AliwareMQ / aliware-kafka-demos

Provide a demo project for various clients to access Alibaba Cloud message queue Kafka
https://www.aliyun.com/product/kafka

Cpp VPC-SSL demo keeps reporting SSL errors #70

Open ButcherOfBlaviken opened 2 years ago

ButcherOfBlaviken commented 2 years ago

I am using ca-cert.pem, placed in the same directory as the program being run.

%3|1649398843.295|FAIL|rdkafka#producer-1| [thrd:sasl_ssl://alikafka-pre-cn-7mz2lwrke00l-3.alikafka.aliyuncs.com]: sasl_ssl://alikafka-pre-cn-7mz2lwrke00l-3.alikafka.aliyuncs.com:9093/bootstrap: SSL handshake failed: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed: broker certificate could not be verified, verify that ssl.ca.location is correctly configured or root CA certificates are installed (install ca-certificates package) (after 102ms in state CONNECT)
%3|1649398844.323|FAIL|rdkafka#producer-1| [thrd:sasl_ssl://alikafka-pre-cn-7mz2lwrke00l-2.alikafka.aliyuncs.com]: sasl_ssl://alikafka-pre-cn-7mz2lwrke00l-2.alikafka.aliyuncs.com:9093/bootstrap: SSL handshake failed: error:1416F086:SSL

ln-ln commented 2 years ago

I have this problem too, did you solve it?

John-LiuJ commented 2 years ago

> I am using ca-cert.pem, placed in the same directory as the program being run.
>
> %3|1649398843.295|FAIL|rdkafka#producer-1| [thrd:sasl_ssl://alikafka-pre-cn-7mz2lwrke00l-3.alikafka.aliyuncs.com]: sasl_ssl://alikafka-pre-cn-7mz2lwrke00l-3.alikafka.aliyuncs.com:9093/bootstrap: SSL handshake failed: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed: broker certificate could not be verified, verify that ssl.ca.location is correctly configured or root CA certificates are installed (install ca-certificates package) (after 102ms in state CONNECT)
> %3|1649398844.323|FAIL|rdkafka#producer-1| [thrd:sasl_ssl://alikafka-pre-cn-7mz2lwrke00l-2.alikafka.aliyuncs.com]: sasl_ssl://alikafka-pre-cn-7mz2lwrke00l-2.alikafka.aliyuncs.com:9093/bootstrap: SSL handshake failed: error:1416F086:SSL

Please try downloading the demo again and testing with it. It works fine in my testing at the moment.

ButcherOfBlaviken commented 2 years ago

> I have this problem too, did you solve it?

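I tested SSL with openssl's s_client command, using the certificate from the demo to connect to my Kafka broker, and found that the SSL handshake fails because my openssl was compiled with a default TLS security level of 2 (not especially high), while the key in this certificate is only 1024 bits long and the encryption algorithm is sha1 (which has long been unable to meet today's security needs). This 1024-bit key + sha1 algorithm does not meet the requirements of openssl TLS security level 2, so the handshake fails. If you really must use Alibaba's certificate, you have to recompile the openssl in your runtime environment and choose the lowest TLS security level (https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html). But honestly, with a security level that low, SSL becomes of little real value.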
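Added example, not part of the original thread or the demo project: a small checker that reads `openssl x509 -noout -text` output and reports the highest OpenSSL security level an RSA certificate can satisfy, using the key-size thresholds from the man page linked above. The sample certificate text is constructed, and the rule that a digest is rated at half its output length is an assumption matching OpenSSL 1.1.1.

```python
import re

# Minimum RSA modulus size per level, from SSL_CTX_set_security_level(3).
MIN_RSA_BITS = {1: 1024, 2: 2048, 3: 3072, 4: 7680, 5: 15360}
# Security bits each level demands (same man page).
LEVEL_BITS = {1: 80, 2: 112, 3: 128, 4: 192, 5: 256}
# Assumption: a signature digest is rated at half its output length.
DIGEST_BITS = {"md5": 64, "sha1": 80, "sha224": 112, "sha256": 128,
               "sha384": 192, "sha512": 256}

# Constructed excerpt of `openssl x509 -noout -text` output, not the demo's real certificate.
SAMPLE_TEXT = """\
Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Subject: CN = example-ca
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)
"""

def parse_cert_text(text):
    """Return (rsa_bits, digest_name) from `openssl x509 -text` output."""
    key = re.search(r"Public-Key: \((\d+) bit\)", text)
    sig = re.search(r"Signature Algorithm: (md5|sha1|sha224|sha256|sha384|sha512)With", text, re.I)
    if not key or not sig:
        raise ValueError("no RSA key size or digest-based signature algorithm found")
    return int(key.group(1)), sig.group(1).lower()

def max_level(rsa_bits, digest):
    """Highest security level (0-5) that both the key and the digest satisfy."""
    level = 0
    for lvl in sorted(LEVEL_BITS):
        if rsa_bits >= MIN_RSA_BITS[lvl] and DIGEST_BITS[digest] >= LEVEL_BITS[lvl]:
            level = lvl
    return level

def explain(text, required_level=2):
    """List the reasons a certificate fails the required level (empty if it passes)."""
    bits, digest = parse_cert_text(text)
    reasons = []
    if bits < MIN_RSA_BITS[required_level]:
        reasons.append(f"RSA key {bits} bits < {MIN_RSA_BITS[required_level]}")
    if DIGEST_BITS[digest] < LEVEL_BITS[required_level]:
        reasons.append(f"{digest} rated {DIGEST_BITS[digest]} bits < {LEVEL_BITS[required_level]}")
    return reasons

if __name__ == "__main__":
    print(max_level(*parse_cert_text(SAMPLE_TEXT)), explain(SAMPLE_TEXT))
```

OpenSSL skips the signature-digest check for a self-signed trust anchor, so for a root CA file the key length is the deciding factor.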