Posted to commits@kafka.apache.org by kk...@apache.org on 2020/03/27 17:35:26 UTC

[kafka] branch 2.5 updated: KAFKA-9771: Port patch for inter-worker Connect SSL from Jetty 9.4.25 (#8369)

This is an automated email from the ASF dual-hosted git repository.

kkarantasis pushed a commit to branch 2.5
in repository https://gitbox.apache.org/repos/asf/kafka.git


The following commit(s) were added to refs/heads/2.5 by this push:
     new f61ee01  KAFKA-9771: Port patch for inter-worker Connect SSL from Jetty 9.4.25 (#8369)
f61ee01 is described below

commit f61ee01e8421682b6d9aa2ee14aacf295b3a7702
Author: Chris Egerton <ch...@confluent.io>
AuthorDate: Fri Mar 27 10:33:40 2020 -0700

    KAFKA-9771: Port patch for inter-worker Connect SSL from Jetty 9.4.25 (#8369)
    
    For reasons outlined in https://issues.apache.org/jira/browse/KAFKA-9771
    we can't upgrade to a version of Jetty with the bug fixed, or downgrade to one prior to the introduction of the bug. Luckily, the actual fix is pretty straightforward and can be ported over to Connect for use until it's possible to upgrade to a version of Jetty with that bug fixed: https://github.com/eclipse/jetty.project/pull/4404/files#diff-58640db0f8f2cd84b7e653d1c1540913R2188-R2193
    
    The changes here have been verified locally; a test with multiple certificates/multiple hostnames will be submitted in a follow up.
    
    Reviewers: Jeff Huang <47...@users.noreply.github.com>, Konstantine Karantasis <ko...@confluent.io>
---
 .../apache/kafka/connect/runtime/rest/util/SSLUtils.java | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/connect/runtime/src/main/java/org/apache/kafka/connect/runtime/rest/util/SSLUtils.java b/connect/runtime/src/main/java/org/apache/kafka/connect/runtime/rest/util/SSLUtils.java
index 6b391d9..8e04995 100644
--- a/connect/runtime/src/main/java/org/apache/kafka/connect/runtime/rest/util/SSLUtils.java
+++ b/connect/runtime/src/main/java/org/apache/kafka/connect/runtime/rest/util/SSLUtils.java
@@ -22,6 +22,7 @@ import org.apache.kafka.common.config.types.Password;
 import org.apache.kafka.connect.runtime.WorkerConfig;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
 
+import javax.net.ssl.X509ExtendedKeyManager;
 import java.util.Arrays;
 import java.util.List;
 import java.util.Map;
@@ -64,7 +65,20 @@ public class SSLUtils {
     public static SslContextFactory createClientSideSslContextFactory(WorkerConfig config) {
         Map<String, Object> sslConfigValues = config.valuesWithPrefixAllOrNothing("listeners.https.");
 
-        final SslContextFactory.Client ssl = new SslContextFactory.Client();
+        // Override this method in order to avoid running into
+        // https://github.com/eclipse/jetty.project/issues/4385, which would otherwise cause this to
+        // break when the keystore contains multiple certificates.
+        // The override here matches the bug fix in Jetty for that issue:
+        // https://github.com/eclipse/jetty.project/pull/4404/files#diff-58640db0f8f2cd84b7e653d1c1540913R2188-R2193
+        // TODO: Remove this override when the version of Jetty for the framework is bumped to
+        //       9.4.25 or later
+        final SslContextFactory.Client ssl = new SslContextFactory.Client() {
+            @Override
+            @SuppressWarnings("deprecation")
+            protected X509ExtendedKeyManager newSniX509ExtendedKeyManager(X509ExtendedKeyManager keyManager) {
+                return keyManager;
+            }
+        };
 
         configureSslContextFactoryKeyStore(ssl, sslConfigValues);
         configureSslContextFactoryTrustStore(ssl, sslConfigValues);
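Review bot: the TODO at "Remove this override when the version of Jetty for the framework is bumped to 9.4.25 or later" has nothing that will surface it at bump time; the overridden `newSniX509ExtendedKeyManager` is evidently deprecated (hence the `@SuppressWarnings("deprecation")`), so once Jetty is upgraded the override will keep compiling silently while the workaround it reproduces is already in the library. Suggest stating in the comment that the method is deprecated in the pinned Jetty version and why the suppression is needed, and pairing the TODO with a note next to the Jetty version declaration in the build so the two are removed together. Also worth recording in the comment that returning `keyManager` unwrapped deliberately bypasses SNI-based alias selection, which only makes sense for the client-side factory created here; the commit message defers the multi-certificate/multi-hostname test to a follow-up, so that intent is currently documented only by the linked Jetty PR.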