[ https://issues.apache.org/jira/browse/KAFKA-9319?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17036295#comment-17036295 ]
ASF GitHub Bot commented on KAFKA-9319:
---------------------------------------

nizhikov commented on pull request #8106: KAFKA-9319: Fix generation of CA certificate for system tests.
URL: https://github.com/apache/kafka/pull/8106

I performed a system test run to check that we can enable only `TLSv1.3` by default. I've found two issues:

1. The CA certificate that is generated in `security_config.py` can't be validated by openjdk11; therefore, tests with SSL enabled failed. (Error message is "TrustAnchor with subject "CN=SystemTestCA" is not a CA certificate".)
2. The actual stack trace of the failure is hidden when the `ConfigException` stack trace is printed.

This PR fixes those 2 issues:

* `--ext bc=ca:true` param for `keytool` added.
* SSL validation exception is printed in the error log.

[Keytool documentation](https://docs.oracle.com/en/java/javase/11/tools/keytool.html)

> Supported Named Extensions
> The keytool command supports these named extensions. The names aren't case-sensitive.
> BC or BasicConstraints
> Values:
> The full form is ca:{true|false}[,pathlen:len] or len, which is short for ca:true,pathlen:len.
> When len is omitted, the resulting value is ca:true.

Command to run tests (openjdk11 used):

```
export tests="tests/kafkatest/tests/connect/connect_distributed_test.py"
TC_PATHS="$tests" bash tests/docker/run_tests.sh
```

java version in a docker container:

```
[nizhikov@sbt-qa-01 kafka]$ docker exec -it ducker04 bash
ducker@ducker04:/$ java -version
openjdk version "11.0.6" 2020-01-14
OpenJDK Runtime Environment 18.9 (build 11.0.6+10)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.6+10, mixed mode)
```

Exception in tests *without* new `ext` parameter:

```
[2020-02-13 10:17:46,244] DEBUG Created SSL context with keystore SecurityStore(path=/mnt/security/test.keystore.jks, modificationTime=Thu Feb 13 10:17:43 UTC 2020), truststore SecurityStore(path=/mnt/security/test.truststore.jks, modificationTime=Thu Feb 13 10:17:41 UTC 2020), provider SunJSSE. (org.apache.kafka.common.security.ssl.SslEngineBuilder)
javax.net.ssl.SSLHandshakeException: PKIX path validation failed: sun.security.validator.ValidatorException: TrustAnchor with subject "CN=SystemTestCA" is not a CA certificate
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:320)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:263)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:258)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1332)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1207)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1150)
	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061)
	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1048)
	at java.base/java.security.AccessController.doPrivileged(Native Method)
	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:995)
	at org.apache.kafka.common.security.ssl.SslFactory$SslEngineValidator.handshake(SslFactory.java:360)
	at org.apache.kafka.common.security.ssl.SslFactory$SslEngineValidator.validate(SslFactory.java:301)
	at org.apache.kafka.common.security.ssl.SslFactory$SslEngineValidator.validate(SslFactory.java:282)
	at org.apache.kafka.common.security.ssl.SslFactory.configure(SslFactory.java:98)
	at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:168)
	at org.apache.kafka.common.network.ChannelBuilders.create(ChannelBuilders.java:157)
	at org.apache.kafka.common.network.ChannelBuilders.serverChannelBuilder(ChannelBuilders.java:97)
	at kafka.network.Processor.<init>(SocketServer.scala:724)
	at kafka.network.SocketServer.newProcessor(SocketServer.scala:367)
	at kafka.network.SocketServer.$anonfun$addDataPlaneProcessors$1(SocketServer.scala:252)
	at kafka.network.SocketServer.addDataPlaneProcessors(SocketServer.scala:251)
	at kafka.network.SocketServer.$anonfun$createDataPlaneAcceptorsAndProcessors$1(SocketServer.scala:214)
	at kafka.network.SocketServer.$anonfun$createDataPlaneAcceptorsAndProcessors$1$adapted(SocketServer.scala:211)
	at scala.collection.mutable.ResizableArray.foreach(ResizableArray.scala:62)
	at scala.collection.mutable.ResizableArray.foreach$(ResizableArray.scala:55)
	at scala.collection.mutable.ArrayBuffer.foreach(ArrayBuffer.scala:49)
	at kafka.network.SocketServer.createDataPlaneAcceptorsAndProcessors(SocketServer.scala:211)
	at kafka.network.SocketServer.startup(SocketServer.scala:122)
	at kafka.server.KafkaServer.startup(KafkaServer.scala:242)
	at kafka.server.KafkaServerStartable.startup(KafkaServerStartable.scala:44)
	at kafka.Kafka$.main(Kafka.scala:82)
	at kafka.Kafka.main(Kafka.scala)
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: sun.security.validator.ValidatorException: TrustAnchor with subject "CN=SystemTestCA" is not a CA certificate
	at java.base/sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:369)
	at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:263)
	at java.base/sun.security.validator.Validator.validate(Validator.java:264)
	at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:276)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1310)
	... 30 more
Caused by: sun.security.validator.ValidatorException: TrustAnchor with subject "CN=SystemTestCA" is not a CA certificate
	at java.base/sun.security.validator.PKIXValidator.verifyTrustAnchor(PKIXValidator.java:393)
	at java.base/sun.security.validator.PKIXValidator.toArray(PKIXValidator.java:333)
	at java.base/sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:366)
	... 36 more
```

### Committer Checklist (excluded from commit message)

- [ ] Verify design and implementation
- [ ] Verify test coverage and CI build status
- [ ] Verify documentation (including upgrade notes)

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

> Run some system tests using TLSv1.3
> -----------------------------------
>
>                 Key: KAFKA-9319
>                 URL: https://issues.apache.org/jira/browse/KAFKA-9319
>             Project: Kafka
>          Issue Type: Test
>            Reporter: Rajini Sivaram
>            Assignee: Nikolay Izhikov
>            Priority: Major
>             Fix For: 2.5.0
>
>
> KAFKA-7251 enables TLSv1.3 for Kafka. We should get some system tests to run using TLSv1.3. Since TLSv1.3 is only supported from Java 11 onwards, we need a system test build that runs with JDK 11 to enable these tests.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
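The fix in the comment above hinges on one detail: the innermost frame of the stack trace, `PKIXValidator.verifyTrustAnchor`, rejects a trust anchor whose certificate does not carry a BasicConstraints extension with `CA:true`, and a `keytool -genkeypair` run without `-ext bc=ca:true` produces exactly such a certificate. The shell script below is an added example and not code from the PR or from Kafka's `security_config.py`: it generates a self-signed `CN=SystemTestCA` certificate twice with `keytool`, once without and once with `-ext bc=ca:true`, exports each as PEM and checks with `keytool -printcert` whether the `CA:true` line is present. The alias, store password, file names and the temporary working directory are assumptions of the example; it needs a JDK `keytool` on PATH.

```shell
#!/usr/bin/env bash
# Added example (not from the Kafka PR or from security_config.py):
# generate a self-signed "CA" certificate with keytool, once without and once
# with "-ext bc=ca:true", and check which one carries the BasicConstraints
# CA:true extension that the JDK 11 PKIX validator requires of a trust anchor.
# Assumptions: a JDK keytool on PATH; the alias, password, file names and
# working directory below are arbitrary values chosen for this example.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
STOREPASS="changeit-test"   # assumed throwaway password (keytool wants >= 6 chars)

# gen_ca NAME [extra keytool options...]
# Creates a self-signed certificate for CN=SystemTestCA in $WORKDIR/NAME.p12
# and exports it as PEM to $WORKDIR/NAME.pem. Extra options (for example
# "-ext bc=ca:true") are passed straight through to keytool -genkeypair.
gen_ca() {
    local name="$1"; shift
    keytool -genkeypair -keyalg RSA -keysize 2048 -validity 30 \
        -alias ca -dname "CN=SystemTestCA" \
        -storetype PKCS12 -keystore "$WORKDIR/$name.p12" \
        -storepass "$STOREPASS" -keypass "$STOREPASS" \
        "$@" >/dev/null 2>&1
    keytool -exportcert -rfc -alias ca \
        -storetype PKCS12 -keystore "$WORKDIR/$name.p12" -storepass "$STOREPASS" \
        -file "$WORKDIR/$name.pem" >/dev/null 2>&1
}

# is_ca_cert PEM_FILE
# Returns 0 if keytool -printcert shows a BasicConstraints extension with
# CA:true (the certificate is acceptable as a trust anchor), 1 otherwise.
is_ca_cert() {
    keytool -printcert -v -file "$1" 2>/dev/null | grep -q 'CA:true'
}

# report PEM_FILE: print a one-line verdict for a certificate
report() {
    if is_ca_cert "$1"; then
        echo "$1: BasicConstraints CA:true present, usable as trust anchor"
    else
        echo "$1: no BasicConstraints CA:true, JDK 11 PKIX rejects it as trust anchor"
    fi
}

main() {
    gen_ca nobc                     # the case described in the comment: no -ext
    gen_ca withbc -ext bc=ca:true   # the case after the fix
    report "$WORKDIR/nobc.pem"
    report "$WORKDIR/withbc.pem"
}

if command -v keytool >/dev/null 2>&1; then
    main
else
    echo "keytool not found on PATH; install a JDK to run this example" >&2
fi
```

The same `is_ca_cert` check applies to an existing truststore: `keytool -list -v -keystore test.truststore.jks -storepass ...` prints the extensions of each trusted certificate, and a trust anchor entry without a `BasicConstraints: [ CA:true ... ]` block will fail the handshake shown above under JDK 11 regardless of how the leaf certificates were issued. The generated files are left in `$WORKDIR` so they can be inspected with `keytool -printcert -v -file`.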