Can you share your listeners properties from server.properties?
On Thu, Jun 24, 2021, 19:49, Anjali Sharma <sharma.anjali.2...@gmail.com> wrote:

> But in the pcap I am able to see that it is taking some junk certificates
> from the client side.

On Thu, Jun 24, 2021, 21:58 Ran Lupovich <ranlupov...@gmail.com> wrote:

> Make sure that the date and time on the server is correct (the wrong time
> will cause the SSL certificate connection to fail).

On Thu, Jun 24, 2021, 19:18, Anjali Sharma <sharma.anjali.2...@gmail.com> wrote:

> openssl s_client -connect 10.54.65.99:28105
> socket: Bad file descriptor
> connect:errno=9
>
> This is the output we are getting.

On Thu, Jun 24, 2021 at 6:04 PM Shilin Wu <s...@confluent.io.invalid> wrote:

> I think your port may not even be enabled with SSL.
>
> Do this:
> "openssl s_client -connect <host>:<port>"
> and show the result?
>
> Wu Shilin
> Solution Architect
> +6581007012
> Confluent <https://www.confluent.io>
> Follow us: Blog <https://www.confluent.io/blog?utm_source=footer&utm_medium=email&utm_campaign=ch.email-signature_type.community_content.blog>
> Twitter <https://twitter.com/ConfluentInc> | LinkedIn <https://www.linkedin.com/company/confluent/>
> Slack <https://slackpass.io/confluentcommunity> | YouTube <https://youtube.com/confluent>
> Kafka Summit <https://www.kafka-summit.org/>

On Thu, Jun 24, 2021 at 8:32 PM Anjali Sharma <sharma.anjali.2...@gmail.com> wrote:

> This is the error we are getting:
>
> [2021-06-22 10:59:45,049] ERROR [Consumer clientId=consumer-1, groupId=test-consumer-group] Connection to node -1 failed authentication due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient)
> [2021-06-22 10:59:45,051] ERROR Authentication failed: terminating consumer process (kafka.tools.ConsoleConsumer$)
> org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
> Caused by: javax.net.ssl.SSLException: Unsupported record version Unknown-211.79

On Thu, Jun 24, 2021, 17:59 Shilin Wu <s...@confluent.io.invalid> wrote:

> You need to make sure of the following one by one... Or you can post the
> error message here so we can see the exact error.
>
> 1. The client trust store needs to trust the server cert's issuer cert
>    (AKA the CA cert).
> 2. The client must have a keystore that can be trusted by the server's
>    trust store.
> 3. The server needs to be accessed either via FQDN, or one of the SAN
>    addresses. If you are doing self-signing, you can add many DNS aliases
>    and even IP addresses to the server's cert.
> 4. Make sure the server cert has extended key usage of serverAuth, and the
>    client cert has extended key usage of clientAuth. Actually you can have
>    both - if you are generating yourself.

On Thu, Jun 24, 2021 at 8:26 PM Anjali Sharma <sharma.anjali.2...@gmail.com> wrote:

> Thanks for this, but we are trying to do this on the command line and are
> getting this bad certificate error.

On Thu, Jun 24, 2021, 17:52 Shilin Wu <s...@confluent.io.invalid> wrote:

> You may do openssl s_client -connect kafkahost:port to dump the cert.
>
> See if the cert makes sense.
>
> To test if your SSL works, you may try to use this Java program to test if
> you have an SSL trust issue - if it connects OK, the cert trust is most
> likely okay. (Remember to change your host name in the code, and the jks
> path in the command line options.)
>
> javac Test.java && java -Djavax.net.ssl.trustStore=truststore.jks -Djavax.net.ssl.trustStorePassword=changeme Test
>
> import javax.net.ssl.*;
>
> /*
>  * Opens an SSLSocket to the broker and performs only the TLS handshake,
>  * so that a trust or hostname problem surfaces as a stack trace here
>  * rather than buried in the Kafka client's logs.
>  * For mTLS also pass -Djavax.net.ssl.keyStore=... and
>  * -Djavax.net.ssl.keyStorePassword=... on the java command line.
>  */
> public class Test {
>
>     public static void main(String[] args) throws Exception {
>         try {
>             SSLSocketFactory factory =
>                 (SSLSocketFactory) SSLSocketFactory.getDefault();
>             SSLSocket socket =
>                 (SSLSocket) factory.createSocket("cp-kafka1", 9093);
>
>             /*
>              * Before any application data is sent or received, the
>              * SSL socket will do SSL handshaking first to set up
>              * the security attributes.
>              *
>              * SSL handshaking can be initiated by either flushing data
>              * down the pipe, or by starting the handshaking by hand.
>              *
>              * Handshaking is started manually in this example because
>              * PrintWriter catches all IOExceptions (including
>              * SSLExceptions), sets an internal error flag, and then
>              * returns without rethrowing the exception.
>              *
>              * Unfortunately, this means any error messages are lost,
>              * which caused lots of confusion for others using this
>              * code. The only way to tell there was an error is to call
>              * PrintWriter.checkError().
>              */
>             socket.startHandshake();
>
>             // Reached only if the chain, hostname and (for mTLS) client
>             // cert were all accepted; show who we actually talked to.
>             System.out.println("Handshake OK, peer: "
>                 + socket.getSession().getPeerPrincipal());
>
>             socket.close();
>         } catch (Exception e) {
>             e.printStackTrace();
>         }
>     }
> }

On Thu, Jun 24, 2021 at 8:17 PM Anjali Sharma <sharma.anjali.2...@gmail.com> wrote:

> Had added those configurations but still seeing only junk certificates
> from the client side? Any idea how to solve?
>
> Thanks
> Anjali

On Thu, Jun 24, 2021, 17:44 Shilin Wu <s...@confluent.io.invalid> wrote:

> ssl.truststore.location=/root/truststore.jks
> ssl.truststore.type=JKS
> ssl.truststore.password=changeme
> ssl.keystore.location=/root/alice.jks
> ssl.keystore.type=JKS
> ssl.keystore.password=changeme
> security.protocol=SSL
> bootstrap.servers=cp-kafka1:9093
> ssl.endpoint.identification.algorithm=https
>
> This worked for me pretty well.
>
> Of course you need to generate those certs with openssl.
>
> The trust store only contains the CA cert; the key store contains the
> keypair for alice (the user here).

On Thu, Jun 24, 2021 at 11:38 AM Anjali Sharma <sharma.anjali.2...@gmail.com> wrote:

> Thanks for this info. Can you please share what all needs to be present on
> the client side for mTLS, as in what configuration is needed on that side?
>
> Thanks

On Thu, Jun 24, 2021, 07:51 Shilin Wu <s...@confluent.io.invalid> wrote:

> A few things to check:
>
> 1. The client trust store needs to trust the server cert's issuer cert
>    (AKA the CA cert).
> 2. The client must have a keystore that can be trusted by the server's
>    trust store.
> 3. The server needs to be accessed either via FQDN, or one of the SAN
>    addresses. If you are doing self-signing, you can add many DNS aliases
>    and even IP addresses to the server's cert.
> 4. Make sure the server cert has extended key usage of serverAuth, and the
>    client cert has extended key usage of clientAuth. Actually you can have
>    both - if you are generating yourself.

On Thu, Jun 24, 2021 at 12:37 AM Anjali Sharma <sharma.anjali.2...@gmail.com> wrote:

> Hi All,
>
> While trying for mTLS (ssl.client.auth=required), from the client side we
> are seeing some junk certificates which we have not imported on the client
> side. Please help with this?
>
> Thanks & Regards
> Anjali
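As an added example that is not part of the thread and is neither Confluent's nor Kafka's code: the POSIX shell script below builds a throwaway CA plus a broker certificate and a client certificate that satisfy the four checklist items Shilin lists (CA in the truststore, client keypair signed by that CA, the dialed name in the SAN, serverAuth/clientAuth EKUs), and then checks them with `openssl verify` the way a TLS peer would: chain to the CA, `-purpose sslserver`/`sslclient` for the EKU, and `-verify_hostname`/`-verify_ip` for the SAN. The hostnames cp-kafka1 and kafka.example.test, the IP 10.0.0.5 and the client CN alice are assumptions for the demo; it needs only the openssl CLI and does not start a broker.

```shell
#!/bin/sh
# Added example, not code from this thread, Confluent or Kafka.
# Assumed names: cp-kafka1, kafka.example.test, 10.0.0.5, CN=alice.
set -eu

WORK=${WORK:-$(mktemp -d)}

# Minimal openssl config for one certificate, so nothing depends on the
# system openssl.cnf. $1 = path, $2 = CN, $3 = lines for the [ext] section.
write_cnf() {
  cat > "$1" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $2
[ext]
$3
EOF
}

# Item 1: the private CA. Both truststores (broker and client) hold only ca.crt.
make_ca() {
  write_cnf "$WORK/ca.cnf" "Example Kafka CA" "$(printf '%s\n' \
    'basicConstraints = critical, CA:TRUE' \
    'keyUsage = critical, keyCertSign, cRLSign' \
    'subjectKeyIdentifier = hash')"
  openssl req -x509 -config "$WORK/ca.cnf" -extensions ext -newkey rsa:2048 \
    -nodes -days 365 -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue a leaf cert signed by the CA.
# $1 = file stem, $2 = CN, $3 = extendedKeyUsage, $4 = subjectAltName ('' = none)
issue_cert() {
  name=$1; cn=$2; eku=$3; san=$4
  ext=$(printf '%s\n' 'basicConstraints = CA:FALSE' \
    'keyUsage = critical, digitalSignature, keyEncipherment' \
    "extendedKeyUsage = $eku")
  if [ -n "$san" ]; then
    ext=$(printf '%s\n%s' "$ext" "subjectAltName = $san")
  fi
  write_cnf "$WORK/$name.cnf" "$cn" "$ext"
  openssl req -new -config "$WORK/$name.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  # The CA, not the requester, decides which extensions end up in the cert.
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/$name.cnf" -extensions ext \
    -out "$WORK/$name.crt" 2>/dev/null
}

# Items 2-4 as a peer evaluates them: chain to the CA, EKU matching the role
# (-purpose sslserver / sslclient) and, for the broker, the dialed name in the
# SAN (-verify_hostname NAME or -verify_ip ADDR). Exit status is the verdict.
# $1 = cert, $2 = purpose, remaining args = extra openssl verify options.
verify_leaf() {
  cert=$1; purpose=$2; shift 2
  openssl verify -CAfile "$WORK/ca.crt" -purpose "$purpose" "$@" "$cert" >/dev/null 2>&1
}

# Print the extendedKeyUsage of a cert (the line after the extension header).
eku_of() {
  openssl x509 -in "$1" -noout -text | sed -n '/X509v3 Extended Key Usage/{n;s/^ *//;p;}'
}

main() {
  make_ca
  # Item 3: every name a client may dial, DNS and IP, goes into the broker SAN.
  issue_cert broker cp-kafka1 serverAuth 'DNS:cp-kafka1,DNS:kafka.example.test,IP:10.0.0.5'
  # Item 2: the client keypair, signed by the same CA; clientAuth only.
  issue_cert client alice clientAuth ''

  echo "broker EKU: $(eku_of "$WORK/broker.crt")"
  echo "client EKU: $(eku_of "$WORK/client.crt")"
  for name in cp-kafka1 kafka.example.test other.example.test; do
    if verify_leaf "$WORK/broker.crt" sslserver -verify_hostname "$name"; then
      echo "broker cert accepted when dialed as $name"
    else
      echo "broker cert REJECTED when dialed as $name (name not in SAN)"
    fi
  done
  verify_leaf "$WORK/client.crt" sslclient && echo "client cert accepted for clientAuth"
  verify_leaf "$WORK/client.crt" sslserver || echo "client cert rejected as a server cert (EKU)"
  echo "files in $WORK: ca.crt -> truststores; broker.key+broker.crt and client.key+client.crt -> keystores"
}

main
```

To feed the result into the client configuration from the thread, import ca.crt into a truststore with `keytool -importcert -alias ca -file ca.crt -keystore truststore.jks`, and bundle the client key and cert with `openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt -out alice.p12`, pointing ssl.keystore.location at that file with ssl.keystore.type=PKCS12 (Kafka accepts PKCS12 as well as JKS). The negative checks in `main` are the ones worth keeping around: a broker cert that verifies fine but is dialed by a name missing from its SAN fails exactly like a trust problem does with ssl.endpoint.identification.algorithm=https, and a cert carrying only clientAuth is rejected when a listener presents it.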