
I know there are any number of pages if I look for the "ssl3_read_bytes:sslv3 alert handshake failure" error, but I am still not clear why this error comes and what we need to do to fix it. Any good documentation will help.

I upgraded my Kafka Connect to use the latest image from Confluent and am seeing this error now. Note we are intentionally using an insecure connection, and it was working with the earlier image with curl without any issues.

```
[root@kafkaconnect-0 appuser]# curl -X GET https://kafkaconnect-0.kc.default.svc.cluster.local:443/connectors  -v
Note: Unnecessary use of -X or --request, GET is already inferred.
*   Trying 10.24.2.86...
* TCP_NODELAY set
* Connected to kafkaconnect-0.kc.default.svc.cluster.local (10.24.2.86) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS alert, [no content] (0):
* TLSv1.3 (IN), TLS alert, handshake failure (552):
* error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
* Closing connection 0
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
[root@kafkaconnect-0 appuser]# 
[root@kafkaconnect-0 tmp]# curl --version
curl 7.61.1 (x86_64-redhat-linux-gnu) libcurl/7.61.1 OpenSSL/1.1.1g zlib/1.2.11 brotli/1.0.6 libidn2/2.2.0 libpsl/0.20.2 (+libidn2/2.2.0) libssh/0.9.4/openssl/zlib nghttp2/1.33.0
Release-Date: 2018-09-05
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz brotli TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL Metalink
[root@kafkaconnect-0 tmp]#
```
SunilS
  • I think your problem is related to certificate verification. Did you add the certificate of Kafka to this file, "CAfile: /etc/pki/tls/certs/ca-bundle.crt"? Anyway, a fast test to see if this approach is correct: you could use curl with the flag --insecure to see if any connection is performed and the SSL handshake completes. – JTejedor Mar 10 '21 at 09:32
  • @JTejedor It fails with --insecure also, same error. – SunilS Mar 11 '21 at 08:23
  • Do you get more error details if you use `openssl s_client -connect kafkaconnect-0.kc.default.svc.cluster.local:443`? Can you please add them to the question? – rfkortekaas Mar 11 '21 at 12:47
  • Based on [this file extracted from the full example using the latest Kafka image](https://github.com/confluentinc/cp-demo/blob/45c144430f497cc0a41797eac5971643c156e9ac/scripts/security/certs-create-per-user.sh), it seems that you need to authenticate the client as well, using the CA certificate for both parts (curl client and Kafka). So Kafka as server declines the connection because the curl client certificate is not valid... Another guess... – JTejedor Mar 11 '21 at 16:42
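The question's `curl -v` trace and the comment thread both turn on the same point: which side sent the alert, and at what stage of the handshake. The script below is an added example, not code from the question, the comments or Confluent; it parses the `* TLSv1.x (IN|OUT), TLS <kind>, <message> (<n>):` lines that libcurl prints and the `* error:...` line, and reports the last handshake message seen before the alert. Two facts it relies on: an `IN` alert was sent by the server, and OpenSSL's "sslv3 alert ..." reason names are its legacy wording for every TLS alert, so the error text does not mean SSLv3 was negotiated. The three traces embedded in it are constructed samples (the first is the question's own TLS lines; the other two are illustrative sequences for contrast, not real captures).

```python
"""Locate where a TLS handshake broke from the lines `curl -v` prints.

Added example (not code from the question or its comments). It reads only
curl's TLS trace lines and the OpenSSL error line.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Trace lines in the shape libcurl/OpenSSL print them in verbose mode.
TRACE_LINE = re.compile(
    r"^\* (?P<version>TLSv1\.[0-3]|SSLv3) \((?P<direction>IN|OUT)\), "
    r"TLS (?P<kind>[a-z ]+?), (?P<message>.+?) \((?P<code>\d+)\):?$"
)
# OpenSSL error line. "sslv3 alert ..." is OpenSSL's legacy reason name for
# any TLS alert; it does not mean SSLv3 was used.
OPENSSL_ERROR = re.compile(r"^\* error:[0-9A-Fa-f]+:SSL routines:\w+:(?P<reason>.+)$")

# Constructed sample 1: the TLS lines from the question's transcript.
QUESTION_TRACE = """\
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS alert, [no content] (0):
* TLSv1.3 (IN), TLS alert, handshake failure (552):
* error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
* Closing connection 0
"""
# Constructed sample 2: a completed TLS 1.3 handshake, for contrast.
OK_TRACE = """\
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
"""
# Constructed sample 3: the server asked for a client certificate and rejected
# it; note the alert arrives only after the server's own Certificate.
CLIENT_AUTH_TRACE = """\
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* TLSv1.3 (IN), TLS alert, bad certificate (554):
"""


@dataclass
class HandshakeReport:
    version: Optional[str] = None
    messages: List[str] = field(default_factory=list)  # "IN Server hello", ...
    server_cert_seen: bool = False                      # server's Certificate arrived
    alert: Optional[str] = None                         # alert description, if any
    alert_from: Optional[str] = None                    # "server" (IN) or "client" (OUT)
    last_message_before_alert: Optional[str] = None
    openssl_error: Optional[str] = None
    verdict: str = ""


def _verdict(r: HandshakeReport) -> str:
    if r.alert is None:
        return "No alert in the trace: the handshake completed (or the trace was cut short)."
    if r.alert_from == "client":
        return (f"The client sent '{r.alert}' after {r.last_message_before_alert}: "
                "the client rejected something the server presented, typically its certificate.")
    if not r.server_cert_seen:
        return (f"The server sent '{r.alert}' after {r.last_message_before_alert}, before "
                "sending its certificate: the client's trust checks never ran, so curl --insecure "
                "cannot change the outcome; the server refused the parameters or policy of this "
                "connection, so check its TLS configuration and logs.")
    return (f"The server sent '{r.alert}' after the client had received its certificate "
            f"(last message: {r.last_message_before_alert}): the server rejected the client's "
            "side of the exchange, e.g. the client certificate it asked for.")


def analyze_curl_output(text: str) -> HandshakeReport:
    """Parse curl -v output and say where (and by whom) the handshake was aborted."""
    report = HandshakeReport()
    for raw in text.splitlines():
        line = raw.rstrip()
        err = OPENSSL_ERROR.match(line)
        if err:
            report.openssl_error = err.group("reason")
            continue
        m = TRACE_LINE.match(line)
        if not m:
            continue
        if report.version is None:
            report.version = m.group("version")
        direction, kind, message = m.group("direction"), m.group("kind"), m.group("message")
        if message == "[no content]":  # record-boundary noise curl prints; carries no information
            continue
        if kind == "handshake":
            report.messages.append(f"{direction} {message}")
            if direction == "IN" and message == "Certificate":
                report.server_cert_seen = True
        elif kind == "alert" and report.alert is None:  # first alert decides the outcome
            report.alert = message
            report.alert_from = "server" if direction == "IN" else "client"
            report.last_message_before_alert = report.messages[-1] if report.messages else None
    report.verdict = _verdict(report)
    return report


if __name__ == "__main__":
    for name, trace in [("question", QUESTION_TRACE), ("ok", OK_TRACE), ("client-auth", CLIENT_AUTH_TRACE)]:
        r = analyze_curl_output(trace)
        print(f"[{name}] {r.version}: {r.verdict}")
```

Run it on a saved `curl -v 2>&1` capture by passing the file's contents to `analyze_curl_output`. For the question's trace it reports that the server (the `IN` side) sent the alert right after Encrypted Extensions and before any Certificate message, which is why `--insecure` made no difference in the comments: that flag only relaxes the client's verification of a server certificate that, in this trace, never arrived. The `openssl s_client` suggestion in the comments gives the same stage information in a different format; the next place to look is the server side's TLS settings and logs.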
