Hi Ismael,

Thanks for the reply - I don't have permissions to see that link - is there any chance you can expand on it in the thread please?

Thanks,
Mick

On Tue, Jun 7, 2016 at 12:39 PM, Ismael Juma <ism...@juma.me.uk> wrote:

> Hi Mick,
>
> This can happen if you are using a DSS key, but the client only supports
> RSA-based ciphers, see the following for more details:
>
> https://issues.apache.org/jira/secure/EditComment!default.jspa?id=12964371&commentId=15270520
>
> Ismael
>
> On Tue, Jun 7, 2016 at 10:24 AM, Mick Mahoney <mickmahoney1...@gmail.com>
> wrote:
>
> > Trying to configure Topbeat client --> Kafka connection to use TLS.
> >
> > Both of these are on the same server but other clients will be on different
> > servers.
> >
> > I have switched kafka debug on using the JVM '-Djavax.net.debug=ssl' switch
> > and full debug is below.
> >
> > Amongst the debug is the cipher suites error:
> >
> > TLS errors "fatal error: 40: no cipher suites in common".
> >
> > I'm unsure if this is a real error or a red herring? And if it's real what
> > to do to resolve the issue?
> >
> > Really really appreciate it if anyone can look at the output and
> > configuration and either spot something wrong or recommend how I can debug
> > this further.
> >
> > Many Thanks,
> >
> > Mick
> >
> >
> > kafka errors when client connects
> > ----------------------------------
> >
> > Using SSLEngineImpl.
> > Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
> > Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
> > Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
> > Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
> > Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
> > Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
> > Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
> > Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
> > Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
> > Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384
> > Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
> > Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
> > Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
> > Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
> > Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> > Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
> > Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
> > Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
> > Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
> > Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
> > Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> > Allow unsafe renegotiation: false
> > Allow legacy hello messages: true
> > Is initial handshake: true
> > Is secure renegotiation: false
> > Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
> > Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
> > Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
> > Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
> > Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
> > Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
> > Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1
> > Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
> > Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
> > Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
> > Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
> > Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
> > Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
> > Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1
> > kafka-network-thread-0-SSL-3, READ: TLSv1 Handshake, length = 150
> > *** ClientHello, TLSv1
> > RandomCookie: GMT: 1465224258 bytes = { 243, 102, 129, 42, 130, 52, 105, 250, 96, 55, 251, 141, 5, 67, 244, 184, 13, 159, 131, 197, 185, 15, 168, 172, 250, 153, 170, 161 }
> > Session ID: {}
> > Cipher Suites: [TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
> > TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
> > TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
> > TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
> > TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA,
> > TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
> > TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
> > TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
> > TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_SEED_CBC_SHA,
> > TLS_DHE_DSS_WITH_SEED_CBC_SHA, TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
> > TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
> > SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
> > TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
> > TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
> > TLS_RSA_WITH_SEED_CBC_SHA, TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
> > SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_IDEA_CBC_SHA,
> > TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
> > TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
> > SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5,
> > TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
> > Compression Methods: { 0 }
> > Extension ec_point_formats, formats: [uncompressed, ansiX962_compressed_prime, ansiX962_compressed_char2]
> > Extension elliptic_curves, curve names: {secp521r1, secp384r1, secp256r1}
> > Unsupported extension type_35, data:
> > Unsupported extension type_15, data: 01
> > ***
> > %% Initialized: [Session-12, SSL_NULL_WITH_NULL_NULL]
> > kafka-network-thread-0-SSL-3, fatal error: 40: no cipher suites in common
> > javax.net.ssl.SSLHandshakeException: no cipher suites in common
> > %% Invalidated: [Session-12, SSL_NULL_WITH_NULL_NULL]
> > kafka-network-thread-0-SSL-3, SEND TLSv1 ALERT: fatal, description = handshake_failure
> > kafka-network-thread-0-SSL-3, WRITE: TLSv1 Alert, length = 2
> > kafka-network-thread-0-SSL-3, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
> > kafka-network-thread-0-SSL-3, called closeOutbound()
> > kafka-network-thread-0-SSL-3, closeOutboundInternal()
> > kafka-network-thread-0-SSL-3, called closeInbound()
> > kafka-network-thread-0-SSL-3, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
> > kafka-network-thread-0-SSL-3, called closeOutbound()
> > kafka-network-thread-0-SSL-3, closeOutboundInternal()
> >
> >
> > SSL cert generation
> > --------------------
> > (from http://docs.confluent.io/2.0.0/kafka/ssl.html)
> >
> > #!/bin/bash
> > keytool -keystore kafka.server.keystore.jks -alias localhost -validity 365 -genkey
> > openssl req -new -x509 -keyout ca-key -out ca-cert -days 365
> > keytool -keystore kafka.server.truststore.jks -alias CARoot -import -file ca-cert
> > keytool -keystore kafka.client.truststore.jks -alias CARoot -import -file ca-cert
> > keytool -keystore kafka.server.keystore.jks -alias localhost -certreq -file cert-file
> > openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days 365 -CAcreateserial -passin pass:test1234
> > keytool -keystore kafka.server.keystore.jks -alias CARoot -import -file ca-cert
> > keytool -keystore kafka.server.keystore.jks -alias localhost -import -file cert-signed
> >
> >
> > kafka server.properties
> > -----------------------
> >
> > listeners=PLAINTEXT://kafkaserver:9092,SSL://kafkaserver:9093
> >
> > security.protocol=SSL
> >
> > ssl.truststore.location=/root/certs2/kafka.client.truststore.jks
> > ssl.truststore.password=test1234
> > ssl.enabled.protocols = TLSv1.2,TLSv1.1,TLSv1
> > ssl.truststore.type=JKS
> > ssl.client.auth=none
> >
> >
> > openssl test
> > -------------
> >
> > >> openssl s_client -debug -connect kafkaserver:9093 -tls1
> >
> > CONNECTED(00000003)
> > write to 0x10a92b0 [0x11b7183] (155 bytes => 155 (0x9B))
> > 0000 - 16 03 01 00 96 01 00 00-92 03 01 57 56 8a 57 97 ...........WV.W.
> > 0010 - e9 7c 0a 33 b7 f3 c7 2c-1d 09 2e a7 c7 ac df ef .|.3...,........
> > 0020 - 15 ed e4 f4 49 74 c7 9b-b8 c8 ee 00 00 4c c0 14 ....It.......L..
> > 0030 - c0 0a 00 39 00 38 00 88-00 87 c0 0f c0 05 00 35 ...9.8.........5
> > 0040 - 00 84 c0 13 c0 09 00 33-00 32 c0 12 c0 08 00 9a .......3.2......
> > 0050 - 00 99 00 45 00 44 00 16-00 13 c0 0e c0 04 c0 0d ...E.D..........
> > 0060 - c0 03 00 2f 00 96 00 41-00 0a 00 07 c0 11 c0 07 .../...A........
> > 0070 - c0 0c c0 02 00 05 00 04-00 ff 01 00 00 1d 00 0b ................
> > 0080 - 00 04 03 00 01 02 00 0a-00 08 00 06 00 19 00 18 ................
> > 0090 - 00 17 00 23 00 00 00 0f-00 01 01 ...#.......
> > read from 0x10a92b0 [0x11b2c33] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
> > write:errno=104
> > ---
> > no peer certificate available
> > ---
> > No client certificate CA names sent
> > ---
> > SSL handshake has read 0 bytes and written 0 bytes
> > ---
> > New, (NONE), Cipher is (NONE)
> > Secure Renegotiation IS NOT supported
> > Compression: NONE
> > Expansion: NONE
> > SSL-Session:
> > Protocol : TLSv1
> > Cipher : 0000
> > Session-ID:
> > Session-ID-ctx:
> > Master-Key:
> > Key-Arg : None
> > Krb5 Principal: None
> > PSK identity: None
> > PSK identity hint: None
> > Start Time: 1465289303
> > Timeout : 7200 (sec)
> > Verify return code: 0 (ok)
> > ---
> >
> >
> > Client Configuration
> > --------------------
> >
> > cp /root/certs2/ca-cert /etc/pki/ca-trust/source/anchors/ca-cert.pem
> > update-ca-trust
> >
> >
> > topbeat.yml
> > -----------
> >
> > kafka:
> >
> >   # Array of hosts to connect to.
> >   hosts: ["kafkaserver:9093"]
> >   topic: "elktopbeat"
> >   client_id: "elk"
> >
> >   tls:
> >     # List of root certificates for HTTPS server verifications
> >     #certificate_authorities: ["/etc/pki/root/ca.pem"]
> >     certificate_authorities: ["/etc/pki/tls/certs/ca-bundle.crt"]
> >
> >     # Certificate for TLS client authentication
> >     #certificate: "/etc/pki/client/cert.pem"
> >
> >     # Client Certificate Key
> >     #certificate_key: "/etc/pki/client/cert.key"
> >
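
An added example, not part of the thread and not Kafka or JDK code: the sketch below reads `-Djavax.net.debug=ssl` output of the kind quoted above and groups the ClientHello suites that the JVM did not mark unavailable by the key algorithm the broker's private key would need. An empty result for the broker's key algorithm corresponds to `no cipher suites in common`. The log excerpt is constructed, the function names are hypothetical, and the script assumes every remaining suite is enabled on the broker.

```python
import re

# Constructed excerpt shaped like the -Djavax.net.debug=ssl output in the thread.
SAMPLE_LOG = """\
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
*** ClientHello, TLSv1
Cipher Suites: [TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
"""

# Key algorithm the server's private key must have for each key exchange.
KEY_FOR_KX = {
    "RSA": "RSA", "DHE_RSA": "RSA", "ECDHE_RSA": "RSA",
    "DHE_DSS": "DSA",
    "ECDHE_ECDSA": "EC", "ECDH_ECDSA": "EC", "ECDH_RSA": "EC",
}

def required_key(suite):
    """Return 'RSA', 'DSA' or 'EC' for a suite name, or None (e.g. the SCSV)."""
    name = suite.split("_", 1)[1]            # drop the TLS_/SSL_ prefix
    return KEY_FOR_KX.get(name.split("_WITH_")[0])

def usable_by_key(log):
    """Group offered suites the JVM did not mark unavailable by key type."""
    unavailable = set(re.findall(r"Ignoring unavailable cipher suite: (\S+)", log))
    hello = re.search(r"Cipher Suites: \[(.*?)\]", log, re.S)
    offered = [s.strip() for s in hello.group(1).split(",")] if hello else []
    groups = {}
    for suite in offered:
        key = required_key(suite)
        if key and suite not in unavailable:
            groups.setdefault(key, []).append(suite)
    return groups

def candidates(log, server_key_alg):
    """Suites a broker holding a key of server_key_alg could select.
    Assumes every remaining suite is enabled on the broker; pass None
    for a broker that has no private key loaded at all."""
    return usable_by_key(log).get(server_key_alg, [])

if __name__ == "__main__":
    for alg in ("RSA", "DSA", "EC", None):
        print(alg, candidates(SAMPLE_LOG, alg) or "no cipher suites in common")
```

The broker's actual key algorithm can be read from the `keytool -list -v` output for the keystore and passed as `server_key_alg`.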