Gergely Harmadás created KAFKA-20676:
----------------------------------------
Summary: Broker fails to start when ssl.cipher.suites contains
ciphers unavailable in the JSSE provider
Key: KAFKA-20676
URL: https://issues.apache.org/jira/browse/KAFKA-20676
Project: Kafka
Issue Type: Task
Components: core, security
Reporter: Gergely Harmadás
Assignee: Gergely Harmadás
When *ssl.cipher.suites* is configured with an unsupported cipher suite by the
JSSE provider the broker fails at startup
{code:java}
[2026-06-09 00:27:36,713] ERROR Exiting Kafka due to fatal exception during
startup. (kafka.Kafka$)
org.apache.kafka.common.config.ConfigException: Invalid value
java.lang.IllegalArgumentException: Unsupported CipherSuite:
TLS_AES_128_CCM_SHA256 for configuration A client SSLEngine created with the
provided settings can't connect to a server SSLEngine created with those
settings.
at
org.apache.kafka.common.security.ssl.SslFactory.configure(SslFactory.java:103)
at
org.apache.kafka.common.network.SslChannelBuilder.configure(SslChannelBuilder.java:68)
at
org.apache.kafka.common.network.ChannelBuilders.create(ChannelBuilders.java:187)
at
org.apache.kafka.common.network.ChannelBuilders.serverChannelBuilder(ChannelBuilders.java:104)
at kafka.network.Processor.<init>(SocketServer.scala:863)
at kafka.network.Acceptor.newProcessor(SocketServer.scala:769)
at
kafka.network.Acceptor.$anonfun$addProcessors$1(SocketServer.scala:735)
at scala.collection.immutable.Range.foreach$mVc$sp(Range.scala:256)
at kafka.network.Acceptor.addProcessors(SocketServer.scala:734)
at kafka.network.DataPlaneAcceptor.configure(SocketServer.scala:455)
at
kafka.network.SocketServer.createDataPlaneAcceptorAndProcessors(SocketServer.scala:227)
at kafka.network.SocketServer.$anonfun$new$16(SocketServer.scala:153)
at
kafka.network.SocketServer.$anonfun$new$16$adapted(SocketServer.scala:153)
at scala.collection.IterableOnceOps.foreach(IterableOnce.scala:630)
at scala.collection.IterableOnceOps.foreach$(IterableOnce.scala:628)
at scala.collection.AbstractIterable.foreach(Iterable.scala:936)
at kafka.network.SocketServer.<init>(SocketServer.scala:153)
at kafka.server.BrokerServer.startup(BrokerServer.scala:292)
at
kafka.server.KafkaRaftServer.$anonfun$startup$2(KafkaRaftServer.scala:97)
at
kafka.server.KafkaRaftServer.$anonfun$startup$2$adapted(KafkaRaftServer.scala:97)
at scala.Option.foreach(Option.scala:437)
at kafka.server.KafkaRaftServer.startup(KafkaRaftServer.scala:97)
at kafka.Kafka$.main(Kafka.scala:98)
at kafka.Kafka.main(Kafka.scala)
[2026-06-09 00:27:36,714] INFO [ControllerServer id=1] shutting down
(kafka.server.ControllerServer){code}
This behavior has some drawbacks, e.g.:
* It is harder to complete JDK upgrades as new versions typically remove
support from weak ciphers. A broker that previously worked with a given
configuration can suddenly fail
* Running Kafka in FIPS environment with custom security policies usually
works with a reduces cipher list making it more likely to encounter this issue
As a possible improvement I would propose to only fail when there is no valid
cipher suite in the provided configuration, otherwise just filter out the
unsupported ciphers.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
