confluentinc / confluent-kafka-python

Confluent's Kafka Python Client
http://docs.confluent.io/current/clients/confluent-kafka-python

SSL HANDSHAKE FAIL #1755

Closed laurafbec closed 1 month ago

laurafbec commented 1 month ago

Description

I'm getting the error

```
1716973405.627|FAIL|producer#producer-1| [thrd:ssl://localhost:19093/bootstrap]: ssl://localhost:19093/bootstrap: SSL handshake failed: error:0A000086:SSL routines::certificate verify failed: broker certificate could not be verified, verify that ssl.ca.location is correctly configured or root CA certificates are installed (install ca-certificates package) (after 5ms in state SSL_HANDSHAKE)
```

when connecting through a Python client. Nevertheless, when using the openssl client, the connection seems to be established.

```
$ openssl s_client -connect localhost:19093 -tls1_3 -servername broker1 -cert producer.pem -key producer_key.pem -CAfile CARoot.pem
CONNECTED(00000003)
depth=1 CN = ca1, OU = TEST, O = TEST, L = Leon, C = ES
verify return:1
depth=0 C = ES, ST = CL, L = Leon, O = TEST, OU = TEST, CN = broker1
verify return:1
---
Certificate chain
 0 s:C = ES, ST = CL, L = Leon, O = TEST, OU = TEST, CN = broker1
   i:CN = ca1, OU = TEST, O = TEST, L = Leon, C = ES
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 28 11:59:55 2024 GMT; NotAfter: Oct 13 11:59:55 2051 GMT
 1 s:CN = ca1, OU = TEST, O = TEST, L = Leon, C = ES
   i:CN = ca1, OU = TEST, O = TEST, L = Leon, C = ES
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 28 11:59:44 2024 GMT; NotAfter: Oct 13 11:59:44 2051 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDKjCCAhICFAnnFniphkI5Bp2pEeiRbvOatkjbMA0GCSqGSIb3DQEBCwUAMEgx
DDAKBgNVBAMMA2NhMTENMAsGA1UECwwEVEVTVDENMAsGA1UECgwEVEVTVDENMAsG
A1UEBwwETGVvbjELMAkGA1UEBhMCRVMwIBcNMjQwNTI4MTE1OTU1WhgPMjA1MTEw
MTMxMTU5NTVaMFkxCzAJBgNVBAYTAkVTMQswCQYDVQQIEwJDTDENMAsGA1UEBxME
TGVvbjENMAsGA1UEChMEVEVTVDENMAsGA1UECxMEVEVTVDEQMA4GA1UEAxMHYnJv
a2VyMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALMk/F4LKLsIOrkl
pNH82rlXlAJ9poCzfRzFzoeB+vztOeBVZmgp/z8f8RIVOrrzBco/uw2qdC32lC6L
pI61EgfajFsMliskwpIBUNJtfPCIMW0nfrpEbpOm3mggm7ZdXp9LquQ99CcQuTyV
72WiKz4UJEKeXxMbxxb0MAfcAlH7cEgOlw9ttwnwnWA1LWz06g01DvT5YytkIM9h
lVkBiEJvjaQl9tA4+zzsgxa2z2+eUhSj3LSOQHULwkprddgdIFftG+W3Bh9xjp7F
GA8qMieaPe1bJZMx0x3X80UPqSqEasrXv7HXbxTjCR+39ewf2xkCLnVqzHgSpAFE
3OUOQLsCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAnJe0Dd0/FZD8mATqaW4n5UX6
e3EcRQYpN0zJL+4Uyg0bF7RXF1uiVYlQmm8ed/uznxNuzvl8lI3wgTXSKgV46mcU
pLW4/Gk9IAjsZbvoGhIacSQWVGO93hiUsGyBOOJwyg1LHb+bGHUzq2aKXkgff+Sh
BJqUzikjhlaT6AttXnPNvg8wBTScV3dC55AFn8OgfD2HhydxM2XBFfUMgLV3jV13
6R8F3Uauz9pmnKj8GQscsoTgRabv81nOieofXH6Uym+0E1UCAzNqk4EN0AaCiVEz
fRQDBfqdApv7cB+gYYSLQd6Ag5Ev+WxwWAs9q1jmzy2I0xNEsPhpleckV8qCBg==
-----END CERTIFICATE-----
subject=C = ES, ST = CL, L = Leon, O = TEST, OU = TEST, CN = broker1
issuer=CN = ca1, OU = TEST, O = TEST, L = Leon, C = ES
---
Acceptable client certificate CA names
CN = ca1, OU = TEST, O = TEST, L = Leon, C = ES
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA1:RSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2395 bytes and written 2348 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 8BE0CE1FF6E53B0C9EDA5D94C7986382C2799938BB2D4C0B61B2B1834AD310D4
    Session-ID-ctx:
    Resumption PSK: 43A7DDF6FA6F39DF4618AF38B95A0203AA11466795FFCD5A80175E8A8D5868ABE278E37122802F3FEB2DEE360CE7530F
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 86400 (seconds)
    TLS session ticket:
    0000 - e3 07 df 2a b2 aa b6 4d-c6 f2 67 90 6a e9 3f 90   ...*...M..g.j.?.
    0010 - bd 7b e1 69 bb e6 39 1b-55 6a aa 4c f8 a1 3b 07   .{.i..9.Uj.L..;.

    Start Time: 1716972808
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
```

How to reproduce

This is the Python client I'm using

```python
from confluent_kafka import Producer
from random import choice
from uuid import uuid4
import socket

jsonString1 = """ {"name":"Gal", "email":"Gadot84@mail.com", "salary": "8345.55"} """
jsonString2 = """ {"name":"Dwayne", "email":"Johnson52@mail.com", "salary": "7345.75"} """
jsonString3 = """ {"name":"Momoa", "email":"Jason91@mail.com", "salary": "3345.25"} """

jsonv1 = jsonString1.encode()
jsonv2 = jsonString2.encode()
jsonv3 = jsonString3.encode()


def delivery_report(errmsg, msg):
    """
    Reports the Failure or Success of a message delivery.

    Args:
        errmsg (KafkaError): The Error that occurred while message producing.
        msg (Actual message): The message that was produced.

    Note:
        In the delivery report callback the Message.key() and Message.value()
        will be the binary format as encoded by any configured Serializers and
        not the same object that was passed to produce().
        If you wish to pass the original object(s) for key and value to delivery
        report callback we recommend a bound callback or lambda where you pass
        the objects along.
    """
    if errmsg is not None:
        print("Delivery failed for Message: {} : {}".format(msg.key(), errmsg))
        return
    print('Message: {} successfully produced to Topic: {} Partition: [{}] at offset {}'.format(
        msg.key(), msg.topic(), msg.partition(), msg.offset()))


kafka_topic_name = "ROSMessagesTopic"
conf = {'bootstrap.servers': 'localhost:19093',
        'security.protocol': 'SSL',
        'ssl.ca.location': 'CARoot.pem',
        'ssl.certificate.location': 'producer.pem',
        'ssl.key.location': 'producer_key.pem',
        'client.id': socket.gethostname()}

producer = Producer(conf)
print("connecting to Kafka topic...")

producer.poll(0)

try:
    producer.produce(topic=kafka_topic_name, key=str(uuid4()), value=jsonv1, on_delivery=delivery_report)
    producer.produce(topic=kafka_topic_name, key=str(uuid4()), value=jsonv2, on_delivery=delivery_report)
    producer.produce(topic=kafka_topic_name, key=str(uuid4()), value=jsonv3, on_delivery=delivery_report)

    producer.flush()

except Exception as ex:
    print("Exception happened :", ex)

print("\n Stopping Kafka Producer")
```


laurafbec commented 1 month ago

Solved with 'ssl.endpoint.identification.algorithm':'none'
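The two results in this thread are consistent: `openssl s_client` only uses `-servername` to send SNI and does not check the certificate's name against the host unless `-verify_hostname` is given, while librdkafka defaults `ssl.endpoint.identification.algorithm` to `https` (since librdkafka 2.0) and therefore compares the dialled host, `localhost`, against a certificate issued to `CN = broker1`. Setting the algorithm to `none` makes the handshake succeed by skipping that comparison, which also means a client would accept any certificate signed by `ca1`, whoever presents it. The added example below (not code from the issue or from confluent-kafka-python) models the hostname check the way OpenSSL's `X509_check_host` applies it and evaluates the reporter's configuration, the workaround, and two fixes that keep verification on: dial the name that is in the certificate, or reissue the broker certificate with a SAN that covers `localhost`. The certificate names are constructed from the `openssl` output above; the assumption that the broker certificate has no dNSName SAN is mine, since `s_client` does not print SANs.

```python
"""Hostname-verification model for the broker1 / localhost mismatch (added example)."""
import ipaddress


def _label_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison as OpenSSL applies it: case-insensitive,
    at most one wildcard, and only as the complete left-most label, so
    *.example.com covers a.example.com but not example.com or a.b.example.com."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(hostname: str, san_dns: list, subject_cn) -> bool:
    """True when the dialled name is covered by the certificate.
    An IP literal never matches a dNSName or the CN (it would need an
    iPAddress SAN, not modelled here). The CN is consulted only when the
    certificate carries no dNSName SAN at all, which is OpenSSL's default."""
    try:
        ipaddress.ip_address(hostname)
        return False
    except ValueError:
        pass
    if san_dns:
        return any(_label_match(name, hostname) for name in san_dns)
    return subject_cn is not None and _label_match(subject_cn, hostname)


def check_endpoint_identification(conf: dict, cert: dict) -> dict:
    """Per-bootstrap-host verdict for a librdkafka-style configuration dict.
    'https' (the librdkafka 2.x default) performs the check; 'none' skips it."""
    algorithm = conf.get("ssl.endpoint.identification.algorithm", "https")
    verdicts = {}
    for entry in conf["bootstrap.servers"].split(","):
        host = entry.strip().rsplit(":", 1)[0]   # host:port -> host (no IPv6 brackets handled)
        if algorithm == "none":
            verdicts[host] = "skipped (hostname not verified; any ca1-signed cert is accepted)"
        elif hostname_matches(host, cert["san_dns"], cert["subject_cn"]):
            verdicts[host] = "ok"
        else:
            verdicts[host] = "hostname mismatch"
    return verdicts


# Constructed from the openssl output in the issue; "no SAN" is an assumption.
BROKER_CERT = {"subject_cn": "broker1", "san_dns": []}
# Hypothetical reissued certificate whose SAN covers both names.
REISSUED_CERT = {"subject_cn": "broker1", "san_dns": ["broker1", "localhost"]}

COMMON = {"security.protocol": "SSL", "ssl.ca.location": "CARoot.pem",
          "ssl.certificate.location": "producer.pem", "ssl.key.location": "producer_key.pem"}
REPORTED_CONF = {**COMMON, "bootstrap.servers": "localhost:19093"}
WORKAROUND_CONF = {**REPORTED_CONF, "ssl.endpoint.identification.algorithm": "none"}
PREFERRED_CONF = {**COMMON, "bootstrap.servers": "broker1:19093"}

if __name__ == "__main__":
    for label, conf, cert in [("reported", REPORTED_CONF, BROKER_CERT),
                              ("workaround", WORKAROUND_CONF, BROKER_CERT),
                              ("dial cert name", PREFERRED_CONF, BROKER_CERT),
                              ("reissue with SAN", REPORTED_CONF, REISSUED_CERT)]:
        print(f"{label:17s} {check_endpoint_identification(conf, cert)}")
```

Dialling `broker1:19093` only helps if `broker1` resolves from the client and the broker's `advertised.listeners` also uses that name, because after bootstrap librdkafka connects to the hosts the broker advertises and verifies each of those certificates too.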