Posted to jira@kafka.apache.org by "Ville Valtonen (Jira)" <ji...@apache.org> on 2021/12/01 15:45:00 UTC

[jira] [Comment Edited] (KAFKA-12703) Unencrypted PEM files can't be loaded

    [ https://issues.apache.org/jira/browse/KAFKA-12703?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17451134#comment-17451134 ] 

Ville Valtonen edited comment on KAFKA-12703 at 12/1/21, 3:44 PM:
------------------------------------------------------------------

What's the status on this issue? Any active development going on?

I can confirm that it's possible to configure a client with an unencrypted key through the newly added configuration options 'ssl.keystore.key', 'ssl.keystore.certificate.chain' and 'ssl.truststore.certificates' in [KIP-651|https://cwiki.apache.org/confluence/display/KAFKA/KIP-651+-+Support+PEM+format+for+SSL+certificates+and+private+key], because 'ssl.key.password' is not enforced by validation then. But if you add the same key and certificates through 'ssl.keystore.location' and 'ssl.truststore.location' while the types are set to 'PEM', the configuration validation forces you to add 'ssl.key.password'. After adding a value, e.g. even an empty string, for 'ssl.key.password', the default SSL engine proceeds to try to decrypt the key and eventually throws an exception. By encrypting the same key with PKCS8 and providing a password, everything works.

Either the requirement for 'ssl.key.password' while using PEM files should be removed, a mechanism should be added to recognize whether the key is encrypted or not, or the behavior should be consolidated between the mechanisms of adding the key, i.e. requiring an encrypted key always. In the current form the feature and its documentation are hard to interpret.


was (Author: JIRAUSER280982):
What's the status on this issue? Any active development going on?

I can confirm that it's possible to configure a client with an unencrypted key through the newly added configuration options 'ssl.keystore.key', 'ssl.keystore.certificate.chain' and 'ssl.truststore.certificates' in [KIP-651|https://cwiki.apache.org/confluence/display/KAFKA/KIP-651+-+Support+PEM+format+for+SSL+certificates+and+private+key], because 'ssl.key.password' is not enforced by validation then. But if you add the same key and certificates through 'ssl.keystore.location' and 'ssl.truststore.location' while the types are set to 'PEM', the configuration validation forces you to add 'ssl.key.password'. After adding a value, e.g. even an empty string, for 'ssl.key.password', the default SSL engine proceeds to try to decrypt the key and eventually throws an exception. By encrypting the same key with PKCS8 and providing a password, everything works.

Either the requirement for 'ssl.key.password' while using PEM files should be removed, or the behavior should be consolidated between the mechanisms of adding the key, i.e. requiring an encrypted key always. In the current form the feature and its documentation are hard to interpret.

> Unencrypted PEM files can't be loaded
> -------------------------------------
>
>                 Key: KAFKA-12703
>                 URL: https://issues.apache.org/jira/browse/KAFKA-12703
>             Project: Kafka
>          Issue Type: Bug
>          Components: clients
>    Affects Versions: 2.8.0
>            Reporter: Brian Bascoy
>            Priority: Major
>
> Unencrypted PEM files seem to be internally [supported in the codebase|https://github.com/apache/kafka/blob/a46beb9d29781e0709baf596601122f770a5fa31/clients/src/main/java/org/apache/kafka/common/security/ssl/DefaultSslEngineFactory.java#L509] but setting an ssl.key.password is currently enforced by createKeystore (on DefaultSslEngineFactory). I was unable to find a reason for this, so I wonder if this limitation could simply be removed:
>  [https://github.com/pera/kafka/commit/8df2feab5fc6955cf8c89a7d132f05d8f562e16b]
>  
> Thanks
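
The comment above asks for a way to recognize whether a PEM key is encrypted. The following pre-deployment check is an added example, not Kafka code and not part of the original message: it classifies the key by its PEM label and flags the file-based combination the comment reports as failing. The names `classify_private_key` and `preflight` are hypothetical, and the sample PEM blocks are constructed placeholders.

```python
import re

# RFC 7468 textual encoding: -----BEGIN <label>----- ... -----END <label>-----
_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def classify_private_key(pem_text):
    """Return 'encrypted', 'unencrypted' or 'none' for the first private key block."""
    for label, body in _PEM_BLOCK.findall(pem_text or ""):
        if label == "ENCRYPTED PRIVATE KEY":   # PKCS#8 EncryptedPrivateKeyInfo
            return "encrypted"
        if label == "PRIVATE KEY":             # PKCS#8 PrivateKeyInfo, no encryption
            return "unencrypted"
        if label.endswith(" PRIVATE KEY"):     # legacy RSA/EC/DSA key
            # Legacy encryption is signalled by an RFC 1421 header inside the block.
            return "encrypted" if "Proc-Type: 4,ENCRYPTED" in body else "unencrypted"
    return "none"

def preflight(props, keystore_pem=None):
    """List problems for a client config, following the behaviour reported in the comment.

    props: dict of client settings; keystore_pem: text of the file named by
    ssl.keystore.location (ignored when the key is given inline).
    """
    inline = "ssl.keystore.key" in props
    kind = classify_private_key(props["ssl.keystore.key"] if inline else keystore_pem)
    has_password = "ssl.key.password" in props
    if kind == "none":
        return ["no private key block found"]
    if kind == "encrypted" and not has_password:
        return ["key is encrypted but ssl.key.password is not set"]
    if kind == "unencrypted" and not inline:
        return ["unencrypted key via ssl.keystore.location with type PEM: validation "
                "requires ssl.key.password and decryption then fails (KAFKA-12703)"]
    return []

# Constructed sample blocks; the base64 bodies are placeholders, not real keys.
PLAIN_PKCS8 = "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"
ENC_PKCS8 = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n"
             "-----END ENCRYPTED PRIVATE KEY-----\n")
LEGACY_ENC = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
              "DEK-Info: AES-256-CBC,00000000000000000000000000000000\n\n"
              "Q09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    file_cfg = {"ssl.keystore.type": "PEM", "ssl.keystore.location": "client.pem",
                "ssl.key.password": ""}
    print(preflight(file_cfg, PLAIN_PKCS8))
    print(preflight({"ssl.keystore.key": PLAIN_PKCS8}))
```
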


