[
https://issues.apache.org/jira/browse/KAFKA-20437?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18079657#comment-18079657
]
Atriya commented on KAFKA-20437:
--------------------------------
When I tried to reproduce it, while playing around with SSL and setting up a
self-signed certificate between the controller and broker and the broker
client, I observed that when I try to create a topic it throws an error.
But OOM is not the real error reason; the error is due to the client sending
plain text to Kafka, and Kafka interpreting the garbage bytes as a huge packet
size and allocating massive memory, which throws {{OutOfMemoryError}}.
I might also look into this behaviour.
{code:java}
./bin/kafka-topics.sh \
--create \
--topic test-topic \
--bootstrap-server localhost:9092
Error while executing topic command : The AdminClient thread has exited. Call: createTopics
[2026-05-09 14:53:13,838] ERROR org.apache.kafka.common.errors.TimeoutException: The AdminClient thread has exited. Call: createTopics (org.apache.kafka.tools.TopicCommand)
[2026-05-09 14:53:13,840] ERROR Uncaught exception in thread 'kafka-admin-client-thread | adminclient-1': (org.apache.kafka.common.utils.internals.KafkaThread)
java.lang.OutOfMemoryError: Java heap space
    at java.base/java.nio.HeapByteBuffer.<init>(HeapByteBuffer.java:71)
    at java.base/java.nio.ByteBuffer.allocate(ByteBuffer.java:391)
    at org.apache.kafka.common.memory.MemoryPool$1.tryAllocate(MemoryPool.java:30)
    at org.apache.kafka.common.network.NetworkReceive.readFrom(NetworkReceive.java:103)
    at org.apache.kafka.common.network.KafkaChannel.receive(KafkaChannel.java:462)
    at org.apache.kafka.common.network.KafkaChannel.read(KafkaChannel.java:412)
    at org.apache.kafka.common.network.Selector.attemptRead(Selector.java:680)
    at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:582)
    at org.apache.kafka.common.network.Selector.poll(Selector.java:486)
    at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:645)
    at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.processRequests(KafkaAdminClient.java:1535)
    at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.run(KafkaAdminClient.java:1466)
    at java.base/java.lang.Thread.runWith(Thread.java:1596)
    at java.base/java.lang.Thread.run(Thread.java:1583)
{code}
> Dynamic update of ssl.enabled.protocols does not seem to take effect
> --------------------------------------------------------------------
>
> Key: KAFKA-20437
> URL: https://issues.apache.org/jira/browse/KAFKA-20437
> Project: Kafka
> Issue Type: Bug
> Affects Versions: 4.2.0, 4.1.1
> Reporter: Jakub Scholz
> Assignee: Daeho Kwon
> Priority: Major
>
> According to the
> [documentation|https://kafka.apache.org/42/configuration/broker-configs/#brokerconfigs_ssl.enabled.protocols],
> the `ssl.enabled.protocols` configuration option is dynamically configurable
> on a per-broker basis. However, it seems that it is not the case. When you
> try to update it, Kafka seemingly accepts the configuration change and
> reports success. But it ignores the change and the change is not applied
> unless you change it in the configuration file and restart the brokers.
> This is pretty dangerous, given that this is a security option and might lead
> to users thinking their security configuration, for example, allows only
> TLSv1.3 connections, while in reality it also allows TLSv1.2. And given the
> number of security regulations that various Kafka users might need to follow,
> this can easily be a regulatory challenge as well.
> So I think this should be fixed in the configuration model and in the
> documentation. Trying to dynamically configure this option should also be
> rejected by Kafka.
> _(I was able to reproduce this with Kafka 4.2.0 and 4.1.1. But I assume this
> affects older Kafka versions as well.)_
> ----
> Steps to reproduce:
> 1. Deploy a simple Kafka cluster with a single mixed role node following the
> quickstart ([https://kafka.apache.org/quickstart/])
> 2. Before starting the Kafka node, edit the server.properties and add a new
> SSL-based listener and configure a server certificate. The following lines
> are what I changed in {{server.properties}}:
> {code:java}
> listeners=PLAINTEXT://:9092,CONTROLLER://:9093,SSL://localhost:9094
> advertised.listeners=PLAINTEXT://localhost:9092,CONTROLLER://localhost:9093,SSL://localhost:9094
> ssl.client.auth=none
> ssl.keystore.location=/my/path/server-1.keystore
> ssl.keystore.password=123456{code}
> 3. Start the Kafka node with bin/kafka-server-start.sh
> config/server.properties
> 4. Try to connect with OpenSSL (You can also use Kafka client if you want)
> using TLSv1.2 => works as expected
> {code:java}
> $ openssl s_client -connect localhost:9094 -tls1_2
> Connecting to 127.0.0.1
> CONNECTED(00000005)
> ...
> New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Protocol: TLSv1.2
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
> Protocol : TLSv1.2
> Cipher : ECDHE-RSA-AES256-GCM-SHA384
> ...{code}
> 5. Try to connect with OpenSSL (You can also use Kafka client if you want)
> using TLSv1.3 => works as expected
> {code:java}
> $ openssl s_client -connect localhost:9094 -tls1_3
> Connecting to 127.0.0.1
> CONNECTED(00000005)
> ...
> New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
> Protocol: TLSv1.3
> Server public key is 2048 bit
> This TLS version forbids renegotiation.
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> Early data was not sent
> Verify return code: 19 (self-signed certificate in certificate chain)
> ---
> ---
> Post-Handshake New Session Ticket arrived:
> SSL-Session:
> Protocol : TLSv1.3
> Cipher : TLS_AES_256_GCM_SHA384
> ...{code}
> 6. Change the ssl.enabled.protocols to TLSv1.3
> {code:java}
> $ bin/kafka-configs.sh --bootstrap-server localhost:9092 \
> --entity-type brokers \
> --entity-name 1 \
> --alter \
> --add-config "ssl.enabled.protocols=TLSv1.3"
> Completed updating config for broker 1.{code}
> 7. The Kafka log seems to reflect the change:
> {code:java}
> [2026-03-31 23:00:50,024] INFO [DynamicConfigPublisher controller id=1]
> Updating node 1 with new configuration : ssl.enabled.protocols -> TLSv1.3
> (kafka.server.metadata.DynamicConfigPublisher)
> [2026-03-31 23:00:50,026] INFO KafkaConfig values:
> ...
> ssl.allow.dn.changes = false
> ssl.allow.san.changes = false
> ssl.cipher.suites = []
> ssl.client.auth = none
> ssl.enabled.protocols = [TLSv1.3]
> ssl.endpoint.identification.algorithm = https
> ssl.engine.factory.class = null
> ssl.key.password = null
> ssl.keymanager.algorithm = SunX509
> ssl.keystore.certificate.chain = null
> ssl.keystore.key = null
> ssl.keystore.location =
> /Users/scholzj/development/my-kafka-client-sandbox/ssl-ca/keys/server-0.keystore
> ssl.keystore.password = [hidden]
> ssl.keystore.type = JKS
> ssl.principal.mapping.rules = DEFAULT
> ssl.protocol = TLSv1.3
> ssl.provider = null
> ssl.secure.random.implementation = null
> ssl.trustmanager.algorithm = PKIX
> ssl.truststore.certificates = null
> ssl.truststore.location = null
> ssl.truststore.password = null
> ssl.truststore.type = JKS
> ...
> (org.apache.kafka.common.config.AbstractConfig)
> [2026-03-31 23:00:50,034] INFO [DynamicConfigPublisher broker id=1] Updating
> node 1 with new configuration : ssl.enabled.protocols -> TLSv1.3
> (kafka.server.metadata.DynamicConfigPublisher)
> [2026-03-31 23:00:50,035] INFO KafkaConfig values:
> ...
> ssl.allow.dn.changes = false
> ssl.allow.san.changes = false
> ssl.cipher.suites = []
> ssl.client.auth = none
> ssl.enabled.protocols = [TLSv1.3]
> ssl.endpoint.identification.algorithm = https
> ssl.engine.factory.class = null
> ssl.key.password = null
> ssl.keymanager.algorithm = SunX509
> ssl.keystore.certificate.chain = null
> ssl.keystore.key = null
> ssl.keystore.location =
> /Users/scholzj/development/my-kafka-client-sandbox/ssl-ca/keys/server-0.keystore
> ssl.keystore.password = [hidden]
> ssl.keystore.type = JKS
> ssl.principal.mapping.rules = DEFAULT
> ssl.protocol = TLSv1.3
> ssl.provider = null
> ssl.secure.random.implementation = null
> ssl.trustmanager.algorithm = PKIX
> ssl.truststore.certificates = null
> ssl.truststore.location = null
> ssl.truststore.password = null
> ssl.truststore.type = JKS
> ...
> (org.apache.kafka.common.config.AbstractConfig)
> [2026-03-31 23:00:50,041] INFO Reconfiguring
> org.apache.kafka.common.network.SslChannelBuilder@2c7bed74, updated configs:
> Set() custom configs: {} (kafka.server.DynamicBrokerConfig)
> [2026-03-31 23:00:50,043] INFO Reconfiguring
> org.apache.kafka.common.network.SslChannelBuilder@4ac39bd6, updated configs:
> Set() custom configs: {} (kafka.server.DynamicBrokerConfig)
> [2026-03-31 23:00:50,045] INFO Reconfiguring
> org.apache.kafka.common.network.SslChannelBuilder@211381c9, updated configs:
> Set() custom configs: {} (kafka.server.DynamicBrokerConfig){code}
> 8. Try to connect with OpenSSL (You can also use Kafka client if you want)
> using TLSv1.2 => Still works, *NOT EXPECTED*
> {code:java}
> openssl s_client -connect localhost:9094 -tls1_2
> Connecting to 127.0.0.1
> ...
> New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Protocol: TLSv1.2
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
> Protocol : TLSv1.2
> Cipher : ECDHE-RSA-AES256-GCM-SHA384
> ...{code}
> 9. Only after I add ssl.enabled.protocols=TLSv1.3 to the server.properties
> file and restart the Kafka node, TLSv1.2 stops working as expected:
> {code:java}
> $ openssl s_client -connect localhost:9094 -tls1_2
> Connecting to 127.0.0.1
> CONNECTED(00000005)
> 00716C0B02000000:error:0A00042E:SSL routines:ssl3_read_bytes:tlsv1 alert
> protocol version:ssl/record/rec_layer_s3.c:918:SSL alert number 70
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 189 bytes
> Verification: OK
> ---
> New, (NONE), Cipher is (NONE)
> Protocol: TLSv1.2
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
> Protocol : TLSv1.2
> Cipher : 0000
> Session-ID:
> Session-ID-ctx:
> Master-Key:
> PSK identity: None
> PSK identity hint: None
> SRP username: None
> Start Time: 1774991157
> Timeout : 7200 (sec)
> Verify return code: 0 (ok)
> Extended master secret: no
> ---
> 00716C0B02000000:error:0A000197:SSL routines:SSL_shutdown:shutdown while in
> init:ssl/ssl_lib.c:2804:{code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
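Two checks relevant to this thread, as an added example that is neither Kafka project code nor code from either commenter: decoding a TLS record header as a Kafka length prefix shows why a plaintext client reading from a TLS listener tries to allocate hundreds of megabytes, and a per-version handshake probe automates steps 4 to 9 so the listener's accepted TLS versions are verified directly instead of trusted from the "Updating node" log line. The host, port and the 100 MiB bound are assumptions.

```python
import socket
import ssl
import struct

# Constructed sample: the first four bytes a plaintext Kafka client reads when it
# connects to a TLS listener (a TLS 1.2 record header: type 0x16, version 0x0303).
TLS_RECORD_PREFIX = bytes.fromhex("16030300")

# Assumed sanity bound for a frame; 100 MiB matches the broker-side default of
# socket.request.max.bytes. The client side in the trace above had no such bound.
MAX_FRAME_BYTES = 100 * 1024 * 1024


def kafka_frame_size(prefix: bytes) -> int:
    """Kafka frames every message with a 4-byte big-endian signed length prefix."""
    return struct.unpack(">i", prefix[:4])[0]


def check_frame_size(prefix: bytes, max_bytes: int = MAX_FRAME_BYTES) -> tuple[int, bool]:
    """Return the decoded size and whether it is sane enough to allocate for."""
    size = kafka_frame_size(prefix)
    return size, 0 <= size <= max_bytes


def probe_tls_versions(host: str, port: int, timeout: float = 5.0) -> dict[str, bool]:
    """Attempt one handshake per TLS version and report which ones the listener accepts."""
    results = {}
    for name, version in (("TLSv1.2", ssl.TLSVersion.TLSv1_2), ("TLSv1.3", ssl.TLSVersion.TLSv1_3)):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False        # lab self-signed cert, as in the issue:
        ctx.verify_mode = ssl.CERT_NONE   # we test protocol policy, not identity
        ctx.minimum_version = ctx.maximum_version = version  # pin exactly one version
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = tls.version() == name
        except (ssl.SSLError, OSError):
            results[name] = False  # alert 70 (protocol_version) or reset = rejected
    return results


def policy_holds(observed: dict[str, bool], allowed: set[str]) -> bool:
    """True only when exactly the allowed versions were accepted (step 9, not step 8)."""
    return all(accepted == (name in allowed) for name, accepted in observed.items())


if __name__ == "__main__":
    print(check_frame_size(TLS_RECORD_PREFIX))
    observed = probe_tls_versions("localhost", 9094)  # assumed SSL listener from the issue
    print(observed, "policy holds:", policy_holds(observed, {"TLSv1.3"}))
```

Run the probe before and after the dynamic update; a "Completed updating config" message with `policy_holds` still False is exactly the state the issue describes.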