Apache kafka 2.0.0 version - Connection to node 1 failed authentication due to: SSL handshake


Problem description

I'm using kafka version kafka_2.12-2.0.0 and received the below error after enabling SSL authentication. It seems to be working fine with previous versions: kafka_2.12-1.1.0, 2.11-0.10.2.2 etc.

I don't understand why it is not working with the latest version 2.11-0.2.0.0? Has anyone observed the same issue that I'm facing right now with the 2.0.0 version?

Below is my test environment docker config file.

listeners=PLAINTEXT://:9092,SSL://:9093
ssl.client.auth=required
ssl.keystore.location=/path/to/server.keystore
ssl.keystore.password=<Key store password>
ssl.key.password = <private key password>
ssl.truststore.location=/path/to/truststore.keystore
ssl.truststore.password=<trust store password>
security.inter.broker.protocol=SSL

Here is the error:

[2018-10-01 09:33:38,984] ERROR [Controller id=1, targetBrokerId=1] Connection to node 1 failed authentication due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient)

Can anyone help me?

Recommended answer

Without more details it's hard to tell for sure, but 2.0.0 introduced a change of behaviour related to the handling of SSL connections.

As mentioned in the 2.0.0 upgrade notes, the broker setting ssl.endpoint.identification.algorithm is now set to https. This enforces hostname verification to prevent "man-in-the-middle" attacks.

To restore previous behaviour, you need to explicitly set this to an empty string.

ssl.endpoint.identification.algorithm=
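
The hostname verification that ssl.endpoint.identification.algorithm=https turns on, sketched as an added example (not part of the original answer and not Kafka's own code): it checks whether the name a client or the controller dials appears in the broker certificate. The certificate fields and hostnames are constructed, and the matching rules are a simplification of RFC 2818 / RFC 6125 style matching.

```python
import ipaddress

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def _dns_match(pattern, host):
    """Compare one certificate name with the dialled host.
    A '*' is honoured only as the whole left-most label and covers exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        head, dot, parent = host.partition(".")
        return bool(head) and dot == "." and parent == pattern[2:]
    return pattern == host

def endpoint_matches(cert, host):
    """cert: dict shaped like ssl.SSLSocket.getpeercert(); host: the name the client dials."""
    sans = cert.get("subjectAltName", ())
    if _is_ip(host):
        want = ipaddress.ip_address(host)
        return any(kind == "IP Address" and _is_ip(val) and ipaddress.ip_address(val) == want
                   for kind, val in sans)
    names = [val for kind, val in sans if kind == "DNS"]
    if not names:
        # Legacy fallback: with no dNSName SAN, the subject commonName is compared instead.
        names = [val for rdn in cert.get("subject", ())
                 for key, val in rdn if key == "commonName"]
    return any(_dns_match(name, host) for name in names)

# Constructed sample certificate fields (assumptions, not taken from the question).
SAMPLE_CERT = {
    "subject": ((("commonName", "kafka"),),),
    "subjectAltName": (
        ("DNS", "broker1.kafka.example.internal"),
        ("DNS", "*.brokers.example.internal"),
        ("IP Address", "10.0.0.11"),
    ),
}

if __name__ == "__main__":
    # Hypothetical names a broker might advertise in a docker test setup.
    for host in ("broker1.kafka.example.internal", "localhost", "kafka", "10.0.0.11"):
        verdict = "ok" if endpoint_matches(SAMPLE_CERT, host) else "handshake would fail"
        print(f"{host}: {verdict}")
```

A mismatch between the advertised listener name and the certificate names is what surfaces as "SSL handshake failed" once verification is enforced; reissuing the certificate with the right SAN keeps the check enabled.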
