When I try to send messages with kafka-console-producer.sh I get an error:
client-ssl.properties:
security.protocol=SSL
ssl.truststore.location=client.truststore.jks
ssl.truststore.password=klux$Ipzx*
ssl.enabled.protocols=TLSv1.2
kafka server.properties:
ssl.keystore.location=***/server.keystore.jks
ssl.keystore.password=***
ssl.key.password=***
ssl.truststore.location=***/server.truststore.jks
ssl.truststore.password=***
ssl.enabled.protocols=TLSv1.2
ssl.client.auth=required
security.inter.broker.protocol=SSL
Command: openssl s_client -debug -CAfile ca-cert -connect localhost:9093 -tls1_2
gives the correct response:
...
Acceptable client certificate CA names
/C=FR/ST=France/L=Nantes/O=sower.org/OU=sower.org/CN=sower.org
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:DSA+SHA256:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:DSA+SHA256:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
SSL handshake has read 4774 bytes and written 345 bytes
Verification: OK
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 5B47BD62E62ACA3B6DD47B2DBEDCAECF3C9A2D5AAAE91CA1F241B512EFB9D241
Session-ID-ctx:
Master-Key: 686C1953C502FA917E96B7667CCB7A852B87887B35B962D183F7CA3B773087D545E5ADF370048196261FF5B073E9BCB8
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1531428194
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
Running the command:
/opt/bitnami/kafka/bin/kafka-console-producer.sh --broker-list localhost:9093 --topic search-criterias-changes --producer.config client-ssl.properties
adding as trusted cert:
Subject: CN=sower.org, OU=sower.org, O=sower.org, L=Nantes, ST=France, C=FR
Issuer: CN=sower.org, OU=sower.org, O=sower.org, L=Nantes, ST=France, C=FR
Algorithm: RSA; Serial number: 0xc157b5b635b05d82
Valid from Thu Jul 12 20:23:34 UTC 2018 until Fri Jul 12 20:23:34 UTC 2019
trigger seeding of SecureRandom
done seeding SecureRandom
Error:
kafka-producer-network-thread | console-producer, READ: TLSv1.2 Handshake, length = 2382
kafka-producer-network-thread | console-producer, fatal error: 80: problem unwrapping net record
javax.net.ssl.SSLProtocolException: Handshake message sequence violation, 2
%% Invalidated: [Session-2, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
kafka-producer-network-thread | console-producer, SEND TLSv1.2 ALERT: fatal, description = internal_error
Padded plaintext before ENCRYPTION: len = 80
0000: DB 00 BF 06 DF FD 08 2C 9E 45 BF AE DC A7 23 2C .......,.E....#,
0010: 02 50 15 37 29 22 0E A0 B9 5D B9 0A DA 3E 9C 1F .P.7)"...]...>..
0020: CF 28 89 48 9C C6 88 D3 5B DF E8 21 98 6C FF 12 .(.H....[..!.l..
0030: B8 AC A8 E4 C8 F1 0D F3 70 1E B6 E5 76 08 76 74 ........p...v.vt
0040: 6E B6 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D n...............
kafka-producer-network-thread | console-producer, WRITE: TLSv1.2 Alert, length = 80
kafka-producer-network-thread | console-producer, called closeOutbound()
kafka-producer-network-thread | console-producer, closeOutboundInternal()
kafka-producer-network-thread | console-producer, called closeInbound()
kafka-producer-network-thread | console-producer, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
kafka-producer-network-thread | console-producer, called closeOutbound()
kafka-producer-network-thread | console-producer, closeOutboundInternal()
[2018-07-12 20:49:23,336] WARN Failed to send SSL Close message (org.apache.kafka.common.network.SslTransportLayer)
java.io.IOException: Broken pipe
at sun.nio.ch.FileDispatcherImpl.write0(Native Method)
at sun.nio.ch.SocketDispatcher.write(SocketDispatcher.java:47)
at sun.nio.ch.IOUtil.writeFromNativeBuffer(IOUtil.java:93)
at sun.nio.ch.IOUtil.write(IOUtil.java:65)
at sun.nio.ch.SocketChannelImpl.write(SocketChannelImpl.java:471)
at org.apache.kafka.common.network.SslTransportLayer.flush(SslTransportLayer.java:209)
at org.apache.kafka.common.network.SslTransportLayer.close(SslTransportLayer.java:159)
at org.apache.kafka.common.utils.Utils.closeAll(Utils.java:718)
at org.apache.kafka.common.network.KafkaChannel.close(KafkaChannel.java:61)
at org.apache.kafka.common.network.Selector.doClose(Selector.java:746)
at org.apache.kafka.common.network.Selector.close(Selector.java:734)
at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:532)
at org.apache.kafka.common.network.Selector.poll(Selector.java:424)
at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:460)
at org.apache.kafka.clients.producer.internals.Sender.run(Sender.java:239)
at org.apache.kafka.clients.producer.internals.Sender.run(Sender.java:163)
at java.lang.Thread.run(Thread.java:748)
[2018-07-12 20:49:23,337] ERROR [Producer clientId=console-producer] Connection to node -1 failed authentication due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient)
What is wrong with it? I'm completely stuck and I need help!!!
Thanks a lot
Answer 0: (score: 0)
I ran into this problem. It turned out I wasn't connecting to the right port. You should set the listeners. In your case, I think it would look like this.
listeners=SSL://:9093
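As an added example (not part of the question or the answer above), the following Python script runs the kind of consistency checks a practitioner would do before looking at handshake traces: it parses a client properties file and a broker server.properties, verifies that the port the producer connects to is declared as an SSL listener (the point the answer makes), that a broker with ssl.client.auth=required faces a client that actually has a keystore, that an SSL client has a truststore, and that the two ssl.enabled.protocols lists overlap. The embedded property values are constructed placeholders modelled on the question (the redacted paths and passwords are replaced with dummy values); parse_properties, parse_listeners and check_ssl_config are hypothetical helper names, not Kafka tooling.

```python
import re

# Constructed sample inputs modelled on the properties in the question.
# Paths and passwords are placeholders, not the questioner's real values.
CLIENT_PROPS = """\
security.protocol=SSL
ssl.truststore.location=client.truststore.jks
ssl.truststore.password=changeit
ssl.enabled.protocols=TLSv1.2
"""

SERVER_PROPS = """\
listeners=SSL://:9093
ssl.keystore.location=/etc/kafka/server.keystore.jks
ssl.keystore.password=changeit
ssl.key.password=changeit
ssl.truststore.location=/etc/kafka/server.truststore.jks
ssl.truststore.password=changeit
ssl.enabled.protocols=TLSv1.2
ssl.client.auth=required
security.inter.broker.protocol=SSL
"""


def parse_properties(text):
    """Minimal Java .properties parser: key=value lines, '#'/'!' comments,
    no backslash line continuations (enough for Kafka config files)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def parse_listeners(value):
    """'SSL://:9093,PLAINTEXT://0.0.0.0:9092' ->
    [('SSL', '', 9093), ('PLAINTEXT', '0.0.0.0', 9092)]"""
    out = []
    for item in filter(None, (s.strip() for s in value.split(","))):
        proto, _, hostport = item.partition("://")
        host, _, port = hostport.rpartition(":")   # rpartition keeps IPv6 hosts intact
        out.append((proto.upper(), host, int(port)))
    return out


def check_ssl_config(client, server, broker_port):
    """Return a list of findings; an empty list means the configs are consistent."""
    findings = []
    port_protos = {port: proto for proto, _, port in parse_listeners(server.get("listeners", ""))}
    client_proto = client.get("security.protocol", "PLAINTEXT").upper()

    # 1. The port the client dials must be an explicitly declared listener
    #    whose security protocol matches the client's.
    if broker_port not in port_protos:
        findings.append(f"no listener declared on port {broker_port}")
    elif port_protos[broker_port] != client_proto:
        findings.append(f"port {broker_port} listener is {port_protos[broker_port]} "
                        f"but client uses {client_proto}")

    # 2. Mutual TLS: a broker requiring client auth needs a client keystore.
    if server.get("ssl.client.auth") == "required" and "ssl.keystore.location" not in client:
        findings.append("broker has ssl.client.auth=required but client has no ssl.keystore.location")

    # 3. An SSL client must be able to verify the broker certificate.
    if client_proto == "SSL" and "ssl.truststore.location" not in client:
        findings.append("client uses SSL but has no ssl.truststore.location")

    # 4. Protocol versions must overlap, or the handshake fails before any certificate is checked.
    client_versions = {v.strip() for v in client.get("ssl.enabled.protocols", "TLSv1.2").split(",")}
    server_versions = {v.strip() for v in server.get("ssl.enabled.protocols", "TLSv1.2").split(",")}
    if not client_versions & server_versions:
        findings.append(f"no common TLS version: client {sorted(client_versions)} "
                        f"vs broker {sorted(server_versions)}")
    return findings


def run_demo():
    """Check the constructed sample configs against the port used in the question."""
    return check_ssl_config(parse_properties(CLIENT_PROPS), parse_properties(SERVER_PROPS), 9093)


if __name__ == "__main__":
    for finding in run_demo() or ["no inconsistencies found"]:
        print("-", finding)
```

With the sample configs above the only finding is the missing client keystore: the listener on 9093 is SSL, the truststore is present and both sides allow TLSv1.2. Removing the listeners line, or changing it to a PLAINTEXT listener on 9093, produces the listener findings instead, which is the situation the answer describes.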