Kafka SSL


The process below has been tested with Kafka version 2.5.

$ bin/kafka-server-start.sh --version

[2020-06-21 18:51:57,858] INFO Registered kafka:type=kafka.Log4jController MBean (kafka.utils.Log4jControllerRegistration$)

2.5.0 (Commit:66563e712b0b9f84)


BROKER CERT

================================================================================

# Fill in all details except the common name. Type "." for the common name, which sets it to blank.

# Reuse ca-cert and ca-key to sign all broker and client keystores; the CA key passphrase chosen here is the one passed with -passin in the signing steps below.

openssl req -new -x509 -keyout ca-key -out ca-cert -days 366

keytool -keystore server.truststore.jks -alias CARoot -import -file ca-cert


export HOSTNAME=$(hostname)

keytool -keystore server.keystore.jks -alias $HOSTNAME -validity 366 -keyalg RSA -genkey -deststoretype pkcs12 -storepass test1234


# Generate certificate sign request file

keytool -keystore server.keystore.jks -alias $HOSTNAME -certreq -file cert-file


# Create signed cert

openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days 366 -CAcreateserial -passin pass:test1234


keytool -keystore server.keystore.jks -alias CARoot -import -file ca-cert

keytool -keystore server.keystore.jks -alias $HOSTNAME -import -file cert-signed


# View certificates inside the keystore

keytool -list -v -keystore server.keystore.jks



CREATE CLIENT CERT

================================================================================

mkdir client1 && cd client1

export CLIENTNAME=$(hostname)

echo $CLIENTNAME

keytool -keystore client.keystore.jks -alias $CLIENTNAME -validity 366 -keyalg RSA -genkey -deststoretype pkcs12 -storepass test1234

keytool -list -v -keystore client.keystore.jks

keytool -keystore client.truststore.jks -alias CARoot -import -file ../ca-cert

keytool -keystore client.keystore.jks -alias CARoot -import -file ../ca-cert

keytool -keystore client.keystore.jks -alias $CLIENTNAME -certreq -file cert-file

openssl x509 -req -CA ../ca-cert -CAkey ../ca-key -in cert-file -out cert-signed -days 366 -CAcreateserial -passin pass:test1234

keytool -keystore client.keystore.jks -alias $CLIENTNAME -import -file cert-signed

keytool -list -v -keystore client.keystore.jks



#### output of above list command ####

Enter keystore password:

Keystore type: jks

Keystore provider: SUN


Your keystore contains 2 entries


Alias name: en01.local

Creation date: 21 Jun, 2020

Entry type: PrivateKeyEntry

Certificate chain length: 2

Certificate[1]:

Owner: CN=abul basar, OU=tech, O=einext, L=bang, ST=ka, C=IN

Issuer: EMAILADDRESS=test@test.com, OU=tech, O=einext, L=Bang, ST=KA, C=IN

Serial number: e75e32f73246fd8c

Valid from: Sun Jun 21 17:28:04 IST 2020 until: Tue Jun 22 17:28:04 IST 2021

Certificate fingerprints:

MD5: CE:53:79:7B:B1:22:1C:DA:CC:B8:CA:C4:DF:87:8D:26

SHA1: 15:33:FD:56:21:A7:EC:40:B6:C6:03:3F:7E:23:68:15:E1:19:CF:62

SHA256: CF:BD:6B:53:2B:53:F2:2F:72:52:A0:0F:2C:A3:D9:FB:6F:2E:31:D1:12:F1:2F:88:EE:BC:C0:D1:05:25:2C:DA

Signature algorithm name: SHA1withRSA

Subject Public Key Algorithm: 2048-bit RSA key

Version: 1

Certificate[2]:

Owner: EMAILADDRESS=test@test.com, OU=tech, O=einext, L=Bang, ST=KA, C=IN

Issuer: EMAILADDRESS=test@test.com, OU=tech, O=einext, L=Bang, ST=KA, C=IN

Serial number: f8a4a53af011dda3

Valid from: Sun Jun 21 17:26:48 IST 2020 until: Tue Jun 22 17:26:48 IST 2021

Certificate fingerprints:

MD5: 1A:63:5C:76:70:C4:18:32:96:EE:01:F5:E9:A4:6E:46

SHA1: 90:6F:55:65:DF:E6:DE:CB:32:77:A3:F2:1F:F5:37:D7:B6:0F:23:F6

SHA256: 14:E0:BF:B7:88:2B:87:EA:AC:AB:F7:49:BD:23:84:76:9D:CB:8A:08:2B:A2:41:9E:2A:EE:E2:77:BA:40:4D:25

Signature algorithm name: SHA256withRSA

Subject Public Key Algorithm: 2048-bit RSA key

Version: 1



*******************************************

*******************************************



Alias name: caroot

Creation date: 21 Jun, 2020

Entry type: trustedCertEntry


Owner: EMAILADDRESS=test@test.com, OU=tech, O=einext, L=Bang, ST=KA, C=IN

Issuer: EMAILADDRESS=test@test.com, OU=tech, O=einext, L=Bang, ST=KA, C=IN

Serial number: f8a4a53af011dda3

Valid from: Sun Jun 21 17:26:48 IST 2020 until: Tue Jun 22 17:26:48 IST 2021

Certificate fingerprints:

MD5: 1A:63:5C:76:70:C4:18:32:96:EE:01:F5:E9:A4:6E:46

SHA1: 90:6F:55:65:DF:E6:DE:CB:32:77:A3:F2:1F:F5:37:D7:B6:0F:23:F6

SHA256: 14:E0:BF:B7:88:2B:87:EA:AC:AB:F7:49:BD:23:84:76:9D:CB:8A:08:2B:A2:41:9E:2A:EE:E2:77:BA:40:4D:25

Signature algorithm name: SHA256withRSA

Subject Public Key Algorithm: 2048-bit RSA key

Version: 1



*******************************************

*******************************************
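The listing above is what a keystore audit has to read. As an added example, not part of the original notes, the script below parses `keytool -list -v` output into entries and certificates and flags what a reviewer would flag in this listing: the leaf certificate is signed with SHA1withRSA, and every certificate expires on the same day one year out. The sample listing is a constructed, abbreviated copy of the output above; the thresholds (SHA-1/MD5 signatures, a 30-day expiry warning, 2048-bit RSA minimum) and the script name in the comment are this example's own assumptions.

```python
"""Parse `keytool -list -v` output and flag weak or expiring certificates.

Added example, not part of the original notes; thresholds are assumptions.
"""
import re
import sys
from datetime import datetime, timedelta

# Constructed sample, trimmed from the `keytool -list -v` output of client.keystore.jks.
SAMPLE_LISTING = """\
Alias name: en01.local
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=abul basar, OU=tech, O=einext, L=bang, ST=ka, C=IN
Issuer: EMAILADDRESS=test@test.com, OU=tech, O=einext, L=Bang, ST=KA, C=IN
Valid from: Sun Jun 21 17:28:04 IST 2020 until: Tue Jun 22 17:28:04 IST 2021
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Certificate[2]:
Owner: EMAILADDRESS=test@test.com, OU=tech, O=einext, L=Bang, ST=KA, C=IN
Issuer: EMAILADDRESS=test@test.com, OU=tech, O=einext, L=Bang, ST=KA, C=IN
Valid from: Sun Jun 21 17:26:48 IST 2020 until: Tue Jun 22 17:26:48 IST 2021
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key

*******************************************
*******************************************

Alias name: caroot
Entry type: trustedCertEntry

Owner: EMAILADDRESS=test@test.com, OU=tech, O=einext, L=Bang, ST=KA, C=IN
Issuer: EMAILADDRESS=test@test.com, OU=tech, O=einext, L=Bang, ST=KA, C=IN
Valid from: Sun Jun 21 17:26:48 IST 2020 until: Tue Jun 22 17:26:48 IST 2021
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
"""

VALID_RE = re.compile(r"Valid from: (.+?) until: (.+)$")
KEY_BITS_RE = re.compile(r"(\d+)-bit")
WEAK_SIG_PREFIXES = ("MD5", "SHA1")


def parse_keytool_date(text):
    """'Sun Jun 21 17:28:04 IST 2020' -> naive datetime.

    keytool prints the JVM's zone abbreviation, which strptime cannot parse
    portably, so the zone is dropped; day-level precision is enough here.
    """
    parts = text.split()  # ['Sun', 'Jun', '21', '17:28:04', 'IST', '2020']
    return datetime.strptime(f"{parts[1]} {parts[2]} {parts[3]} {parts[-1]}",
                             "%b %d %H:%M:%S %Y")


def parse_keytool_listing(text):
    """Return [{'alias', 'entry_type', 'certs': [...]}, ...], one per keystore entry.

    A PrivateKeyEntry lists its whole chain (Certificate[1], [2], ...); a
    trustedCertEntry lists one certificate. Each certificate starts with an
    'Owner:' line, which is what the loop keys on.
    """
    entries, entry, cert = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "Alias name":
            entry = {"alias": value, "entry_type": None, "certs": []}
            entries.append(entry)
            cert = None
        elif entry is None:
            continue
        elif key == "Entry type":
            entry["entry_type"] = value
        elif key == "Owner":
            cert = {"owner": value}
            entry["certs"].append(cert)
        elif cert is None:
            continue
        elif key == "Issuer":
            cert["issuer"] = value
        elif key == "Valid from":
            m = VALID_RE.match(line)
            cert["not_before"] = parse_keytool_date(m.group(1))
            cert["not_after"] = parse_keytool_date(m.group(2))
        elif key == "Signature algorithm name":
            cert["sig_alg"] = value
        elif key == "Subject Public Key Algorithm":
            m = KEY_BITS_RE.search(value)
            cert["key_bits"] = int(m.group(1)) if m else None
    return entries


def audit_keystore(text, now=None, warn_days=30, min_rsa_bits=2048):
    """Return findings for a listing; `now` may be a datetime or an ISO date string."""
    if now is None:
        now = datetime.now()
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    findings = []
    for entry in parse_keytool_listing(text):
        for i, cert in enumerate(entry["certs"], start=1):
            where = f"{entry['alias']} cert[{i}]"
            alg = cert.get("sig_alg", "")
            if alg.upper().startswith(WEAK_SIG_PREFIXES):
                findings.append(f"{where}: weak signature algorithm {alg}")
            bits = cert.get("key_bits")
            if bits is not None and bits < min_rsa_bits:
                findings.append(f"{where}: {bits}-bit key below {min_rsa_bits}-bit minimum")
            not_after = cert.get("not_after")
            if not_after is None:
                continue
            if not_after < now:
                findings.append(f"{where}: expired on {not_after:%Y-%m-%d}")
            elif not_after - now < timedelta(days=warn_days):
                findings.append(f"{where}: expires {not_after:%Y-%m-%d}, within {warn_days} days")
    return findings


if __name__ == "__main__":
    # Hypothetical usage: keytool -list -v -keystore server.keystore.jks | python3 audit_keystore.py
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    for finding in audit_keystore(source) or ["no findings"]:
        print(finding)
```

Run against the listing above as of June 2020 it reports only the SHA-1 signature on the leaf; run a year later it additionally reports all three certificates as expired, which is the failure mode a one-year `-validity 366` setup silently walks into.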





Broker config: config/server.properties

===============================================================================

# Todo: Replace EN01.local with the actual hostname.

listeners=SSL://EN01.local:9092

advertised.listeners=SSL://EN01.local:9092


ssl.client.auth=required

# Todo: Set the file location

ssl.keystore.location=/Users/abasar/Downloads/kafka-ssl/server.keystore.jks

ssl.keystore.password=test1234

ssl.key.password=test1234

ssl.truststore.location=/Users/abasar/Downloads/kafka-ssl/server.truststore.jks

ssl.truststore.password=test1234


ssl.keystore.type=JKS

ssl.truststore.type=JKS

ssl.secure.random.implementation=SHA1PRNG

# An empty value disables hostname verification. It is left empty here because the broker
# certificate above has no hostname in its CN; once the certificate carries the broker's
# hostname, set it to https (the Kafka default since 2.0).
ssl.endpoint.identification.algorithm=


# listener.security.protocol.map=SSL:SSL

# Enable internode communication over SSL

security.inter.broker.protocol=SSL


# inter.broker.listener.name=SSL



TEST BROKER WITH SSL ENABLED

After you start the broker, test the SSL configuration.

$ openssl s_client -debug -connect $HOSTNAME:9092 -tls1_2

CONNECTED(00000005)

write to 0x7f9daf504a50 [0x7f9db0814803] (196 bytes => 196 (0xC4))

0000 - 16 03 01 00 bf 01 00 00-bb 03 03 3b 1d 02 ec ee ...........;....

0010 - b0 96 25 8c bf fc 67 05-2b f2 63 0c c6 24 22 95 ..%...g.+.c..$".

0020 - 30 41 0e 28 8f 02 77 a8-a5 ca e8 00 00 5c c0 30 0A.(..w......\.0

0030 - c0 2c c0 28 c0 24 c0 14-c0 0a 00 9f 00 6b 00 39 .,.(.$.......k.9

0040 - cc a9 cc a8 cc aa ff 85-00 c4 00 88 00 81 00 9d ................

0050 - 00 3d 00 35 00 c0 00 84-c0 2f c0 2b c0 27 c0 23 .=.5...../.+.'.#

0060 - c0 13 c0 09 00 9e 00 67-00 33 00 be 00 45 00 9c .......g.3...E..

0070 - 00 3c 00 2f 00 ba 00 41-c0 11 c0 07 00 05 00 04 .<./...A........

0080 - c0 12 c0 08 00 16 00 0a-00 ff 01 00 00 36 00 0b .............6..

0090 - 00 02 01 00 00 0a 00 08-00 06 00 1d 00 17 00 18 ................

00a0 - 00 23 00 00 00 0d 00 1c-00 1a 06 01 06 03 ef ef .#..............

00b0 - 05 01 05 03 04 01 04 03-ee ee ed ed 03 01 03 03 ................

00c0 - 02 01 02 03 ....

read from 0x7f9daf504a50 [0x7f9db0810603] (5 bytes => 5 (0x5))

0000 - 16 03 03 08 d3 .....

read from 0x7f9daf504a50 [0x7f9db0810608] (2259 bytes => 2259 (0x8D3))

0000 - 02 00 00 4d 03 03 5e ef-5b 46 1a 28 83 24 03 00 ...M..^.[F.(.$..

0010 - 8b 9e ec 97 b7 5f 65 0a-f5 22 b6 22 ea e7 fc 78 ....._e.."."...x

0020 - fc 5b 7a 11 3a 75 20 5e-ef 5b 46 42 06 66 d0 bb .[z.:u ^.[FB.f..

0030 - d6 44 a7 a1 87 62 69 b2-4a ce c3 bf 35 7a 99 2d .D...bi.J...5z.-

0040 - 72 0f d8 71 16 77 ce c0-30 00 00 05 ff 01 00 01 r..q.w..0.......

0050 - 00 0b 00 06 9c 00 06 99-00 03 45 30 82 03 41 30 ..........E0..A0

0060 - 82 02 29 02 09 00 e7 5e-32 f7 32 46 fd 8c 30 0d ..)....^2.2F..0.

0070 - 06 09 2a 86 48 86 f7 0d-01 01 05 05 00 30 67 31 ..*.H........0g1

0080 - 0b 30 09 06 03 55 04 06-13 02 49 4e 31 0b 30 09 .0...U....IN1.0.

0090 - 06 03 55 04 08 0c 02 4b-41 31 0d 30 0b 06 03 55 ..U....KA1.0...U

00a0 - 04 07 0c 04 42 61 6e 67-31 0f 30 0d 06 03 55 04 ....Bang1.0...U.

00b0 - 0a 0c 06 65 69 6e 65 78-74 31 0d 30 0b 06 03 55 ...einext1.0...U

00c0 - 04 0b 0c 04 74 65 63 68-31 1c 30 1a 06 09 2a 86 ....tech1.0...*.

00d0 - 48 86 f7 0d 01 09 01 16-0d 74 65 73 74 40 74 65 H........test@te

00e0 - 73 74 2e 63 6f 6d 30 1e-17 0d 32 30 30 36 32 31 st.com0...200621

00f0 - 31 31 35 38 30 34 5a 17-0d 32 31 30 36 32 32 31 115804Z..2106221

0100 - 31 35 38 30 34 5a 30 5e-31 0b 30 09 06 03 55 04 15804Z0^1.0...U.

0110 - 06 13 02 49 4e 31 0b 30-09 06 03 55 04 08 13 02 ...IN1.0...U....

0120 - 6b 61 31 0d 30 0b 06 03-55 04 07 13 04 62 61 6e ka1.0...U....ban

0130 - 67 31 0f 30 0d 06 03 55-04 0a 13 06 65 69 6e 65 g1.0...U....eine

0140 - 78 74 31 0d 30 0b 06 03-55 04 0b 13 04 74 65 63 xt1.0...U....tec

0150 - 68 31 13 30 11 06 03 55-04 03 13 0a 61 62 75 6c h1.0...U....abul

0160 - 20 62 61 73 61 72 30 82-01 22 30 0d 06 09 2a 86 basar0.."0...*.

0170 - 48 86 f7 0d 01 01 01 05-00 03 82 01 0f 00 30 82 H.............0.

0180 - 01 0a 02 82 01 01 00 c5-af f2 e7 b1 e7 fb 97 f0 ................

0190 - cf 5b d7 60 dc 90 db 3b-95 53 13 93 5f c4 d6 47 .[.`...;.S.._..G

01a0 - d1 c7 f0 7f 07 a4 67 84-0f a8 76 9d ef 53 ca 40 ......g...v..S.@

01b0 - 29 51 96 e6 e3 58 d7 74-3e 83 38 36 4b 9a 50 fc )Q...X.t>.86K.P.

01c0 - 41 69 95 0c 45 7e 4a ab-5f 78 fa a4 f1 58 9f c6 Ai..E~J._x...X..

01d0 - 87 f7 c5 ad 99 c0 6f 8f-a2 8b 3a 4d 05 6e 7d 0e ......o...:M.n}.

01e0 - 66 00 d6 41 a5 bc fc 00-cb 5a a9 49 ab 40 8a b8 f..A.....Z.I.@..

01f0 - bd 60 b0 df 60 0d 24 7f-0c ee d5 a4 ac bf 2b 9e .`..`.$.......+.

0200 - df 41 46 8e d6 98 25 ee-dc 30 5f 1d 6b f2 fc f9 .AF...%..0_.k...

0210 - db cf 58 ac 04 74 84 9f-57 f7 49 c7 78 85 fe b9 ..X..t..W.I.x...

0220 - 9a d3 8a d7 aa 1e 09 85-ac 27 da e1 96 29 1c f8 .........'...)..

0230 - 18 e2 eb 74 b3 51 21 23-48 79 af 76 9f d5 1d 04 ...t.Q!#Hy.v....

0240 - 80 7b ac 00 57 b0 fb 55-e9 c1 fb ef f1 4d 47 41 .{..W..U.....MGA

0250 - 32 b1 75 0b 22 86 60 61-1b 4a f0 65 75 73 9a b2 2.u.".`a.J.eus..

0260 - 3c d7 e0 bd e5 05 2c e5-07 ef 71 92 07 d3 3c a1 <.....,...q...<.

0270 - 58 c3 4d da ec 4c 75 91-54 f4 5a a8 f9 4b e5 8f X.M..Lu.T.Z..K..

0280 - 00 53 17 ec 30 c7 83 02-03 01 00 01 30 0d 06 09 .S..0.......0...

0290 - 2a 86 48 86 f7 0d 01 01-05 05 00 03 82 01 01 00 *.H.............

02a0 - bf 97 50 3e 57 b1 7b 24-3e 97 61 e0 71 e2 d7 e7 ..P>W.{$>.a.q...

02b0 - bf 60 2a 5e 79 98 f2 2e-dd 05 ff f7 1c 00 ee 1a .`*^y...........

02c0 - 15 c1 35 c7 c8 c8 eb 28-ff ee c2 90 3f 96 1a 3b ..5....(....?..;

02d0 - 48 cb d4 14 c6 af b9 bf-de ae 2d cc 97 2e 02 4d H.........-....M

02e0 - 5f 1d 9e 14 a5 ff 04 24-4a 91 2e a4 e7 c4 05 04 _......$J.......

02f0 - 0f 87 02 d6 25 04 67 1f-aa 1a 4f 8e 84 0a da bd ....%.g...O.....

0300 - d3 c7 a8 9f 6c aa 89 fd-86 48 4d d9 7e 91 d3 59 ....l....HM.~..Y

0310 - bf d1 4d b8 dc 57 fd 3b-32 b8 dc e7 ac 5e 2f e9 ..M..W.;2....^/.

0320 - 61 40 17 3c 14 7d 1f 00-6c 52 25 b9 b4 dc 22 59 a@.<.}..lR%..."Y

0330 - c5 a2 0b 6e 97 81 6d 35-5a cc 87 0c 0a 01 49 29 ...n..m5Z.....I)

0340 - 69 fe 48 e8 ac 75 60 05-6f 2c db 72 3e 5b e9 8e i.H..u`.o,.r>[..

0350 - 5f fb 35 6b 22 77 2a e9-02 eb 94 f6 70 a7 c4 35 _.5k"w*.....p..5

0360 - 61 ca a7 d4 8d 8e 76 c2-e4 14 f8 ce d5 e8 35 94 a.....v.......5.

0370 - 71 66 21 5e b0 2d 5d 89-7d 77 9f 0a 37 0b c6 b2 qf!^.-].}w..7...

0380 - e7 14 e8 ea f8 d9 a6 6f-e2 c1 4b 9c 1f 75 69 b8 .......o..K..ui.

0390 - d7 65 82 23 f0 92 41 5d-4f fb ae c6 34 f5 50 55 .e.#..A]O...4.PU

03a0 - 00 03 4e 30 82 03 4a 30-82 02 32 02 09 00 f8 a4 ..N0..J0..2.....

03b0 - a5 3a f0 11 dd a3 30 0d-06 09 2a 86 48 86 f7 0d .:....0...*.H...

03c0 - 01 01 0b 05 00 30 67 31-0b 30 09 06 03 55 04 06 .....0g1.0...U..

03d0 - 13 02 49 4e 31 0b 30 09-06 03 55 04 08 0c 02 4b ..IN1.0...U....K

03e0 - 41 31 0d 30 0b 06 03 55-04 07 0c 04 42 61 6e 67 A1.0...U....Bang

03f0 - 31 0f 30 0d 06 03 55 04-0a 0c 06 65 69 6e 65 78 1.0...U....einex

0400 - 74 31 0d 30 0b 06 03 55-04 0b 0c 04 74 65 63 68 t1.0...U....tech

0410 - 31 1c 30 1a 06 09 2a 86-48 86 f7 0d 01 09 01 16 1.0...*.H.......

0420 - 0d 74 65 73 74 40 74 65-73 74 2e 63 6f 6d 30 1e .test@test.com0.

0430 - 17 0d 32 30 30 36 32 31-31 31 35 36 34 38 5a 17 ..200621115648Z.

0440 - 0d 32 31 30 36 32 32 31-31 35 36 34 38 5a 30 67 .210622115648Z0g

0450 - 31 0b 30 09 06 03 55 04-06 13 02 49 4e 31 0b 30 1.0...U....IN1.0

0460 - 09 06 03 55 04 08 0c 02-4b 41 31 0d 30 0b 06 03 ...U....KA1.0...

0470 - 55 04 07 0c 04 42 61 6e-67 31 0f 30 0d 06 03 55 U....Bang1.0...U

0480 - 04 0a 0c 06 65 69 6e 65-78 74 31 0d 30 0b 06 03 ....einext1.0...

0490 - 55 04 0b 0c 04 74 65 63-68 31 1c 30 1a 06 09 2a U....tech1.0...*

04a0 - 86 48 86 f7 0d 01 09 01-16 0d 74 65 73 74 40 74 .H........test@t

04b0 - 65 73 74 2e 63 6f 6d 30-82 01 22 30 0d 06 09 2a est.com0.."0...*

04c0 - 86 48 86 f7 0d 01 01 01-05 00 03 82 01 0f 00 30 .H.............0

04d0 - 82 01 0a 02 82 01 01 00-c9 e1 12 30 4c 19 3d a4 ...........0L.=.

04e0 - c8 16 9c 85 6f 18 af 44-20 63 ff 2b d8 bc 18 96 ....o..D c.+....

04f0 - d9 7a 01 92 72 56 94 7e-68 5c 31 9a b0 82 d1 e0 .z..rV.~h\1.....

0500 - 6a 0f 16 b7 50 02 71 9c-7b 9e 4b e9 b9 3d 5c ef j...P.q.{.K..=\.

0510 - 08 83 31 3a 69 5b ca 9f-fc 91 ab 84 a9 a7 07 fd ..1:i[..........

0520 - 9a 21 16 38 0a 0a 7a 80-b2 78 e8 2b 4c d4 1c 44 .!.8..z..x.+L..D

0530 - e9 e1 77 7c 37 32 86 e3-b8 d5 e4 57 42 09 f0 39 ..w|72.....WB..9

0540 - e0 8a 8c 44 94 62 a5 72-cb a2 c3 d5 77 41 f3 95 ...D.b.r....wA..

0550 - 3e 8e 71 a5 18 55 b3 3a-8d 75 9a 20 34 04 95 33 >.q..U.:.u. 4..3

0560 - 6f a8 a2 99 24 bb 78 03-36 f2 23 9f ac 9b 5b 8b o...$.x.6.#...[.

0570 - f8 7a 36 e8 ac 6e 32 95-93 90 c3 68 ef 6c d4 eb .z6..n2....h.l..

0580 - 34 1f 19 d3 97 b0 05 f3-a4 05 9c 89 04 7f a4 d1 4...............

0590 - 23 ca a5 a8 ab 6e b6 3b-ca 3f 41 9c 0a 12 9c d8 #....n.;.?A.....

05a0 - 85 dc cb 31 05 1b 14 ed-5e f2 3d 5c 7c 1f a0 fa ...1....^.=\|...

05b0 - e5 78 02 29 e3 d2 c5 6c-99 e9 48 d9 a1 b6 2f 0c .x.)...l..H.../.

05c0 - cc 75 a1 3a ad 71 d4 de-e4 7f 50 09 7d 50 f6 4e .u.:.q....P.}P.N

05d0 - 10 2d 76 02 e4 02 1c 8f-02 03 01 00 01 30 0d 06 .-v..........0..

05e0 - 09 2a 86 48 86 f7 0d 01-01 0b 05 00 03 82 01 01 .*.H............

05f0 - 00 ba 8d 50 d6 b2 61 3d-0b 94 e1 8f ab d4 d0 33 ...P..a=.......3

0600 - 7e 07 e6 9f 80 a7 89 1b-73 39 b9 99 df 61 34 70 ~.......s9...a4p

0610 - eb 34 1c 9d 61 da 09 e6-81 e3 c4 29 93 f2 48 27 .4..a......)..H'

0620 - db 70 1c 75 ce 40 c8 d9-a7 69 4f d6 da a1 49 f6 .p.u.@...iO...I.

0630 - a3 1c ca a3 47 99 88 03-a9 ed 94 42 46 c1 61 df ....G......BF.a.

0640 - 8a 9a 37 df e2 82 fc d9-a2 48 24 37 7d ee 0e 66 ..7......H$7}..f

0650 - 60 91 8e 1c 62 6b 27 b6-a0 38 11 f7 39 b9 52 6b `...bk'..8..9.Rk

0660 - 63 66 15 e3 d3 5b 2f 7a-c6 86 16 8f eb 85 e6 61 cf...[/z.......a

0670 - c4 1c 65 e0 f6 5d e0 d8-4d 94 18 ca 00 65 eb 26 ..e..]..M....e.&

0680 - 4c 49 64 3b 50 77 2c 5f-1c 43 a4 1a b7 62 2f 95 LId;Pw,_.C...b/.

0690 - ec ad 72 86 48 9f b3 d7-e5 48 bb 1d 8d 17 de 4b ..r.H....H.....K

06a0 - 9e 06 39 e5 f1 3b 7e 30-fc 74 3f 7b 20 96 b9 df ..9..;~0.t?{ ...

06b0 - 8f 6d ca 78 36 56 2b cd-24 29 1b 8c a3 a0 4e b3 .m.x6V+.$)....N.

06c0 - df 2f 39 d3 32 ea 62 d4-8f 0f 56 3a a7 7a e4 a5 ./9.2.b...V:.z..

06d0 - cf d0 26 24 38 52 20 ca-9c c5 05 1b 6a 10 b7 49 ..&$8R .....j..I

06e0 - c8 5c 3b da 6b 66 fa a9-0a 41 42 2a b8 a8 fe 84 .\;.kf...AB*....

06f0 - a4 0c 00 01 49 03 00 17-41 04 44 f5 ca 34 81 4f ....I...A.D..4.O

0700 - 35 d1 ba 0d b2 38 fa 32-65 b9 36 02 94 84 a0 99 5....8.2e.6.....

0710 - d5 b0 de 80 ea 10 70 01-50 ad e8 ac 55 5b 46 3b ......p.P...U[F;

0720 - 68 e2 06 44 9d 47 ab d4-42 bf 55 24 86 ac fa bb h..D.G..B.U$....

0730 - 64 c3 0a 05 a3 6e f2 a8-a1 3a 06 01 01 00 09 82 d....n...:......

0740 - 85 34 53 66 56 9c 67 c4-89 a7 36 8e 7c ef 10 aa .4SfV.g...6.|...

0750 - c0 fd 5e 5e c1 57 ca 8d-20 2e fc 71 9e d4 70 ce ..^^.W.. ..q..p.

0760 - 94 3b 68 ca ba 22 49 d9-23 b0 3e 91 77 ef cf ea .;h.."I.#.>.w...

0770 - b0 79 5a 3f 0e 23 2e e8-e0 d7 47 62 da 91 24 81 .yZ?.#....Gb..$.

0780 - 41 bb 3d 74 f1 ce 93 c2-28 dc bc 9e 19 1b 1e dc A.=t....(.......

0790 - 30 77 ad a2 99 55 df 6b-ae d7 ee 25 54 6c ab 65 0w...U.k...%Tl.e

07a0 - 11 4a 95 72 20 0a cf 4a-f2 23 c2 ca b5 ee fd 87 .J.r ..J.#......

07b0 - 5e a7 3e 9f 50 41 e2 41-a9 79 ee 43 ca 96 27 ec ^.>.PA.A.y.C..'.

07c0 - f0 bd 3c 01 40 53 5b d9-46 49 94 4e 95 0d d0 29 ..<.@S[.FI.N...)

07d0 - 4c d7 a2 42 7b d2 5f 8a-20 de 19 7d 6b 10 7b da L..B{._. ..}k.{.

07e0 - 9c 16 90 67 f0 cd 89 1b-ac 73 5c 29 f0 d9 2c 77 ...g.....s\)..,w

07f0 - e0 08 1c db f8 6d 3a 0c-1f da 1b d5 64 81 6f b3 .....m:.....d.o.

0800 - 6c 0b b7 ae 63 dc c8 b1-9a 48 e0 66 d3 db 5b 2f l...c....H.f..[/

0810 - d1 ba 93 9a 4f 73 54 88-68 23 87 89 12 e9 50 8a ....OsT.h#....P.

0820 - d7 63 ad a7 d9 74 e3 84-6a ca df c4 19 de 16 c3 .c...t..j.......

0830 - 40 66 ad 69 e7 c7 ee 40-da 5b f9 25 df 4b 0d 00 @f.i...@.[.%.K..

0840 - 00 8d 03 01 02 40 00 1a-06 03 06 01 05 03 05 01 .....@..........

0850 - 04 03 04 01 04 02 03 03-03 01 03 02 02 03 02 01 ................

0860 - 02 02 00 6b 00 69 30 67-31 0b 30 09 06 03 55 04 ...k.i0g1.0...U.

0870 - 06 13 02 49 4e 31 0b 30-09 06 03 55 04 08 0c 02 ...IN1.0...U....

0880 - 4b 41 31 0d 30 0b 06 03-55 04 07 0c 04 42 61 6e KA1.0...U....Ban

0890 - 67 31 0f 30 0d 06 03 55-04 0a 0c 06 65 69 6e 65 g1.0...U....eine

08a0 - 78 74 31 0d 30 0b 06 03-55 04 0b 0c 04 74 65 63 xt1.0...U....tec

08b0 - 68 31 1c 30 1a 06 09 2a-86 48 86 f7 0d 01 09 01 h1.0...*.H......

08c0 - 16 0d 74 65 73 74 40 74-65 73 74 2e 63 6f 6d 0e ..test@test.com.

08d3 - <SPACES/NULS>

depth=1 C = IN, ST = KA, L = Bang, O = einext, OU = tech, emailAddress = test@test.com

verify error:num=19:self signed certificate in certificate chain

verify return:0

write to 0x7f9daf504a50 [0x7f9db0819a00] (12 bytes => 12 (0xC))

0000 - 16 03 03 00 07 0b 00 00-03 .........

000c - <SPACES/NULS>

write to 0x7f9daf504a50 [0x7f9db0819a00] (75 bytes => 75 (0x4B))

0000 - 16 03 03 00 46 10 00 00-42 41 04 38 db db be a3 ....F...BA.8....

0010 - 7c c8 2c a5 8f b3 6e 61-65 a2 b6 f0 30 72 70 b8 |.,...nae...0rp.

0020 - 4a 45 24 b3 70 04 f2 77-16 44 67 57 e8 e2 a9 44 JE$.p..w.DgW...D

0030 - 9d 46 b8 38 26 08 0c 03-a1 93 0b 58 54 cd 04 a5 .F.8&......XT...

0040 - 99 37 23 cb 50 57 54 f2-b6 83 8e .7#.PWT....

write to 0x7f9daf504a50 [0x7f9db0819a00] (6 bytes => -1 (0xFFFFFFFFFFFFFFFF))

write:errno=32

---

Certificate chain

0 s:/C=IN/ST=ka/L=bang/O=einext/OU=tech/CN=abul basar

i:/C=IN/ST=KA/L=Bang/O=einext/OU=tech/emailAddress=test@test.com

1 s:/C=IN/ST=KA/L=Bang/O=einext/OU=tech/emailAddress=test@test.com

i:/C=IN/ST=KA/L=Bang/O=einext/OU=tech/emailAddress=test@test.com

---

Server certificate

-----BEGIN CERTIFICATE-----

MIIDQTCCAikCCQDnXjL3Mkb9jDANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJJ

TjELMAkGA1UECAwCS0ExDTALBgNVBAcMBEJhbmcxDzANBgNVBAoMBmVpbmV4dDEN

MAsGA1UECwwEdGVjaDEcMBoGCSqGSIb3DQEJARYNdGVzdEB0ZXN0LmNvbTAeFw0y

MDA2MjExMTU4MDRaFw0yMTA2MjIxMTU4MDRaMF4xCzAJBgNVBAYTAklOMQswCQYD

VQQIEwJrYTENMAsGA1UEBxMEYmFuZzEPMA0GA1UEChMGZWluZXh0MQ0wCwYDVQQL

EwR0ZWNoMRMwEQYDVQQDEwphYnVsIGJhc2FyMIIBIjANBgkqhkiG9w0BAQEFAAOC

AQ8AMIIBCgKCAQEAxa/y57Hn+5fwz1vXYNyQ2zuVUxOTX8TWR9HH8H8HpGeED6h2

ne9TykApUZbm41jXdD6DODZLmlD8QWmVDEV+SqtfePqk8Vifxof3xa2ZwG+Poos6

TQVufQ5mANZBpbz8AMtaqUmrQIq4vWCw32ANJH8M7tWkrL8rnt9BRo7WmCXu3DBf

HWvy/Pnbz1isBHSEn1f3Scd4hf65mtOK16oeCYWsJ9rhlikc+Bji63SzUSEjSHmv

dp/VHQSAe6wAV7D7VenB++/xTUdBMrF1CyKGYGEbSvBldXOasjzX4L3lBSzlB+9x

kgfTPKFYw03a7Ex1kVT0Wqj5S+WPAFMX7DDHgwIDAQABMA0GCSqGSIb3DQEBBQUA

A4IBAQC/l1A+V7F7JD6XYeBx4tfnv2AqXnmY8i7dBf/3HADuGhXBNcfIyOso/+7C

kD+WGjtIy9QUxq+5v96uLcyXLgJNXx2eFKX/BCRKkS6k58QFBA+HAtYlBGcfqhpP

joQK2r3Tx6ifbKqJ/YZITdl+kdNZv9FNuNxX/TsyuNznrF4v6WFAFzwUfR8AbFIl

ubTcIlnFogtul4FtNVrMhwwKAUkpaf5I6Kx1YAVvLNtyPlvpjl/7NWsidyrpAuuU

9nCnxDVhyqfUjY52wuQU+M7V6DWUcWYhXrAtXYl9d58KNwvGsucU6Or42aZv4sFL

nB91abjXZYIj8JJBXU/7rsY09VBV

-----END CERTIFICATE-----

subject=/C=IN/ST=ka/L=bang/O=einext/OU=tech/CN=abul basar

issuer=/C=IN/ST=KA/L=Bang/O=einext/OU=tech/emailAddress=test@test.com

---

Acceptable client certificate CA names

/C=IN/ST=KA/L=Bang/O=einext/OU=tech/emailAddress=test@test.com

Server Temp Key: ECDH, P-256, 256 bits

---

SSL handshake has read 2264 bytes and written 93 bytes

---

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384

Server public key is 2048 bit

Secure Renegotiation IS supported

Compression: NONE

Expansion: NONE

No ALPN negotiated

SSL-Session:

Protocol : TLSv1.2

Cipher : ECDHE-RSA-AES256-GCM-SHA384

Session-ID: 5EEF5B46420666D0BBD644A7A1876269B24ACEC3BF357A992D720FD8711677CE

Session-ID-ctx:

Master-Key: ADF818B8EBAE737F77158FCE6E9211851ACE70FCEC3901F6D0AA6D44F1F7C97BC6E8B1C616957D45B9B40250838CD50F

Start Time: 1592744774

Timeout : 7200 (sec)

Verify return code: 19 (self signed certificate in certificate chain)

---
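The useful facts in the transcript above are the session summary at the end: the negotiated protocol and cipher, whether the broker asked for a client certificate (the "Acceptable client certificate CA names" block shows that `ssl.client.auth=required` is in effect), and the verify return code. Code 19 here does not mean the broker is misconfigured: `s_client` was not told which CA to trust, so it cannot chain to `ca-cert`; running it with `-CAfile ca-cert` verifies the chain and returns 0. As an added example, not part of the original notes, the script below extracts those facts from an `s_client` transcript and explains them. The transcripts are constructed, shortened copies of the output above (the `-debug` hex dump omitted) plus a constructed TLS 1.3 variant; the interpretation rules are this example's own.

```python
"""Summarise an `openssl s_client` transcript for a Kafka SSL listener.

Added example, not part of the original notes; sample transcripts are constructed.
"""
import re

# Constructed: the tail of the transcript shown above, hex dump removed.
SAMPLE_TRANSCRIPT = """\
depth=1 C = IN, ST = KA, L = Bang, O = einext, OU = tech, emailAddress = test@test.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=IN/ST=ka/L=bang/O=einext/OU=tech/CN=abul basar
   i:/C=IN/ST=KA/L=Bang/O=einext/OU=tech/emailAddress=test@test.com
 1 s:/C=IN/ST=KA/L=Bang/O=einext/OU=tech/emailAddress=test@test.com
   i:/C=IN/ST=KA/L=Bang/O=einext/OU=tech/emailAddress=test@test.com
---
Acceptable client certificate CA names
/C=IN/ST=KA/L=Bang/O=einext/OU=tech/emailAddress=test@test.com
Server Temp Key: ECDH, P-256, 256 bits
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 19 (self signed certificate in certificate chain)
---
"""

# Constructed variant: run with -CAfile against a TLS 1.3 listener that does
# not request client certificates (only the relevant lines are included).
SAMPLE_TRANSCRIPT_NO_MTLS = """\
---
No client certificate CA names sent
Server Temp Key: X25519, 253 bits
---
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Verify return code: 0 (ok)
---
"""

FIELD_RE = re.compile(r"^\s*(Protocol|Cipher)\s*:\s*(\S+)")
VERIFY_RE = re.compile(r"^\s*Verify return code:\s*(\d+)\s*\((.*)\)")
CHAIN_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
MODERN_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
SELF_SIGNED_CODES = {18, 19}  # OpenSSL: self-signed leaf / self-signed root in chain


def forward_secret(cipher, protocol):
    """TLS 1.3 suites always use ephemeral key exchange; TLS 1.2 suite names say so."""
    return protocol == "TLSv1.3" or cipher.startswith(("ECDHE-", "DHE-"))


def summarise_s_client(text):
    s = {"protocol": None, "cipher": None, "verify_code": None, "verify_text": None,
         "chain": [], "client_cert_requested": False}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            s[m.group(1).lower()] = m.group(2)
            continue
        m = VERIFY_RE.match(line)
        if m:
            s["verify_code"], s["verify_text"] = int(m.group(1)), m.group(2)
            continue
        m = CHAIN_RE.match(line)
        if m:
            s["chain"].append(m.group(2).strip())
        elif line.startswith("Acceptable client certificate CA names"):
            s["client_cert_requested"] = True
    s["modern_protocol"] = s["protocol"] in MODERN_PROTOCOLS
    s["forward_secrecy"] = bool(s["cipher"]) and forward_secret(s["cipher"], s["protocol"])
    return s


def explain(summary):
    """Turn the summary into reviewer-style notes."""
    notes = []
    if not summary["modern_protocol"]:
        notes.append(f"negotiated {summary['protocol']}; only TLSv1.2/TLSv1.3 should be enabled")
    if not summary["forward_secrecy"]:
        notes.append(f"cipher {summary['cipher']} has no forward secrecy")
    if summary["client_cert_requested"]:
        notes.append("broker requested a client certificate: ssl.client.auth=required is in effect")
    else:
        notes.append("broker did not request a client certificate")
    code = summary["verify_code"]
    if code == 0:
        notes.append("certificate chain verified")
    elif code in SELF_SIGNED_CODES:
        notes.append("chain not trusted by s_client; rerun with -CAfile ca-cert to verify against the signing CA")
    elif code is not None:
        notes.append(f"verification failed: {summary['verify_text']}")
    return notes


if __name__ == "__main__":
    for note in explain(summarise_s_client(SAMPLE_TRANSCRIPT)):
        print(note)
```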



----------------------------------------------------------------------------

CLIENT CONFIG

=============================================================================

security.protocol=SSL

ssl.enabled.protocols=TLSv1.2

ssl.protocol=TLSv1.2


ssl.truststore.type=JKS

ssl.truststore.location=/Users/abasar/Downloads/kafka-ssl/client1/client.truststore.jks

ssl.truststore.password=test1234


ssl.keystore.type=JKS

ssl.keystore.location=/Users/abasar/Downloads/kafka-ssl/client1/client.keystore.jks

ssl.keystore.password=test1234

ssl.key.password=test1234


# An empty value disables checking that the broker certificate matches the broker hostname;
# needed here only because the broker certificate has no hostname in its CN.
ssl.endpoint.identification.algorithm=
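Both the broker config (config/server.properties, above) and this client config carry settings whose weak values are easy to miss in review: an empty `ssl.endpoint.identification.algorithm`, a `ssl.client.auth` other than `required`, a `PLAINTEXT://` listener, legacy versions in `ssl.enabled.protocols`, or an unencrypted inter-broker or client protocol. As an added example, not part of the original notes, the audit below reads a properties file and reports those findings for either role. The two sample configs are constructed copies of the page's broker and client settings (keystore paths replaced with placeholders); the third is a constructed weak broker config so that every check fires. The check list is this example's own and follows Kafka's documented option semantics.

```python
"""Audit Kafka SSL settings in a .properties file for weak or disabled protections.

Added example, not part of the original notes; sample configs are constructed.
"""

# Constructed copy of the broker settings shown above (paths are placeholders).
BROKER_PROPERTIES = """\
# Todo: Replace EN01.local with the actual hostname.
listeners=SSL://EN01.local:9092
advertised.listeners=SSL://EN01.local:9092
ssl.client.auth=required
ssl.keystore.location=/path/to/server.keystore.jks
ssl.keystore.password=test1234
ssl.truststore.location=/path/to/server.truststore.jks
ssl.truststore.password=test1234
ssl.endpoint.identification.algorithm=
security.inter.broker.protocol=SSL
"""

# Constructed copy of the client settings shown above.
CLIENT_PROPERTIES = """\
security.protocol=SSL
ssl.enabled.protocols=TLSv1.2
ssl.protocol=TLSv1.2
ssl.truststore.location=/path/to/client.truststore.jks
ssl.keystore.location=/path/to/client.keystore.jks
ssl.endpoint.identification.algorithm=
"""

# Constructed weak broker config: plaintext listener, optional client
# certificates, legacy TLS versions and unencrypted inter-broker traffic.
WEAK_BROKER_PROPERTIES = """\
listeners=PLAINTEXT://0.0.0.0:9092,SSL://broker1.example:9093
ssl.client.auth=none
ssl.enabled.protocols=TLSv1,TLSv1.1,TLSv1.2
security.inter.broker.protocol=PLAINTEXT
ssl.endpoint.identification.algorithm=https
"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
ENCRYPTED = {"SSL", "SASL_SSL"}


def parse_properties(text):
    """Minimal Java .properties reader: key=value per line, '#'/'!' comments skipped.

    An empty value is kept as the empty string, which is exactly the case
    that matters for ssl.endpoint.identification.algorithm.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_kafka_ssl(text, role):
    """Return findings for a 'broker' or 'client' properties file."""
    p = parse_properties(text)
    findings = []

    # Kafka >= 2.0 defaults this to 'https'; an explicitly empty value turns
    # hostname verification off, so any CA-signed certificate passes for any host.
    if p.get("ssl.endpoint.identification.algorithm") == "":
        findings.append("ssl.endpoint.identification.algorithm is empty: hostname verification disabled")

    for proto in (v.strip() for v in p.get("ssl.enabled.protocols", "").split(",")):
        if proto in LEGACY_PROTOCOLS:
            findings.append(f"ssl.enabled.protocols allows legacy protocol {proto}")

    if role == "broker":
        for key in ("listeners", "advertised.listeners"):
            for listener in (v.strip() for v in p.get(key, "").split(",")):
                if listener.upper().startswith("PLAINTEXT://"):
                    findings.append(f"{key} exposes an unencrypted listener: {listener}")
        if p.get("ssl.client.auth", "none") != "required":
            findings.append("ssl.client.auth is not 'required': clients are not authenticated by certificate")
        # When inter.broker.listener.name is used instead, the listener's own
        # security protocol applies and this setting must be absent.
        if "inter.broker.listener.name" not in p and \
                p.get("security.inter.broker.protocol", "PLAINTEXT") not in ENCRYPTED:
            findings.append("security.inter.broker.protocol is not SSL/SASL_SSL: inter-broker traffic unencrypted")
    elif role == "client":
        if p.get("security.protocol", "PLAINTEXT") not in ENCRYPTED:
            findings.append("security.protocol is not SSL/SASL_SSL: client traffic unencrypted")
    else:
        raise ValueError(f"unknown role {role!r}")
    return findings


if __name__ == "__main__":
    for name, text, role in (("broker", BROKER_PROPERTIES, "broker"),
                             ("client", CLIENT_PROPERTIES, "client"),
                             ("weak broker", WEAK_BROKER_PROPERTIES, "broker")):
        print(name, audit_kafka_ssl(text, role) or ["no findings"])
```

For the page's own broker and client configs the only finding is the disabled hostname verification, which is the price of leaving the certificate CN blank; the weak sample shows the other checks firing.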


Update config/producer.properties with the lines above and start the producer:

bin/kafka-console-producer.sh \
  --bootstrap-server $(hostname):9092 \
  --topic demo \
  --producer.config config/producer.properties



Similarly, update config/consumer.properties and start the consumer:

bin/kafka-console-consumer.sh \
  --bootstrap-server $(hostname):9092 \
  --topic demo \
  --consumer.config config/consumer.properties



Verify with tcpdump that the traffic between the broker and the clients no longer shows the message contents in plaintext.

sudo tcpdump -XX -i any -nn port 9092 and host $(hostname)