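javax.net.ssl.SSLProtocolException: Handshake message sequence violation, 2

Date: 2015-06-08 20:13:26

Tags: java authentication ssl client

I am trying to establish a TLS-secured connection (with client authentication) over the XMPP protocol. I am using the standard port rather than the dedicated SSL port, which is apparently deprecated. The startTLS process never completes the handshake.

I receive: javax.net.ssl.SSLProtocolException: Handshake message sequence violation, 2

The debug excerpt shows that my client receives an unexpected message from the server. CertificateRequest is sent from the server, but the CA list is empty.

Are there many things that can cause this handshake violation (2)? What could cause the server not to send the acceptable authorities configured in its trust store?

Thanks for any insight.

Update: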

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@ PROTOTYPE: TLS client authentication XMPP connection. @@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
USER: 111111
OS:   Windows 7
Java: C:\Program Files (x86)\Java\jdk1.8.0_45\jre
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Loading trusted authorities from trust store...
adding as trusted cert:
...(trimmed)

Loading credentials from key store...
***
found key for : Signing Certificate - John K. Doe
chain [0] = [
...(trimmed)
***
Initializing SSL context for TLS...
trigger seeding of SecureRandom
done seeding SecureRandom
Using SSLEngineImpl.
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@ PROTOTYPE: Built XMPP connection configuration. @@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Connection instantiated.
10:17:24 AM SENT (0): <stream:stream xmlns='jabber:client' to='steerage.org' xmlns:stream='http://etherx.jabber.org/streams' version='1.0' xml:lang='en'>
10:17:24 AM RECV (0): <?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="steerage.org" id="e7e393bd" xml:lang="en" version="1.0"><stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>EXTERNAL</mechanism></mechanisms></stream:features>
10:17:24 AM SENT (0): <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'></starttls>
10:17:24 AM RECV (0): <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1433793908 bytes = { 4, 180, 17, 97, 147, 6, 68, 124, 234, 40, 155, 145, 132, 27, 164, 29, 175, 239, 139, 23, 14, 133, 162, 215, 44, 220, 241, 2 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Extension server_name, server_name: [type=host_name (0), value=steerage.org]
***
Smack Packet Reader (0), WRITE: TLSv1.2 Handshake, length = 239
Smack Packet Reader (0), READ: TLSv1.2 Handshake, length = 3708
*** ServerHello, TLSv1.2
RandomCookie:  GMT: 1433793908 bytes = { 238, 60, 108, 5, 104, 190, 219, 147, 215, 187, 195, 89, 114, 224, 165, 213, 141, 48, 112, 176, 129, 42, 78, 190, 196, 119, 143, 101 }
Session ID:  {85, 118, 245, 116, 90, 98, 141, 24, 47, 246, 162, 187, 92, 255, 11, 153, 45, 237, 178, 52, 9, 196, 116, 50, 61, 190, 48, 63, 26, 70, 155, 58}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
%% Initialized:  [Session-1, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256]
** TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=steerage....(trimmed)

***
Found trusted certificate:
[
[
  Version: V3
  Subject: CN=TKT Root CA 2, ...(trimmed)

*** ECDH ServerKeyExchange
Signature Algorithm SHA512withRSA
Server key: Sun EC public key, 256 bits
  public x coord: 16285061615265061295479758192758299168932729034919494399422438099012833644130
  public y coord: 91712186275093768179410924600166089746856150468196826634149937267800342978949
  parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Cert Authorities:
<Empty>
*** ServerHelloDone
matching alias: john.k.doe.1258700011
matching alias: Card Authentication Certificate
matching alias: Authentication Certificate - John K. Doe
matching alias: Encryption Certificate - John K. Doe (Archived) - 12/4/2013
matching alias: doe_john_k@some.com
matching alias: Signing Certificate - John K. Doe
matching alias: Encryption Certificate - John K. Doe
org.jivesoftware.smack.SmackException$NoResponseException: No response received within reply timeout. Timeout was 5000ms (~5s). Used filter: No filter used or filter was 'null'.
    at org.jivesoftware.smack.SmackException$NoResponseException.newWith(SmackException.java:106)
    at org.jivesoftware.smack.SmackException$NoResponseException.newWith(SmackException.java:85)
    at org.jivesoftware.smack.SynchronizationPoint.checkForResponse(SynchronizationPoint.java:192)
    at org.jivesoftware.smack.SynchronizationPoint.checkIfSuccessOrWait(SynchronizationPoint.java:114)
    at org.jivesoftware.smack.SynchronizationPoint.checkIfSuccessOrWaitOrThrow(SynchronizationPoint.java:97)
    at org.jivesoftware.smack.tcp.XMPPTCPConnection.connectInternal(XMPPTCPConnection.java:837)
    at org.jivesoftware.smack.AbstractXMPPConnection.connect(AbstractXMPPConnection.java:360)
    at pke4chat.TestProtoType.main(TestProtoType.java:87)
10:17:29 AM SENT (0): <presence id='c06He-3' type='unavailable'><c xmlns='http://jabber.org/protocol/caps' hash='sha-1' node='http://www.igniterealtime.org/projects/smack' ver='NfJ3flI83zSdUDzCEICtbypursw='/></presence>
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=John K. Doe, ...(trimmed)

***
*** ECDHClientKeyExchange
ECDH Public value:  { 4, 183, 254, 13, 26, 104, 205, 105, 32, 193, 10, 62, 33, 82, 142, 4, 183, 231, 178, 204, 126, 170, 178, 111, 33, 155, 241, 187, 146, 182, 254, 138, 117, 145, 170, 80, 32, 176, 179, 113, 157, 193, 210, 75, 2, 195, 132, 111, 210, 183, 73, 98, 15, 201, 170, 127, 36, 15, 233, 126, 38, 225, 193, 6, 71 }
Smack Packet Reader (0), WRITE: TLSv1.2 Handshake, length = 5387
SESSION KEYGEN:
PreMaster Secret:
0000: D3 5B D2 C9 4A AD 9A E6   F4 DE 3C 3C 0B D5 A2 C2  .[..J.....<<....
0010: CA A3 BA BE 2A 50 BA 27   3F 1E D1 34 94 CD 84 A4  ....*P.'?..4....
CONNECTION KEYGEN:
Client Nonce:
0000: 55 76 F5 74 04 B4 11 61   93 06 44 7C EA 28 9B 91  Uv.t...a..D..(..
0010: 84 1B A4 1D AF EF 8B 17   0E 85 A2 D7 2C DC F1 02  ............,...
Server Nonce:
0000: 55 76 F5 74 EE 3C 6C 05   68 BE DB 93 D7 BB C3 59  Uv.t.<l.h......Y
0010: 72 E0 A5 D5 8D 30 70 B0   81 2A 4E BE C4 77 8F 65  r....0p..*N..w.e
Master Secret:
0000: 61 9B 54 1F AB B0 F6 B1   D4 3C F9 79 0E D8 E1 AD  a.T......<.y....
0010: 29 3C E1 55 8D EF 2E 8D   13 3B 94 BB 32 5F C8 7F  )<.U.....;..2_..
0020: 13 A8 48 B6 C5 0F 50 A4   B5 41 82 C6 A3 F0 41 95  ..H...P..A....A.
Client MAC write Secret:
0000: 42 1B F0 67 9E 1D 81 44   3A 76 8D D1 AD 4D 48 A4  B..g...D:v...MH.
0010: B6 27 70 12 08 FB CF 5D   39 7F 51 05 6D 08 61 F7  .'p....]9.Q.m.a.
Server MAC write Secret:
0000: DD 40 97 24 B0 96 00 A6   CD 49 02 7A 60 75 32 A2  .@.$.....I.z`u2.
0010: 80 41 FD 38 48 06 67 A7   51 E4 44 8E 72 AB 75 C4  .A.8H.g.Q.D.r.u.
Client write key:
0000: DE 5A B7 2D 9D 0F 2F C3   C9 82 D9 EA 88 0D 14 A3  .Z.-../.........
Server write key:
0000: A1 66 08 7C AB 23 56 B9   8F 09 2B 78 67 19 1F BF  .f...#V...+xg...
... no IV derived for this protocol
Jun 09, 2015 10:17:34 AM org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketWriter shutdown
WARNING: shutdownDone was not marked as successful by the writer thread
org.jivesoftware.smack.SmackException$NoResponseException: No response received within reply timeout. Timeout was 5000ms (~5s). Used filter: No filter used or filter was 'null'.
    at org.jivesoftware.smack.SmackException$NoResponseException.newWith(SmackException.java:106)
    at org.jivesoftware.smack.SmackException$NoResponseException.newWith(SmackException.java:85)
    at org.jivesoftware.smack.SynchronizationPoint.checkForResponse(SynchronizationPoint.java:192)
    at org.jivesoftware.smack.SynchronizationPoint.checkIfSuccessOrWait(SynchronizationPoint.java:114)
    at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketWriter.shutdown(XMPPTCPConnection.java:1265)
    at org.jivesoftware.smack.tcp.XMPPTCPConnection.shutdown(XMPPTCPConnection.java:494)
    at org.jivesoftware.smack.tcp.XMPPTCPConnection.shutdown(XMPPTCPConnection.java:476)
    at org.jivesoftware.smack.AbstractXMPPConnection.disconnect(AbstractXMPPConnection.java:666)
    at org.jivesoftware.smack.AbstractXMPPConnection.disconnect(AbstractXMPPConnection.java:646)
    at pke4chat.TestProtoType.main(TestProtoType.java:105)

main, called close()
main, called closeInternal(true)
*** CertificateVerify
Signature Algorithm SHA512withRSA
Smack Packet Reader (0), WRITE: TLSv1.2 Handshake, length = 264
Smack Packet Reader (0), WRITE: TLSv1.2 Change Cipher Spec, length = 1
*** Finished
verify_data:  { 49, 187, 92, 176, 21, 132, 60, 183, 10, 47, 235, 93 }
***
Smack Packet Reader (0), WRITE: TLSv1.2 Handshake, length = 80
main, SEND TLSv1.2 ALERT:  warning, description = close_notify
main, WRITE: TLSv1.2 Alert, length = 64
main, called closeSocket(true)
Smack Packet Writer (0), handling exception: java.net.SocketException: Socket closed
%% Invalidated:  [Session-1, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256]
Smack Packet Writer (0), called closeSocket()
Smack Packet Reader (0), handling exception: java.net.SocketException: Socket closed
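
An added example (not part of the original question, and not Smack or JSSE code): a small Python triage script for `javax.net.debug` output like the excerpt above. It lists the handshake messages in order and flags a CertificateRequest whose CA list is empty, in which case TLS 1.2 lets the client send any certificate of an acceptable type. The sample log is constructed, and non-empty CA lists are assumed to be logged one `<DN>` per line.

```python
import re

# Constructed sample, shaped like the javax.net.debug excerpt in the question.
SAMPLE_LOG = """\
*** ClientHello, TLSv1.2
*** ServerHello, TLSv1.2
*** Certificate chain
*** ECDH ServerKeyExchange
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Cert Authorities:
<Empty>
*** ServerHelloDone
matching alias: Authentication Certificate - Jane Q. Example
matching alias: Signing Certificate - Jane Q. Example
*** Certificate chain
*** ECDHClientKeyExchange
*** CertificateVerify
*** Finished
"""

# "*** Name" or "*** Name, TLSv1.2"; a bare "***" terminator does not match.
HANDSHAKE = re.compile(r"^\*\*\* (.+?)(?:,.*)?$")

def analyze(log_text):
    """Return (handshake messages in log order, CertificateRequest details, aliases)."""
    messages, aliases, request, in_authorities = [], [], None, False
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HANDSHAKE.match(line)
        if m:
            in_authorities = False
            messages.append(m.group(1))
            if m.group(1) == "CertificateRequest":
                request = {"cert_types": [], "authorities": []}
        elif request is not None and line.startswith("Cert Types:"):
            request["cert_types"] = [t.strip() for t in line.split(":", 1)[1].split(",")]
        elif request is not None and line.startswith("Cert Authorities:"):
            in_authorities = True
        elif in_authorities and line.startswith("<") and line != "<Empty>":
            request["authorities"].append(line.strip("<>"))  # assumed one <DN> per line
        elif line.startswith("matching alias:"):
            aliases.append(line.split(":", 1)[1].strip())
    return messages, request, aliases

def findings(log_text):
    """Turn the parsed log into short diagnostic notes."""
    messages, request, aliases = analyze(log_text)
    if request is None:
        return ["server did not request a client certificate"]
    notes = []
    if not request["authorities"]:
        notes.append("CertificateRequest has an empty CA list: client cannot filter by issuer")
        if len(aliases) > 1:
            notes.append("%d key-store aliases matched: confirm which one was sent" % len(aliases))
    done = messages.index("ServerHelloDone") + 1 if "ServerHelloDone" in messages else 0
    # Heuristic: one Finished after ServerHelloDone is the client's own.
    if messages[done:].count("Finished") == 1:
        notes.append("client sent Finished but no server Finished was logged")
    return notes
```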

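5 answers:

Answer 0 (score: 2)

In my experience, this exception occurs when the client certificate has expired. You can verify your JKS client certificate with

    keytool -list -keystore client.keystore.jks  -v

and check the validity period from ... to ...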

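Answer 1 (score: 2)

I ran into this exact error today while trying to set up Kafka. In my case, I had accidentally enabled SSL client authentication: ssl.client.auth = required in the Kafka broker. It should only be used when the client needs to authenticate to the broker. So in this case, communication with the broker was established and the broker sent its certificate, but it expected a client certificate. That is the breaking point.

To fix it, simply remove this line from /etc/kafka/server.properties: ssl.client.auth = required

(Unless, of course, you do want client authentication, in which case you must configure a keystore and password for the client certificate.)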

Answer 2 (score: 0)

I solved this by signing the client certificate with a CA that the server trusts. See https://kafka.apache.org/documentation/#security_ssl_ca, which explains how to do it.

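Answer 3 (score: 0)

I don't think there is a general solution for this error. The best approach is to start over and follow exactly the steps described at https://kafka.apache.org/documentation/#security_ssl_ca.

I had the same error. It was caused by my own mistake: I missed the alias in the last step, registering the signed CA request file. The following steps worked for me.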

    - name: Generate keystore certificate
      command: "keytool -genkey -keystore /home/vagrant/auth/kafka.client{{kafka_broker_id}}.keystore.jks -validity 365 -storepass clientpass -keypass clientpass -dname 'CN=broker{{kafka_broker_id}}' -alias client-broker{{kafka_broker_id}} -storetype pkcs12"

    # getting signed version of certificate - first step
    - name: Certification request certificate
      command: "keytool -keystore /home/vagrant/auth/kafka.client{{kafka_broker_id}}.keystore.jks -certreq -file /home/vagrant/auth/client-cert-file-broker{{kafka_broker_id}} -alias client-broker{{kafka_broker_id}} -storepass clientpass -keypass clientpass"

    # output will be signed certificate of kafka broker
    - name: Generate keystore certificate
      command: "openssl x509 -req -CA /home/vagrant/ssl/ca-cert -CAkey /home/vagrant/ssl/ca-key -in /home/vagrant/auth/client-cert-file-broker{{kafka_broker_id}} -out /home/vagrant/auth/client-cert-signed-{{kafka_broker_id}} -days 365 -CAcreateserial -passin pass:serversecret"

    - name: Import public CA to client keystore
      command: "keytool -keystore /home/vagrant/auth/kafka.client{{kafka_broker_id}}.keystore.jks -alias CARoot -import -file /home/vagrant/ssl/ca-cert -storepass clientpass -keypass clientpass -noprompt"

    - name: Import signed host certificate by CA to keystore.jks
      command: "keytool -keystore /home/vagrant/auth/kafka.client{{kafka_broker_id}}.keystore.jks -import -file /home/vagrant/auth/client-cert-signed-{{kafka_broker_id}} -alias client-broker{{kafka_broker_id}} -storepass clientpass -keypass clientpass -noprompt"

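For authentication to work, you need to add a trust store; you can use the trust store from the Kafka broker.

Answer 4 (score: -1)

This problem occurs when the client certificate does not have clientAuth in its Extended Key Usage.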