Re: Mtls not working

2021-06-24 Thread Ran Lupovich
Can you share your listeners properties from server.properties?
On Thu, 24 Jun 2021, 19:49, Anjali Sharma <sharma.anjali.2...@gmail.com> wrote:
> But in the pcap I am able to see that it is taking some junk certificates
> from client side
>
> On Thu, Jun 24, 2021, 21:58 Ran Lupovich

Re: Mtls not working

2021-06-24 Thread Anjali Sharma
But in the pcap I am able to see that it is taking some junk certificates from client side
On Thu, Jun 24, 2021, 21:58 Ran Lupovich wrote:
> Make sure that the date and time on the server is correct (The wrong time
> will cause the SSL certificate connection to fail).
>
> On Thu, 24

Re: Mtls not working

2021-06-24 Thread Ran Lupovich
Make sure that the date and time on the server is correct (The wrong time will cause the SSL certificate connection to fail).
On Thu, 24 Jun 2021, 19:18, Anjali Sharma <sharma.anjali.2...@gmail.com> wrote:
> openssl s_client -connect 10.54.65.99:28105
> socket: Bad file descriptor
>

Re: Mtls not working

2021-06-24 Thread Anjali Sharma
openssl s_client -connect 10.54.65.99:28105
socket: Bad file descriptor
connect:errno=9
This is the output we are getting
On Thu, Jun 24, 2021 at 6:04 PM Shilin Wu wrote:
> I think your port may not even be enabled with SSL.
>
> do this
> "openssl s_client -connect :"
> and show the result ?

Re: Mtls not working

2021-06-24 Thread Shilin Wu
I think your port may not even be enabled with SSL.
do this
"openssl s_client -connect :"
and show the result ?
Wu Shilin
Solution Architect
+6581007012

Re: Mtls not working

2021-06-24 Thread Anjali Sharma
This is the error we are getting
[2021-06-22 10:59:45,049] ERROR [Consumer clientId=consumer-1, groupId=test-consumer-group] Connection to node -1 failed authentication due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient)
[2021-06-22 10:59:45,051] ERROR Authentication failed:

Re: Mtls not working

2021-06-24 Thread Shilin Wu
You need to make sure the following one by one... Or you can post the message of error here so we can see exact error.
> > > > > 1. Client trust store needs to trust the server cert's issuer cert (AKA the
> > > > > CA cert)
> > > > > 2. The client must have a keystore that can be

Re: Mtls not working

2021-06-24 Thread Anjali Sharma
Thanks for this but we are trying to do this on command line but getting this bad certificate error
On Thu, Jun 24, 2021, 17:52 Shilin Wu wrote:
> you may do openssl s_client -connect kafkahost:port to dump the cert.
>
> See if the cert makes sense.
>
> To test if your SSL works, you may try

Re: Mtls not working

2021-06-24 Thread Shilin Wu
You may do openssl s_client -connect kafkahost:port to dump the cert.
See if the cert makes sense.
To test if your SSL works, you may try using this Java program to test if you have SSL trust issue - if it connects ok, the cert trust is most likely to be okay. (remember to change your host name in

Re: Mtls not working

2021-06-24 Thread Anjali Sharma
Had added those configuration but still seeing only junk certificates from client side? Any idea how to solve?
Thanks
Anjali
On Thu, Jun 24, 2021, 17:44 Shilin Wu wrote:
> ssl.truststore.location=/root/truststore.jks
>
> ssl.truststore.type=JKS
>
> ssl.truststore.password=changeme
>

Re: Mtls not working

2021-06-24 Thread Shilin Wu
ssl.truststore.location=/root/truststore.jks
ssl.truststore.type=JKS
ssl.truststore.password=changeme
ssl.keystore.location=/root/alice.jks
ssl.keystore.type=JKS
ssl.keystore.password=changeme
security.protocol=SSL
bootstrap.servers=cp-kafka1:9093
ssl.endpoint.identification.algorithm=https

Re: Mtls not working

2021-06-23 Thread Anjali Sharma
Thanks for this info. Can you please share what all needs to be present on the client side for mtls, as in what all configuration is needed on that side?
Thanks
On Thu, Jun 24, 2021, 07:51 Shilin Wu wrote:
> A few things to check:
>
> 1. Client trust store needs to trust the server cert's issuer

Re: Mtls not working

2021-06-23 Thread Shilin Wu
A few things to check:
1. Client trust store needs to trust the server cert's issuer cert (AKA the CA cert)
2. The client must have a keystore that can be trusted by server's trust store.
3. The server needs to be accessed either via FQDN, or one of the SAN addresses.
If you are doing self sign, you

Fwd: Mtls not working

2021-06-23 Thread Anjali Sharma
Hi All,
While trying for mtls ssl.client.aut=required, from client side we are seeing some junk certificates which we have not imported on the client side? Please help with this?
Thanks & Regards
Anjali

Mtls not working

2021-06-23 Thread Anjali Sharma
Hi All,
While trying for mtls ssl.client.aut=required, from client side we are seeing some junk certificates which we have not imported on the client side? Please help with this?
Thanks & Regards
Anjali