From 8ca558920347733ddf7a924463c93620e976a3f3 Mon Sep 17 00:00:00 2001 From: Sriharsha Chintalapani Date: Tue, 28 Apr 2015 00:29:53 -0700 Subject: [PATCH 01/19] KAFKA-1690. new java producer needs ssl support as a client. --- checkstyle/checkstyle.xml | 1 - checkstyle/import-control.xml | 14 +- .../java/org/apache/kafka/clients/ClientUtils.java | 14 + .../apache/kafka/clients/CommonClientConfigs.java | 2 + .../kafka/clients/consumer/ConsumerConfig.java | 11 +- .../kafka/clients/consumer/KafkaConsumer.java | 5 +- .../kafka/clients/producer/KafkaProducer.java | 5 +- .../kafka/clients/producer/ProducerConfig.java | 8 +- .../apache/kafka/common/config/SecurityConfig.java | 113 ++++++ .../apache/kafka/common/network/Authenticator.java | 60 +++ .../org/apache/kafka/common/network/Channel.java | 133 +++++++ .../kafka/common/network/DefaultAuthenticator.java | 46 +++ .../common/network/PlainTextTransportLayer.java | 148 +++++++ .../apache/kafka/common/network/SSLFactory.java | 188 +++++++++ .../kafka/common/network/SSLTransportLayer.java | 430 +++++++++++++++++++++ .../apache/kafka/common/network/Selectable.java | 1 + .../org/apache/kafka/common/network/Selector.java | 129 +++++-- .../kafka/common/network/TransportLayer.java | 86 +++++ .../kafka/common/protocol/SecurityProtocol.java | 2 + .../java/org/apache/kafka/common/utils/Utils.java | 11 + .../apache/kafka/common/network/EchoServer.java | 108 ++++++ .../kafka/common/network/SSLSelectorTest.java | 97 +++++ .../apache/kafka/common/network/SelectorTest.java | 79 +--- .../org/apache/kafka/common/utils/UtilsTest.java | 2 + .../java/org/apache/kafka/test/TestSSLUtils.java | 208 ++++++++++ 25 files changed, 1780 insertions(+), 121 deletions(-) create mode 100644 clients/src/main/java/org/apache/kafka/common/config/SecurityConfig.java create mode 100644 clients/src/main/java/org/apache/kafka/common/network/Authenticator.java create mode 100644 clients/src/main/java/org/apache/kafka/common/network/Channel.java create mode 100644 clients/src/main/java/org/apache/kafka/common/network/DefaultAuthenticator.java create mode 100644 clients/src/main/java/org/apache/kafka/common/network/PlainTextTransportLayer.java create mode 100644 clients/src/main/java/org/apache/kafka/common/network/SSLFactory.java create mode 100644 clients/src/main/java/org/apache/kafka/common/network/SSLTransportLayer.java create mode 100644 clients/src/main/java/org/apache/kafka/common/network/TransportLayer.java create mode 100644 clients/src/test/java/org/apache/kafka/common/network/EchoServer.java create mode 100644 clients/src/test/java/org/apache/kafka/common/network/SSLSelectorTest.java create mode 100644 clients/src/test/java/org/apache/kafka/test/TestSSLUtils.java diff --git a/checkstyle/checkstyle.xml b/checkstyle/checkstyle.xml index a215ff3..5fbf562 100644 --- a/checkstyle/checkstyle.xml +++ b/checkstyle/checkstyle.xml @@ -33,7 +33,6 @@ - diff --git a/checkstyle/import-control.xml b/checkstyle/import-control.xml index f2e6cec..e649189 100644 --- a/checkstyle/import-control.xml +++ b/checkstyle/import-control.xml @@ -26,6 +26,9 @@ + + + @@ -33,14 +36,18 @@ - + + + + + @@ -51,6 +58,9 @@ + + + @@ -73,6 +83,7 @@ + @@ -80,6 +91,7 @@ + diff --git a/clients/src/main/java/org/apache/kafka/clients/ClientUtils.java b/clients/src/main/java/org/apache/kafka/clients/ClientUtils.java index 0d68bf1..54a554f 100644 --- a/clients/src/main/java/org/apache/kafka/clients/ClientUtils.java +++ b/clients/src/main/java/org/apache/kafka/clients/ClientUtils.java @@ -13,17 +13,22 @@ package org.apache.kafka.clients; import java.io.Closeable; +import java.io.IOException; import java.net.InetSocketAddress; import