Make sure that the date and time on the server is correct (The wrong time
will cause the SSL certificate connection to fail).

בתאריך יום ה׳, 24 ביוני 2021, 19:18, מאת Anjali Sharma ‏<
sharma.anjali.2...@gmail.com>:

> openssl s_client -connect 10.54.65.99:28105
> socket: Bad file descriptor
> connect:errno=9
>
> This is the output we are getting
>
>
> On Thu, Jun 24, 2021 at 6:04 PM Shilin Wu <s...@confluent.io.invalid>
> wrote:
>
> > I think your port may not even be enabled with SSL.
> >
> > do this
> > "openssl s_client -connect <host>:<port>"
> > and show the result ?
> >
> >
> >
> > [image: Confluent] <https://www.confluent.io>
> > Wu Shilin
> > Solution Architect
> > +6581007012
> > Follow us: [image: Blog]
> > <
> >
> https://www.confluent.io/blog?utm_source=footer&utm_medium=email&utm_campaign=ch.email-signature_type.community_content.blog
> > >[image:
> > Twitter] <https://twitter.com/ConfluentInc>[image: LinkedIn]
> > <https://www.linkedin.com/company/confluent/>[image: Slack]
> > <https://slackpass.io/confluentcommunity>[image: YouTube]
> > <https://youtube.com/confluent>
> > [image: Kafka Summit] <https://www.kafka-summit.org/>
> >
> >
> > On Thu, Jun 24, 2021 at 8:32 PM Anjali Sharma <
> > sharma.anjali.2...@gmail.com>
> > wrote:
> >
> > > This is the error we are getting
> > >
> > >
> > >   [2021-06-22 10:59:45,049] ERROR [Consumer clientId=consumer-1,
> > > groupId=test-consumer-group] Connection to node -1 failed
> authentication
> > > due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient)
> > > [2021-06-22 10:59:45,051] ERROR Authentication failed: terminating
> > consumer
> > > process (kafka.tools.ConsoleConsumer$)
> > > org.apache.kafka.common.errors.SslAuthenticationException: SSL
> handshake
> > > failed
> > > Caused by: javax.net.ssl.SSLException: Unsupported record version
> > > Unknown-211.79
> > >
> > >
> > > On Thu, Jun 24, 2021, 17:59 Shilin Wu <s...@confluent.io.invalid>
> wrote:
> > >
> > > > You need to make sure the following one by one... Or you can post the
> > > > message of error here so we can see exact error.
> > > >
> > > >
> > > > > > > > > 1. Client trust store need to trust the server cert's
> issuer
> > > cert
> > > > > > (AKA
> > > > > > > > the
> > > > > > > > > CA cert)
> > > > > > > > > 2. The client must have a keystore that can be trusted by
> > > > server's
> > > > > > > trust
> > > > > > > > > store.
> > > > > > > > > 3. The server needs to be accessed either via FQDN, or one
> of
> > > the
> > > > > SAN
> > > > > > > > > address. If you are doing self sign, you can add many DNS
> > alias
> > > > and
> > > > > > > even
> > > > > > > > ip
> > > > > > > > > addresses to the server's cert.
> > > > > > > > > 4. Make sure the server cert has extended key usage of
> > > > serverAuth,
> > > > > > > client
> > > > > > > > > cert has extended key usage of clientAuth. Actually you can
> > > have
> > > > > > both -
> > > > > > > > if
> > > > > > > > > you are generating yourself.
> > > >
> > > > [image: Confluent] <https://www.confluent.io>
> > > > Wu Shilin
> > > > Solution Architect
> > > > +6581007012
> > > > Follow us: [image: Blog]
> > > > <
> > > >
> > >
> >
> https://www.confluent.io/blog?utm_source=footer&utm_medium=email&utm_campaign=ch.email-signature_type.community_content.blog
> > > > >[image:
> > > > Twitter] <https://twitter.com/ConfluentInc>[image: LinkedIn]
> > > > <https://www.linkedin.com/company/confluent/>[image: Slack]
> > > > <https://slackpass.io/confluentcommunity>[image: YouTube]
> > > > <https://youtube.com/confluent>
> > > > [image: Kafka Summit] <https://www.kafka-summit.org/>
> > > >
> > > >
> > > > On Thu, Jun 24, 2021 at 8:26 PM Anjali Sharma <
> > > > sharma.anjali.2...@gmail.com>
> > > > wrote:
> > > >
> > > > > Thanks for this but we are trying to do this on command line but
> > > getting
> > > > > this bad certificate error
> > > > >
> > > > > On Thu, Jun 24, 2021, 17:52 Shilin Wu <s...@confluent.io.invalid>
> > > wrote:
> > > > >
> > > > > > you may do openssl s_client -connect kafkahost:port to dump the
> > cert.
> > > > > >
> > > > > > See if the cert makes sense.
> > > > > >
> > > > > > To test if your SSL works, you may try use this java program to
> > test
> > > if
> > > > > you
> > > > > > have SSL trust issue - if it connects ok, the cert trust is
> mostly
> > to
> > > > be
> > > > > > okay. (remember to change your host name in code, and jks path in
> > > > command
> > > > > > line options.
