0

We use this configuration to connect to a Kafka topic:

mp.messaging.incoming.ddd.connector=smallrye-kafka
mp.messaging.incoming.ddd.topic=trx
mp.messaging.incoming.ddd.bootstrap.servers=xxx:9095
mp.messaging.incoming.ddd.value.deserializer=org.apache.kafka.common.serialization.StringDeserializer
mp.messaging.incoming.ddd.security.protocol=SASL_SSL
mp.messaging.incoming.ddd.ssl.truststore.location=/truststore.jks
mp.messaging.incoming.ddd.ssl.truststore.password=${KAFKA_PASS}
mp.messaging.incoming.ddd.ssl.enabled.protocols=TLSv1.2
mp.messaging.incoming.ddd.ssl.truststore.type=JKS
mp.messaging.incoming.ddd.ssl.endpoint.identification.algorithm=
mp.messaging.incoming.ddd.sasl.mechanism=SCRAM-SHA-512
mp.messaging.incoming.ddd.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username....

It works perfectly fine in Quarkus 1.x versions, but not in Quarkus 2.x.

So, running Quarkus in debug mode, the consumers are configured differently.

Quarkus 1.x log

    ... ...
    ssl.cipher.suites = null
    ssl.enabled.protocols = [TLSv1.2]
    ssl.endpoint.identification.algorithm =
    ssl.key.password = null
    ssl.keymanager.algorithm = SunX509
    ssl.keystore.location = null
    ssl.keystore.password = null
    ssl.keystore.type = JKS
    ssl.protocol = TLSv1.2
    ssl.provider = null
    ssl.secure.random.implementation = null
    ssl.trustmanager.algorithm = PKIX
    ... ...

Quarkus 2.x log:

    ... ...
    ssl.cipher.suites = null
    ssl.enabled.protocols = [TLSv1.2, TLSv1.3]
    ssl.endpoint.identification.algorithm = https
    ssl.engine.factory.class = null
    ssl.key.password = null
    ssl.keymanager.algorithm = SunX509
    ssl.keystore.certificate.chain = null
    ssl.keystore.key = null
    ssl.keystore.location = null
    ssl.keystore.password = null
    ssl.keystore.type = JKS
    ssl.protocol = TLSv1.3
    ssl.provider = null
    ssl.secure.random.implementation = null
    ssl.trustmanager.algorithm = PKIX
    ... ...

The exact error I get is this: Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching xxx found.

It is known that hostname verification can be bypassed by setting the ssl.endpoint.identification.algorithm parameter to an empty value, but Quarkus 2 ignores the configuration.

How can I override ssl.endpoint.identification.algorithm parameter in quarkus 2.x?

Marcus911
Alexis

1 Answer

2

I fixed the problem by inserting a dummy variable whose default is at least one space:

mp.messaging.incoming.ddd.ssl.endpoint.identification.algorithm=${MY_VAR: }

This post was very helpful: Provide empty string to Quarkus as the default value for an environment variable

Alexis
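A note on what the workaround above actually does, plus a way to check the real fix. `ssl.endpoint.identification.algorithm=https` is the Kafka client default, and the error in the question ("No subject alternative DNS name matching xxx found") means the broker certificate's subjectAltName does not contain the host written in `bootstrap.servers`. Setting the algorithm to an empty value does not repair the certificate, it switches hostname verification off: from then on any certificate that chains to a CA in `/truststore.jks` is accepted for any host, so a certificate issued to some other service under the same CA could impersonate the broker. The durable fix is a broker certificate whose SAN lists the name the client connects to (or connecting by a name the SAN already covers) and leaving the algorithm at `https`. The script below is an added example, not code from the question, the answer or the Quarkus project. It assumes `openssl` is installed, builds a throwaway CA and broker certificate with made-up names, and runs the same hostname check with `openssl verify -verify_hostname`, so the match and the mismatch can be seen without a Kafka cluster:

```shell
#!/bin/sh
# Added example, not code from the question, the answer or the Quarkus project.
# Reproduces the check behind Kafka's ssl.endpoint.identification.algorithm=https
# with plain openssl: a constructed private CA, a broker certificate whose SAN
# carries the broker name, then hostname verification against the name a client
# would put in bootstrap.servers. All names below are made up for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Name the broker certificate will carry in its SAN (assumed; use your real FQDN).
BROKER_NAME=kafka-1.internal.example

# make_test_pki DIR NAME: create a throwaway CA and a broker cert whose
# subjectAltName contains DNS:NAME. This is what a real PKI should issue.
make_test_pki() {
    dir=$1; name=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Test Kafka CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=$name" \
        -keyout "$dir/broker.key" -out "$dir/broker.csr" >/dev/null 2>&1
    # The SAN is what the https algorithm matches against; a CN alone is not enough.
    printf 'subjectAltName=DNS:%s\n' "$name" > "$dir/san.cnf"
    openssl x509 -req -days 1 -in "$dir/broker.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/san.cnf" -out "$dir/broker.pem" >/dev/null 2>&1
}

# hostname_check DIR HOST: exit 0 only if the broker cert chains to the CA
# *and* its SAN matches HOST. A mismatch here is the same condition that
# produced "No subject alternative DNS name matching ... found" in the question.
hostname_check() {
    openssl verify -CAfile "$1/ca.pem" -verify_hostname "$2" "$1/broker.pem" >/dev/null 2>&1
}

# show_broker_san HOST PORT: inspect the SAN of a live broker (needs network,
# so it is defined but not run here). Compare its output with bootstrap.servers.
show_broker_san() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -ext subjectAltName
}

make_test_pki "$WORK" "$BROKER_NAME"

if hostname_check "$WORK" "$BROKER_NAME"; then
    echo "OK: connecting to $BROKER_NAME passes hostname verification"
fi
if ! hostname_check "$WORK" "xxx"; then
    echo "REJECTED: connecting to xxx fails, the SAN only covers $BROKER_NAME"
fi
```

Run `show_broker_san <host> 9095` against the real broker with the host from `bootstrap.servers`; if that name is absent from the printed `DNS:` entries, the client is correctly refusing the connection. Once the broker certificate (or the configured name) is corrected, the `ssl.endpoint.identification.algorithm` line can be dropped so Quarkus 2 keeps its `https` default, and `${MY_VAR: }` is no longer needed.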