SSL error in Kafka: Inbound closed before receiving peer's close_notify

Time: 2018-07-12 20:59:59

Tags: ssl apache-kafka sslexception

I get an error when I try to send a message with kafka-console-producer.sh:

client-ssl.properties:

security.protocol=SSL
ssl.truststore.location=client.truststore.jks
ssl.truststore.password=klux$Ipzx*
ssl.enabled.protocols=TLSv1.2

Kafka server.properties:

ssl.keystore.location=***/server.keystore.jks
ssl.keystore.password=***
ssl.key.password=***
ssl.truststore.location=***/server.truststore.jks
ssl.truststore.password=***
ssl.enabled.protocols=TLSv1.2
ssl.client.auth=required
security.inter.broker.protocol=SSL

The command openssl s_client -debug -CAfile ca-cert -connect localhost:9093 -tls1_2 gives the correct response:

...
Acceptable client certificate CA names
/C=FR/ST=France/L=Nantes/O=sower.org/OU=sower.org/CN=sower.org
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:DSA+SHA256:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:DSA+SHA256:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits

SSL handshake has read 4774 bytes and written 345 bytes
Verification: OK

New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 5B47BD62E62ACA3B6DD47B2DBEDCAECF3C9A2D5AAAE91CA1F241B512EFB9D241
    Session-ID-ctx:
    Master-Key: 686C1953C502FA917E96B7667CCB7A852B87887B35B962D183F7CA3B773087D545E5ADF370048196261FF5B073E9BCB8
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1531428194
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes

Starting the command:

/opt/bitnami/kafka/bin/kafka-console-producer.sh --broker-list localhost:9093 --topic search-criterias-changes --producer.config client-ssl.properties

adding as trusted cert:
  Subject: CN=sower.org, OU=sower.org, O=sower.org, L=Nantes, ST=France, C=FR
  Issuer:  CN=sower.org, OU=sower.org, O=sower.org, L=Nantes, ST=France, C=FR
  Algorithm: RSA; Serial number: 0xc157b5b635b05d82
  Valid from Thu Jul 12 20:23:34 UTC 2018 until Fri Jul 12 20:23:34 UTC 2019

trigger seeding of SecureRandom
done seeding SecureRandom

Error:

kafka-producer-network-thread | console-producer, READ: TLSv1.2 Handshake, length = 2382
kafka-producer-network-thread | console-producer, fatal error: 80: problem unwrapping net record
javax.net.ssl.SSLProtocolException: Handshake message sequence violation, 2
%% Invalidated:  [Session-2, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
kafka-producer-network-thread | console-producer, SEND TLSv1.2 ALERT:  fatal, description = internal_error
Padded plaintext before ENCRYPTION:  len = 80
0000: DB 00 BF 06 DF FD 08 2C   9E 45 BF AE DC A7 23 2C  .......,.E....#,
0010: 02 50 15 37 29 22 0E A0   B9 5D B9 0A DA 3E 9C 1F  .P.7)"...]...>..
0020: CF 28 89 48 9C C6 88 D3   5B DF E8 21 98 6C FF 12  .(.H....[..!.l..
0030: B8 AC A8 E4 C8 F1 0D F3   70 1E B6 E5 76 08 76 74  ........p...v.vt
0040: 6E B6 0D 0D 0D 0D 0D 0D   0D 0D 0D 0D 0D 0D 0D 0D  n...............
kafka-producer-network-thread | console-producer, WRITE: TLSv1.2 Alert, length = 80
kafka-producer-network-thread | console-producer, called closeOutbound()
kafka-producer-network-thread | console-producer, closeOutboundInternal()
kafka-producer-network-thread | console-producer, called closeInbound()
kafka-producer-network-thread | console-producer, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
kafka-producer-network-thread | console-producer, called closeOutbound()
kafka-producer-network-thread | console-producer, closeOutboundInternal()
[2018-07-12 20:49:23,336] WARN Failed to send SSL Close message  (org.apache.kafka.common.network.SslTransportLayer)
java.io.IOException: Broken pipe
        at sun.nio.ch.FileDispatcherImpl.write0(Native Method)
        at sun.nio.ch.SocketDispatcher.write(SocketDispatcher.java:47)
        at sun.nio.ch.IOUtil.writeFromNativeBuffer(IOUtil.java:93)
        at sun.nio.ch.IOUtil.write(IOUtil.java:65)
        at sun.nio.ch.SocketChannelImpl.write(SocketChannelImpl.java:471)
        at org.apache.kafka.common.network.SslTransportLayer.flush(SslTransportLayer.java:209)
        at org.apache.kafka.common.network.SslTransportLayer.close(SslTransportLayer.java:159)
        at org.apache.kafka.common.utils.Utils.closeAll(Utils.java:718)
        at org.apache.kafka.common.network.KafkaChannel.close(KafkaChannel.java:61)
        at org.apache.kafka.common.network.Selector.doClose(Selector.java:746)
        at org.apache.kafka.common.network.Selector.close(Selector.java:734)
        at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:532)
        at org.apache.kafka.common.network.Selector.poll(Selector.java:424)
        at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:460)
        at org.apache.kafka.clients.producer.internals.Sender.run(Sender.java:239)
        at org.apache.kafka.clients.producer.internals.Sender.run(Sender.java:163)
        at java.lang.Thread.run(Thread.java:748)
[2018-07-12 20:49:23,337] ERROR [Producer clientId=console-producer] Connection to node -1 failed authentication due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient)

What is wrong with it? I'm completely stuck, I need help!!!

Many thanks

1 answer:

Answer 0 (score: 0)

I ran into this problem. It turned out I wasn't connecting to the right port. You should set listeners. In your case, I think it would look like this.

listeners=SSL://:9093
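Added here as an example (not code from the question or the answer) is a small consistency check over the two properties files shown in the post: it parses Java-style properties, confirms the broker declares a listener on the port the producer connects to whose protocol matches the client's security.protocol (the answer's point), and reports a client that carries no keystore while the broker has ssl.client.auth=required. The sample properties inside it are constructed from the post, with secrets and paths replaced by placeholders.

```python
"""Check a Kafka client properties file against the broker's server.properties.
Added example, not code from the post; sample files are constructed from the
post with secrets and paths replaced by placeholders."""
import re

CLIENT_PROPS = """\
security.protocol=SSL
ssl.truststore.location=client.truststore.jks
ssl.truststore.password=<placeholder>
"""
SERVER_PROPS = """\
ssl.keystore.location=<path>/server.keystore.jks
ssl.client.auth=required
security.inter.broker.protocol=SSL
listeners=SSL://:9093
"""

def parse_props(text):
    """Parse Java .properties text: key=value lines; '#'/'!' comment lines skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def parse_listeners(value):
    """'SSL://:9093,PLAINTEXT://host:9092' -> {9093: 'SSL', 9092: 'PLAINTEXT'}."""
    out = {}
    for item in value.split(","):
        m = re.fullmatch(r"([A-Z_]+)://[^:]*:(\d+)", item.strip())
        if m:
            out[int(m.group(2))] = m.group(1)
    return out

def check(client, server, port):
    """Return a list of mismatches between client and broker config; [] if none."""
    findings = []
    listeners = parse_listeners(server.get("listeners", ""))
    proto = client.get("security.protocol", "PLAINTEXT")
    if port not in listeners:
        findings.append(f"broker has no listener on port {port}")
    elif listeners[port] != proto:
        findings.append(f"listener on {port} is {listeners[port]}, client uses {proto}")
    if server.get("ssl.client.auth") == "required" and "ssl.keystore.location" not in client:
        findings.append("broker requires client certs but client sets no ssl.keystore.location")
    return findings

if __name__ == "__main__":
    for f in check(parse_props(CLIENT_PROPS), parse_props(SERVER_PROPS), 9093):
        print("MISMATCH:", f)
```

Run against the two files from the post it reports only the missing client keystore; remove the listeners line from the server sample and it reports the missing listener on 9093 instead.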