Posted to users@kafka.apache.org by Jesus Cea <jc...@jcea.es> on 2023/11/09 02:37:39 UTC
How to get a X509 broker certificate with "openssl s_client"?
I am trying to remotely access the brokers' certificates (for audit
purposes, expiration alarms, etc.) using this command:
"""
openssl s_client -showcerts -connect localhost:9092
"""
The connection is correctly established, but something is wrong. The TLS
session has some errors at the beginning, but it succeeds at the end:
"""
[jcea@Kafka ~]$ openssl s_client -showcerts -connect localhost:9092
CONNECTED(00000004)
1:error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad
record mac:ssl/record/ssl3_record.c:676:
---
no peer certificate available
---
No client certificate CA names sent
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1696 bytes and written 300 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
"""
I also tried writing a tiny TLS client in Python, with the same result, raising
this exception: "ssl.SSLError: [SSL:
DECRYPTION_FAILED_OR_BAD_RECORD_MAC] decryption failed or bad record mac
(_ssl.c:992)".
I guess there is some kind of preamble before TLS negotiation.
Is that documented somewhere? How can I check the brokers'
certificates remotely?
Thanks.
--
Jesús Cea Avión
jcea@jcea.es - https://www.jcea.es/
Twitter: @jcea
jabber / xmpp:jcea@jabber.org
"Things are not so easy"
"My name is Dump, Core Dump"
"Love is placing your happiness in the happiness of another" - Leibniz
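As an added example (not code from the post or from the Kafka project), here is a small Python probe for the audit described above: it fetches the certificate a broker presents over TLS, turns its notAfter into an expiry alarm, and reports the handshake failure from the post as a separate status instead of a crash. The broker host, port and CA file are assumed inputs; SAMPLE_CERT is a constructed dict in the shape getpeercert() returns, so the expiry logic runs offline.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape SSLSocket.getpeercert() returns (not a real broker cert).
SAMPLE_CERT = {
    "subject": ((("commonName", "kafka-broker-1.example.invalid"),),),
    "notBefore": "Nov  9 02:37:39 2023 GMT",
    "notAfter": "Nov  9 02:37:39 2024 GMT",
}

def days_until_expiry(cert, now=None):
    """Days left before notAfter; notAfter uses OpenSSL's text form, e.g. 'Nov  9 02:37:39 2024 GMT'."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    now = now or datetime.now(timezone.utc)
    return (expires - now.timestamp()) / 86400

def classify(days_left, warn_days=30):
    """Map remaining lifetime to an alarm level."""
    if days_left < 0:
        return "EXPIRED"
    return "WARN" if days_left <= warn_days else "OK"

def fetch_peer_cert(host, port, cafile, timeout=5.0):
    """Return (decoded cert dict, PEM text) for the certificate the broker presents.

    Verification against `cafile` stays on: getpeercert() only returns the decoded
    dict when the chain was validated (it is empty under CERT_NONE). The PEM is
    handy for `openssl x509 -noout -dates`. Hostname checking is also on, so `host`
    must appear in the certificate's SAN (connecting as 'localhost' may not)."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            pem = ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))
    return cert, pem

def check_broker(host, port, cafile, warn_days=30):
    """One audit record per broker, suitable for feeding an expiration alarm."""
    try:
        cert, _pem = fetch_peer_cert(host, port, cafile)
    except ssl.SSLCertVerificationError as e:
        # An already-expired cert fails validation before notAfter can be read,
        # so treat that as the alarm condition rather than a probe error.
        status = "EXPIRED" if "expired" in str(e) else "VERIFY_FAIL"
        return {"host": host, "port": port, "status": status, "detail": str(e)}
    except ssl.SSLError as e:
        # e.g. DECRYPTION_FAILED_OR_BAD_RECORD_MAC as in the post: the handshake
        # itself is broken, so there is no certificate to audit yet.
        return {"host": host, "port": port, "status": "HANDSHAKE_ERROR", "detail": e.reason}
    days = days_until_expiry(cert)
    return {"host": host, "port": port, "status": classify(days, warn_days),
            "days_left": round(days, 1), "subject": cert.get("subject")}
```

Run it as `python probe.py <host> <port> <ca.pem>` by calling `check_broker` from a small `__main__` wrapper of your own; a HANDSHAKE_ERROR record means the broker side needs attention before any certificate check can succeed.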
Re: How to get a X509 broker certificate with "openssl s_client"?
Posted by Jesus Cea <jc...@jcea.es>.
On 9/11/23 3:37, Jesus Cea wrote:
> I am trying to remotely access the brokers' certificates (for audit
> purposes, expiration alarms, etc.) using this command:
>
> """
> openssl s_client -showcerts -connect localhost:9092
> """
>
> The connection is correctly established, but something is wrong. The TLS
> session has some errors at the beginning, but it succeeds at the end:
This is actually a bug in OpenJDK 17 under SmartOS. More details:
<https://smartos.topicbox.com/groups/smartos-discuss/Tfa6a653f74458e7f/critical-serious-issue-with-openjdk-17-and-tls>.