[ 
https://issues.apache.org/jira/browse/KAFKA-3647?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15268594#comment-15268594
 ] 

Johan Abbors commented on KAFKA-3647:
-------------------------------------

I'm also having problems using Kafka with SSL from Go. I first thought it was 
an issue in the Go library but turns out it might be a JVM issue. Installing 
the JCE did not help either. 

Enabled cipher suites (in Java):
  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  TLS_RSA_WITH_AES_256_CBC_SHA
  TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
  TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
  TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  TLS_DHE_DSS_WITH_AES_256_CBC_SHA
  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  TLS_RSA_WITH_AES_128_CBC_SHA
  TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
  TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
  TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
  TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  SSL_RSA_WITH_3DES_EDE_CBC_SHA
  TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
  TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
  SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  TLS_EMPTY_RENEGOTIATION_INFO_SCSV

The above list, which is the output from this program 
http://stackoverflow.com/questions/20000020/enabled-ciphers-on-ubuntu-openjdk-7, 
has common cipher suites with those in Go, but the sslscan yields a different 
list. What's the catch here?

My platform: Ubuntu 14.04, OpenJDK7/Oracle8

For more reference see Go issue: 
https://github.com/Shopify/sarama/issues/643#issuecomment-212403218

> Unable to set a ssl provider
> ----------------------------
>
>                 Key: KAFKA-3647
>                 URL: https://issues.apache.org/jira/browse/KAFKA-3647
>             Project: Kafka
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.9.0.1
>         Environment: Centos, OracleJRE 8, Vagrant
>            Reporter: Elvar
>
> When defining a ssl provider Kafka does not start because the provider was 
> not found.
> {code}
> [2016-05-02 13:48:48,252] FATAL [Kafka Server 11], Fatal error during 
> KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer)
> org.apache.kafka.common.KafkaException: 
> org.apache.kafka.common.KafkaException: 
> java.security.NoSuchProviderException: no such provider: sun.security.ec.SunEC
>         at 
> org.apache.kafka.common.network.SslChannelBuilder.configure(SslChannelBuilder.java:44)
> {code}
> To test
> {code}
> /bin/kafka-server-start /etc/kafka/server.properties --override 
> ssl.provider=sun.security.ec.SunEC
> {code}
> This is stopping us from talking to Kafka with SSL from Go programs because 
> no common cipher suites are available.
> Using sslscan this is available from Kafka
> {code}
>  Supported Server Cipher(s):
>    Accepted  TLSv1  256 bits  DHE-DSS-AES256-SHA
>    Accepted  TLSv1  128 bits  DHE-DSS-AES128-SHA
>    Accepted  TLSv1  128 bits  EDH-DSS-DES-CBC3-SHA
>    Accepted  TLS11  256 bits  DHE-DSS-AES256-SHA
>    Accepted  TLS11  128 bits  DHE-DSS-AES128-SHA
>    Accepted  TLS11  128 bits  EDH-DSS-DES-CBC3-SHA
>    Accepted  TLS12  256 bits  DHE-DSS-AES256-GCM-SHA384
>    Accepted  TLS12  256 bits  DHE-DSS-AES256-SHA256
>    Accepted  TLS12  256 bits  DHE-DSS-AES256-SHA
>    Accepted  TLS12  128 bits  DHE-DSS-AES128-GCM-SHA256
>    Accepted  TLS12  128 bits  DHE-DSS-AES128-SHA256
>    Accepted  TLS12  128 bits  DHE-DSS-AES128-SHA
>    Accepted  TLS12  128 bits  EDH-DSS-DES-CBC3-SHA
>  Preferred Server Cipher(s):
>    SSLv2  0 bits    (NONE)
>    TLSv1  256 bits  DHE-DSS-AES256-SHA
>    TLS11  256 bits  DHE-DSS-AES256-SHA
>    TLS12  256 bits  DHE-DSS-AES256-GCM-SHA384
> {code}
> From the Golang documentation these are available there
> {code}
>         TLS_RSA_WITH_RC4_128_SHA                uint16 = 0x0005
>         TLS_RSA_WITH_3DES_EDE_CBC_SHA           uint16 = 0x000a
>         TLS_RSA_WITH_AES_128_CBC_SHA            uint16 = 0x002f
>         TLS_RSA_WITH_AES_256_CBC_SHA            uint16 = 0x0035
>         TLS_RSA_WITH_AES_128_GCM_SHA256         uint16 = 0x009c
>         TLS_RSA_WITH_AES_256_GCM_SHA384         uint16 = 0x009d
>         TLS_ECDHE_ECDSA_WITH_RC4_128_SHA        uint16 = 0xc007
>         TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA    uint16 = 0xc009
>         TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA    uint16 = 0xc00a
>         TLS_ECDHE_RSA_WITH_RC4_128_SHA          uint16 = 0xc011
>         TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA     uint16 = 0xc012
>         TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      uint16 = 0xc013
>         TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA      uint16 = 0xc014
>         TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   uint16 = 0xc02f
>         TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02b
>         TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   uint16 = 0xc030
>         TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc02c
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
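
Added example, not part of the original message and not Kafka or sarama code: a Go check that translates the OpenSSL names in the quoted sslscan output to IANA names and intersects them with every suite crypto/tls implements. The sample input is constructed from the TLS 1.2 lines of that scan, and the function names are hypothetical.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// Constructed sample: the TLS 1.2 "Accepted" lines of the sslscan output quoted in the issue.
const sslscanOutput = `Accepted  TLS12  256 bits  DHE-DSS-AES256-GCM-SHA384
Accepted  TLS12  256 bits  DHE-DSS-AES256-SHA256
Accepted  TLS12  256 bits  DHE-DSS-AES256-SHA
Accepted  TLS12  128 bits  DHE-DSS-AES128-GCM-SHA256
Accepted  TLS12  128 bits  DHE-DSS-AES128-SHA256
Accepted  TLS12  128 bits  DHE-DSS-AES128-SHA
Accepted  TLS12  128 bits  EDH-DSS-DES-CBC3-SHA`
// OpenSSL name -> IANA name, only for the suites that appear in the scan.
var opensslToIANA = map[string]string{
	"DHE-DSS-AES256-GCM-SHA384": "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384", "DHE-DSS-AES256-SHA256": "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
	"DHE-DSS-AES128-GCM-SHA256": "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256", "DHE-DSS-AES128-SHA256": "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
	"DHE-DSS-AES256-SHA": "TLS_DHE_DSS_WITH_AES_256_CBC_SHA", "DHE-DSS-AES128-SHA": "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
	"EDH-DSS-DES-CBC3-SHA": "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
}
// acceptedSuites returns the IANA names of the suites sslscan reported as accepted.
func acceptedSuites(scan string) (out []string) {
	for _, line := range strings.Split(scan, "\n") {
		if f := strings.Fields(line); len(f) == 5 && f[0] == "Accepted" && opensslToIANA[f[4]] != "" {
			out = append(out, opensslToIANA[f[4]])
		}
	}
	return out
}

// negotiable keeps the server suites that crypto/tls implements, counting the ones it marks insecure.
func negotiable(server []string) (out []string) {
	impl := map[string]bool{}
	for _, s := range append(tls.CipherSuites(), tls.InsecureCipherSuites()...) {
		impl[s.Name] = true
	}
	for _, s := range server {
		if impl[s] {
			out = append(out, s)
		}
	}
	return out
}

func main() {
	fmt.Println("negotiable from Go:", negotiable(acceptedSuites(sslscanOutput)))
}
```

The result is empty because every accepted suite is DHE_DSS, and crypto/tls implements no DHE or DSS suites. A JVM's enabled-suite list is only an upper bound: the server negotiates only the suites that match the key type in its keystore.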
