[jira] [Commented] (KAFKA-9771) Inter-worker SSL is broken for keystores with multiple certificates

Thu, 26 Mar 2020 15:01:20 -0700 


    [ 
https://issues.apache.org/jira/browse/KAFKA-9771?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17068085#comment-17068085
 ] 

ASF GitHub Bot commented on KAFKA-9771:
---------------------------------------

C0urante commented on pull request #8369: KAFKA-9771: Port patch for 
inter-worker Connect SSL from Jetty 9.4.25
URL: https://github.com/apache/kafka/pull/8369
 
 
   [Jira](https://issues.apache.org/jira/browse/KAFKA-9771)
   
   For reasons outlined in the ticket, we can't upgrade to a version of Jetty 
with the bug fixed, or one prior to the introduction of the bug. Luckily, the 
actual fix is pretty straightforward and can be ported over to Connect for use 
until it's possible to upgrade to a version of Jetty with that bug fixed: 
https://github.com/eclipse/jetty.project/pull/4404/files#diff-58640db0f8f2cd84b7e653d1c1540913R2188-R2193
   
   The changes here have been verified locally; currently investigating how 
they can best be tested via unit/integration/system tests.
   
   ### Committer Checklist (excluded from commit message)
   - [ ] Verify design and implementation 
   - [ ] Verify test coverage and CI build status
   - [ ] Verify documentation (including upgrade notes)
   
 
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


> Inter-worker SSL is broken for keystores with multiple certificates
> -------------------------------------------------------------------
>
>                 Key: KAFKA-9771
>                 URL: https://issues.apache.org/jira/browse/KAFKA-9771
>             Project: Kafka
>          Issue Type: Bug
>          Components: KafkaConnect
>    Affects Versions: 2.5.0
>            Reporter: Chris Egerton
>            Assignee: Chris Egerton
>            Priority: Blocker
>
> The recent bump in Jetty version causes inter-worker communication to fail in 
> Connect when SSL is enabled and the keystore for the worker contains multiple 
> certificates (which it might, in the case that SNI is enabled and the 
> worker's REST interface is bound to multiple domain names). This is caused by 
> [changes introduced in Jetty 
> 9.4.23|https://github.com/eclipse/jetty.project/pull/4085], which are later 
> [fixed in Jetty 9.4.25|https://github.com/eclipse/jetty.project/pull/4404].
> We recently tried and failed to [upgrade to Jetty 
> 9.4.25|https://github.com/apache/kafka/pull/8183], so upgrading the Jetty 
> version to fix this issue isn't a viable option. Additionally, the [earliest 
> clean version of Jetty|https://www.eclipse.org/jetty/security-reports.html] 
> (at the time of writing) with regards to CVEs is 9.4.24, so reverting to a 
> pre-9.4.23 version is also not a viable option.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to