Trying to configure Topbeat client --> Kafka connection to use TLS.
Both of these are on the same server but other clients will be on different
servers.
I have switched kafka debug on using the JVM '-Djavax.net.debug=ssl' switch
and full debug is below.
Amongst the debug is the ciper suites error:
TLS errors "fatal error: 40: no cipher suites in common".
I'm unsure if this is a real error or a red herring ? And if its real what
to do to resolve the issue ?
Really really appreciate it if anyone can look at the output and
configuration and either spot something wrong or recommend how I can debug
this further.
Many Thanks,
Mick
kafka errors when client connects
----------------------------------
Using SSLEngineImpl.
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for
TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for
TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for
TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for
TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for
TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for
TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for
TLSv1.1
kafka-network-thread-0-SSL-3, READ: TLSv1 Handshake, length = 150
*** ClientHello, TLSv1
RandomCookie: GMT: 1465224258 bytes = { 243, 102, 129, 42, 130, 52, 105,
250, 96, 55, 251, 141, 5, 67, 244, 184, 13, 159, 131, 197, 185, 15, 168,
172, 250, 153, 170, 161 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_SEED_CBC_SHA,
TLS_DHE_DSS_WITH_SEED_CBC_SHA, TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_SEED_CBC_SHA, TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_IDEA_CBC_SHA,
TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5,
TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension ec_point_formats, formats: [uncompressed,
ansiX962_compressed_prime, ansiX962_compressed_char2]
Extension elliptic_curves, curve names: {secp521r1, secp384r1, secp256r1}
Unsupported extension type_35, data:
Unsupported extension type_15, data: 01
***
%% Initialized: [Session-12, SSL_NULL_WITH_NULL_NULL]
kafka-network-thread-0-SSL-3, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
%% Invalidated: [Session-12, SSL_NULL_WITH_NULL_NULL]
kafka-network-thread-0-SSL-3, SEND TLSv1 ALERT: fatal, description =
handshake_failure
kafka-network-thread-0-SSL-3, WRITE: TLSv1 Alert, length = 2
kafka-network-thread-0-SSL-3, fatal: engine already closed. Rethrowing
javax.net.ssl.SSLHandshakeException: no cipher suites in common
kafka-network-thread-0-SSL-3, called closeOutbound()
kafka-network-thread-0-SSL-3, closeOutboundInternal()
kafka-network-thread-0-SSL-3, called closeInbound()
kafka-network-thread-0-SSL-3, fatal: engine already closed. Rethrowing
javax.net.ssl.SSLException: Inbound closed before receiving peer's
close_notify: possible truncation attack?
kafka-network-thread-0-SSL-3, called closeOutbound()
kafka-network-thread-0-SSL-3, closeOutboundInternal()
SSL cert generation
--------------------
(from http://docs.confluent.io/2.0.0/kafka/ssl.html)
#!/bin/bash
keytool -keystore kafka.server.keystore.jks -alias localhost -validity 365
-genkey
openssl req -new -x509 -keyout ca-key -out ca-cert -days 365
keytool -keystore kafka.server.truststore.jks -alias CARoot -import -file
ca-cert
keytool -keystore kafka.client.truststore.jks -alias CARoot -import -file
ca-cert
keytool -keystore kafka.server.keystore.jks -alias localhost -certreq -file
cert-file
openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed
-days 365 -CAcreateserial -passin pass:test1234
keytool -keystore kafka.server.keystore.jks -alias CARoot -import -file
ca-cert
keytool -keystore kafka.server.keystore.jks -alias localhost -import -file
cert-signed
kafka server.properties
-----------------------
listeners=PLAINTEXT://kafkaserver:9092,SSL://kafkaserver:9093
security.protocol=SSL
ssl.truststore.location=/root/certs2/kafka.client.truststore.jks
ssl.truststore.password=test1234
ssl.enabled.protocols = TLSv1.2,TLSv1.1,TLSv1
ssl.truststore.type=JKS
ssl.client.auth=none
openssl test
-------------
>> openssl s_client -debug -connect kafkaserver:9093 -tls1
CONNECTED(00000003)
write to 0x10a92b0 [0x11b7183] (155 bytes => 155 (0x9B))
0000 - 16 03 01 00 96 01 00 00-92 03 01 57 56 8a 57 97 ...........WV.W.
0010 - e9 7c 0a 33 b7 f3 c7 2c-1d 09 2e a7 c7 ac df ef .|.3...,........
0020 - 15 ed e4 f4 49 74 c7 9b-b8 c8 ee 00 00 4c c0 14 ....It.......L..
0030 - c0 0a 00 39 00 38 00 88-00 87 c0 0f c0 05 00 35 ...9.8.........5
0040 - 00 84 c0 13 c0 09 00 33-00 32 c0 12 c0 08 00 9a .......3.2......
0050 - 00 99 00 45 00 44 00 16-00 13 c0 0e c0 04 c0 0d ...E.D..........
0060 - c0 03 00 2f 00 96 00 41-00 0a 00 07 c0 11 c0 07 .../...A........
0070 - c0 0c c0 02 00 05 00 04-00 ff 01 00 00 1d 00 0b ................
0080 - 00 04 03 00 01 02 00 0a-00 08 00 06 00 19 00 18 ................
0090 - 00 17 00 23 00 00 00 0f-00 01 01 ...#.......
read from 0x10a92b0 [0x11b2c33] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1465289303
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
Client Configuration
--------------------
cp /root/certs2/ca-cert /etc/pki/ca-trust/source/anchors/ca-cert.pem
update-ca-trust
topbeat.yml
-----------
kafka:
# Array of hosts to connect to.
hosts: ["kafkaserver:9093"]
topic: "elktopbeat"
client_id: "elk"
tls:
# List of root certificates for HTTPS server verifications
#certificate_authorities: ["/etc/pki/root/ca.pem"]
certificate_authorities: ["/etc/pki/tls/certs/ca-bundle.crt"]
# Certificate for TLS client authentication
#certificate: "/etc/pki/client/cert.pem"
# Client Certificate Key
#certificate_key: "/etc/pki/client/cert.key"
