
Client failed to SSL handshake with brokers with SslCaPem. #2299

Open
2 tasks
tq20202020 opened this issue Aug 29, 2024 · 1 comment
Description

Client failed to SSL handshake with brokers when SslCaPem is set to [intermediate CA] or [root CA] or [intermediate CA + root CA].
See [How to reproduce] for config used.

This behaves differently when using the "location" set of config (SslKeyLocation/SslCertificateLocation/SslCaLocation)
Differences in these aspects:

  1. Not setting SslCaLocation, this works, I guess it looks up the root CA in my local cert store. Not working with the "pem" set of config.
  2. Setting SslCaLocation to root CA pem file, this also works. Not working when setting SslCaPem to same cert.
  3. Setting SslCaLocation to intermediate CA pem, this does not work unless EnableSslCertificateVerification is disabled. For "pem" set of config this does not work regardless of EnableSslCertificateVerification.
  4. Setting SslCaLocation to a pem that contains both the intermediate and root CA, this works. Not working with SslCaPem.

I'm using the 2.5.2 release, I believe there is something wrong with the evaluation of the trust chain when using the Pem string settings.
The same pem string configs also work well with the Java Kafka Client.

Another issue I noticed when testing things is that the 2.5.2 client seems to fail the SSL handshake with kafka 2.50 brokers using pem string configs that work for the 1.8.2 client.

How to reproduce

using Confluent.Kafka;

// Values redacted by the reporter ("xxxx"); the key is password-protected, hence SslKeyPassword.
AdminClientConfig adminClientConfig = new AdminClientConfig
{
    BootstrapServers = "xxxx",
    SecurityProtocol = SecurityProtocol.Ssl,
    SslKeyPem = "xxxx",
    SslCertificatePem = "xxxx",
    SslCaPem = "xxxxx",
    SslKeyPassword = "xxxx",
};

Getting error:
0A000416:SSL routines::sslv3 alert certificate unknown: SSL alert number 46

CA certs used are Entrust L1K and root cert is Entrust G2.

OS: Windows 11.

Logs:
log.txt

Checklist

Please provide the following information:

  • [ ] A complete (i.e. we can run it), minimal program demonstrating the problem. No need to supply a project file.
  • [x] Confluent.Kafka nuget version.
  • [x] Apache Kafka version.
  • [x] Client configuration.
  • [x] Operating system.
  • [x] Provide logs (with "debug" : "..." as necessary in configuration).
  • [ ] Provide broker log excerpts.
  • [x] Critical issue.
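An added example, not code from the issue or from confluent-kafka-dotnet: before handing the same PEM strings to AdminClientConfig, build the client certificate's chain with .NET's X509Chain using only the supplied CA bundle as trust anchors (no OS store). The four cases in the report come down to what the trust store contains (root only, intermediate only, or both), and this check shows that locally, so a bad bundle can be told apart from a client-library difference between SslCaPem and SslCaLocation. File names, the broker address and the CLIENT_KEY_PASSWORD variable are placeholders; the APIs used (CreateFromEncryptedPem, ImportFromPem, CustomRootTrust) need .NET 5 or later.

```csharp
// Added example (not from the issue or the confluent-kafka-dotnet project).
// Verifies that a PEM client certificate chains to a self-signed root found in
// a PEM CA bundle, trusting nothing but that bundle, then builds both config
// variants discussed in the issue from the same material.
using System;
using System.IO;
using System.Text;
using System.Security.Cryptography.X509Certificates;
using Confluent.Kafka;

static class PemChainCheck
{
    // True when clientCertPem chains to a self-signed root contained in caBundlePem.
    // CustomRootTrust replaces the machine store, which is what SslCaPem is meant
    // to express: only the bundle is trusted.
    public static bool ChainsToBundledRoot(
        string clientCertPem, string clientKeyPem, string keyPassword,
        string caBundlePem, out string report)
    {
        // Also throws if the private key does not belong to the certificate.
        using var clientCert = X509Certificate2.CreateFromEncryptedPem(clientCertPem, clientKeyPem, keyPassword);

        var bundle = new X509Certificate2Collection();
        bundle.ImportFromPem(caBundlePem);   // one or more CERTIFICATE blocks: intermediate, root, or both

        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.AddRange(bundle);
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;   // offline check; revocation is separate
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

        bool ok = chain.Build(clientCert);

        // Report every element that was found and every status flag, so an
        // intermediate-only bundle shows up as a missing or untrusted root.
        var sb = new StringBuilder();
        foreach (X509ChainElement el in chain.ChainElements)
            sb.AppendLine($"  {el.Certificate.Subject}  <-  {el.Certificate.Issuer}");
        foreach (X509ChainStatus st in chain.ChainStatus)
            sb.AppendLine($"  status: {st.Status} {st.StatusInformation}".TrimEnd());
        report = sb.ToString();
        return ok;
    }

    public static void Main()
    {
        // Placeholder file names; the issue reads these values from application config.
        string certPem = File.ReadAllText("client.crt");
        string keyPem = File.ReadAllText("client.key");      // password-protected key, as implied by SslKeyPassword
        string keyPassword = Environment.GetEnvironmentVariable("CLIENT_KEY_PASSWORD") ?? "";
        string caPem = File.ReadAllText("ca-bundle.pem");    // intermediate + root, case 4 in the issue

        if (!ChainsToBundledRoot(certPem, keyPem, keyPassword, caPem, out string report))
        {
            Console.WriteLine("Client certificate does not chain to a root in the bundle:");
            Console.WriteLine(report);
            return;   // fix the bundle first; no client setting will make this chain verify
        }
        Console.WriteLine("Chain OK:\n" + report);

        // PEM-string form (the mode the issue reports failing) ...
        var pemConfig = new AdminClientConfig
        {
            BootstrapServers = "broker.example.com:9093",   // placeholder
            SecurityProtocol = SecurityProtocol.Ssl,
            SslCertificatePem = certPem,
            SslKeyPem = keyPem,
            SslKeyPassword = keyPassword,
            SslCaPem = caPem,
            EnableSslCertificateVerification = true,
        };
        // ... and the file-location form the issue reports working, for a side-by-side comparison.
        var locationConfig = new AdminClientConfig
        {
            BootstrapServers = "broker.example.com:9093",
            SecurityProtocol = SecurityProtocol.Ssl,
            SslCertificateLocation = "client.crt",
            SslKeyLocation = "client.key",
            SslKeyPassword = keyPassword,
            SslCaLocation = "ca-bundle.pem",
            EnableSslCertificateVerification = true,
        };

        // Swap in locationConfig to reproduce the working case from the issue.
        using var admin = new AdminClientBuilder(pemConfig).Build();
        Console.WriteLine("AdminClient created with the PEM-string config; " +
                          "a handshake failure now is not explained by a locally broken chain.");
    }
}
```

If the chain builds here but the handshake still fails, the alert in the report ("sslv3 alert certificate unknown", alert 46) is one the peer sends, so the broker's view of the client certificate (its truststore and whether it holds the same intermediate and root) is the next thing to compare, alongside the client's "debug": "security" log.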