java.util.ArrayList; import java.util.List; +import java.util.Properties; import java.util.concurrent.atomic.AtomicReference; import org.apache.kafka.common.config.ConfigException; +import org.apache.kafka.common.config.SecurityConfig; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import static org.apache.kafka.common.utils.Utils.getHost; import static org.apache.kafka.common.utils.Utils.getPort; +import static org.apache.kafka.common.utils.Utils.loadProps; + public class ClientUtils { private static final Logger log = LoggerFactory.getLogger(ClientUtils.class); @@ -61,4 +66,13 @@ public class ClientUtils { } } } + + public static SecurityConfig parseSecurityConfig(String securityConfigFile) throws IOException { + Properties securityProps = new Properties(); + if (securityConfigFile == null || securityConfigFile == "") { + return new SecurityConfig(securityProps); + } + securityProps = loadProps(securityConfigFile); + return new SecurityConfig(securityProps); + } } \ No newline at end of file diff --git a/clients/src/main/java/org/apache/kafka/clients/CommonClientConfigs.java b/clients/src/main/java/org/apache/kafka/clients/CommonClientConfigs.java index cf32e4e..0b23875 100644 --- a/clients/src/main/java/org/apache/kafka/clients/CommonClientConfigs.java +++ b/clients/src/main/java/org/apache/kafka/clients/CommonClientConfigs.java @@ -55,4 +55,6 @@ public class CommonClientConfigs { public static final String METRIC_REPORTER_CLASSES_CONFIG = "metric.reporters"; public static final String METRIC_REPORTER_CLASSES_DOC = "A list of classes to use as metrics reporters. Implementing the MetricReporter interface allows plugging in classes that will be notified of new metric creation. The JmxReporter is always included to register JMX statistics."; + public static final String SECURITY_CONFIG_FILE_CONFIG = "security.config.file"; + public static final String SECURITY_CONFIG_FILE_DOC = "Kafka client security related config file."; } \ No newline at end of file diff --git a/clients/src/main/java/org/apache/kafka/clients/consumer/ConsumerConfig.java b/clients/src/main/java/org/apache/kafka/clients/consumer/ConsumerConfig.java index bdff518..190fe63 100644 --- a/clients/src/main/java/org/apache/kafka/clients/consumer/ConsumerConfig.java +++ b/clients/src/main/java/org/apache/kafka/clients/consumer/ConsumerConfig.java @@ -156,6 +156,10 @@ public class ConsumerConfig extends AbstractConfig { public static final String VALUE_DESERIALIZER_CLASS_CONFIG = "value.deserializer"; private static final String VALUE_DESERIALIZER_CLASS_DOC = "Deserializer class for value that implements the Deserializer interface."; + /** security.config.file */ + public static final String SECURITY_CONFIG_FILE_CONFIG = CommonClientConfigs.SECURITY_CONFIG_FILE_CONFIG; + private static final String SECURITY_CONFIG_FILE_DOC = CommonClientConfigs.SECURITY_CONFIG_FILE_DOC; + static { CONFIG = new ConfigDef().define(BOOTSTRAP_SERVERS_CONFIG, @@ -277,7 +281,12 @@ public class ConsumerConfig extends AbstractConfig { .define(VALUE_DESERIALIZER_CLASS_CONFIG, Type.CLASS, Importance.HIGH, - VALUE_DESERIALIZER_CLASS_DOC); + VALUE_DESERIALIZER_CLASS_DOC) + .define(SECURITY_CONFIG_FILE_CONFIG, + Type.STRING, + "", + Importance.MEDIUM, + SECURITY_CONFIG_FILE_DOC); } public static Map addDeserializerToConfig(Map configs, diff --git a/clients/src/main/java/org/apache/kafka/clients/consumer/KafkaConsumer.java b/clients/src/main/java/org/apache/kafka/clients/consumer/KafkaConsumer.java index d301be4..032fd4b 100644 --- a/clients/src/main/java/org/apache/kafka/clients/consumer/KafkaConsumer.java +++ b/clients/src/main/java/org/apache/kafka/clients/consumer/KafkaConsumer.java @@ -37,6 +37,7 @@ import org.apache.kafka.common.KafkaException; import org.apache.kafka.common.Metric; import org.apache.kafka.common.PartitionInfo; import org.apache.kafka.common.TopicPartition; +import org.apache.kafka.common.config.SecurityConfig; import org.apache.kafka.common.metrics.JmxReporter; import org.apache.kafka.common.metrics.MetricConfig; import org.apache.kafka.common.MetricName; @@ -361,6 +362,7 @@ public class KafkaConsumer implements Consumer { private final boolean autoCommit; private final long autoCommitIntervalMs; private final ConsumerRebalanceCallback rebalanceCallback; + private final SecurityConfig securityConfig; private long lastCommitAttemptMs; private boolean closed = false; @@ -472,7 +474,8 @@ public class KafkaConsumer implements Consumer { String metricGrpPrefix = "consumer"; Map metricsTags = new LinkedHashMap(); metricsTags.put("client-id", clientId); - this.client = new NetworkClient(new Selector(metrics, time, metricGrpPrefix, metricsTags), + this.securityConfig = ClientUtils.parseSecurityConfig(config.getString(ConsumerConfig.SECURITY_CONFIG_FILE_CONFIG)); + this.client = new NetworkClient(new Selector(metrics, time, metricGrpPrefix, metricsTags, securityConfig), this.metadata, clientId, 100, // a fixed large enough value will suffice diff --git a/clients/src/main/java/org/apache/kafka/clients/producer/KafkaProducer.java b/clients/src/main/java/org/apache/kafka/clients/producer/KafkaProducer.java index 8e336a3..2c21dee 100644 --- a/clients/src/main/java/org/apache/kafka/clients/producer/KafkaProducer.java +++ b/clients/src/main/java/org/apache/kafka/clients/producer/KafkaProducer.java @@ -32,6 +32,7 @@ import org.apache.kafka.common.Metric; import org.apache.kafka.common.PartitionInfo; import org.apache.kafka.common.TopicPartition; import org.apache.kafka.common.config.ConfigException; +import org.apache.kafka.common.config.SecurityConfig; import org.apache.kafka.common.errors.ApiException; import org.apache.kafka.common.errors.InterruptException; import org.apache.kafka.common.errors.RecordTooLargeException; @@ -138,6 +139,7 @@ public class KafkaProducer implements Producer { private final Serializer keySerializer; private final Serializer valueSerializer; private final ProducerConfig producerConfig; + private final SecurityConfig securityConfig; /** * A producer is instantiated by providing a set of key-value pairs as configuration. Valid configuration strings @@ -214,6 +216,7 @@ public class KafkaProducer implements Producer { this.maxRequestSize = config.getInt(ProducerConfig.MAX_REQUEST_SIZE_CONFIG); this.totalMemorySize = config.getLong(ProducerConfig.BUFFER_MEMORY_CONFIG); this.compressionType = CompressionType.forName(config.getString(ProducerConfig.COMPRESSION_TYPE_CONFIG)); + this.securityConfig = ClientUtils.parseSecurityConfig(config.getString(ProducerConfig.SECURITY_CONFIG_FILE_CONFIG)); Map metricTags = new LinkedHashMap(); metricTags.put("client-id", clientId); this.accumulator = new RecordAccumulator(config.getInt(ProducerConfig.BATCH_SIZE_CONFIG), @@ -228,7 +231,7 @@ public class KafkaProducer implements Producer { List addresses = ClientUtils.parseAndValidateAddresses(config.getList(ProducerConfig.BOOTSTRAP_SERVERS_CONFIG)); this.metadata.update(Cluster.bootstrap(addresses), time.milliseconds()); - NetworkClient client = new NetworkClient(new Selector(this.metrics, time, "producer", metricTags), + NetworkClient client = new NetworkClient(new Selector(this.metrics, time, "producer", metricTags, securityConfig), this.metadata, clientId, config.getInt(ProducerConfig.MAX_IN_FLIGHT_REQUESTS_PER_CONNECTION), diff --git a/clients/src/main/java/org/apache/kafka/clients/producer/ProducerConfig.java