> > > > > >
> > > > > >
> > > > > > java -Djavax.net.ssl.trustStore=truststore.jks
> > > > > > -Djavax.net.ssl.trustStorePassword=changeme Test
> > > > > >
> > > > > > import java.net.*;
> > > > > >
> > > > > > import java.io.*;
> > > > > >
> > > > > > import javax.net.ssl.*;
> > > > > >
> > > > > >
> > > > > > /*
> > > > > >
> > > > > >  * This example demostrates how to use a SSLSocket as client to
> > > > > >
> > > > > >  * send a HTTP request and get response from an HTTPS server.
> > > > > >
> > > > > >  * It assumes that the client is not behind a firewall
> > > > > >
> > > > > >  */
> > > > > >
> > > > > >
> > > > > > public class Test {
> > > > > >
> > > > > >
> > > > > >     public static void main(String[] args) throws Exception {
> > > > > >
> > > > > >         try {
> > > > > >
> > > > > >             SSLSocketFactory factory =
> > > > > >
> > > > > >                 (SSLSocketFactory)SSLSocketFactory.getDefault();
> > > > > >
> > > > > >             SSLSocket socket =
> > > > > >
> > > > > >                 (SSLSocket)factory.createSocket("cp-kafka1",
> 9093);
> > > > > >
> > > > > >
> > > > > >             /*
> > > > > >
> > > > > >              * send http request
> > > > > >
> > > > > >              *
> > > > > >
> > > > > >              * Before any application data is sent or received,
> the
> > > > > >
> > > > > >              * SSL socket will do SSL handshaking first to set up
> > > > > >
> > > > > >              * the security attributes.
> > > > > >
> > > > > >              *
> > > > > >
> > > > > >              * SSL handshaking can be initiated by either
> flushing
> > > data
> > > > > >
> > > > > >              * down the pipe, or by starting the handshaking by
> > hand.
> > > > > >
> > > > > >              *
> > > > > >
> > > > > >              * Handshaking is started manually in this example
> > > because
> > > > > >
> > > > > >              * PrintWriter catches all IOExceptions (including
> > > > > >
> > > > > >              * SSLExceptions), sets an internal error flag, and
> > then
> > > > > >
> > > > > >              * returns without rethrowing the exception.
> > > > > >
> > > > > >              *
> > > > > >
> > > > > >              * Unfortunately, this means any error messages are
> > lost,
> > > > > >
> > > > > >              * which caused lots of confusion for others using
> this
> > > > > >
> > > > > >              * code.  The only way to tell there was an error is
> to
> > > > call
> > > > > >
> > > > > >              * PrintWriter.checkError().
> > > > > >
> > > > > >              */
> > > > > >
> > > > > >             socket.startHandshake();
> > > > > >
> > > > > >
> > > > > >             socket.close();
> > > > > >
> > > > > >
> > > > > >         } catch (Exception e) {
> > > > > >
> > > > > >             e.printStackTrace();
> > > > > >
> > > > > >         }
> > > > > >
> > > > > >     }
> > > > > >
> > > > > > }
> > > > > >
> > > > > > [image: Confluent] <https://www.confluent.io>
> > > > > > Wu Shilin
> > > > > > Solution Architect
> > > > > > +6581007012
> > > > > > Follow us: [image: Blog]
> > > > > > <
> > > > > >
> > > > >
> > > >
> > >
> >
> https://www.confluent.io/blog?utm_source=footer&utm_medium=email&utm_campaign=ch.email-signature_type.community_content.blog
> > > > > > >[image:
> > > > > > Twitter] <https://twitter.com/ConfluentInc>[image: LinkedIn]
> > > > > > <https://www.linkedin.com/company/confluent/>[image: Slack]
> > > > > > <https://slackpass.io/confluentcommunity>[image: YouTube]
> > > > > > <https://youtube.com/confluent>
> > > > > > [image: Kafka Summit] <https://www.kafka-summit.org/>
> > > > > >
> > > > > >
> > > > > > On Thu, Jun 24, 2021 at 8:17 PM Anjali Sharma <
> > > > > > sharma.anjali.2...@gmail.com>
> > > > > > wrote:
> > > > > >
> > > > > > > Had added those configuration but still seeing only junk
> > > certificates
> > > > > > from
> > > > > > > client side ? Any idea how to solve?
> > > > > > >
> > > > > > >
> > > > > > > Thanks
> > > > > > > Anjali
> > > > > > >
> > > > > > > On Thu, Jun 24, 2021, 17:44 Shilin Wu
> <s...@confluent.io.invalid
> > >
> > > > > wrote:
> > > > > > >
> > > > > > > > ssl.truststore.location=/root/truststore.jks
> > > > > > > >
> > > > > > > > ssl.truststore.type=JKS
> > > > > > > >
> > > > > > > > ssl.truststore.password=changeme
> > > > > > > >
> > > > > > > > ssl.keystore.location=/root/alice.jks
> > > > > > > >
> > > > > > > > ssl.keystore.type=JKS
> > > > > > > >
> > > > > > > > ssl.keystore.password=changeme
> > > > > > > >
> > > > > > > > security.protocol=SSL
> > > > > > > >
> > > > > > > > bootstrap.server=cp-kafka1:9093
> > > > > > > >
> > > > > > > > ssl.endpoint.identification.algorithm=https
> > > > > > > >
> > > > > > > > This worked for me pretty well.
