Posted to dev@kafka.apache.org by "Elvar (JIRA)" <ji...@apache.org> on 2016/05/04 12:01:13 UTC
[jira] [Commented] (KAFKA-3647) Unable to set a ssl provider / only DSS ciphers available
[ https://issues.apache.org/jira/browse/KAFKA-3647?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15270520#comment-15270520 ]
Elvar commented on KAFKA-3647:
------------------------------
Found the problem with the ciphers: when you create the keystore you must use -keyalg RSA so it generates a 2048-bit key. If not, the key that is created will only work with DSS.
Now, using sslscan, it looks like this:
{code}
Accepted TLSv1 256 bits ECDHE-RSA-AES256-SHA
Accepted TLSv1 256 bits DHE-RSA-AES256-SHA
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits ECDHE-RSA-AES128-SHA
Accepted TLSv1 128 bits DHE-RSA-AES128-SHA
Accepted TLSv1 128 bits ECDHE-RSA-DES-CBC3-SHA
Accepted TLSv1 128 bits EDH-RSA-DES-CBC3-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 128 bits DES-CBC3-SHA
Accepted TLS11 256 bits ECDHE-RSA-AES256-SHA
Accepted TLS11 256 bits DHE-RSA-AES256-SHA
Accepted TLS11 256 bits AES256-SHA
Accepted TLS11 128 bits ECDHE-RSA-AES128-SHA
Accepted TLS11 128 bits DHE-RSA-AES128-SHA
Accepted TLS11 128 bits ECDHE-RSA-DES-CBC3-SHA
Accepted TLS11 128 bits EDH-RSA-DES-CBC3-SHA
Accepted TLS11 128 bits AES128-SHA
Accepted TLS11 128 bits DES-CBC3-SHA
Accepted TLS12 256 bits ECDHE-RSA-AES256-GCM-SHA384
Accepted TLS12 256 bits ECDHE-RSA-AES256-SHA384
Accepted TLS12 256 bits ECDHE-RSA-AES256-SHA
Accepted TLS12 256 bits DHE-RSA-AES256-GCM-SHA384
Accepted TLS12 256 bits DHE-RSA-AES256-SHA256
Accepted TLS12 256 bits DHE-RSA-AES256-SHA
Accepted TLS12 256 bits AES256-GCM-SHA384
Accepted TLS12 256 bits AES256-SHA256
Accepted TLS12 256 bits AES256-SHA
Accepted TLS12 128 bits ECDHE-RSA-AES128-GCM-SHA256
Accepted TLS12 128 bits ECDHE-RSA-AES128-SHA256
Accepted TLS12 128 bits ECDHE-RSA-AES128-SHA
Accepted TLS12 128 bits DHE-RSA-AES128-GCM-SHA256
Accepted TLS12 128 bits DHE-RSA-AES128-SHA256
Accepted TLS12 128 bits DHE-RSA-AES128-SHA
Accepted TLS12 128 bits ECDHE-RSA-DES-CBC3-SHA
Accepted TLS12 128 bits EDH-RSA-DES-CBC3-SHA
Accepted TLS12 128 bits AES128-GCM-SHA256
Accepted TLS12 128 bits AES128-SHA256
Accepted TLS12 128 bits AES128-SHA
Accepted TLS12 128 bits DES-CBC3-SHA
{code}
Maybe it is not an issue anymore that the ssl.provider setting does not work.
> Unable to set a ssl provider / only DSS ciphers available
> ---------------------------------------------------------
>
> Key: KAFKA-3647
> URL: https://issues.apache.org/jira/browse/KAFKA-3647
> Project: Kafka
> Issue Type: Bug
> Components: security
> Affects Versions: 0.9.0.1
> Environment: Centos, OracleJRE 8, Vagrant
> Reporter: Elvar
>
> When defining a ssl provider Kafka does not start because the provider was not found.
> {code}
> [2016-05-02 13:48:48,252] FATAL [Kafka Server 11], Fatal error during KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer)
> org.apache.kafka.common.KafkaException: org.apache.kafka.common.KafkaException: java.security.NoSuchProviderException: no such provider: sun.security.ec.SunEC
> at org.apache.kafka.common.network.SslChannelBuilder.configure(SslChannelBuilder.java:44)
> {code}
> To test
> {code}
> /bin/kafka-server-start /etc/kafka/server.properties --override ssl.provider=sun.security.ec.SunEC
> {code}
> This is stopping us from talking to Kafka with SSL from Go programs because no common cipher suites are available.
> Using sslscan this is available from Kafka
> {code}
> Supported Server Cipher(s):
> Accepted TLSv1 256 bits DHE-DSS-AES256-SHA
> Accepted TLSv1 128 bits DHE-DSS-AES128-SHA
> Accepted TLSv1 128 bits EDH-DSS-DES-CBC3-SHA
> Accepted TLS11 256 bits DHE-DSS-AES256-SHA
> Accepted TLS11 128 bits DHE-DSS-AES128-SHA
> Accepted TLS11 128 bits EDH-DSS-DES-CBC3-SHA
> Accepted TLS12 256 bits DHE-DSS-AES256-GCM-SHA384
> Accepted TLS12 256 bits DHE-DSS-AES256-SHA256
> Accepted TLS12 256 bits DHE-DSS-AES256-SHA
> Accepted TLS12 128 bits DHE-DSS-AES128-GCM-SHA256
> Accepted TLS12 128 bits DHE-DSS-AES128-SHA256
> Accepted TLS12 128 bits DHE-DSS-AES128-SHA
> Accepted TLS12 128 bits EDH-DSS-DES-CBC3-SHA
> Preferred Server Cipher(s):
> SSLv2 0 bits (NONE)
> TLSv1 256 bits DHE-DSS-AES256-SHA
> TLS11 256 bits DHE-DSS-AES256-SHA
> TLS12 256 bits DHE-DSS-AES256-GCM-SHA384
> {code}
> From the Golang documentation these are available there
> {code}
> TLS_RSA_WITH_RC4_128_SHA uint16 = 0x0005
> TLS_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0x000a
> TLS_RSA_WITH_AES_128_CBC_SHA uint16 = 0x002f
> TLS_RSA_WITH_AES_256_CBC_SHA uint16 = 0x0035
> TLS_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0x009c
> TLS_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0x009d
> TLS_ECDHE_ECDSA_WITH_RC4_128_SHA uint16 = 0xc007
> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA uint16 = 0xc009
> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA uint16 = 0xc00a
> TLS_ECDHE_RSA_WITH_RC4_128_SHA uint16 = 0xc011
> TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0xc012
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA uint16 = 0xc013
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA uint16 = 0xc014
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02f
> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02b
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc030
> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc02c
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
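The thread's root cause is a key-type mismatch: the broker's keystore held a DSA key, so the JVM only offered DHE-DSS suites, while Go's crypto/tls only implements RSA and ECDSA suites (the list quoted above), so the client and server had no suite in common. The following Go program is an added example, not code from this JIRA thread or from the Kafka project. It performs the two checks a practitioner would want before blaming ssl.provider: first, given a parsed server certificate, it reports whether Go's TLS stack can negotiate with that key type at all (RSA and ECDSA yes, DSA no); second, it generates a self-signed 2048-bit RSA certificate in memory (a constructed stand-in for a keystore created with -keyalg RSA), runs a loopback TLS 1.2 handshake against it and prints the negotiated cipher suite, which now comes from the ECDHE-RSA family seen in the corrected sslscan output. The certificate subject, listener address and TLS version pin are assumptions of the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// keyTypeUsableByGoTLS reports whether a Go client can negotiate any cipher
// suite with a server presenting a certificate of this key type. This is the
// check that explains the "no common cipher suites" symptom in the thread:
// crypto/tls has TLS_RSA_* and TLS_ECDHE_{RSA,ECDSA}_* suites but no DSS suites.
func keyTypeUsableByGoTLS(cert *x509.Certificate) (bool, string) {
	switch cert.PublicKeyAlgorithm {
	case x509.RSA:
		return true, "RSA key: TLS_RSA_* and TLS_ECDHE_RSA_* suites can be negotiated"
	case x509.ECDSA:
		return true, "ECDSA key: TLS_ECDHE_ECDSA_* suites can be negotiated"
	case x509.DSA:
		return false, "DSA key: the server will only offer DHE-DSS suites, which Go's crypto/tls does not implement"
	default:
		return false, "unsupported public key algorithm: " + cert.PublicKeyAlgorithm.String()
	}
}

// selfSignedRSA builds an in-memory 2048-bit RSA certificate for 127.0.0.1.
// It stands in for a broker keystore generated with `keytool -keyalg RSA`
// (constructed test material, not a real broker certificate).
func selfSignedRSA() (tls.Certificate, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "kafka-broker-test"}, // assumed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: parsed}, parsed, nil
}

// negotiate starts a loopback TLS server using cert, connects to it with a Go
// client that trusts root, and returns the cipher suite the two sides agreed on.
// The server is pinned to TLS 1.2 so the suite name shows the key-exchange and
// authentication algorithm, as in the sslscan output above.
func negotiate(cert tls.Certificate, root *x509.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{cert}, MaxVersion: tls.VersionTLS12}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		if tc, ok := c.(*tls.Conn); ok {
			_ = tc.Handshake() // drive the server side of the handshake
		}
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, ServerName: "127.0.0.1"})
	if err != nil {
		return "", err
	}
	defer cli.Close()
	return tls.CipherSuiteName(cli.ConnectionState().CipherSuite), nil
}

func main() {
	cert, root, err := selfSignedRSA()
	if err != nil {
		panic(err)
	}
	ok, why := keyTypeUsableByGoTLS(root)
	fmt.Printf("usable from Go: %v (%s)\n", ok, why)
	suite, err := negotiate(cert, root)
	if err != nil {
		panic(err)
	}
	fmt.Println("negotiated:", suite)
}
```

Run it with `go run`; on a broker whose certificate is DSA-signed the first check returns false before any connection is attempted, which is the quick way to confirm that regenerating the keystore with `-keyalg RSA` (as the comment above found) rather than changing ssl.provider is the fix.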