b/clients/src/main/java/org/apache/kafka/clients/producer/ProducerConfig.java index 187d000..83506e7 100644 --- a/clients/src/main/java/org/apache/kafka/clients/producer/ProducerConfig.java +++ b/clients/src/main/java/org/apache/kafka/clients/producer/ProducerConfig.java @@ -169,6 +169,11 @@ public class ProducerConfig extends AbstractConfig { public static final String VALUE_SERIALIZER_CLASS_CONFIG = "value.serializer"; private static final String VALUE_SERIALIZER_CLASS_DOC = "Serializer class for value that implements the Serializer interface."; + /** security.config.file */ + public static final String SECURITY_CONFIG_FILE_CONFIG = CommonClientConfigs.SECURITY_CONFIG_FILE_CONFIG; + private static final String SECURITY_CONFIG_FILE_DOC = CommonClientConfigs.SECURITY_CONFIG_FILE_DOC; + + static { CONFIG = new ConfigDef().define(BOOTSTRAP_SERVERS_CONFIG, Type.LIST, Importance.HIGH, CommonClientConfigs.BOOSTRAP_SERVERS_DOC) .define(BUFFER_MEMORY_CONFIG, Type.LONG, 32 * 1024 * 1024L, atLeast(0L), Importance.HIGH, BUFFER_MEMORY_DOC) @@ -217,7 +222,8 @@ public class ProducerConfig extends AbstractConfig { Importance.LOW, MAX_IN_FLIGHT_REQUESTS_PER_CONNECTION_DOC) .define(KEY_SERIALIZER_CLASS_CONFIG, Type.CLASS, Importance.HIGH, KEY_SERIALIZER_CLASS_DOC) - .define(VALUE_SERIALIZER_CLASS_CONFIG, Type.CLASS, Importance.HIGH, VALUE_SERIALIZER_CLASS_DOC); + .define(VALUE_SERIALIZER_CLASS_CONFIG, Type.CLASS, Importance.HIGH, VALUE_SERIALIZER_CLASS_DOC) + .define(SECURITY_CONFIG_FILE_CONFIG, Type.STRING, "", Importance.MEDIUM, SECURITY_CONFIG_FILE_DOC); } public static Map addSerializerToConfig(Map configs, diff --git a/clients/src/main/java/org/apache/kafka/common/config/SecurityConfig.java b/clients/src/main/java/org/apache/kafka/common/config/SecurityConfig.java new file mode 100644 index 0000000..7954a7e --- /dev/null +++ b/clients/src/main/java/org/apache/kafka/common/config/SecurityConfig.java @@ -0,0 +1,113 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE + * file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file + * to You under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the + * License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on + * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the + * specific language governing permissions and limitations under the License. + */ + +package org.apache.kafka.common.config; + + +import java.util.Map; + +import org.apache.kafka.common.config.ConfigDef.Importance; +import org.apache.kafka.common.config.ConfigDef.Type; +import org.apache.kafka.common.protocol.SecurityProtocol; + + +/** + * Security Related config for clients and server. + */ + +public class SecurityConfig extends AbstractConfig { + /* + * NOTE: DO NOT CHANGE EITHER CONFIG STRINGS OR THEIR JAVA VARIABLE NAMES AS THESE ARE PART OF THE PUBLIC API AND + * CHANGE WILL BREAK USER CODE. + */ + + private static final ConfigDef CONFIG; + + public static final String SECURITY_PROTOCOL_CONFIG = "security.protocol"; + public static final String SECURITY_PROTOCOL_DOC = "Protocol used to communicate with brokers. Currently only PLAINTEXT and SSL are supported."; + + public static final String SSL_PROTOCOL_CONFIG = "ssl.protocol"; + public static final String SSL_PROTOCOL_DOC = "The TLS protocol used for broker connections if security protocol is SSL. " + + "Any version of TLS is accepted by default."; + + public static final String SSL_CIPHER_SUITES_CONFIG = "ssl.cipher.suites"; + public static final String SSL_CIPHER_SUITES_DOC = "The list of cipher suites enabled for SSL connections. " + + "Default value is the list of cipher suites enabled for the Java Virtual