> > > > > > > >
> > > > > > > > Of course you need to generate those certs from open ssl.
> > > > > > > >
> > > > > > > > The trust store only contains the CA cert, the key store
> > contains
> > > > the
> > > > > > > > keypair for alice (the user here).
> > > > > > > >
> > > > > > > >
> > > > > > > > [image: Confluent] <https://www.confluent.io>
> > > > > > > > Wu Shilin
> > > > > > > > Solution Architect
> > > > > > > > +6581007012
> > > > > > > > Follow us: [image: Blog]
> > > > > > > > <
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> https://www.confluent.io/blog?utm_source=footer&utm_medium=email&utm_campaign=ch.email-signature_type.community_content.blog
> > > > > > > > >[image:
> > > > > > > > Twitter] <https://twitter.com/ConfluentInc>[image: LinkedIn]
> > > > > > > > <https://www.linkedin.com/company/confluent/>[image: Slack]
> > > > > > > > <https://slackpass.io/confluentcommunity>[image: YouTube]
> > > > > > > > <https://youtube.com/confluent>
> > > > > > > > [image: Kafka Summit] <https://www.kafka-summit.org/>
> > > > > > > >
> > > > > > > >
> > > > > > > > On Thu, Jun 24, 2021 at 11:38 AM Anjali Sharma <
> > > > > > > > sharma.anjali.2...@gmail.com>
> > > > > > > > wrote:
> > > > > > > >
> > > > > > > > > Thanks for this info can you please share what all needs to
> > be
> > > > > > present
> > > > > > > on
> > > > > > > > > the client side for mtls as in what all configuration are
> > > needed
> > > > > that
> > > > > > > > side?
> > > > > > > > >
> > > > > > > > > Thanks
> > > > > > > > >
> > > > > > > > > On Thu, Jun 24, 2021, 07:51 Shilin Wu
> > > <s...@confluent.io.invalid
> > > > >
> > > > > > > wrote:
> > > > > > > > >
> > > > > > > > > > A few things to check:
> > > > > > > > > >
> > > > > > > > > > 1. Client trust store need to trust the server cert's
> > issuer
> > > > cert
> > > > > > > (AKA
> > > > > > > > > the
> > > > > > > > > > CA cert)
> > > > > > > > > > 2. The client must have a keystore that can be trusted by
> > > > > server's
> > > > > > > > trust
> > > > > > > > > > store.
> > > > > > > > > > 3. The server needs to be accessed either via FQDN, or
> one
> > of
> > > > the
> > > > > > SAN
> > > > > > > > > > address. If you are doing self sign, you can add many DNS
> > > alias
> > > > > and
> > > > > > > > even
> > > > > > > > > ip
> > > > > > > > > > addresses to the server's cert.
> > > > > > > > > > 4. Make sure the server cert has extended key usage of
> > > > > serverAuth,
> > > > > > > > client
> > > > > > > > > > cert has extended key usage of clientAuth. Actually you
> can
> > > > have
> > > > > > > both -
> > > > > > > > > if
> > > > > > > > > > you are generating yourself.
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > [image: Confluent] <https://www.confluent.io>
> > > > > > > > > > Wu Shilin
> > > > > > > > > > Solution Architect
> > > > > > > > > > +6581007012
> > > > > > > > > > Follow us: [image: Blog]
> > > > > > > > > > <
> > > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> https://www.confluent.io/blog?utm_source=footer&utm_medium=email&utm_campaign=ch.email-signature_type.community_content.blog
> > > > > > > > > > >[image:
> > > > > > > > > > Twitter] <https://twitter.com/ConfluentInc>[image:
> > LinkedIn]
> > > > > > > > > > <https://www.linkedin.com/company/confluent/>[image:
> > Slack]
> > > > > > > > > > <https://slackpass.io/confluentcommunity>[image:
> YouTube]
> > > > > > > > > > <https://youtube.com/confluent>
> > > > > > > > > > [image: Kafka Summit] <https://www.kafka-summit.org/>
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > On Thu, Jun 24, 2021 at 12:37 AM Anjali Sharma <
> > > > > > > > > > sharma.anjali.2...@gmail.com>
> > > > > > > > > > wrote:
> > > > > > > > > >
> > > > > > > > > > > Hi All,
> > > > > > > > > > >
> > > > > > > > > > > While trying for mtls ssl.client.aut=required, From
> > Client
> > > > side
> > > > > > we
> > > > > > > > are
> > > > > > > > > > > seeing some junk certificates which we have not
> imported
> > on
> > > > the
> > > > > > > > client
> > > > > > > > > > > side?
> > > > > > > > > > >
> > > > > > > > > > > Please help with this?
> > > > > > > > > > >
> > > > > > > > > > > Thanks & Regards
> > > > > > > > > > >
> > > > > > > > > > > Anjali
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>

Reply via email to