Posted to users@kafka.apache.org by Anjali Sharma <sh...@gmail.com> on 2021/06/23 14:12:35 UTC

Mtls not working

Hi All,

While trying for mTLS with ssl.client.auth=required, from the client side we are
seeing some junk certificates which we have not imported on the client side?

Please help with this?

Thanks & Regards

Anjali

Re: Mtls not working

Posted by Ran Lupovich <ra...@gmail.com>.
Can you share your listeners properties from server.properties?


On Thu, Jun 24, 2021, 19:49, Anjali Sharma <sharma.anjali.2699@gmail.com> wrote:

> But in the pcap I am able to see that it is taking some junk certificates
> from client side
>
> On Thu, Jun 24, 2021, 21:58 Ran Lupovich <ra...@gmail.com> wrote:
>
> > Make sure that the date and time on the server is correct (the wrong time
> > will cause the SSL certificate connection to fail).
> >
> > On Thu, Jun 24, 2021, 19:18, Anjali Sharma <sharma.anjali.2699@gmail.com> wrote:
> >
> > > openssl s_client -connect 10.54.65.99:28105
> > > socket: Bad file descriptor
> > > connect:errno=9
> > >
> > > This is the output we are getting
> > >
> > > On Thu, Jun 24, 2021 at 6:04 PM Shilin Wu <sh...@confluent.io.invalid>
> > > wrote:
> > >
> > > > I think your port may not even be enabled with SSL.
> > > >
> > > > do this
> > > > "openssl s_client -connect <host>:<port>"
> > > > and show the result ?
> > > >
> > > >
> > > >
> > > > Confluent <https://www.confluent.io>
> > > > Wu Shilin
> > > > Solution Architect
> > > >
> > > >
> > > > On Thu, Jun 24, 2021 at 8:32 PM Anjali Sharma <
> > > > sharma.anjali.2699@gmail.com>
> > > > wrote:
> > > >
> > > > > This is the error we are getting
> > > > >
> > > > >
> > > > >   [2021-06-22 10:59:45,049] ERROR [Consumer clientId=consumer-1,
> > > > > groupId=test-consumer-group] Connection to node -1 failed authentication
> > > > > due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient)
> > > > > [2021-06-22 10:59:45,051] ERROR Authentication failed: terminating consumer
> > > > > process (kafka.tools.ConsoleConsumer$)
> > > > > org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake
> > > > > failed
> > > > > Caused by: javax.net.ssl.SSLException: Unsupported record version
> > > > > Unknown-211.79
> > > > >
> > > > >
> > > > > On Thu, Jun 24, 2021, 17:59 Shilin Wu <sh...@confluent.io.invalid> wrote:
> > > > >
> > > > > > You need to make sure the following one by one... Or you can post
> > > > > > the message of error here so we can see the exact error.
> > > > > >
> > > > > > > 1. Client trust store needs to trust the server cert's issuer cert
> > > > > > > (AKA the CA cert)
> > > > > > > 2. The client must have a keystore that can be trusted by the
> > > > > > > server's trust store.
> > > > > > > 3. The server needs to be accessed either via FQDN, or one of the
> > > > > > > SAN addresses. If you are doing self sign, you can add many DNS
> > > > > > > aliases and even IP addresses to the server's cert.
> > > > > > > 4. Make sure the server cert has extended key usage of serverAuth,
> > > > > > > and the client cert has extended key usage of clientAuth. Actually
> > > > > > > you can have both - if you are generating yourself.
> > > > > >
> > > > > > On Thu, Jun 24, 2021 at 8:26 PM Anjali Sharma <sharma.anjali.2699@gmail.com>
> > > > > > wrote:
> > > > > >
> > > > > > > Thanks for this but we are trying to do this on command line but
> > > > > > > getting this bad certificate error
> > > > > > >
> > > > > > > On Thu, Jun 24, 2021, 17:52 Shilin Wu <shwu@confluent.io.invalid> wrote:
> > > > > > >
> > > > > > > > you may do openssl s_client -connect kafkahost:port to dump the cert.
> > > > > > > >
> > > > > > > > See if the cert makes sense.
> > > > > > > >
> > > > > > > > To test if your SSL works, you may try use this java program to test
> > > > > > > > if you have SSL trust issue - if it connects ok, the cert trust is
> > > > > > > > mostly to be okay. (remember to change your host name in code, and
> > > > > > > > jks path in command line options.)
> > > > > > > >
> > > > > > > > java -Djavax.net.ssl.trustStore=truststore.jks
> > > > > > > > -Djavax.net.ssl.trustStorePassword=changeme Test
> > > > > > > >
> > > > > > > > import java.net.*;
> > > > > > > > import java.io.*;
> > > > > > > > import javax.net.ssl.*;
> > > > > > > >
> > > > > > > > /*
> > > > > > > >  * This example demonstrates how to use an SSLSocket as client to
> > > > > > > >  * send an HTTP request and get a response from an HTTPS server.
> > > > > > > >  * It assumes that the client is not behind a firewall.
> > > > > > > >  * Here it is cut down to the TLS handshake only: no request is sent.
> > > > > > > >  */
> > > > > > > > public class Test {
> > > > > > > >
> > > > > > > >     public static void main(String[] args) throws Exception {
> > > > > > > >         try {
> > > > > > > >             // Uses the trust store given via -Djavax.net.ssl.trustStore
> > > > > > > >             SSLSocketFactory factory =
> > > > > > > >                 (SSLSocketFactory) SSLSocketFactory.getDefault();
> > > > > > > >             SSLSocket socket =
> > > > > > > >                 (SSLSocket) factory.createSocket("cp-kafka1", 9093);
> > > > > > > >
> > > > > > > >             /*
> > > > > > > >              * Before any application data is sent or received, the
> > > > > > > >              * SSL socket will do SSL handshaking first to set up
> > > > > > > >              * the security attributes.
> > > > > > > >              *
> > > > > > > >              * SSL handshaking can be initiated by either flushing data
> > > > > > > >              * down the pipe, or by starting the handshaking by hand.
> > > > > > > >              *
> > > > > > > >              * Handshaking is started manually in this example because
> > > > > > > >              * PrintWriter catches all IOExceptions (including
> > > > > > > >              * SSLExceptions), sets an internal error flag, and then
> > > > > > > >              * returns without rethrowing the exception.
> > > > > > > >              *
> > > > > > > >              * Unfortunately, this means any error messages are lost,
> > > > > > > >              * which caused lots of confusion for others using this
> > > > > > > >              * code.  The only way to tell there was an error is to call
> > > > > > > >              * PrintWriter.checkError().
> > > > > > > >              */
> > > > > > > >             socket.startHandshake();
> > > > > > > >             // A handshake that returns without an exception means the
> > > > > > > >             // server's certificate chain was accepted by the trust store.
> > > > > > > >             System.out.println("TLS handshake OK: "
> > > > > > > >                     + socket.getSession().getProtocol());
> > > > > > > >
> > > > > > > >             socket.close();
> > > > > > > >         } catch (Exception e) {
> > > > > > > >             e.printStackTrace();
> > > > > > > >         }
> > > > > > > >     }
> > > > > > > > }
> > > > > > > >
> > > > > > > > On Thu, Jun 24, 2021 at 8:17 PM Anjali Sharma <sharma.anjali.2699@gmail.com>
> > > > > > > > wrote:
> > > > > > > >
> > > > > > > > > Had added those configurations but still seeing only junk
> > > > > > > > > certificates from client side? Any idea how to solve?
> > > > > > > > >
> > > > > > > > > Thanks
> > > > > > > > > Anjali
> > > > > > > > >
> > > > > > > > > On Thu, Jun 24, 2021, 17:44 Shilin Wu <shwu@confluent.io.invalid> wrote:
> > > > > > > > >
> > > > > > > > > > ssl.truststore.location=/root/truststore.jks
> > > > > > > > > > ssl.truststore.type=JKS
> > > > > > > > > > ssl.truststore.password=changeme
> > > > > > > > > > ssl.keystore.location=/root/alice.jks
> > > > > > > > > > ssl.keystore.type=JKS
> > > > > > > > > > ssl.keystore.password=changeme
> > > > > > > > > > security.protocol=SSL
> > > > > > > > > > bootstrap.servers=cp-kafka1:9093
> > > > > > > > > > ssl.endpoint.identification.algorithm=https
> > > > > > > > > >
> > > > > > > > > > This worked for me pretty well.
> > > > > > > > > >
> > > > > > > > > > Of course you need to generate those certs from openssl.
> > > > > > > > > >
> > > > > > > > > > The trust store only contains the CA cert, the key store contains
> > > > > > > > > > the keypair for alice (the user here).
> > > > > > > > > >
> > > > > > > > > > On Thu, Jun 24, 2021 at 11:38 AM Anjali Sharma <sharma.anjali.2699@gmail.com>
> > > > > > > > > > wrote:
> > > > > > > > > >
> > > > > > > > > > > Thanks for this info, can you please share what all needs to be
> > > > > > > > > > > present on the client side for mtls, as in what all configuration
> > > > > > > > > > > are needed that side?
> > > > > > > > > > >
> > > > > > > > > > > Thanks
> > > > > > > > > > >
> > > > > > > > > > > On Thu, Jun 24, 2021, 07:51 Shilin Wu <shwu@confluent.io.invalid> wrote:
> > > > > > > > > > >
> > > > > > > > > > > > A few things to check:
> > > > > > > > > > > >
> > > > > > > > > > > > 1. Client trust store needs to trust the server cert's issuer
> > > > > > > > > > > > cert (AKA the CA cert)
> > > > > > > > > > > > 2. The client must have a keystore that can be trusted by the
> > > > > > > > > > > > server's trust store.
> > > > > > > > > > > > 3. The server needs to be accessed either via FQDN, or one of
> > > > > > > > > > > > the SAN addresses. If you are doing self sign, you can add many
> > > > > > > > > > > > DNS aliases and even IP addresses to the server's cert.
> > > > > > > > > > > > 4. Make sure the server cert has extended key usage of
> > > > > > > > > > > > serverAuth, and the client cert has extended key usage of
> > > > > > > > > > > > clientAuth. Actually you can have both - if you are generating
> > > > > > > > > > > > yourself.
> > > > > > > > > > > >
> > > > > > > > > > > > On Thu, Jun 24, 2021 at 12:37 AM Anjali Sharma <sharma.anjali.2699@gmail.com>
> > > > > > > > > > > > wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > > Hi All,
> > > > > > > > > > > > >
> > > > > > > > > > > > > While trying for mTLS with ssl.client.auth=required, from the
> > > > > > > > > > > > > client side we are seeing some junk certificates which we have
> > > > > > > > > > > > > not imported on the client side?
> > > > > > > > > > > > >
> > > > > > > > > > > > > Please help with this?
> > > > > > > > > > > > >
> > > > > > > > > > > > > Thanks & Regards
> > > > > > > > > > > > >
> > > > > > > > > > > > > Anjali
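As an added example (not code from the thread, from Confluent or from Kafka), here is a Python probe that does what Shilin's openssl s_client step does and sorts the outcome by his checklist: no TCP connection at all, a listener that does not speak TLS, a server certificate the trust store or hostname check rejects (items 1 and 3), or an alert from the broker after the client certificate was offered (item 2). The function names are mine, cafile/certfile stand in for the truststore and keystore of the posted client config, and the loopback listener is a constructed stand-in for a PLAINTEXT port.

```python
import socket
import ssl
import threading

# OpenSSL reasons seen when the bytes coming back are not a TLS record at all
# (a PLAINTEXT listener, or a peer that hung up without answering).
_NOT_TLS_REASONS = {"WRONG_VERSION_NUMBER", "UNKNOWN_PROTOCOL", "HTTP_REQUEST",
                    "PACKET_LENGTH_TOO_LONG", "UNEXPECTED_EOF_WHILE_READING"}


def classify_tls_endpoint(host, port, cafile=None, certfile=None, keyfile=None,
                          timeout=5.0):
    """Connect like `openssl s_client -connect host:port`; the returned dict's
    'status' names the part of the mTLS checklist that failed.
    cafile stands in for ssl.truststore.location (CA cert only) and certfile
    for ssl.keystore.location (client cert + key)."""
    # create_default_context verifies the server chain against cafile (or the
    # system store) and checks the hostname against CN/SAN, which is what
    # ssl.endpoint.identification.algorithm=https does in the Kafka client.
    ctx = ssl.create_default_context(cafile=cafile)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)  # sent only if the broker asks

    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        # Nothing listening or unreachable: not a TLS problem at all.
        return {"status": "tcp_failed", "detail": str(exc)}

    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "status": "tls_ok",
                "protocol": tls.version(),
                "subject": dict(rdn[0] for rdn in cert.get("subject", ())),
                "san": cert.get("subjectAltName", ()),
            }
    except ssl.SSLCertVerificationError as exc:
        # Checklist items 1 and 3: issuer not in the trust store, or the name
        # we dialled is neither the CN nor one of the SANs.
        return {"status": "server_cert_not_trusted", "detail": exc.verify_message}
    except ssl.SSLError as exc:
        reason = exc.reason or ""
        if isinstance(exc, ssl.SSLEOFError) or reason in _NOT_TLS_REASONS:
            # The listener answered with something that is not a TLS record:
            # the port is most likely a PLAINTEXT listener, not an SSL one.
            return {"status": "not_tls", "detail": reason or str(exc)}
        # Otherwise the broker sent an alert, typically because it did not
        # trust (or did not receive) our client certificate: checklist item 2.
        return {"status": "rejected_by_server", "detail": reason}
    except OSError as exc:
        # Reset mid-handshake; in practice usually also a non-TLS listener.
        return {"status": "connection_dropped", "detail": str(exc)}
    finally:
        raw.close()


def start_plaintext_listener():
    """Constructed stand-in for a broker PLAINTEXT listener on loopback: reads
    whatever arrives (our ClientHello) and replies with non-TLS bytes."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        srv.close()
        conn.settimeout(5)
        with conn:
            conn.recv(4096)
            conn.sendall(b"not a tls listener\r\n")
            conn.shutdown(socket.SHUT_WR)
            try:
                while conn.recv(4096):  # drain until the probe hangs up (no RST)
                    pass
            except OSError:
                pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def unused_port():
    """A loopback port with nothing listening, for the 'tcp_failed' branch."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Probe both constructed cases; returns ('not_tls', 'tcp_failed')."""
    plain = classify_tls_endpoint("127.0.0.1", start_plaintext_listener())
    closed = classify_tls_endpoint("127.0.0.1", unused_port())
    return plain["status"], closed["status"]
```

The Java consumer's `Unsupported record version Unknown-211.79` is the same symptom as OpenSSL's WRONG_VERSION_NUMBER: the two bytes where a TLS version should be were not one, so the first thing to confirm is that the port is an SSL listener at all.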

Re: Mtls not working

Posted by Anjali Sharma <sh...@gmail.com>.
But in the pcap I am able to see that it is taking some junk certificates
from client side

On Thu, Jun 24, 2021, 21:58 Ran Lupovich <ra...@gmail.com> wrote:

> Make sure that the date and time on the server is correct (The wrong time
> will cause the SSL certificate connection to fail).

Re: Mtls not working

Posted by Ran Lupovich <ra...@gmail.com>.
Make sure that the date and time on the server is correct (The wrong time
will cause the SSL certificate connection to fail).

On Thu, Jun 24, 2021, 19:18, Anjali Sharma <sharma.anjali.2699@gmail.com> wrote:

> openssl s_client -connect 10.54.65.99:28105
> socket: Bad file descriptor
> connect:errno=9
>
> This is the output we are getting
>
>
> On Thu, Jun 24, 2021 at 6:04 PM Shilin Wu <sh...@confluent.io.invalid>
> wrote:
>
> > I think your port may not even be enabled with SSL.
> >
> > do this
> > "openssl s_client -connect <host>:<port>"
> > and show the result ?
> >
> >
> >
> > On Thu, Jun 24, 2021 at 8:32 PM Anjali Sharma <
> > sharma.anjali.2699@gmail.com>
> > wrote:
> >
> > > This is the error we are getting
> > >
> > >
> > >   [2021-06-22 10:59:45,049] ERROR [Consumer clientId=consumer-1,
> > > groupId=test-consumer-group] Connection to node -1 failed authentication
> > > due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient)
> > > [2021-06-22 10:59:45,051] ERROR Authentication failed: terminating consumer
> > > process (kafka.tools.ConsoleConsumer$)
> > > org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
> > > Caused by: javax.net.ssl.SSLException: Unsupported record version Unknown-211.79
> > >
> > >
> > > On Thu, Jun 24, 2021, 17:59 Shilin Wu <sh...@confluent.io.invalid>
> > > wrote:
> > >
> > > > You need to make sure of the following one by one... Or you can post the
> > > > error message here so we can see the exact error.
> > > >
> > > >
> > > > > > > > > 1. Client trust store needs to trust the server cert's issuer cert
> > > > > > > > > (AKA the CA cert)
> > > > > > > > > 2. The client must have a keystore that can be trusted by the
> > > > > > > > > server's trust store.
> > > > > > > > > 3. The server needs to be accessed either via FQDN, or one of the
> > > > > > > > > SAN addresses. If you are doing self-signing, you can add many DNS
> > > > > > > > > aliases and even IP addresses to the server's cert.
> > > > > > > > > 4. Make sure the server cert has extended key usage of serverAuth,
> > > > > > > > > and the client cert has extended key usage of clientAuth. Actually
> > > > > > > > > you can have both - if you are generating them yourself.
> > > >
> > > > On Thu, Jun 24, 2021 at 8:26 PM Anjali Sharma <
> > > > sharma.anjali.2699@gmail.com>
> > > > wrote:
> > > >
> > > > > Thanks for this, but we are trying to do this on the command line and are
> > > > > getting this bad certificate error
> > > > >
> > > > > On Thu, Jun 24, 2021, 17:52 Shilin Wu <sh...@confluent.io.invalid>
> > > > > wrote:
> > > > >
> > > > > > You may do openssl s_client -connect kafkahost:port to dump the cert.
> > > > > >
> > > > > > See if the cert makes sense.
> > > > > >
> > > > > > To test if your SSL works, you may try to use this Java program to test
> > > > > > if you have an SSL trust issue - if it connects OK, the cert trust is
> > > > > > most likely okay. (Remember to change your host name in the code, and
> > > > > > the jks path in the command line options.)
> > > > > >
> > > > > >
> > > > > > java -Djavax.net.ssl.trustStore=truststore.jks \
> > > > > >      -Djavax.net.ssl.trustStorePassword=changeme Test
> > > > > >
> > > > > > import javax.net.ssl.SSLSocket;
> > > > > > import javax.net.ssl.SSLSocketFactory;
> > > > > >
> > > > > > /*
> > > > > >  * This example demonstrates how to use an SSLSocket as a client to open
> > > > > >  * a TLS connection to a server and complete the handshake. The trust
> > > > > >  * store comes from the javax.net.ssl.trustStore system properties passed
> > > > > >  * on the command line above. It assumes that the client is not behind a
> > > > > >  * firewall.
> > > > > >  */
> > > > > > public class Test {
> > > > > >
> > > > > >     public static void main(String[] args) throws Exception {
> > > > > >         try {
> > > > > >             SSLSocketFactory factory =
> > > > > >                 (SSLSocketFactory) SSLSocketFactory.getDefault();
> > > > > >             // Change these to your broker's host name and SSL listener port.
> > > > > >             SSLSocket socket =
> > > > > >                 (SSLSocket) factory.createSocket("cp-kafka1", 9093);
> > > > > >
> > > > > >             /*
> > > > > >              * Before any application data is sent or received, the
> > > > > >              * SSL socket will do SSL handshaking first to set up
> > > > > >              * the security attributes.
> > > > > >              *
> > > > > >              * SSL handshaking can be initiated by either flushing data
> > > > > >              * down the pipe, or by starting the handshaking by hand.
> > > > > >              *
> > > > > >              * Handshaking is started manually in this example because
> > > > > >              * PrintWriter catches all IOExceptions (including
> > > > > >              * SSLExceptions), sets an internal error flag, and then
> > > > > >              * returns without rethrowing the exception, so any error
> > > > > >              * messages would be lost. Calling startHandshake() directly
> > > > > >              * makes a trust or host name failure surface as an exception.
> > > > > >              */
> > > > > >             socket.startHandshake();
> > > > > >             System.out.println("Handshake OK: "
> > > > > >                 + socket.getSession().getProtocol() + " "
> > > > > >                 + socket.getSession().getCipherSuite());
> > > > > >             socket.close();
> > > > > >         } catch (Exception e) {
> > > > > >             e.printStackTrace();
> > > > > >         }
> > > > > >     }
> > > > > > }
> > > > > >
> > > > > > On Thu, Jun 24, 2021 at 8:17 PM Anjali Sharma <
> > > > > > sharma.anjali.2699@gmail.com>
> > > > > > wrote:
> > > > > >
> > > > > > > I had added those configurations but am still seeing only junk
> > > > > > > certificates from the client side. Any idea how to solve this?
> > > > > > >
> > > > > > >
> > > > > > > Thanks
> > > > > > > Anjali
> > > > > > >
> > > > > > > On Thu, Jun 24, 2021, 17:44 Shilin Wu <shwu@confluent.io.invalid>
> > > > > > > wrote:
> > > > > > >
> > > > > > > > ssl.truststore.location=/root/truststore.jks
> > > > > > > > ssl.truststore.type=JKS
> > > > > > > > ssl.truststore.password=changeme
> > > > > > > > ssl.keystore.location=/root/alice.jks
> > > > > > > > ssl.keystore.type=JKS
> > > > > > > > ssl.keystore.password=changeme
> > > > > > > > security.protocol=SSL
> > > > > > > > bootstrap.servers=cp-kafka1:9093
> > > > > > > > ssl.endpoint.identification.algorithm=https
> > > > > > > >
> > > > > > > > This worked for me pretty well.
> > > > > > > >
> > > > > > > > Of course you need to generate those certs with OpenSSL.
> > > > > > > >
> > > > > > > > The trust store only contains the CA cert; the key store contains the
> > > > > > > > keypair for alice (the user here).
> > > > > > > >
> > > > > > > > On Thu, Jun 24, 2021 at 11:38 AM Anjali Sharma <
> > > > > > > > sharma.anjali.2699@gmail.com>
> > > > > > > > wrote:
> > > > > > > >
> > > > > > > > > Thanks for this info. Can you please share what all needs to be
> > > > > > > > > present on the client side for mTLS, as in what all configuration is
> > > > > > > > > needed on that side?
> > > > > > > > >
> > > > > > > > > Thanks
> > > > > > > > >
> > > > > > > > > On Thu, Jun 24, 2021, 07:51 Shilin Wu <shwu@confluent.io.invalid>
> > > > > > > > > wrote:
> > > > > > > > >
> > > > > > > > > > A few things to check:
> > > > > > > > > >
> > > > > > > > > > 1. Client trust store needs to trust the server cert's issuer cert
> > > > > > > > > > (AKA the CA cert)
> > > > > > > > > > 2. The client must have a keystore that can be trusted by the
> > > > > > > > > > server's trust store.
> > > > > > > > > > 3. The server needs to be accessed either via FQDN, or one of the
> > > > > > > > > > SAN addresses. If you are doing self-signing, you can add many DNS
> > > > > > > > > > aliases and even IP addresses to the server's cert.
> > > > > > > > > > 4. Make sure the server cert has extended key usage of serverAuth,
> > > > > > > > > > and the client cert has extended key usage of clientAuth. Actually
> > > > > > > > > > you can have both - if you are generating them yourself.
> > > > > > > > > >
> > > > > > > > > > On Thu, Jun 24, 2021 at 12:37 AM Anjali Sharma <
> > > > > > > > > > sharma.anjali.2699@gmail.com>
> > > > > > > > > > wrote:
> > > > > > > > > >
> > > > > > > > > > > Hi All,
> > > > > > > > > > >
> > > > > > > > > > > While trying for mTLS with ssl.client.auth=required, from the
> > > > > > > > > > > client side we are seeing some junk certificates which we have
> > > > > > > > > > > not imported on the client side?
> > > > > > > > > > >
> > > > > > > > > > > Please help with this?
> > > > > > > > > > >
> > > > > > > > > > > Thanks & Regards
> > > > > > > > > > >
> > > > > > > > > > > Anjali
> > > > > > > > > > >

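The error quoted in this thread, javax.net.ssl.SSLException: Unsupported record version Unknown-211.79, is JSSE's way of saying that the first bytes back from the server looked like a TLS handshake or alert record but carried version bytes 211.79 (0xD3 0x4F), which no SSL/TLS version uses; whatever answered on that port was not speaking TLS, which is exactly what Shilin's suggestion to run openssl s_client against it is meant to confirm. The Python script below is an added example, not code posted in the thread or part of Kafka: it decodes that Java message back to the raw bytes, classifies the first bytes of any reply the way JSSE does, and can probe a host:port directly with a minimal ClientHello. The byte strings in its self-check are constructed, not captured from Anjali's setup, and cp-kafka1:9093 is only a placeholder.

```python
"""Tell a TLS listener from a non-TLS one by looking at the first bytes the
server sends back, and decode JSSE's "Unsupported record version Unknown-X.Y".

Added example for the thread above, not code posted in it or part of Kafka.
The byte strings used in the self-check are constructed, not captured traffic;
the default host and port in __main__ are placeholders.
"""
import os
import re
import socket

# TLS record content types (RFC 5246, section 6.2.1).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
# Record-layer versions a real SSL/TLS server can write into a record
# header.  TLS 1.3 servers still write 0x0303 here (RFC 8446, section 5.1).
RECORD_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0",
                   (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
MAX_RECORD_LEN = 2 ** 14 + 2048          # TLSCiphertext.length upper bound


def jsse_unknown_version_bytes(message: str) -> bytes:
    """JSSE prints an unrecognised record-layer version as
    'Unknown-<major>.<minor>': the two version bytes as unsigned decimals.
    Recover the raw bytes so they can be matched against a pcap."""
    m = re.search(r"Unknown-(\d{1,3})\.(\d{1,3})", message)
    if m is None:
        raise ValueError("no 'Unknown-<major>.<minor>' token in %r" % message)
    major, minor = int(m.group(1)), int(m.group(2))
    if max(major, minor) > 255:
        raise ValueError("version bytes out of range in %r" % message)
    return bytes((major, minor))


def classify_record_header(first_bytes: bytes) -> dict:
    """Classify the first five bytes a server sent in reply to a ClientHello.

    A TLS server answers with a record header: content type (1 byte),
    version (2 bytes), length (2 bytes).  Anything else means the port is
    not speaking TLS.  'java_error' is the message JSSE's input record
    parser raises for such a header, so it can be matched to client logs."""
    if not first_bytes:
        return {"tls": False, "reason": "peer closed without sending data"}
    if len(first_bytes) < 5:
        return {"tls": False, "reason": "short reply (%d bytes)" % len(first_bytes)}
    ctype, major, minor = first_bytes[0], first_bytes[1], first_bytes[2]
    length = int.from_bytes(first_bytes[3:5], "big")
    version = RECORD_VERSIONS.get((major, minor))
    if ctype in CONTENT_TYPES and version is not None and length <= MAX_RECORD_LEN:
        return {"tls": True, "content_type": CONTENT_TYPES[ctype],
                "version": version, "length": length}
    if ctype in (21, 22):
        # Looks like an alert/handshake record but the version bytes are
        # garbage: the Unknown-211.79 case from the thread (0xD3 0x4F).
        java_error = "Unsupported record version Unknown-%d.%d" % (major, minor)
    else:
        java_error = "Unrecognized SSL message, plaintext connection?"
    return {"tls": False, "java_error": java_error,
            "reason": "not a TLS record header: type=%d version=%d.%d"
                      % (ctype, major, minor)}


def minimal_client_hello() -> bytes:
    """A bare TLS 1.2 ClientHello with no extensions.  Any TLS server answers
    it with a record (a ServerHello or an alert), which is all the probe
    needs; a non-TLS service answers with something else or just closes."""
    suites = b"".join(s.to_bytes(2, "big")
                      for s in (0xC02F, 0xC030, 0x009C, 0x009D, 0x002F, 0x0035))
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"   # version, random, no session id
            + len(suites).to_bytes(2, "big") + suites
            + b"\x01\x00")                           # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # client_hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def probe(host: str, port: int, timeout: float = 5.0) -> dict:
    """Connect, send the ClientHello and classify the first bytes back: the
    first step of 'openssl s_client -connect host:port', but reporting the
    raw record header instead of a certificate dump."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(minimal_client_hello())
        reply = b""
        try:
            while len(reply) < 5:
                chunk = sock.recv(5 - len(reply))
                if not chunk:
                    break
                reply += chunk
        except socket.timeout:
            return {"tls": False, "reason": "no reply within %.0fs" % timeout}
    return classify_record_header(reply)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 2 else "cp-kafka1"   # placeholders
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 9093
    print(probe(host, port))
```

Save it under any name and run it with the broker host and port as arguments. A reply with tls True is a TLS listener even when the record is an alert (the server rejected the bare ClientHello, which is fine for this purpose); an empty reply or a non-TLS header means the port is not an SSL listener, which is the same verdict openssl s_client would give, while the certificate problems on Shilin's checklist only become visible once the port actually speaks TLS.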
Re: Mtls not working

Posted by Anjali Sharma <sh...@gmail.com>.
openssl s_client -connect 10.54.65.99:28105
socket: Bad file descriptor
connect:errno=9

This is the output we are getting


On Thu, Jun 24, 2021 at 6:04 PM Shilin Wu <sh...@confluent.io.invalid> wrote:

> I think your port may not even be enabled with SSL.
>
> do this
> "openssl s_client -connect <host>:<port>"
> and show the result?
>
>
> On Thu, Jun 24, 2021 at 8:32 PM Anjali Sharma <
> sharma.anjali.2699@gmail.com>
> wrote:
>
> > This is the error we are getting
> >
> >
> >   [2021-06-22 10:59:45,049] ERROR [Consumer clientId=consumer-1,
> > groupId=test-consumer-group] Connection to node -1 failed authentication
> > due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient)
> > [2021-06-22 10:59:45,051] ERROR Authentication failed: terminating consumer
> > process (kafka.tools.ConsoleConsumer$)
> > org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
> > Caused by: javax.net.ssl.SSLException: Unsupported record version Unknown-211.79
> >
> >
> > On Thu, Jun 24, 2021, 17:59 Shilin Wu <sh...@confluent.io.invalid> wrote:
> >
> > > You need to make sure of the following one by one... Or you can post the
> > > error message here so we can see the exact error.
> > >
> > >
> > > > > > > > 1. Client trust store needs to trust the server cert's issuer cert
> > > > > > > > (AKA the CA cert)
> > > > > > > > 2. The client must have a keystore that can be trusted by the
> > > > > > > > server's trust store.
> > > > > > > > 3. The server needs to be accessed either via FQDN, or one of the
> > > > > > > > SAN addresses. If you are doing self-signing, you can add many DNS
> > > > > > > > aliases and even IP addresses to the server's cert.
> > > > > > > > 4. Make sure the server cert has extended key usage of serverAuth,
> > > > > > > > and the client cert has extended key usage of clientAuth. Actually
> > > > > > > > you can have both - if you are generating them yourself.
> > >
> > > On Thu, Jun 24, 2021 at 8:26 PM Anjali Sharma <
> > > sharma.anjali.2699@gmail.com>
> > > wrote:
> > >
> > > > Thanks for this, but we are trying to do this on the command line and are
> > > > getting this bad certificate error
> > > >
> > > > On Thu, Jun 24, 2021, 17:52 Shilin Wu <sh...@confluent.io.invalid>
> > > > wrote:
> > > >
> > > > > You may do openssl s_client -connect kafkahost:port to dump the cert.
> > > > >
> > > > > See if the cert makes sense.
> > > > >
> > > > > To test if your SSL works, you may try to use this Java program to test
> > > > > if you have an SSL trust issue - if it connects OK, the cert trust is
> > > > > most likely okay. (Remember to change your host name in the code, and
> > > > > the jks path in the command line options.)
> > > > >
> > > > >
> > > > > java -Djavax.net.ssl.trustStore=truststore.jks \
> > > > >      -Djavax.net.ssl.trustStorePassword=changeme Test
> > > > >
> > > > > import javax.net.ssl.SSLSocket;
> > > > > import javax.net.ssl.SSLSocketFactory;
> > > > >
> > > > > /*
> > > > >  * This example demonstrates how to use an SSLSocket as a client to open
> > > > >  * a TLS connection to a server and complete the handshake. The trust
> > > > >  * store comes from the javax.net.ssl.trustStore system properties passed
> > > > >  * on the command line above. It assumes that the client is not behind a
> > > > >  * firewall.
> > > > >  */
> > > > > public class Test {
> > > > >
> > > > >     public static void main(String[] args) throws Exception {
> > > > >         try {
> > > > >             SSLSocketFactory factory =
> > > > >                 (SSLSocketFactory) SSLSocketFactory.getDefault();
> > > > >             // Change these to your broker's host name and SSL listener port.
> > > > >             SSLSocket socket =
> > > > >                 (SSLSocket) factory.createSocket("cp-kafka1", 9093);
> > > > >
> > > > >             /*
> > > > >              * Before any application data is sent or received, the
> > > > >              * SSL socket will do SSL handshaking first to set up
> > > > >              * the security attributes.
> > > > >              *
> > > > >              * SSL handshaking can be initiated by either flushing data
> > > > >              * down the pipe, or by starting the handshaking by hand.
> > > > >              *
> > > > >              * Handshaking is started manually in this example because
> > > > >              * PrintWriter catches all IOExceptions (including
> > > > >              * SSLExceptions), sets an internal error flag, and then
> > > > >              * returns without rethrowing the exception, so any error
> > > > >              * messages would be lost. Calling startHandshake() directly
> > > > >              * makes a trust or host name failure surface as an exception.
> > > > >              */
> > > > >             socket.startHandshake();
> > > > >             System.out.println("Handshake OK: "
> > > > >                 + socket.getSession().getProtocol() + " "
> > > > >                 + socket.getSession().getCipherSuite());
> > > > >             socket.close();
> > > > >         } catch (Exception e) {
> > > > >             e.printStackTrace();
> > > > >         }
> > > > >     }
> > > > > }
> > > > >
> > > > > On Thu, Jun 24, 2021 at 8:17 PM Anjali Sharma <
> > > > > sharma.anjali.2699@gmail.com>
> > > > > wrote:
> > > > >
> > > > > > I had added those configurations but am still seeing only junk
> > > > > > certificates from the client side. Any idea how to solve this?
> > > > > >
> > > > > >
> > > > > > Thanks
> > > > > > Anjali
> > > > > >
> > > > > > On Thu, Jun 24, 2021, 17:44 Shilin Wu <shwu@confluent.io.invalid>
> > > > > > wrote:
> > > > > >
> > > > > > > ssl.truststore.location=/root/truststore.jks
> > > > > > > ssl.truststore.type=JKS
> > > > > > > ssl.truststore.password=changeme
> > > > > > > ssl.keystore.location=/root/alice.jks
> > > > > > > ssl.keystore.type=JKS
> > > > > > > ssl.keystore.password=changeme
> > > > > > > security.protocol=SSL
> > > > > > > bootstrap.servers=cp-kafka1:9093
> > > > > > > ssl.endpoint.identification.algorithm=https
> > > > > > >
> > > > > > > This worked for me pretty well.
> > > > > > >
> > > > > > > Of course you need to generate those certs with OpenSSL.
> > > > > > >
> > > > > > > The trust store only contains the CA cert; the key store contains the
> > > > > > > keypair for alice (the user here).
> > > > > > >
> > > > > > > On Thu, Jun 24, 2021 at 11:38 AM Anjali Sharma <
> > > > > > > sharma.anjali.2699@gmail.com>
> > > > > > > wrote:
> > > > > > >
> > > > > > > > Thanks for this info. Can you please share what all needs to be
> > > > > > > > present on the client side for mTLS, as in what all configuration is
> > > > > > > > needed on that side?
> > > > > > > >
> > > > > > > > Thanks
> > > > > > > >
> > > > > > > > On Thu, Jun 24, 2021, 07:51 Shilin Wu <shwu@confluent.io.invalid>
> > > > > > > > wrote:
> > > > > > > >
> > > > > > > > > A few things to check:
> > > > > > > > >
> > > > > > > > > 1. Client trust store needs to trust the server cert's issuer cert
> > > > > > > > > (AKA the CA cert)
> > > > > > > > > 2. The client must have a keystore that can be trusted by the
> > > > > > > > > server's trust store.
> > > > > > > > > 3. The server needs to be accessed either via FQDN, or one of the
> > > > > > > > > SAN addresses. If you are doing self-signing, you can add many DNS
> > > > > > > > > aliases and even IP addresses to the server's cert.
> > > > > > > > > 4. Make sure the server cert has extended key usage of serverAuth,
> > > > > > > > > and the client cert has extended key usage of clientAuth. Actually
> > > > > > > > > you can have both - if you are generating them yourself.
> > > > > > > > >
> > > > > > > > > On Thu, Jun 24, 2021 at 12:37 AM Anjali Sharma <
> > > > > > > > > sharma.anjali.2699@gmail.com>
> > > > > > > > > wrote:
> > > > > > > > >
> > > > > > > > > > Hi All,
> > > > > > > > > >
> > > > > > > > > > While trying for mTLS with ssl.client.auth=required, from the
> > > > > > > > > > client side we are seeing some junk certificates which we have
> > > > > > > > > > not imported on the client side?
> > > > > > > > > >
> > > > > > > > > > Please help with this?
> > > > > > > > > >
> > > > > > > > > > Thanks & Regards
> > > > > > > > > >
> > > > > > > > > > Anjali
> > > > > > > > > >

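Two of the property names as posted in this thread are misspelled: the original question has ssl.client.aut and the client snippet has bootstrap.server, while Kafka expects ssl.client.auth and bootstrap.servers, and for a key it does not recognise it only logs a warning ("was supplied but isn't a known config") and carries on without it. Before reading packet captures it is worth checking that the two sides of the connection even agree on what they are doing. The Python script below is an added example, not code posted in the thread or part of Kafka: it cross-checks a broker's listeners against a client's SSL properties and flags unknown keys, a TLS client pointed at a PLAINTEXT port, a missing trust store, and a missing keystore when the broker has ssl.client.auth=required. The property texts in it are constructed to mirror the snippets quoted above and are not a real deployment.

```python
"""Cross-check a Kafka broker's listener settings against a client's SSL
properties before chasing a handshake failure packet by packet.
Added example for the thread above, not code posted in it or part of Kafka.
The sample properties below are constructed to mirror the snippets and typos
quoted above (cp-kafka1:9093, alice.jks) and are not a real deployment."""
from urllib.parse import urlparse

SECURITY_PROTOCOLS = {"PLAINTEXT", "SSL", "SASL_PLAINTEXT", "SASL_SSL"}
# TLS-relevant property names Kafka recognises.  For anything else Kafka only
# logs "was supplied but isn't a known config" and carries on without it,
# which is how a typo turns into a mysterious handshake failure.
BROKER_KEYS = {"listeners", "advertised.listeners", "listener.security.protocol.map",
               "inter.broker.listener.name", "ssl.client.auth", "ssl.keystore.location",
               "ssl.keystore.password", "ssl.key.password", "ssl.truststore.location",
               "ssl.truststore.password"}
CLIENT_KEYS = {"bootstrap.servers", "security.protocol", "ssl.truststore.location",
               "ssl.truststore.type", "ssl.truststore.password", "ssl.keystore.location",
               "ssl.keystore.type", "ssl.keystore.password", "ssl.key.password",
               "ssl.endpoint.identification.algorithm"}

def parse_properties(text: str) -> dict:
    """Minimal java.util.Properties reader: key=value per line, #/! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def listener_protocols(broker: dict) -> dict:
    """Map each listening port to its security protocol.  A listener name is
    the protocol itself unless listener.security.protocol.map renames it."""
    proto_map = {}
    for item in filter(None, broker.get("listener.security.protocol.map", "").split(",")):
        name, _, proto = item.partition(":")
        proto_map[name.strip().upper()] = proto.strip().upper()
    ports = {}
    for item in filter(None, broker.get("listeners", "").split(",")):
        url = urlparse(item.strip())
        name = url.scheme.upper()
        ports[url.port] = proto_map.get(name, name if name in SECURITY_PROTOCOLS else None)
    return ports

def check(broker_text: str, client_text: str) -> list:
    """Return human-readable findings; an empty list means both sides agree."""
    broker, client = parse_properties(broker_text), parse_properties(client_text)
    findings = ["broker: unknown property %r (typo? Kafka only warns and ignores it)" % k
                for k in broker if k not in BROKER_KEYS]
    findings += ["client: unknown property %r (typo? Kafka only warns and ignores it)" % k
                 for k in client if k not in CLIENT_KEYS]
    proto = client.get("security.protocol", "PLAINTEXT").upper()
    ports = listener_protocols(broker)
    if "bootstrap.servers" not in client:
        findings.append("client: bootstrap.servers is not set")
    for entry in filter(None, client.get("bootstrap.servers", "").split(",")):
        _, _, port = entry.strip().rpartition(":")
        listener = ports.get(int(port)) if port.isdigit() else None
        if listener is None:
            findings.append("client: no broker listener found for %r" % entry.strip())
        elif listener != proto:
            findings.append("client: security.protocol=%s but port %s is a %s listener, "
                            "so the handshake cannot succeed" % (proto, port, listener))
    if proto.endswith("SSL") and "ssl.truststore.location" not in client:
        findings.append("client: TLS protocol but no ssl.truststore.location set "
                        "(the JVM default trust store will be used)")
    if (broker.get("ssl.client.auth", "none").lower() == "required"
            and "ssl.keystore.location" not in client):
        findings.append("client: broker has ssl.client.auth=required but the client has "
                        "no ssl.keystore.location, so it cannot present a certificate")
    return findings

# Constructed sample configs mirroring the thread (not a real deployment).
BROKER_AS_POSTED = """
listeners=PLAINTEXT://:9092,SSL://:9093
ssl.keystore.location=/var/ssl/private/broker.jks
ssl.keystore.password=changeme
ssl.truststore.location=/var/ssl/private/truststore.jks
ssl.truststore.password=changeme
ssl.client.aut=required
"""
CLIENT_AS_POSTED = """
ssl.truststore.location=/root/truststore.jks
ssl.truststore.password=changeme
ssl.keystore.location=/root/alice.jks
ssl.keystore.password=changeme
security.protocol=SSL
bootstrap.server=cp-kafka1:9093
ssl.endpoint.identification.algorithm=https
"""
BROKER_FIXED = BROKER_AS_POSTED.replace("ssl.client.aut=", "ssl.client.auth=")
CLIENT_FIXED = CLIENT_AS_POSTED.replace("bootstrap.server=", "bootstrap.servers=")
CLIENT_WRONG_PORT = CLIENT_FIXED.replace(":9093", ":9092")

if __name__ == "__main__":
    for label, b, c in (("as posted", BROKER_AS_POSTED, CLIENT_AS_POSTED),
                        ("wrong port", BROKER_FIXED, CLIENT_WRONG_PORT),
                        ("fixed", BROKER_FIXED, CLIENT_FIXED)):
        print(label + ":", check(b, c) or ["OK"])
```

Run as a script it prints three scenarios: the configuration as posted (two unknown keys and therefore no bootstrap.servers at all), a corrected client pointed at the PLAINTEXT port, and a clean pair that passes. It does not look inside the keystores; the certificate conditions in Shilin's list (CA trust, a SAN matching the bootstrap host, serverAuth and clientAuth extended key usage) still have to be checked with keytool or openssl once the properties line up.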
Re: Mtls not working

Posted by Shilin Wu <sh...@confluent.io.INVALID>.
I think your port may not even be enabled with SSL.

do this
"openssl s_client -connect <host>:<port>"
and show the result?

On Thu, Jun 24, 2021 at 8:32 PM Anjali Sharma <sh...@gmail.com>
wrote:

> This is the error we are getting
>
>
>   [2021-06-22 10:59:45,049] ERROR [Consumer clientId=consumer-1,
> groupId=test-consumer-group] Connection to node -1 failed authentication
> due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient)
> [2021-06-22 10:59:45,051] ERROR Authentication failed: terminating consumer
> process (kafka.tools.ConsoleConsumer$)
> org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
> Caused by: javax.net.ssl.SSLException: Unsupported record version Unknown-211.79
>
>
> On Thu, Jun 24, 2021, 17:59 Shilin Wu <sh...@confluent.io.invalid> wrote:
>
> > You need to make sure of the following one by one... Or you can post the
> > error message here so we can see the exact error.
> >
> >
> > > > > > > 1. Client trust store needs to trust the server cert's issuer cert
> > > > > > > (AKA the CA cert)
> > > > > > > 2. The client must have a keystore that can be trusted by the
> > > > > > > server's trust store.
> > > > > > > 3. The server needs to be accessed either via FQDN, or one of the
> > > > > > > SAN addresses. If you are doing self-signing, you can add many DNS
> > > > > > > aliases and even IP addresses to the server's cert.
> > > > > > > 4. Make sure the server cert has extended key usage of serverAuth,
> > > > > > > and the client cert has extended key usage of clientAuth. Actually
> > > > > > > you can have both - if you are generating them yourself.
> >
> > On Thu, Jun 24, 2021 at 8:26 PM Anjali Sharma <
> > sharma.anjali.2699@gmail.com>
> > wrote:
> >
> > > Thanks for this, but we are trying to do this on the command line and are
> > > getting this bad certificate error
> > >
> > > On Thu, Jun 24, 2021, 17:52 Shilin Wu <sh...@confluent.io.invalid>
> > > wrote:
> > >
> > > > You may do openssl s_client -connect kafkahost:port to dump the cert.
> > > >
> > > > See if the cert makes sense.
> > > >
> > > > To test if your SSL works, you may try to use this Java program to test
> > > > if you have an SSL trust issue - if it connects OK, the cert trust is
> > > > most likely okay. (Remember to change your host name in the code, and
> > > > the jks path in the command line options.)
> > > >
> > > >
> > > > java -Djavax.net.ssl.trustStore=truststore.jks \
> > > >      -Djavax.net.ssl.trustStorePassword=changeme Test
> > > >
> > > > import javax.net.ssl.SSLSocket;
> > > > import javax.net.ssl.SSLSocketFactory;
> > > >
> > > > /*
> > > >  * This example demonstrates how to use an SSLSocket as a client to open
> > > >  * a TLS connection to a server and complete the handshake. The trust
> > > >  * store comes from the javax.net.ssl.trustStore system properties passed
> > > >  * on the command line above. It assumes that the client is not behind a
> > > >  * firewall.
> > > >  */
> > > > public class Test {
> > > >
> > > >     public static void main(String[] args) throws Exception {
> > > >         try {
> > > >             SSLSocketFactory factory =
> > > >                 (SSLSocketFactory) SSLSocketFactory.getDefault();
> > > >             // Change these to your broker's host name and SSL listener port.
> > > >             SSLSocket socket =
> > > >                 (SSLSocket) factory.createSocket("cp-kafka1", 9093);
> > > >
> > > >             /*
> > > >              * Before any application data is sent or received, the
> > > >              * SSL socket will do SSL handshaking first to set up
> > > >              * the security attributes.
> > > >              *
> > > >              * SSL handshaking can be initiated by either flushing data
> > > >              * down the pipe, or by starting the handshaking by hand.
> > > >              *
> > > >              * Handshaking is started manually in this example because
> > > >              * PrintWriter catches all IOExceptions (including
> > > >              * SSLExceptions), sets an internal error flag, and then
> > > >              * returns without rethrowing the exception, so any error
> > > >              * messages would be lost. Calling startHandshake() directly
> > > >              * makes a trust or host name failure surface as an exception.
> > > >              */
> > > >             socket.startHandshake();
> > > >             System.out.println("Handshake OK: "
> > > >                 + socket.getSession().getProtocol() + " "
> > > >                 + socket.getSession().getCipherSuite());
> > > >             socket.close();
> > > >         } catch (Exception e) {
> > > >             e.printStackTrace();
> > > >         }
> > > >     }
> > > > }
> > > >
> > > > On Thu, Jun 24, 2021 at 8:17 PM Anjali Sharma <
> > > > sharma.anjali.2699@gmail.com>
> > > > wrote:
> > > >
> > > > > Had added those configurations but am still seeing only junk
> > > > > certificates from the client side. Any idea how to solve this?
> > > > >
> > > > >
> > > > > Thanks
> > > > > Anjali
> > > > >
> > > > > On Thu, Jun 24, 2021, 17:44 Shilin Wu <sh...@confluent.io.invalid>
> > > wrote:
> > > > >
> > > > > > ssl.truststore.location=/root/truststore.jks
> > > > > > ssl.truststore.type=JKS
> > > > > > ssl.truststore.password=changeme
> > > > > > ssl.keystore.location=/root/alice.jks
> > > > > > ssl.keystore.type=JKS
> > > > > > ssl.keystore.password=changeme
> > > > > > security.protocol=SSL
> > > > > > bootstrap.servers=cp-kafka1:9093
> > > > > > ssl.endpoint.identification.algorithm=https
> > > > > >
> > > > > > This worked for me pretty well.
> > > > > >
> > > > > > Of course you need to generate those certs with OpenSSL.
> > > > > >
> > > > > > The trust store only contains the CA cert, the key store contains
> > > > > > the keypair for alice (the user here).
> > > > > >
> > > > > >
> > > > > > [image: Confluent] <https://www.confluent.io>
> > > > > > Wu Shilin
> > > > > > Solution Architect
> > > > > > +6581007012
> > > > > > Follow us: [image: Blog]
> > > > > > <
> > > > > >
> > > > >
> > > >
> > >
> >
> https://www.confluent.io/blog?utm_source=footer&utm_medium=email&utm_campaign=ch.email-signature_type.community_content.blog
> > > > > > >[image:
> > > > > > Twitter] <https://twitter.com/ConfluentInc>[image: LinkedIn]
> > > > > > <https://www.linkedin.com/company/confluent/>[image: Slack]
> > > > > > <https://slackpass.io/confluentcommunity>[image: YouTube]
> > > > > > <https://youtube.com/confluent>
> > > > > > [image: Kafka Summit] <https://www.kafka-summit.org/>
> > > > > >
> > > > > >
> > > > > > On Thu, Jun 24, 2021 at 11:38 AM Anjali Sharma <
> > > > > > sharma.anjali.2699@gmail.com>
> > > > > > wrote:
> > > > > >
> > > > > > > Thanks for this info. Can you please share what all needs to be
> > > > > > > present on the client side for mTLS, as in what configuration is
> > > > > > > needed on that side?
> > > > > > >
> > > > > > > Thanks
> > > > > > >
> > > > > > > On Thu, Jun 24, 2021, 07:51 Shilin Wu
> <shwu@confluent.io.invalid
> > >
> > > > > wrote:
> > > > > > >
> > > > > > > > A few things to check:
> > > > > > > >
> > > > > > > > 1. The client trust store needs to trust the server cert's issuer
> > > > > > > > cert (AKA the CA cert).
> > > > > > > > 2. The client must have a keystore that can be trusted by the
> > > > > > > > server's trust store.
> > > > > > > > 3. The server needs to be accessed either via FQDN, or one of the
> > > > > > > > SAN addresses. If you are self-signing, you can add many DNS
> > > > > > > > aliases and even IP addresses to the server's cert.
> > > > > > > > 4. Make sure the server cert has extended key usage of serverAuth,
> > > > > > > > and the client cert has extended key usage of clientAuth. Actually
> > > > > > > > you can have both - if you are generating them yourself.
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > [image: Confluent] <https://www.confluent.io>
> > > > > > > > Wu Shilin
> > > > > > > > Solution Architect
> > > > > > > > +6581007012
> > > > > > > > Follow us: [image: Blog]
> > > > > > > > <
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> https://www.confluent.io/blog?utm_source=footer&utm_medium=email&utm_campaign=ch.email-signature_type.community_content.blog
> > > > > > > > >[image:
> > > > > > > > Twitter] <https://twitter.com/ConfluentInc>[image: LinkedIn]
> > > > > > > > <https://www.linkedin.com/company/confluent/>[image: Slack]
> > > > > > > > <https://slackpass.io/confluentcommunity>[image: YouTube]
> > > > > > > > <https://youtube.com/confluent>
> > > > > > > > [image: Kafka Summit] <https://www.kafka-summit.org/>
> > > > > > > >
> > > > > > > >
> > > > > > > > On Thu, Jun 24, 2021 at 12:37 AM Anjali Sharma <
> > > > > > > > sharma.anjali.2699@gmail.com>
> > > > > > > > wrote:
> > > > > > > >
> > > > > > > > > Hi All,
> > > > > > > > >
> > > > > > > > > While trying mTLS with ssl.client.auth=required, from the client
> > > > > > > > > side we are seeing some junk certificates which we have not
> > > > > > > > > imported on the client side.
> > > > > > > > >
> > > > > > > > > Please help with this?
> > > > > > > > >
> > > > > > > > > Thanks & Regards
> > > > > > > > >
> > > > > > > > > Anjali
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>

Re: Mtls not working

Posted by Anjali Sharma <sh...@gmail.com>.
This is the error we are getting


  [2021-06-22 10:59:45,049] ERROR [Consumer clientId=consumer-1,
groupId=test-consumer-group] Connection to node -1 failed authentication
due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient)
[2021-06-22 10:59:45,051] ERROR Authentication failed: terminating consumer
process (kafka.tools.ConsoleConsumer$)
org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake
failed
Caused by: javax.net.ssl.SSLException: Unsupported record version
Unknown-211.79


On Thu, Jun 24, 2021, 17:59 Shilin Wu <sh...@confluent.io.invalid> wrote:

> You need to make sure the following one by one... Or you can post the
> error message here so we can see the exact error.
>
>
> > > > > > 1. The client trust store needs to trust the server cert's issuer
> > > > > > cert (AKA the CA cert).
> > > > > > 2. The client must have a keystore that can be trusted by the
> > > > > > server's trust store.
> > > > > > 3. The server needs to be accessed either via FQDN, or one of the
> > > > > > SAN addresses. If you are self-signing, you can add many DNS
> > > > > > aliases and even IP addresses to the server's cert.
> > > > > > 4. Make sure the server cert has extended key usage of serverAuth,
> > > > > > and the client cert has extended key usage of clientAuth. Actually
> > > > > > you can have both - if you are generating them yourself.
>

Re: Mtls not working

Posted by Shilin Wu <sh...@confluent.io.INVALID>.
You need to make sure the following one by one... Or you can post the
error message here so we can see the exact error.


> > > > > 1. The client trust store needs to trust the server cert's issuer
> > > > > cert (AKA the CA cert).
> > > > > 2. The client must have a keystore that can be trusted by the
> > > > > server's trust store.
> > > > > 3. The server needs to be accessed either via FQDN, or one of the
> > > > > SAN addresses. If you are self-signing, you can add many DNS
> > > > > aliases and even IP addresses to the server's cert.
> > > > > 4. Make sure the server cert has extended key usage of serverAuth,
> > > > > and the client cert has extended key usage of clientAuth. Actually
> > > > > you can have both - if you are generating them yourself.



On Thu, Jun 24, 2021 at 8:26 PM Anjali Sharma <sh...@gmail.com>
wrote:

> Thanks for this, but we are trying to do this on the command line and are
> getting this bad certificate error.
>

Re: Mtls not working

Posted by Anjali Sharma <sh...@gmail.com>.
Thanks for this, but we are trying to do this on the command line and are
getting this bad certificate error.

On Thu, Jun 24, 2021, 17:52 Shilin Wu <sh...@confluent.io.invalid> wrote:

> you may do openssl s_client -connect kafkahost:port to dump the cert.
>
> See if the cert makes sense.
>
> To test if your SSL works, you may try to use this Java program to test if you
> have an SSL trust issue - if it connects ok, the cert trust is most likely
> okay. (Remember to change your host name in the code, and the jks path in the
> command line options.)
>
>
> java -Djavax.net.ssl.trustStore=truststore.jks
> -Djavax.net.ssl.trustStorePassword=changeme Test
>

Re: Mtls not working

Posted by Shilin Wu <sh...@confluent.io.INVALID>.
you may do openssl s_client -connect kafkahost:port to dump the cert.

See if the cert makes sense.

To test if your SSL works, you may try to use this Java program to test if you
have an SSL trust issue - if it connects ok, the cert trust is most likely
okay. (Remember to change your host name in the code, and the jks path in the
command line options.)


java -Djavax.net.ssl.trustStore=truststore.jks
-Djavax.net.ssl.trustStorePassword=changeme Test

import java.net.*;
import java.io.*;
import javax.net.ssl.*;

/*
 * This example demonstrates how to use an SSLSocket as a client to
 * send an HTTP request and get a response from an HTTPS server.
 * It assumes that the client is not behind a firewall.
 */
public class Test {

    public static void main(String[] args) throws Exception {
        try {
            SSLSocketFactory factory =
                (SSLSocketFactory)SSLSocketFactory.getDefault();
            // Host name and port of the broker's SSL listener; change to yours.
            SSLSocket socket =
                (SSLSocket)factory.createSocket("cp-kafka1", 9093);

            /*
             * Before any application data is sent or received, the
             * SSL socket will do SSL handshaking first to set up
             * the security attributes.
             *
             * SSL handshaking can be initiated by either flushing data
             * down the pipe, or by starting the handshaking by hand.
             *
             * Handshaking is started manually in this example because
             * PrintWriter catches all IOExceptions (including
             * SSLExceptions), sets an internal error flag, and then
             * returns without rethrowing the exception.
             *
             * Unfortunately, this means any error messages are lost,
             * which caused lots of confusion for others using this
             * code.  The only way to tell there was an error is to call
             * PrintWriter.checkError().
             */
            socket.startHandshake();

            socket.close();

        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}



On Thu, Jun 24, 2021 at 8:17 PM Anjali Sharma <sh...@gmail.com>
wrote:

> Had added those configurations but am still seeing only junk certificates from
> the client side. Any idea how to solve this?
>
>
> Thanks
> Anjali
>
> On Thu, Jun 24, 2021, 17:44 Shilin Wu <sh...@confluent.io.invalid> wrote:
>
> > ssl.truststore.location=/root/truststore.jks
> > ssl.truststore.type=JKS
> > ssl.truststore.password=changeme
> > ssl.keystore.location=/root/alice.jks
> > ssl.keystore.type=JKS
> > ssl.keystore.password=changeme
> > security.protocol=SSL
> > bootstrap.servers=cp-kafka1:9093
> > ssl.endpoint.identification.algorithm=https
> >
> > This worked for me pretty well.
> >
> > Of course you need to generate those certs with OpenSSL.
> >
> > The trust store only contains the CA cert, the key store contains the
> > keypair for alice (the user here).
> >
> >
> >
> >
> > On Thu, Jun 24, 2021 at 11:38 AM Anjali Sharma <
> > sharma.anjali.2699@gmail.com>
> > wrote:
> >
> > > Thanks for this info. Can you please share what all needs to be present
> > > on the client side for mTLS, as in what configuration is needed on that
> > > side?
> > >
> > > Thanks
> > >
> > > On Thu, Jun 24, 2021, 07:51 Shilin Wu <sh...@confluent.io.invalid>
> wrote:
> > >
> > > > A few things to check:
> > > >
> > > > 1. The client trust store needs to trust the server cert's issuer cert
> > > > (AKA the CA cert).
> > > > 2. The client must have a keystore that can be trusted by the server's
> > > > trust store.
> > > > 3. The server needs to be accessed either via FQDN, or via one of the SAN
> > > > addresses. If you are doing self-signing, you can add many DNS aliases
> > > > and even IP addresses to the server's cert.
> > > > 4. Make sure the server cert has extended key usage of serverAuth and the
> > > > client cert has extended key usage of clientAuth. Actually you can have
> > > > both, if you are generating yourself.
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > On Thu, Jun 24, 2021 at 12:37 AM Anjali Sharma <
> > > > sharma.anjali.2699@gmail.com>
> > > > wrote:
> > > >
> > > > > Hi All,
> > > > >
> > > > > While trying mTLS with ssl.client.aut=required, from the client side we
> > > > > are seeing some junk certificates which we have not imported on the
> > > > > client side.
> > > > >
> > > > > Please help with this?
> > > > >
> > > > > Thanks & Regards
> > > > >
> > > > > Anjali
> > > > >
> > > >
> > >
> >
>

Re: Mtls not working

Posted by Anjali Sharma <sh...@gmail.com>.
Had added those configurations but am still seeing only junk certificates from
the client side. Any idea how to solve this?


Thanks
Anjali

On Thu, Jun 24, 2021, 17:44 Shilin Wu <sh...@confluent.io.invalid> wrote:

> ssl.truststore.location=/root/truststore.jks
> ssl.truststore.type=JKS
> ssl.truststore.password=changeme
> ssl.keystore.location=/root/alice.jks
> ssl.keystore.type=JKS
> ssl.keystore.password=changeme
> security.protocol=SSL
> bootstrap.servers=cp-kafka1:9093
> ssl.endpoint.identification.algorithm=https
>
> This worked for me pretty well.
>
> Of course you need to generate those certs with OpenSSL.
>
> The trust store only contains the CA cert, the key store contains the
> keypair for alice (the user here).
>
>
>
>
> On Thu, Jun 24, 2021 at 11:38 AM Anjali Sharma <
> sharma.anjali.2699@gmail.com>
> wrote:
>
> > Thanks for this info. Can you please share what all needs to be present on
> > the client side for mTLS, as in what configuration is needed on that side?
> >
> > Thanks
> >
> > On Thu, Jun 24, 2021, 07:51 Shilin Wu <sh...@confluent.io.invalid> wrote:
> >
> > > A few things to check:
> > >
> > > 1. The client trust store needs to trust the server cert's issuer cert
> > > (AKA the CA cert).
> > > 2. The client must have a keystore that can be trusted by the server's
> > > trust store.
> > > 3. The server needs to be accessed either via FQDN, or via one of the SAN
> > > addresses. If you are doing self-signing, you can add many DNS aliases and
> > > even IP addresses to the server's cert.
> > > 4. Make sure the server cert has extended key usage of serverAuth and the
> > > client cert has extended key usage of clientAuth. Actually you can have
> > > both, if you are generating yourself.
> > >
> > >
> > >
> > >
> > >
> > > On Thu, Jun 24, 2021 at 12:37 AM Anjali Sharma <
> > > sharma.anjali.2699@gmail.com>
> > > wrote:
> > >
> > > > Hi All,
> > > >
> > > > While trying mTLS with ssl.client.aut=required, from the client side we
> > > > are seeing some junk certificates which we have not imported on the
> > > > client side.
> > > >
> > > > Please help with this?
> > > >
> > > > Thanks & Regards
> > > >
> > > > Anjali
> > > >
> > >
> >
>

Re: Mtls not working

Posted by Shilin Wu <sh...@confluent.io.INVALID>.
ssl.truststore.location=/root/truststore.jks
ssl.truststore.type=JKS
ssl.truststore.password=changeme
ssl.keystore.location=/root/alice.jks
ssl.keystore.type=JKS
ssl.keystore.password=changeme
security.protocol=SSL
bootstrap.servers=cp-kafka1:9093
ssl.endpoint.identification.algorithm=https

This worked for me pretty well.

Of course you need to generate those certs with OpenSSL.

The trust store only contains the CA cert, the key store contains the
keypair for alice (the user here).




On Thu, Jun 24, 2021 at 11:38 AM Anjali Sharma <sh...@gmail.com>
wrote:

> Thanks for this info. Can you please share what all needs to be present on
> the client side for mTLS, as in what configuration is needed on that side?
>
> Thanks
>
> On Thu, Jun 24, 2021, 07:51 Shilin Wu <sh...@confluent.io.invalid> wrote:
>
> > A few things to check:
> >
> > 1. The client trust store needs to trust the server cert's issuer cert (AKA
> > the CA cert).
> > 2. The client must have a keystore that can be trusted by the server's trust
> > store.
> > 3. The server needs to be accessed either via FQDN, or via one of the SAN
> > addresses. If you are doing self-signing, you can add many DNS aliases and
> > even IP addresses to the server's cert.
> > 4. Make sure the server cert has extended key usage of serverAuth and the
> > client cert has extended key usage of clientAuth. Actually you can have
> > both, if you are generating yourself.
> >
> >
> >
> >
> >
> > On Thu, Jun 24, 2021 at 12:37 AM Anjali Sharma <
> > sharma.anjali.2699@gmail.com>
> > wrote:
> >
> > > Hi All,
> > >
> > > While trying mTLS with ssl.client.aut=required, from the client side we are
> > > seeing some junk certificates which we have not imported on the client
> > > side.
> > >
> > > Please help with this?
> > >
> > > Thanks & Regards
> > >
> > > Anjali
> > >
> >
>

Re: Mtls not working

Posted by Anjali Sharma <sh...@gmail.com>.
Thanks for this info. Can you please share what all needs to be present on
the client side for mTLS, as in what configuration is needed on that side?

Thanks

On Thu, Jun 24, 2021, 07:51 Shilin Wu <sh...@confluent.io.invalid> wrote:

> A few things to check:
>
> 1. The client trust store needs to trust the server cert's issuer cert (AKA
> the CA cert).
> 2. The client must have a keystore that can be trusted by the server's trust
> store.
> 3. The server needs to be accessed either via FQDN, or via one of the SAN
> addresses. If you are doing self-signing, you can add many DNS aliases and
> even IP addresses to the server's cert.
> 4. Make sure the server cert has extended key usage of serverAuth and the
> client cert has extended key usage of clientAuth. Actually you can have both,
> if you are generating yourself.
>
>
>
>
>
> On Thu, Jun 24, 2021 at 12:37 AM Anjali Sharma <
> sharma.anjali.2699@gmail.com>
> wrote:
>
> > Hi All,
> >
> > While trying mTLS with ssl.client.aut=required, from the client side we are
> > seeing some junk certificates which we have not imported on the client
> > side.
> >
> > Please help with this?
> >
> > Thanks & Regards
> >
> > Anjali
> >
>

Re: Mtls not working

Posted by Shilin Wu <sh...@confluent.io.INVALID>.
A few things to check:

1. The client trust store needs to trust the server cert's issuer cert (AKA the
CA cert).
2. The client must have a keystore that can be trusted by the server's trust
store.
3. The server needs to be accessed either via FQDN, or via one of the SAN
addresses. If you are doing self-signing, you can add many DNS aliases and even
IP addresses to the server's cert.
4. Make sure the server cert has extended key usage of serverAuth and the client
cert has extended key usage of clientAuth. Actually you can have both, if
you are generating yourself.





On Thu, Jun 24, 2021 at 12:37 AM Anjali Sharma <sh...@gmail.com>
wrote:

> Hi All,
>
> While trying mTLS with ssl.client.aut=required, from the client side we are
> seeing some junk certificates which we have not imported on the client
> side.
>
> Please help with this?
>
> Thanks & Regards
>
> Anjali
>
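
The four items above, together with the cert generation that the config reply leaves to OpenSSL, checked mechanically in an added example (not code from this thread). It builds a throwaway CA, a server cert for cp-kafka1 with SANs and serverAuth, a client cert for alice with clientAuth, plus a self-signed stray cert, then tests each against the CA that the trust store would hold; example-ca, the IP 10.0.0.5 and the PKCS12 keystore (the thread's stores are JKS) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a throwaway PKI with openssl and checks
# it against the four items above. example-ca, cp-kafka1, alice and 10.0.0.5 are
# made-up names; the thread's stores are JKS, this produces the PKCS12 equivalent.
set -e
WORK="${WORK:-$(mktemp -d)}"

gen_pki() {
  # CA: the only cert the trust stores need to hold (items 1 and 2)
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=example-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  # Server cert: SAN lists every name and IP a client may dial (item 3), EKU serverAuth (item 4)
  printf '%s\n' 'subjectAltName=DNS:cp-kafka1,DNS:cp-kafka1.example.internal,IP:10.0.0.5' \
    'extendedKeyUsage=serverAuth' > "$WORK/server.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=cp-kafka1" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null
  # Client cert for alice: EKU clientAuth (item 4)
  printf '%s\n' 'extendedKeyUsage=clientAuth' > "$WORK/alice.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=alice" \
    -keyout "$WORK/alice.key" -out "$WORK/alice.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/alice.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/alice.ext" -out "$WORK/alice.crt" 2>/dev/null
  # Keystore for alice: her key pair plus the CA, same password as the thread's config
  openssl pkcs12 -export -in "$WORK/alice.crt" -inkey "$WORK/alice.key" \
    -certfile "$WORK/ca.crt" -name alice -passout pass:changeme -out "$WORK/alice.p12"
  # A self-signed cert that no trust store knows: the "junk certificate" case
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=cp-kafka1" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" 2>/dev/null
}

# Items 1 and 2: does the cert chain to the CA the trust store holds?
chain_ok() { openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; }
# Item 3: is the host name or IP the client dials present in subjectAltName?
san_has() { openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null | grep -q "$2"; }
# Item 4: does the cert carry the expected extendedKeyUsage?
eku_has() { openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null | grep -q "$2"; }

gen_pki
for c in server alice rogue; do
  if chain_ok "$WORK/$c.crt"; then echo "$c.crt: chains to ca.crt"; else echo "$c.crt: NOT trusted"; fi
done
```

A cert that fails chain_ok against ca.crt is what the client refuses no matter which cert the broker presents, so the trust store contents are the first thing to compare with the s_client dump.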

Fwd: Mtls not working

Posted by Anjali Sharma <sh...@gmail.com>.
Hi All,

While trying mTLS with ssl.client.aut=required, from the client side we are
seeing some junk certificates which we have not imported on the client side.

Please help with this?

Thanks & Regards

Anjali