Machine."; + + public static final String SSL_ENABLED_PROTOCOLS_CONFIG = "ssl.enabled.protocols"; + public static final String SSL_ENABLED_PROTOCOLS_DOC = "The list of protocols enabled for SSL connections. " + + "Default value is the list of protocols enabled for the Java Virtual Machine."; + + + public static final String SSL_KEYSTORE_TYPE_CONFIG = "ssl.keystore.type"; + public static final String SSL_KEYSTORE_TYPE_DOC = "The file format of the key store file. " + + "Default value is the default key store format of the Java Virtual Machine."; + + public static final String SSL_KEYSTORE_LOCATION_CONFIG = "ssl.keystore.location"; + public static final String SSL_KEYSTORE_LOCATION_DOC = "The location of the key store file. " + + "This is optional for Client and can be used for two-way authentication for client."; + + public static final String SSL_KEYSTORE_PASSWORD_CONFIG = "ssl.keystore.password"; + public static final String SSL_KEYSTORE_PASSWORD_DOC = "The store password for the key store file. "; + + + public static final String SSL_KEY_PASSWORD_CONFIG = "ssl.key.password"; + public static final String SSL_KEY_PASSWORD_DOC = "The password of the private key in the key store file. " + + "This is optional for client."; + + public static final String SSL_TRUSTSTORE_TYPE_CONFIG = "ssl.truststore.type"; + public static final String SSL_TRUSTSTORE_TYPE_DOC = "The file format of the trust store file. " + + "Default value is JKS."; + + public static final String SSL_TRUSTSTORE_LOCATION_CONFIG = "ssl.truststore.location"; + public static final String SSL_TRUSTSTORE_LOCATION_DOC = "The location of the trust store file. "; + + public static final String SSL_TRUSTSTORE_PASSWORD_CONFIG = "ssl.truststore.password"; + public static final String SSL_TRUSTSTORE_PASSWORD_DOC = "The password for the trust store file. "; + + public static final String SSL_CLIENT_REQUIRE_CERT_CONFIG = "ssl.client.require.cert"; + public static final String SSL_CLIENT_REQUIRE_CERT_DOC = "This is to enforce two-way authentication between client and server." + + "Default value is false. If set to true client need to prover Keystrore releated config"; + + public static final String SSL_KEYMANAGER_ALGORITHM_CONFIG = "ssl.keymanager.algorithm"; + public static final String SSL_KEYMANAGER_ALGORITHM_DOC = "The algorithm used by key manager factory for SSL connections. " + + "Default value is the key manager factory algorithm configured for the Java Virtual Machine."; + + public static final String SSL_TRUSTMANAGER_ALGORITHM_CONFIG = "ssl.trustmanager.algorithm"; + public static final String SSL_TRUSTMANAGER_ALGORITHM_DOC = "The algorithm used by trust manager factory for SSL connections. " + + "Default value is the trust manager factory algorithm configured for the Java Virtual Machine."; + + + static { + CONFIG = new ConfigDef().define(SECURITY_PROTOCOL_CONFIG, Type.STRING, SecurityProtocol.PLAINTEXT.toString(), Importance.MEDIUM, SECURITY_PROTOCOL_DOC) + .define(SSL_PROTOCOL_CONFIG, Type.STRING, "TLS", Importance.MEDIUM, SSL_PROTOCOL_DOC) + .define(SSL_CIPHER_SUITES_CONFIG, Type.LIST, Importance.MEDIUM, SSL_CIPHER_SUITES_DOC, false) + .define(SSL_ENABLED_PROTOCOLS_CONFIG, Type.LIST, "TLSv1.2, TLSv1.1, TLSv1", Importance.MEDIUM, SSL_ENABLED_PROTOCOLS_DOC) + .define(SSL_KEYSTORE_TYPE_CONFIG, Type.STRING, Importance.MEDIUM, SSL_KEYSTORE_TYPE_DOC, false) + .define(SSL_KEYSTORE_LOCATION_CONFIG, Type.STRING, Importance.MEDIUM, SSL_KEYSTORE_LOCATION_DOC, false) + .define(SSL_KEYSTORE_PASSWORD_CONFIG, Type.STRING, Importance.MEDIUM, SSL_KEYSTORE_PASSWORD_DOC, false) + .define(SSL_KEY_PASSWORD_CONFIG, Type.STRING, Importance.MEDIUM, SSL_KEY_PASSWORD_DOC, false) + .define