-hosted git repository.
kkarantasis pushed a commit to branch 2.5
in repository https://gitbox.apache.org/repos/asf/kafka.git
The following commit(s) were added to refs/heads/2.5 by this push:
new f61ee01 KAFKA-9771: Port patch for inter-worker Connect SSL from
Jetty 9.4.25 (#8369)
f61ee01 is described below
commit f61ee01e8421682b6d9aa2ee14aacf295b3a7702
Author: Chris Egerton <[email protected]>
AuthorDate: Fri Mar 27 10:33:40 2020 -0700
KAFKA-9771: Port patch for inter-worker Connect SSL from Jetty 9.4.25
(#8369)
For reasons outlined in https://issues.apache.org/jira/browse/KAFKA-9771
we can't upgrade to a version of Jetty with the bug fixed, or downgrade to
one prior to the introduction of the bug. Luckily, the actual fix is pretty
straightforward and can be ported over to Connect for use until it's possible
to upgrade to a version of Jetty with that bug fixed:
https://github.com/eclipse/jetty.project/pull/4404/files#diff-58640db0f8f2cd84b7e653d1c1540913R2188-R2193
The changes here have been verified locally; a test exercising multiple
certificates/multiple hostnames will be submitted in a follow-up.
Reviewers: Jeff Huang <[email protected]>,
Konstantine Karantasis <[email protected]>
---
.../apache/kafka/connect/runtime/rest/util/SSLUtils.java | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git
a/connect/runtime/src/main/java/org/apache/kafka/connect/runtime/rest/util/SSLUtils.java
b/connect/runtime/src/main/java/org/apache/kafka/connect/runtime/rest/util/SSLUtils.java
index 6b391d9..8e04995 100644
---
a/connect/runtime/src/main/java/org/apache/kafka/connect/runtime/rest/util/SSLUtils.java
+++
b/connect/runtime/src/main/java/org/apache/kafka/connect/runtime/rest/util/SSLUtils.java
@@ -22,6 +22,7 @@ import org.apache.kafka.common.config.types.Password;
import org.apache.kafka.connect.runtime.WorkerConfig;
import org.eclipse.jetty.util.ssl.SslContextFactory;
+import javax.net.ssl.X509ExtendedKeyManager;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
@@ -64,7 +65,20 @@ public class SSLUtils {
public static SslContextFactory
createClientSideSslContextFactory(WorkerConfig config) {
Map<String, Object> sslConfigValues =
config.valuesWithPrefixAllOrNothing("listeners.https.");
- final SslContextFactory.Client ssl = new SslContextFactory.Client();
+ // Override this method in order to avoid running into
+ // https://github.com/eclipse/jetty.project/issues/4385, which would
otherwise cause this to
+ // break when the keystore contains multiple certificates.
+ // The override here matches the bug fix in Jetty for that issue:
+ //
https://github.com/eclipse/jetty.project/pull/4404/files#diff-58640db0f8f2cd84b7e653d1c1540913R2188-R2193
+ // TODO: Remove this override when the version of Jetty for the
framework is bumped to
+ // 9.4.25 or later
+ final SslContextFactory.Client ssl = new SslContextFactory.Client() {
+ @Override
+ @SuppressWarnings("deprecation")
+ protected X509ExtendedKeyManager
newSniX509ExtendedKeyManager(X509ExtendedKeyManager keyManager) {
+ return keyManager;
+ }
+ };
configureSslContextFactoryKeyStore(ssl, sslConfigValues);
configureSslContextFactoryTrustStore(ssl, sslConfigValues);