confluentinc / confluent-kafka-python

Confluent's Kafka Python Client
http://docs.confluent.io/current/clients/confluent-kafka-python

Troubles with kerberos+ssl builds #901

Closed e-kolkhoz closed 4 years ago

e-kolkhoz commented 4 years ago

Description

We have a project with a consumer SSL connection to one Kafka cluster (Cluster A) and a SASL/GSSAPI/Kerberos producer connection to another Kafka cluster (Cluster B).

  1. This https://github.com/edenhill/librdkafka/wiki/Using-SSL-with-librdkafka works fine with Cluster A (SSL): `pip3 install confluent-kafka==1.2.0`

  2. This https://github.com/edenhill/librdkafka/wiki/Using-SASL-with-librdkafka works ok with Cluster B (SASL_PLAINTEXT):

     ```shell
     apt install librdkafka-dev
     pip3 install --no-binary :all: confluent-kafka
     ```

     BUT! This no-binary driver build doesn't work with SSL anymore.

     ```
     %7|1593100516.978|BROKERFAIL|rdkafka#consumer-1| [thrd:ssl://clusterA_kafka_ip_here:9292/bootstrap]: ssl://clusterA_kafka_ip_here:9292/bootstrap: failed: err: Local: Broker transport failure: (errno: Success)
     ```

     Then if we install the vanilla driver (`pip3 install confluent-kafka==1.2.0`) this error disappears.

  3. This Chinese workaround (spoofing the librdkafka binary under the vanilla Python driver) http://fuxkdb.com/2019/03/08/%E4%BD%BFconfluent_kafka%E6%94%AF%E6%8C%81SASL_PLAINTEXT/ (you may use Google Translate to read it) works fine with SSL (!) on our sandbox Kafka cluster (Cluster C), but on Cluster A we get another error:

     ```
     %7|1592995306.337|FAIL|rdkafka#consumer-1| [thrd:ssl://clusterA_kafka_ip_here:9292/bootstrap]: ssl://clusterA_kafka_ip_here:9292/bootstrap: SSL handshake failed: ../ssl/record/ssl3_record.c:332: error: 1408F10B:SSL routines: ssl3_get_record:wrong version number (after 27 ms in state CONNECT) (_SSL)
     ```

Which versions (Linux distro, confluent-kafka-python, librdkafka) should we use to establish a connection with Cluster A (SSL) and produce messages to Cluster B (SASL_PLAINTEXT, SASL/GSSAPI/Kerberos)?

What are we doing wrong with the procedure? Maybe we should use another way to connect to both clusters?

How to reproduce
================
On debian:bullseye-slim:

```shell
apt install librdkafka-dev
pip3 install --no-binary :all: confluent-kafka
```

In Python 3.6:

```python
from confluent_kafka import Producer, Consumer

# Placeholders standing in for the values used in the original report.
kafka_servers = "CLUSTER_A_BOOTSTRAP_PLACEHOLDER:9292"
ssl_pass = "SSL_KEY_PASSWORD_PLACEHOLDER"
some_group = "GROUP_ID_PLACEHOLDER"

configs = {
    "bootstrap.servers": kafka_servers,
    "security.protocol": "ssl",
    "ssl.ca.location": "/etc/kafka/ssl/kafka-ca-cert",
    "ssl.certificate.location": "/etc/kafka/ssl/kafka-client.pem",
    "ssl.key.location": "/etc/kafka/ssl/kafka-client.key",
    "ssl.key.password": ssl_pass,
}
configs["group.id"] = some_group

c = Consumer(configs)
```


edenhill commented 4 years ago

When using the binary wheels of confluent-kafka-python it comes with librdkafka and OpenSSL 1.0.2 included. But when you use the source packages of confluent-kafka-python it relies on the system-installed librdkafka and OpenSSL, so I would start looking there. What is the OpenSSL version installed on the system? Was librdkafka built for that OpenSSL version? Set `"debug": "broker,security"` to get more insight into what is happening; this will also show what OpenSSL version librdkafka is using and what version it was built for.
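
As an added example (not code from the thread or from the project), a small helper that applies the `"debug": "broker,security"` setting suggested above and compares the runtime OpenSSL version against the one librdkafka was built for, which is the mismatch a source build against a different system OpenSSL can produce. The exact wording of librdkafka's OPENSSL debug line, the sample log lines and the bootstrap/group placeholders are assumptions.

```python
import logging
import re

# The debug facilities suggested above; with them librdkafka logs which OpenSSL
# it runs against and which version it was built for.
DEBUG_CONFIG = {"debug": "broker,security"}

# Assumed shape of librdkafka's OPENSSL debug line (constructed, not from the
# thread). OpenSSL's numeric version is 0xMNNFFPPS: major, minor, fix, patch, status.
_OPENSSL_RE = re.compile(r"\((0x[0-9a-fA-F]+), librdkafka built with (0x[0-9a-fA-F]+)\)")

def check_openssl_versions(lines):
    """Return (runtime_hex, built_hex, mismatch) from debug lines, or None.
    mismatch is True when major.minor differ (e.g. 1.0.2 runtime vs 1.1.1 build)."""
    for line in lines:
        m = _OPENSSL_RE.search(line)
        if m:
            runtime, built = m.group(1).lower(), m.group(2).lower()
            # Keep only the M and NN fields (top 12 bits of the 32-bit value).
            mismatch = (int(runtime, 16) >> 20) != (int(built, 16) >> 20)
            return runtime, built, mismatch
    return None

class CollectingHandler(logging.Handler):
    """Stores librdkafka log messages so they can be fed to the checker."""
    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(record.getMessage())

# Constructed sample: library built against OpenSSL 1.1.1d, loaded onto a 1.0.2u system.
SAMPLE_LINES = [
    "%7|1593100516.900|BRKMAIN|rdkafka#consumer-1| [thrd:main]: Main thread starting",
    "%7|1593100516.901|OPENSSL|rdkafka#consumer-1| [thrd:app]: Using OpenSSL 1.0.2u "
    "20 Dec 2019 (0x1000215f, librdkafka built with 0x1010104f)",
]

if __name__ == "__main__":
    from confluent_kafka import Consumer  # only needed for the live check
    handler = CollectingHandler()
    logger = logging.getLogger("rdkafka")
    logger.setLevel(logging.DEBUG)
    logger.addHandler(handler)
    conf = {"bootstrap.servers": "BOOTSTRAP_PLACEHOLDER:9292", "group.id": "GROUP_PLACEHOLDER",
            "security.protocol": "ssl", "logger": logger, **DEBUG_CONFIG}
    Consumer(conf).poll(1.0)  # librdkafka log callbacks are delivered from poll()
    print(check_openssl_versions(handler.lines) or "no OPENSSL debug line seen yet")
```

Run against the constructed sample, the checker reports a major.minor mismatch between the 1.0.2u runtime and the 1.1.1d build; a live run needs the `confluent_kafka` package and reachable brokers in place of the placeholders.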

e-kolkhoz commented 4 years ago

Yes. It works!