(SSL_TRUSTSTORE_TYPE_CONFIG, Type.STRING, Importance.MEDIUM, SSL_TRUSTSTORE_TYPE_DOC, false) + .define(SSL_TRUSTSTORE_LOCATION_CONFIG, Type.STRING, Importance.MEDIUM, SSL_TRUSTSTORE_LOCATION_DOC, false) + .define(SSL_TRUSTSTORE_PASSWORD_CONFIG, Type.STRING, Importance.MEDIUM, SSL_TRUSTSTORE_PASSWORD_DOC, false) + .define(SSL_KEYMANAGER_ALGORITHM_CONFIG, Type.STRING, Importance.MEDIUM, SSL_KEYMANAGER_ALGORITHM_DOC, false) + .define(SSL_TRUSTMANAGER_ALGORITHM_CONFIG, Type.STRING, Importance.MEDIUM, SSL_TRUSTMANAGER_ALGORITHM_DOC, false) + .define(SSL_CLIENT_REQUIRE_CERT_CONFIG, Type.BOOLEAN, false, Importance.MEDIUM, SSL_CLIENT_REQUIRE_CERT_DOC); + } + + public SecurityConfig(Map props) { + super(CONFIG, props); + } + + +} diff --git a/clients/src/main/java/org/apache/kafka/common/network/Authenticator.java b/clients/src/main/java/org/apache/kafka/common/network/Authenticator.java new file mode 100644 index 0000000..ee8516f --- /dev/null +++ b/clients/src/main/java/org/apache/kafka/common/network/Authenticator.java @@ -0,0 +1,60 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.kafka.common.network; + +/* + * Authentication for Channel + */ + +import java.io.IOException; +import com.sun.security.auth.UserPrincipal; + + +public interface Authenticator { + + /** + * Closes this channel + * + * @throws IOException if any I/O error occurs + */ + void close() throws IOException; + + /** + * + * @throws IOException + */ + void init() throws IOException; + + /** + * Returns UserPrincipal after authentication is established + */ + UserPrincipal userPrincipal(); + + + /** + * Does authentication and returns SelectionKey.OP if further communication needed + */ + int authenticate(boolean read, boolean write) throws IOException; + + /** + * returns true if authentication is complete otherwise returns false; + */ + + boolean isComplete(); + +} diff --git a/clients/src/main/java/org/apache/kafka/common/network/Channel.java b/clients/src/main/java/org/apache/kafka/common/network/Channel.java new file mode 100644 index 0000000..3526ba3 --- /dev/null +++ b/clients/src/main/java/org/apache/kafka/common/network/Channel.java @@ -0,0 +1,133 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.kafka.common.network; + + +import java.io.IOException; +import java.io.DataInputStream; +import java.io.DataOutputStream; + +import java.nio.ByteBuffer; +import java.nio.channels.ScatteringByteChannel; +import java.nio.channels.GatheringByteChannel; +import java.nio.channels.SocketChannel; + +import com.sun.security.auth.UserPrincipal; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +/** + * + */ + +public class Channel implements ScatteringByteChannel, GatheringByteChannel { + private static final Logger log = LoggerFactory.getLogger(Channel.class); + private TransportLayer transportLayer; + private Authenticator authenticator; + + + public Channel(TransportLayer transportLayer, Authenticator authenticator) throws IOException { + this.transportLayer = transportLayer; + this.authenticator = authenticator; + this.authenticator.init(); + } + + public void close() throws IOException { + transportLayer.close(); + authenticator.close(); + } + + /** + * returns user principal for the session + * Incase of PLAINTEXT and No Authentication returns ANONYMOUS as the userPrincipal + * If SSL used without any SASL Authentication returns SSLSession.peerPrincipal + */ + public UserPrincipal userPrincipal() { + return authenticator.userPrincipal(); + } + + public int connect(boolean read, boolean write) throws IOException { + if (transportLayer.isReady() && authenticator.isComplete()) + return 0; + int status = 0; + if (!transportLayer.isReady()) + status = transportLayer.handshake(read, write); + if (status == 0 && !authenticator.isComplete()) + status = authenticator.authenticate(read, write); + return status; + } + + + public boolean isOpen() { + return transportLayer.isOpen(); + } + + public SocketChannel socketChannel() { + return transportLayer.socketChannel(); + } + + /** + * Writes a sequence of bytes to this channel from the given buffer. + */ + @Override + public int write(ByteBuffer src) throws IOException { + return transportLayer.write(src); + } + + @Override + public long write(ByteBuffer[] srcs) throws IOException { + return transportLayer.write(srcs); + } + + @Override + public long write(ByteBuffer[] srcs, int offset, int length) throws IOException { + return transportLayer.write(srcs, offset, length); + } + + @Override + public int read(ByteBuffer dst) throws IOException { + return transportLayer.read(dst); + } + + @Override + public long read(ByteBuffer[] dsts) throws IOException { + return transportLayer.read(dsts); + } + + @Override + public long read(ByteBuffer[] dsts, int offset, int length) throws IOException { + return transportLayer.read(dsts, offset, length); + } + + public boolean finishConnect() throws IOException { + return transportLayer.finishConnect(); + } + + public boolean isReady() { + return transportLayer.isReady() && authenticator.isComplete(); + } + + public DataInputStream getInputStream() throws IOException { + return transportLayer.inStream(); + } + + public DataOutputStream getOutputStream() throws IOException { + return transportLayer.outStream(); + } +} diff --git a/clients/src/main/java/org/apache/kafka/common/network/DefaultAuthenticator.java b/clients/src/main/java/org/apache/kafka/common/network/DefaultAuthenticator.java new file mode 100644 index 0000000..c1ec794 --- /dev/null +++ b/clients/src/main/java/org/apache/kafka/common/network/DefaultAuthenticator.java @@ -0,0 +1,46 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.kafka.common.network; + +import com.sun.security.auth.UserPrincipal; +import java.io.IOException; + +public class DefaultAuthenticator implements Authenticator { + + TransportLayer transportLayer; + + public DefaultAuthenticator(TransportLayer transportLayer) { + this.transportLayer = transportLayer; + } + + public void init() {} + + public int authenticate(boolean read, boolean write) throws IOException { + return 0; + } + + public UserPrincipal userPrincipal() { + return new UserPrincipal(transportLayer.getPeerPrincipal().toString()); + } + + public void close() throws IOException {} + + public boolean isComplete() { + return true; + } +} diff --git a/clients/src/main/java/org/apache/kafka/common/network/PlainTextTransportLayer.java b/clients/src/main/java/org/apache/kafka/common/network/PlainTextTransportLayer.java new file mode 100644 index 0000000..11cd80c --- /dev/null +++ b/clients/src/main/java/org/apache/kafka/common/network/PlainTextTransportLayer.java @@ -0,0 +1,148 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.kafka.common.network; + +/* + * Transport layer for PLAINTEXT communication + */ + +import java.io.IOException; +import java.nio.ByteBuffer; +import java.nio.channels.SocketChannel; + +import java.io.DataInputStream; +import java.io.DataOutputStream; + +import java.security.Principal; +import com.sun.security.auth.UserPrincipal; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +public class PlainTextTransportLayer implements TransportLayer { + private static final Logger log = LoggerFactory.getLogger(PlainTextTransportLayer.class); + SocketChannel socketChannel = null; + DataInputStream inStream = null; + DataOutputStream outStream = null; + + public