Posted to jira@kafka.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2019/05/17 18:39:00 UTC

[jira] [Commented] (KAFKA-8381) SSL factory for inter-broker listener is broken

    [ https://issues.apache.org/jira/browse/KAFKA-8381?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16842381#comment-16842381 ] 

ASF GitHub Bot commented on KAFKA-8381:
---------------------------------------

rajinisivaram commented on pull request #6757: KAFKA-8381; Disable hostname validation when verifying inter-broker SSL
URL: https://github.com/apache/kafka/pull/6757
 
 
   - Make endpoint validation configurable on SslEngineBuilder when creating an engine
   - Disable endpoint validation for engines created for inter-broker SSL validation since it is unsafe to use `localhost`
   - Use empty hostname in validation engine to ensure tests fail if validation is re-enabled by mistake
   - Add tests to verify inter-broker SSL validation
   
   ### Committer Checklist (excluded from commit message)
   - [ ] Verify design and implementation 
   - [ ] Verify test coverage and CI build status
   - [ ] Verify documentation (including upgrade notes)
   
 


> SSL factory for inter-broker listener is broken
> -----------------------------------------------
>
>                 Key: KAFKA-8381
>                 URL: https://issues.apache.org/jira/browse/KAFKA-8381
>             Project: Kafka
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.3.0
>            Reporter: Rajini Sivaram
>            Assignee: Rajini Sivaram
>            Priority: Blocker
>             Fix For: 2.3.0
>
>
> From a system test failure:
> {code}
> [2019-05-17 15:48:12,453] ERROR [KafkaServer id=1] Fatal error during KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer)
> org.apache.kafka.common.KafkaException: org.apache.kafka.common.config.ConfigException: Invalid value javax.net.ssl.SSLHandshakeException: General SSLEngine problem for configuration A client SSLEngine created with the provided settings can't connect to a server SSLEngine created with those settings.
>         at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:162)
>         at org.apache.kafka.common.network.ChannelBuilders.create(ChannelBuilders.java:146)
>         at org.apache.kafka.common.network.ChannelBuilders.serverChannelBuilder(ChannelBuilders.java:85)
>         at kafka.network.Processor.<init>(SocketServer.scala:747)
>         at kafka.network.SocketServer.newProcessor(SocketServer.scala:388)
>         at kafka.network.SocketServer.$anonfun$addDataPlaneProcessors$1(SocketServer.scala:282)
>         at scala.collection.immutable.Range.foreach$mVc$sp(Range.scala:158)
>         at kafka.network.SocketServer.addDataPlaneProcessors(SocketServer.scala:281)
>         at kafka.network.SocketServer.$anonfun$createDataPlaneAcceptorsAndProcessors$1(SocketServer.scala:244)
>         at kafka.network.SocketServer.$anonfun$createDataPlaneAcceptorsAndProcessors$1$adapted(SocketServer.scala:241)
>         at scala.collection.mutable.ResizableArray.foreach(ResizableArray.scala:62)
>         at scala.collection.mutable.ResizableArray.foreach$(ResizableArray.scala:55)
>         at scala.collection.mutable.ArrayBuffer.foreach(ArrayBuffer.scala:49)
>         at kafka.network.SocketServer.createDataPlaneAcceptorsAndProcessors(SocketServer.scala:241)
>         at kafka.network.SocketServer.startup(SocketServer.scala:120)
>         at kafka.server.KafkaServer.startup(KafkaServer.scala:293)
> {code}
> Looks like the changes under https://github.com/apache/kafka/commit/0494cd329f3aaed94b3b46de0abe495f80faaedd added validation for inter-broker SSL factory with hostname verification enabled and `localhost` as the hostname. As a result, integration tests pass, but system tests fail.


