[ https://issues.apache.org/jira/browse/KAFKA-3647?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15270401#comment-15270401 ]
Elvar commented on KAFKA-3647:
------------------------------

Yes, tried with OpenJDK 1.7 and 1.8 and the Oracle JRE with and without JCE. What is strange is that with Oracle JRE and JCE I can select ciphers in the Kafka config that I want and it will not give an error but when I do a sslscan on the Kafka SSL port no ciphers at all are found. Hinting that either the ciphers are hardcoded somewhere which I find doubtful or something is wrong with how the java keystore is created in my case resulting in only DSS ciphers being available for use. Will look into that and report back.

> Unable to set a ssl provider
> ----------------------------
>
> Key: KAFKA-3647
> URL: https://issues.apache.org/jira/browse/KAFKA-3647
> Project: Kafka
> Issue Type: Bug
> Components: security
> Affects Versions: 0.9.0.1
> Environment: Centos, OracleJRE 8, Vagrant
> Reporter: Elvar
>
> When defining a ssl provider Kafka does not start because the provider was
> not found.
> {code}
> [2016-05-02 13:48:48,252] FATAL [Kafka Server 11], Fatal error during KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer)
> org.apache.kafka.common.KafkaException: org.apache.kafka.common.KafkaException: java.security.NoSuchProviderException: no such provider: sun.security.ec.SunEC
>     at org.apache.kafka.common.network.SslChannelBuilder.configure(SslChannelBuilder.java:44)
> {code}
> To test
> {code}
> /bin/kafka-server-start /etc/kafka/server.properties --override ssl.provider=sun.security.ec.SunEC
> {code}
> This is stopping us from talking to Kafka with SSL from Go programs because
> no common cipher suites are available.
> Using sslscan this is available from Kafka
> {code}
> Supported Server Cipher(s):
>   Accepted TLSv1 256 bits DHE-DSS-AES256-SHA
>   Accepted TLSv1 128 bits DHE-DSS-AES128-SHA
>   Accepted TLSv1 128 bits EDH-DSS-DES-CBC3-SHA
>   Accepted TLS11 256 bits DHE-DSS-AES256-SHA
>   Accepted TLS11 128 bits DHE-DSS-AES128-SHA
>   Accepted TLS11 128 bits EDH-DSS-DES-CBC3-SHA
>   Accepted TLS12 256 bits DHE-DSS-AES256-GCM-SHA384
>   Accepted TLS12 256 bits DHE-DSS-AES256-SHA256
>   Accepted TLS12 256 bits DHE-DSS-AES256-SHA
>   Accepted TLS12 128 bits DHE-DSS-AES128-GCM-SHA256
>   Accepted TLS12 128 bits DHE-DSS-AES128-SHA256
>   Accepted TLS12 128 bits DHE-DSS-AES128-SHA
>   Accepted TLS12 128 bits EDH-DSS-DES-CBC3-SHA
> Preferred Server Cipher(s):
>   SSLv2 0 bits (NONE)
>   TLSv1 256 bits DHE-DSS-AES256-SHA
>   TLS11 256 bits DHE-DSS-AES256-SHA
>   TLS12 256 bits DHE-DSS-AES256-GCM-SHA384
> {code}
> From the Golang documentation these are available there
> {code}
> TLS_RSA_WITH_RC4_128_SHA uint16 = 0x0005
> TLS_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0x000a
> TLS_RSA_WITH_AES_128_CBC_SHA uint16 = 0x002f
> TLS_RSA_WITH_AES_256_CBC_SHA uint16 = 0x0035
> TLS_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0x009c
> TLS_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0x009d
> TLS_ECDHE_ECDSA_WITH_RC4_128_SHA uint16 = 0xc007
> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA uint16 = 0xc009
> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA uint16 = 0xc00a
> TLS_ECDHE_RSA_WITH_RC4_128_SHA uint16 = 0xc011
> TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0xc012
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA uint16 = 0xc013
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA uint16 = 0xc014
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02f
> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02b
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc030
> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc02c
> {code}

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
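
Added example, not part of the original JIRA message and not Kafka or Go project code: in TLS 1.2 and earlier, the authentication part of a suite name has to match the key type of the server certificate, so the two lists quoted above can be compared on that part alone. The scan lines below are constructed in the same sslscan format, and the function names are hypothetical.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// Constructed sample in the sslscan "Accepted" format quoted in the report.
const sampleScan = `Accepted TLSv1 256 bits DHE-DSS-AES256-SHA
Accepted TLS12 256 bits DHE-DSS-AES256-GCM-SHA384
Accepted TLS12 128 bits EDH-DSS-DES-CBC3-SHA`

// serverAuth collects the certificate key types named by OpenSSL-style suites.
// Simplification: only (EC)DHE-<auth>-... and static-RSA names are understood.
func serverAuth(scan string) map[string]bool {
	auth := map[string]bool{}
	for _, line := range strings.Split(scan, "\n") {
		if f := strings.Fields(line); len(f) == 5 && f[0] == "Accepted" {
			a := "RSA" // static RSA key exchange carries no prefix
			if p := strings.Split(f[4], "-"); len(p) > 1 && (p[0] == "DHE" || p[0] == "EDH" || p[0] == "ECDHE") {
				a = p[1]
			}
			auth[a] = true
		}
	}
	return auth
}
// clientAuth does the same for the suites crypto/tls implements (TLS 1.3 names lack "_WITH_").
func clientAuth() map[string]bool {
	auth := map[string]bool{}
	for _, cs := range append(tls.CipherSuites(), tls.InsecureCipherSuites()...) {
		if i := strings.Index(cs.Name, "_WITH_"); i > 0 {
			auth[cs.Name[strings.LastIndex(cs.Name[:i], "_")+1:i]] = true
		}
	}
	return auth
}
// commonAuth returns key types both sides support; empty means no shared suite.
func commonAuth(scan string) map[string]bool {
	common, client := map[string]bool{}, clientAuth()
	for a := range serverAuth(scan) {
		if client[a] {
			common[a] = true
		}
	}
	return common
}
func main() {
	fmt.Println("shared certificate key types:", commonAuth(sampleScan))
}
```

An empty result means the broker certificate's key type is one the Go client has no suite for, which points the check at the key algorithm of the keystore entry rather than at the suite list in the broker configuration.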