Posted to dev@kafka.apache.org by "Elvar (JIRA)" <ji...@apache.org> on 2016/05/02 19:58:12 UTC

[jira] [Created] (KAFKA-3647) Unable to set a ssl provider

Elvar created KAFKA-3647:
----------------------------

             Summary: Unable to set a ssl provider
                 Key: KAFKA-3647
                 URL: https://issues.apache.org/jira/browse/KAFKA-3647
             Project: Kafka
          Issue Type: Bug
          Components: security
    Affects Versions: 0.9.0.1
         Environment: Centos, OracleJRE 8, Vagrant
            Reporter: Elvar


When defining an SSL provider, Kafka does not start because the provider was not found.

{code}
[2016-05-02 13:48:48,252] FATAL [Kafka Server 11], Fatal error during KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer)
org.apache.kafka.common.KafkaException: org.apache.kafka.common.KafkaException: java.security.NoSuchProviderException: no such provider: sun.security.ec.SunEC
        at org.apache.kafka.common.network.SslChannelBuilder.configure(SslChannelBuilder.java:44)
{code}

To test
{code}
/bin/kafka-server-start /etc/kafka/server.properties --override ssl.provider=sun.security.ec.SunEC
{code}

This is stopping us from talking to Kafka with SSL from Go programs because no common cipher suites are available.

Using sslscan this is available from Kafka

{code}
 Supported Server Cipher(s):
   Accepted  TLSv1  256 bits  DHE-DSS-AES256-SHA
   Accepted  TLSv1  128 bits  DHE-DSS-AES128-SHA
   Accepted  TLSv1  128 bits  EDH-DSS-DES-CBC3-SHA
   Accepted  TLS11  256 bits  DHE-DSS-AES256-SHA
   Accepted  TLS11  128 bits  DHE-DSS-AES128-SHA
   Accepted  TLS11  128 bits  EDH-DSS-DES-CBC3-SHA
   Accepted  TLS12  256 bits  DHE-DSS-AES256-GCM-SHA384
   Accepted  TLS12  256 bits  DHE-DSS-AES256-SHA256
   Accepted  TLS12  256 bits  DHE-DSS-AES256-SHA
   Accepted  TLS12  128 bits  DHE-DSS-AES128-GCM-SHA256
   Accepted  TLS12  128 bits  DHE-DSS-AES128-SHA256
   Accepted  TLS12  128 bits  DHE-DSS-AES128-SHA
   Accepted  TLS12  128 bits  EDH-DSS-DES-CBC3-SHA

 Preferred Server Cipher(s):
   SSLv2  0 bits    (NONE)
   TLSv1  256 bits  DHE-DSS-AES256-SHA
   TLS11  256 bits  DHE-DSS-AES256-SHA
   TLS12  256 bits  DHE-DSS-AES256-GCM-SHA384
{code}

From the Golang documentation, these are available there:

{code}
        TLS_RSA_WITH_RC4_128_SHA                uint16 = 0x0005
        TLS_RSA_WITH_3DES_EDE_CBC_SHA           uint16 = 0x000a
        TLS_RSA_WITH_AES_128_CBC_SHA            uint16 = 0x002f
        TLS_RSA_WITH_AES_256_CBC_SHA            uint16 = 0x0035
        TLS_RSA_WITH_AES_128_GCM_SHA256         uint16 = 0x009c
        TLS_RSA_WITH_AES_256_GCM_SHA384         uint16 = 0x009d
        TLS_ECDHE_ECDSA_WITH_RC4_128_SHA        uint16 = 0xc007
        TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA    uint16 = 0xc009
        TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA    uint16 = 0xc00a
        TLS_ECDHE_RSA_WITH_RC4_128_SHA          uint16 = 0xc011
        TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA     uint16 = 0xc012
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      uint16 = 0xc013
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA      uint16 = 0xc014
        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   uint16 = 0xc02f
        TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02b
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   uint16 = 0xc030
        TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc02c
{code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
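
Added example, not part of the original report and not Kafka or Go project code: the two lists above compared by server key type. Every suite sslscan reports is DSS-authenticated, which in TLS requires a DSA server key, while Go's crypto/tls implements only RSA- and ECDSA-authenticated suites; the helper names are hypothetical.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// Suite names copied from the sslscan output in the report (repeats across TLS versions dropped).
var brokerSuites = []string{
	"DHE-DSS-AES256-SHA", "DHE-DSS-AES128-SHA", "EDH-DSS-DES-CBC3-SHA", "DHE-DSS-AES256-SHA256",
	"DHE-DSS-AES256-GCM-SHA384", "DHE-DSS-AES128-GCM-SHA256", "DHE-DSS-AES128-SHA256",
}

// authOfOpenSSL: server key type an OpenSSL-style name requires ((EC)DHE-<auth>-... or plain RSA only).
func authOfOpenSSL(name string) string {
	p := strings.Split(name, "-")
	if len(p) > 1 && (p[0] == "DHE" || p[0] == "EDH" || p[0] == "ECDHE") {
		return strings.Replace(p[1], "DSS", "DSA", 1)
	}
	return "RSA"
}

// authOfIANA: same for IANA names; TLS 1.3 names carry no key type and yield "".
func authOfIANA(name string) string {
	i := strings.Index(name, "_WITH_")
	if i < 0 {
		return ""
	}
	p := strings.Split(name[:i], "_")
	return strings.Replace(p[len(p)-1], "DSS", "DSA", 1)
}

// diagnose: key types the broker's suites need, and whether Go has a suite for any of them.
func diagnose(broker []string) (map[string]bool, bool) {
	goAuths, need, overlap := map[string]bool{}, map[string]bool{}, false
	for _, s := range append(tls.CipherSuites(), tls.InsecureCipherSuites()...) {
		goAuths[authOfIANA(s.Name)] = true
	}
	for _, s := range broker {
		a := authOfOpenSSL(s)
		need[a] = true
		overlap = overlap || goAuths[a] // shared key type: necessary for a common suite, not sufficient
	}
	return need, overlap
}

func main() {
	fmt.Println(diagnose(brokerSuites)) // map[DSA:true] false
}
```

In JSSE the suites a server offers follow the algorithm of the key pair in its keystore, so the broker keystore's key algorithm is the setting to check.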