Kafka / KAFKA-17504

An error related to EKU(Extended key usage) in Kafka versions beyond 3.3.1


Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • 3.3.2
    • 3.3.1
    • documentation
    • non-prod

    Description

      I have a multi-node Kafka cluster in KRaft mode where the brokers need to communicate with each other and with clients using SSL. However, the SSL certificates we have only include the serverAuth Extended Key Usage (EKU) and do not include clientAuth. This is causing issues while deploying a Kafka cluster with version 3.3.2.

      Error:

      Fatal error during broker startup. Prepare to shutdown (kafka.server.BrokerServer) org.apache.kafka.common.config.ConfigException: Invalid value javax.net.ssl.SSLHandshakeException: Extended key usage does not permit use for TLS client authentication for configuration A client SSLEngine created with the provided settings can't connect to a server SSLEngine created with those settings.

      Details: Current Certificate : EKU: Only serverAuth (No clientAuth)

      Kafka Configuration:

      CFG_LISTENERS=SSL://:9093,CONTROLLER://:9094
      CFG_LISTENER_SECURITY_PROTOCOL_MAP=CONTROLLER:SSL,SSL:SSL

      Other SSL settings like keystore and truststore are properly configured.

      I can set up the Kafka cluster without any error using the same certificate and configurations but with the Kafka version 3.3.1.

      The corporate CA we are using issues certificates with serverAuth EKU.

      According to the Kafka documentation (https://kafka.apache.org/33/documentation.html#security_ssl_production), an SSL handshake will fail if the Extended Key Usage (EKU) field in the certificate is not configured correctly.

      Referenced text:

      Extended Key Usage: Certificates may contain an extension field that controls the purpose for which the certificate can be used. If this field is empty, there are no restrictions on the usage, but if any usage is specified in here, valid SSL implementations have to enforce these usages. Relevant usages for Kafka are:
      • Client authentication
      • Server authentication
      Kafka brokers need both these usages to be allowed, as for intra-cluster communication every broker will behave as both the client and the server towards other brokers. It is not uncommon for corporate CAs to have a signing profile for webservers and use this for Kafka as well, which will only contain the serverAuth usage value and cause the SSL handshake to fail.

      I've reviewed the release notes but found no details explaining changes related to EKU handling in versions >= 3.3.2.
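The rule quoted from the documentation (an absent EKU imposes no restriction; otherwise a broker certificate needs both serverAuth and clientAuth) is easy to check before deployment. The following is an added example, not code from the ticket or from the Kafka project: it decodes the DER value of an X.509 Extended Key Usage extension with the standard library only and applies that rule. The two sample byte strings are constructed, not taken from the reporter's certificate, and the helper names are the example's own.

```python
# Added example: decode an X.509 Extended Key Usage value and apply the
# broker rule from the Kafka docs (none listed => unrestricted, otherwise
# both serverAuth and clientAuth are required).
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth (RFC 5280)
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth (RFC 5280)

def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value: bytes) -> str:
    """Turn DER OID content octets into dotted-decimal form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:          # base-128 arcs, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def parse_eku(ext_value: bytes) -> list:
    """Parse ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId (OBJECT IDENTIFIER)."""
    tag, seq, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("EKU extension value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, oid, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside EKU")
        oids.append(_decode_oid(oid))
    return oids

def broker_cert_eku_ok(ekus: list) -> bool:
    """A broker is both TLS client and server towards its peers: accept an
    unrestricted certificate (no EKU) or one carrying both usages."""
    return not ekus or (SERVER_AUTH in ekus and CLIENT_AUTH in ekus)

# Constructed sample EKU values (web-server profile vs. a Kafka-suitable one).
SERVER_ONLY = bytes.fromhex("300a06082b06010505070301")
SERVER_AND_CLIENT = bytes.fromhex("301406082b0601050507030106082b06010505070302")

if __name__ == "__main__":
    for name, raw in (("serverAuth only", SERVER_ONLY), ("both", SERVER_AND_CLIENT)):
        ekus = parse_eku(raw)
        print(f"{name}: {ekus} -> broker OK: {broker_cert_eku_ok(ekus)}")
```

On a real deployment the extension value can be dumped from the keystore certificate with `openssl x509 -noout -ext extendedKeyUsage`; the first constructed sample corresponds to the serverAuth-only profile described in the report and is rejected by the check.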

      People

        Assignee: Unassigned
        Reporter: Tushar Patil (tpatil)