Posted to users@kafka.apache.org by Jesus Cea <jc...@jcea.es> on 2023/11/09 02:37:39 UTC

How to get an X509 broker certificate with "openssl s_client"?

I am trying to remotely access the brokers' certificates (for audit 
purposes, expiration alarms, etc.) using this command:

"""
openssl s_client -showcerts -connect localhost:9092
"""

The connection is correctly established, but something is wrong. The TLS 
session has some errors at the beginning, but it succeeds at the end:

"""
[jcea@Kafka ~]$ openssl s_client -showcerts -connect localhost:9092
CONNECTED(00000004)
1:error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad 
record mac:ssl/record/ssl3_record.c:676:
---
no peer certificate available
---
No client certificate CA names sent
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1696 bytes and written 300 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
"""

I also tried writing a tiny TLS client in Python, with the same result, 
raising this exception: "ssl.SSLError: [SSL: 
DECRYPTION_FAILED_OR_BAD_RECORD_MAC] decryption failed or bad record mac 
(_ssl.c:992)".

I guess there is some kind of preamble before TLS negotiation.

Is that documented somewhere? How can I check the brokers' 
certificates remotely?

Thanks.

-- 
Jesús Cea Avión                         _/_/      _/_/_/        _/_/_/
jcea@jcea.es - https://www.jcea.es/    _/_/    _/_/  _/_/    _/_/  _/_/
Twitter: @jcea                        _/_/    _/_/          _/_/_/_/_/
jabber / xmpp:jcea@jabber.org  _/_/  _/_/    _/_/          _/_/  _/_/
"Things are not so easy"      _/_/  _/_/    _/_/  _/_/    _/_/  _/_/
"My name is Dump, Core Dump"   _/_/_/        _/_/_/      _/_/  _/_/
"El amor es poner tu felicidad en la felicidad de otro" - Leibniz
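For the audit/expiration-alarm use case asked about above, here is an added example (not code from this thread or from the Kafka project) that does the check with the Python standard library only. It assumes the broker port is an SSL or SASL_SSL listener that speaks TLS directly, and that `broker.example:9093` and `ca.pem` are placeholders for your own broker and internal CA. `SSLSocket.getpeercert()` returns an empty dict when verification is disabled, so the script takes the DER form and walks only as far as the `validity` field with a minimal DER reader; the embedded certificate is a constructed sample with placeholder names and signature, used for an offline run.

```python
# Added example: remote leaf-certificate expiry check for a TLS listener.
# Assumptions: the port speaks TLS directly; host/port/cafile are placeholders.
import datetime as dt
import socket
import ssl

UTC = dt.timezone.utc


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for every TLV directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, child, pos = _read_tlv(value, pos)
        yield tag, child


def _parse_time(tag, value):
    """Decode UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    text = value.decode("ascii")
    if tag == 0x17:
        year = int(text[:2])
        year += 2000 if year < 50 else 1900   # RFC 5280 two-digit year rule
        rest = text[2:]
    elif tag == 0x18:
        year, rest = int(text[:4]), text[4:]
    else:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return dt.datetime(year, int(rest[0:2]), int(rest[2:4]), int(rest[4:6]),
                       int(rest[6:8]), int(rest[8:10]), tzinfo=UTC)


def cert_validity(der):
    """Return (not_before, not_after) as aware UTC datetimes from a DER certificate."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, _ = _read_tlv(cert, 0)         # tbsCertificate is the first element
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:               # optional explicit [0] version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    times = list(_children(fields[3][1]))
    return _parse_time(*times[0]), _parse_time(*times[1])


def days_until_expiry(not_after, now=None):
    """Whole days left before not_after (negative once expired)."""
    now = now or dt.datetime.now(UTC)
    return (not_after - now).days


def fetch_leaf_cert(host, port, cafile=None, timeout=5.0):
    """TLS-connect, send no application data, return the server's leaf cert in DER."""
    ctx = ssl.create_default_context(cafile=cafile)
    if cafile is None:                     # no CA given: fetch only, verify nothing
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_broker(host, port, warn_days=30, cafile=None):
    """Audit helper: dict suitable for feeding an expiry alarm."""
    not_before, not_after = cert_validity(fetch_leaf_cert(host, port, cafile))
    left = days_until_expiry(not_after)
    return {"host": host, "port": port, "not_before": not_before.isoformat(),
            "not_after": not_after.isoformat(), "days_left": left,
            "alarm": left < warn_days}


# --- constructed sample (hypothetical, not a real signed certificate) ---
def _tlv(tag, content):
    """Encode one DER TLV (inverse of _read_tlv); used only to build the sample."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def sample_cert_der():
    """Structurally valid Certificate with placeholder issuer/subject/signature."""
    validity = _tlv(0x30, _tlv(0x17, b"231109023739Z") + _tlv(0x17, b"241108023739Z"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02"))                      # version v3
                     + _tlv(0x02, b"\x01")                                 # serialNumber
                     + _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
                     + _tlv(0x30, b"") + validity + _tlv(0x30, b""))       # issuer, validity, subject
    return _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))


if __name__ == "__main__":
    nb, na = cert_validity(sample_cert_der())
    print("sample cert valid from", nb.isoformat(), "to", na.isoformat())
    # print(check_broker("broker.example", 9093, cafile="ca.pem"))  # live check
```

Pass `cafile` with the internal CA for a real audit so the chain is actually verified; without it the script only inventories what the listener presents. Pointing it at a PLAINTEXT listener fails at the handshake, which is itself a useful signal that the port is not TLS.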

Re: How to get an X509 broker certificate with "openssl s_client"?

Posted by Jesus Cea <jc...@jcea.es>.
On 9/11/23 3:37, Jesus Cea wrote:
> I am trying to remotely access the brokers' certificates (for audit 
> purposes, expiration alarms, etc.) using this command:
> 
> """
> openssl s_client -showcerts -connect localhost:9092
> """
> 
> The connection is correctly established, but something is wrong. The TLS 
> session has some errors at the beginning, but it succeeds at the end:

This is actually a bug in OpenJDK 17 under SmartOS. More details: 
<https://smartos.topicbox.com/groups/smartos-discuss/Tfa6a653f74458e7f/critical-serious-issue-with-openjdk-17-and-tls>.
