Ismael... any reason not to use openssl to generate the key and the cert simultaneously?

     openssl req -nodes -newkey rsa:2048 -keyout kafka.server.keystore.jks -out ca.cert

https://www.networking4all.com/en/support/ssl+certificates/manuals/apache/apache+http+server/generate+csr/

Thanks
Martin
> From: mickmahoney1...@gmail.com
> Date: Tue, 7 Jun 2016 13:07:50 +0100
> Subject: Re: Problem with Kafka TLS configuration "no cipher suites in common"
> To: users@kafka.apache.org
> 
> Perfect - thanks Ismael.
> 
> Changed
>      keytool -keystore kafka.server.keystore.jks -alias localhost -validity 365 -genkey
> to
>      keytool -keystore kafka.server.keystore.jks -alias localhost -validity 365 -genkey -keyalg RSA
> 
> works a treat :)
> 
> Thanks again,
> 
> Mick
> 
> On Tue, Jun 7, 2016 at 12:51 PM, Ismael Juma <ism...@juma.me.uk> wrote:
> 
> > Sorry, the link should have been (it's public, anyone can access):
> >
> >
> > https://issues.apache.org/jira/browse/KAFKA-3647?focusedCommentId=15270520&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-15270520
> >
> > Ismael
> >
> > On Tue, Jun 7, 2016 at 12:43 PM, Mick Mahoney <mickmahoney1...@gmail.com> wrote:
> >
> > > Hi Ismael,
> > >
> > > Thanks for the reply - I don't have permissions to see that link - is
> > > there any chance you can expand on it in the thread please?
> > >
> > > Thanks,
> > > Mick
> > >
> > > On Tue, Jun 7, 2016 at 12:39 PM, Ismael Juma <ism...@juma.me.uk> wrote:
> > >
> > > > Hi Mick,
> > > >
> > > > This can happen if you are using a DSS key, but the client only supports
> > > > RSA-based ciphers; see the following for more details:
> > > >
> > > > https://issues.apache.org/jira/secure/EditComment!default.jspa?id=12964371&commentId=15270520
> > > >
> > > > Ismael
> > > >
> > > > On Tue, Jun 7, 2016 at 10:24 AM, Mick Mahoney <mickmahoney1...@gmail.com> wrote:
> > > >
> > > > > Trying to configure Topbeat client --> Kafka connection to use TLS.
> > > > >
> > > > > Both of these are on the same server but other clients will be on
> > > > > different servers.
> > > > >
> > > > > I have switched kafka debug on using the JVM '-Djavax.net.debug=ssl'
> > > > > switch and full debug is below.
> > > > >
> > > > > Amongst the debug is the cipher suites error:
> > > > >
> > > > > TLS errors "fatal error: 40: no cipher suites in common".
> > > > >
> > > > > I'm unsure if this is a real error or a red herring? And if it's real,
> > > > > what to do to resolve the issue?
> > > > >
> > > > > Really really appreciate it if anyone can look at the output and
> > > > > configuration and either spot something wrong or recommend how I can
> > > > > debug this further.
> > > > >
> > > > > Many Thanks,
> > > > >
> > > > > Mick
> > > > >
> > > > >
> > > > >
> > > > > kafka errors when client connects
> > > > > ----------------------------------
> > > > >
> > > > > Using SSLEngineImpl.
> > > > > Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
> > > > > Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
> > > > > Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
> > > > > Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
> > > > > Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
> > > > > Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
> > > > > Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
> > > > > Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
> > > > > Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
> > > > > Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384
> > > > > Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
> > > > > Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
> > > > > Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
> > > > > Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
> > > > > Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> > > > > Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
> > > > > Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
> > > > > Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
> > > > > Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
> > > > > Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
> > > > > Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> > > > > Allow unsafe renegotiation: false
> > > > > Allow legacy hello messages: true
> > > > > Is initial handshake: true
> > > > > Is secure renegotiation: false
> > > > > Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
> > > > > Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
> > > > > Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
> > > > > Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
> > > > > Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
> > > > > Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
> > > > > Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1
> > > > > Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
> > > > > Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
> > > > > Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
> > > > > Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
> > > > > Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
> > > > > Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
> > > > > Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1
> > > > > kafka-network-thread-0-SSL-3, READ: TLSv1 Handshake, length = 150
> > > > > *** ClientHello, TLSv1
> > > > > RandomCookie:  GMT: 1465224258 bytes = { 243, 102, 129, 42, 130, 52, 105,
> > > > > 250, 96, 55, 251, 141, 5, 67, 244, 184, 13, 159, 131, 197, 185, 15, 168,
> > > > > 172, 250, 153, 170, 161 }
> > > > > Session ID:  {}
> > > > > Cipher Suites: [TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
> > > > > TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
> > > > > TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
> > > > > TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
> > > > > TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA,
> > > > > TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
> > > > > TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
> > > > > TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
> > > > > TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_SEED_CBC_SHA,
> > > > > TLS_DHE_DSS_WITH_SEED_CBC_SHA, TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
> > > > > TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
> > > > > SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
> > > > > TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
> > > > > TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
> > > > > TLS_RSA_WITH_SEED_CBC_SHA, TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
> > > > > SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_IDEA_CBC_SHA,
> > > > > TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
> > > > > TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
> > > > > SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5,
> > > > > TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
> > > > > Compression Methods:  { 0 }
> > > > > Extension ec_point_formats, formats: [uncompressed,
> > > > > ansiX962_compressed_prime, ansiX962_compressed_char2]
> > > > > Extension elliptic_curves, curve names: {secp521r1, secp384r1, secp256r1}
> > > > > Unsupported extension type_35, data:
> > > > > Unsupported extension type_15, data: 01
> > > > > ***
> > > > > %% Initialized:  [Session-12, SSL_NULL_WITH_NULL_NULL]
> > > > > kafka-network-thread-0-SSL-3, fatal error: 40: no cipher suites in common
> > > > > javax.net.ssl.SSLHandshakeException: no cipher suites in common
> > > > > %% Invalidated:  [Session-12, SSL_NULL_WITH_NULL_NULL]
> > > > > kafka-network-thread-0-SSL-3, SEND TLSv1 ALERT:  fatal, description = handshake_failure
> > > > > kafka-network-thread-0-SSL-3, WRITE: TLSv1 Alert, length = 2
> > > > > kafka-network-thread-0-SSL-3, fatal: engine already closed.  Rethrowing
> > > > > javax.net.ssl.SSLHandshakeException: no cipher suites in common
> > > > > kafka-network-thread-0-SSL-3, called closeOutbound()
> > > > > kafka-network-thread-0-SSL-3, closeOutboundInternal()
> > > > > kafka-network-thread-0-SSL-3, called closeInbound()
> > > > > kafka-network-thread-0-SSL-3, fatal: engine already closed.  Rethrowing
> > > > > javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
> > > > > kafka-network-thread-0-SSL-3, called closeOutbound()
> > > > > kafka-network-thread-0-SSL-3, closeOutboundInternal()
> > > > >
> > > > >
> > > > >
> > > > > SSL cert generation
> > > > > --------------------
> > > > > (from http://docs.confluent.io/2.0.0/kafka/ssl.html)
> > > > >
> > > > > #!/bin/bash
> > > > > keytool -keystore kafka.server.keystore.jks -alias localhost -validity 365 -genkey
> > > > > openssl req -new -x509 -keyout ca-key -out ca-cert -days 365
> > > > > keytool -keystore kafka.server.truststore.jks -alias CARoot -import -file ca-cert
> > > > > keytool -keystore kafka.client.truststore.jks -alias CARoot -import -file ca-cert
> > > > > keytool -keystore kafka.server.keystore.jks -alias localhost -certreq -file cert-file
> > > > > openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days 365 -CAcreateserial -passin pass:test1234
> > > > > keytool -keystore kafka.server.keystore.jks -alias CARoot -import -file ca-cert
> > > > > keytool -keystore kafka.server.keystore.jks -alias localhost -import -file cert-signed
> > > > >
> > > > >
> > > > >
> > > > > kafka server.properties
> > > > > -----------------------
> > > > >
> > > > > listeners=PLAINTEXT://kafkaserver:9092,SSL://kafkaserver:9093
> > > > >
> > > > > security.protocol=SSL
> > > > >
> > > > > ssl.truststore.location=/root/certs2/kafka.client.truststore.jks
> > > > > ssl.truststore.password=test1234
> > > > > ssl.enabled.protocols = TLSv1.2,TLSv1.1,TLSv1
> > > > > ssl.truststore.type=JKS
> > > > > ssl.client.auth=none
> > > > >
> > > > >
> > > > > openssl test
> > > > > -------------
> > > > >
> > > > >
> > > > > >> openssl s_client -debug -connect kafkaserver:9093 -tls1
> > > > >
> > > > > CONNECTED(00000003)
> > > > > write to 0x10a92b0 [0x11b7183] (155 bytes => 155 (0x9B))
> > > > > read from 0x10a92b0 [0x11b2c33] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
> > > > > write:errno=104
> > > > > ---
> > > > > no peer certificate available
> > > > > ---
> > > > > No client certificate CA names sent
> > > > > ---
> > > > > SSL handshake has read 0 bytes and written 0 bytes
> > > > > ---
> > > > > New, (NONE), Cipher is (NONE)
> > > > > Secure Renegotiation IS NOT supported
> > > > > Compression: NONE
> > > > > Expansion: NONE
> > > > > SSL-Session:
> > > > >     Protocol  : TLSv1
> > > > >     Cipher    : 0000
> > > > >     Session-ID:
> > > > >     Session-ID-ctx:
> > > > >     Master-Key:
> > > > >     Key-Arg   : None
> > > > >     Krb5 Principal: None
> > > > >     PSK identity: None
> > > > >     PSK identity hint: None
> > > > >     Start Time: 1465289303
> > > > >     Timeout   : 7200 (sec)
> > > > >     Verify return code: 0 (ok)
> > > > > ---
> > > > >
> > > > >
> > > > > Client Configuration
> > > > > --------------------
> > > > >
> > > > > cp /root/certs2/ca-cert /etc/pki/ca-trust/source/anchors/ca-cert.pem
> > > > > update-ca-trust
> > > > >
> > > > >
> > > > > topbeat.yml
> > > > > -----------
> > > > >
> > > > >  kafka:
> > > > >
> > > > >     # Array of hosts to connect to.
> > > > >     hosts: ["kafkaserver:9093"]
> > > > >     topic: "elktopbeat"
> > > > >     client_id: "elk"
> > > > >
> > > > >     tls:
> > > > >       # List of root certificates for HTTPS server verifications
> > > > >       #certificate_authorities: ["/etc/pki/root/ca.pem"]
> > > > >       certificate_authorities: ["/etc/pki/tls/certs/ca-bundle.crt"]
> > > > >
> > > > >       # Certificate for TLS client authentication
> > > > >       #certificate: "/etc/pki/client/cert.pem"
> > > > >
> > > > >       # Client Certificate Key
> > > > >       #certificate_key: "/etc/pki/client/cert.key"
> > > > >
> > > >
> > >
> >
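Ismael's diagnosis above (the broker holds a DSS key while the client only ends up with RSA-based suites) can be checked mechanically from the `-Djavax.net.debug=ssl` output. The Python script below is an added example, not code from the thread or from Kafka: it parses the shape of the broker log quoted above, groups the client's offered suites by the certificate key type they require, and subtracts the suites the JVM reports ignoring, so you can see which suites a given server key type leaves in play. The log text inside it is a constructed, abridged sample.

```python
import re
# Constructed sample, abridged from the shape of the broker log quoted in the thread.
SAMPLE_LOG = """\
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
*** ClientHello, TLSv1
Cipher Suites: [TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
kafka-network-thread-0-SSL-3, fatal error: 40: no cipher suites in common
"""

def cert_key_type(suite):
    """'RSA', 'DSS' or 'EC' for the server certificate a suite needs; None for pseudo-suites."""
    if "_WITH_" not in suite:  # e.g. TLS_EMPTY_RENEGOTIATION_INFO_SCSV
        return None
    kx = suite.split("_WITH_")[0].split("_", 1)[1]  # e.g. ECDHE_RSA, DHE_DSS, RSA
    if kx.endswith("_DSS"):
        return "DSS"
    if kx in ("RSA", "DHE_RSA", "ECDHE_RSA"):
        return "RSA"
    if kx in ("ECDHE_ECDSA", "ECDH_ECDSA", "ECDH_RSA"):
        return "EC"  # ECDSA signing or static ECDH: the certificate holds an EC key
    return None  # anonymous, PSK, Kerberos and other families not seen in this log

def parse_log(log):
    """Return (ClientHello version, suites the client offered, suites the JVM dropped)."""
    version = re.search(r"\*\*\* ClientHello, (TLSv[\d.]+)", log).group(1)
    offered = re.search(r"Cipher Suites: \[(.*?)\]", log, re.S).group(1)
    offered = [s.strip() for s in offered.split(",")]
    dropped = set(re.findall(r"Ignoring unavailable cipher suite: (\S+)", log))
    # "unsupported ... for TLSvX" only rules a suite out for the version the client proposed
    for suite, ver in re.findall(r"Ignoring unsupported cipher suite: (\S+) for (TLSv[\d.]+)", log):
        if ver == version:
            dropped.add(suite)
    return version, offered, dropped

def candidates(log, server_key_type):
    """Offered suites usable with the server's key type; empty == 'no cipher suites in common'."""
    _, offered, dropped = parse_log(log)
    return [s for s in offered if cert_key_type(s) == server_key_type and s not in dropped]

if __name__ == "__main__":
    for key_type in ("DSS", "RSA", "EC"):
        print(key_type, candidates(SAMPLE_LOG, key_type))
```

Run it against a real `javax.net.debug=ssl` capture and compare the list for the key type actually in `kafka.server.keystore.jks` (check with `keytool -list -v`) against the list for RSA; the gap is what `-keyalg RSA` closes.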
                                          
