Kafka connect SSL handshake error with MSK #5797
-
Hi, I am trying to deploy Kafka Connect pointing to AWS MSK broker with TLS authentication and encryption. Below is the configuration and error message on logs. Looks like Strimzi operator is defaulting to TLSv1.3 but MSK supports only TLSv1.2. Is there a way to control the TLS version for handshake?

Configurations:

```yaml
apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaConnect
metadata:
  name: this-msk-connect
  annotations:
    strimzi.io/use-connector-resources: "true"
spec:
  version: 2.8.0
  replicas: 1
  bootstrapServers: b-3.dsc-msk-nonprod.ecxi4x.c8.kafka.us-east-1.amazonaws.com:9094,b-1.dsc-msk-nonprod.ecxi4x.c8.kafka.us-east-1.amazonaws.com:9094,b-2.dsc-msk-nonprod.ecxi4x.c8.kafka.us-east-1.amazonaws.com:9094
  tls:
    trustedCertificates:
      - secretName: msk-cluster-cluster-ca-cert
        certificate: ca.crt
  authentication:
    type: tls
    certificateAndKey:
      certificate: user.crt
      key: user.key
      secretName: super-user
  config:
    group.id: msk-this-msk-connect
    offset.storage.topic: this-msk-connect-offsets
    config.storage.topic: this-msk-connect-configs
    status.storage.topic: this-msk-connect-status
    config.storage.replication.factor: -1
    offset.storage.replication.factor: -1
    status.storage.replication.factor: -1
```

Logs:
-
Why do you think this has anything to do with TLSv1.2 / TLSv1.3? The logs suggest that both are enabled & the error IMHO does not suggest this is the issue. But if you want, you should be able to configure the TLS protocols in
-
The issue was due to DSA keys. Replaced with RSA keys and worked well.
-
We encountered a similar issue with the DSA signature scheme resulting in a server_hello error:
Switching to RSA resolved the problem. Specifically, we updated our key generation command to include the `keytool -genkeypair -keyalg RSA -keysize 2048 ...` This modification might be beneficial for others facing similar SSL/TLS handshake issues with MSK.
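A pre-deployment check for the cause reported in this thread, added here as an example and not code from the thread or from Strimzi: it reads the public-key algorithm of a PEM client certificate such as `user.crt` with only the Python standard library, so a DSA key is caught before the handshake fails. The function names are hypothetical and the sample input is a constructed skeleton certificate, not a real one.

```python
import base64

# Public-key algorithm OIDs that appear in a certificate's SubjectPublicKeyInfo.
KEY_ALGS = {"1.2.840.10040.4.1": "DSA", "1.2.840.113549.1.1.1": "RSA",
            "1.2.840.10045.2.1": "EC"}

def children(buf):
    """Split DER bytes into a list of (tag, value) elements."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits count the length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def cert_key_algorithm(pem):
    """Name the public-key algorithm of the first certificate in a PEM string."""
    first = pem.split("-----END")[0].splitlines()
    body = "".join(l for l in first if not l.startswith("-----"))
    tbs = children(children(children(base64.b64decode(body))[0][1])[0][1])
    if tbs[0][0] == 0xA0:       # optional explicit [0] version field
        tbs = tbs[1:]
    spki = children(tbs[5][1])  # serial, sigAlg, issuer, validity, subject, SPKI
    oid = decode_oid(children(spki[0][1])[0][1])
    return KEY_ALGS.get(oid, oid)

def der(tag, *parts):  # encoder for the sample only: short-form lengths
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def sample_pem(key_oid_hex):
    """Constructed skeleton certificate carrying the given key-algorithm OID."""
    seq = lambda *p: der(0x30, *p)
    spki = seq(seq(der(0x06, bytes.fromhex(key_oid_hex))), der(0x03, b"\x00"))
    tbs = seq(der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), seq(), seq(), seq(), seq(), spki)
    cert = base64.b64encode(seq(tbs, seq(), der(0x03, b"\x00"))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{cert}\n-----END CERTIFICATE-----\n"
```

Running `cert_key_algorithm` on the contents of `user.crt` from the `super-user` secret and refusing to deploy when it returns `"DSA"` turns the fix reported above into a gate.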