PlainTextTransportLayer(SocketChannel socketChannel) throws IOException { + this.socketChannel = socketChannel; + + } + + + /** + * Closes this channel + * + * @throws IOException If and I/O error occurs + */ + public void close() throws IOException { + socketChannel.socket().close(); + socketChannel.close(); + } + + /** + * Flushes the buffer to the network, non blocking + * @param buf ByteBuffer + * @return boolean true if the buffer has been emptied out, false otherwise + * @throws IOException + */ + public boolean flush(ByteBuffer buf) throws IOException { + int remaining = buf.remaining(); + if (remaining > 0) { + int written = socketChannel.write(buf); + return written >= remaining; + } + return true; + } + + /** + * Tells wheter or not this channel is open. + */ + public boolean isOpen() { + return socketChannel.isOpen(); + } + + /** + * Writes a sequence of bytes to this channel from the given buffer. + */ + public int write(ByteBuffer src) throws IOException { + return socketChannel.write(src); + } + + public long write(ByteBuffer[] srcs) throws IOException { + return socketChannel.write(srcs); + } + + public long write(ByteBuffer[] srcs, int offset, int length) throws IOException { + return socketChannel.write(srcs, offset, length); + } + + public int read(ByteBuffer dst) throws IOException { + return socketChannel.read(dst); + } + + public long read(ByteBuffer[] dsts) throws IOException { + return socketChannel.read(dsts); + } + + public long read(ByteBuffer[] dsts, int offset, int length) throws IOException { + return socketChannel.read(dsts, offset, length); + } + + public boolean isReady() { + return true; + } + + public SocketChannel socketChannel() { + return socketChannel; + } + + public boolean finishConnect() throws IOException { + return socketChannel.finishConnect(); + } + + /** + * Performs SSL handshake hence is a no-op for the non-secure + * implementation + * @param read Unused in non-secure implementation + * @param write Unused in non-secure implementation + * @return Always return 0 + * @throws IOException + */ + public int handshake(boolean read, boolean write) throws IOException { + return 0; + } + + public DataInputStream inStream() throws IOException { + if (inStream == null) + this.inStream = new DataInputStream(socketChannel.socket().getInputStream()); + return inStream; + } + + public DataOutputStream outStream() throws IOException { + if (outStream == null) + this.outStream = new DataOutputStream(socketChannel.socket().getOutputStream()); + return outStream; + } + + public Principal getPeerPrincipal() { + return new UserPrincipal("ANONYMOUS"); + } + +} diff --git a/clients/src/main/java/org/apache/kafka/common/network/SSLFactory.java b/clients/src/main/java/org/apache/kafka/common/network/SSLFactory.java new file mode 100644 index 0000000..9cf9051 --- /dev/null +++ b/clients/src/main/java/org/apache/kafka/common/network/SSLFactory.java @@ -0,0 +1,188 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.kafka.common.network; + +import java.io.FileInputStream; +import java.io.IOException; +import java.security.GeneralSecurityException; +import java.security.KeyStore; + +import javax.net.ssl.*; + +import org.apache.kafka.common.KafkaException; +import org.apache.kafka.common.config.SecurityConfig; + + +public class SSLFactory { + + public enum Mode { CLIENT, SERVER }; + private String protocol; + private String provider; + private String kmfAlgorithm; + private String tmfAlgorithm; + private SecurityStore keystore = null; + private String keyPassword; + private SecurityStore truststore; + private String[] cipherSuites; + private String[] enabledProtocols; + private SSLContext sslContext; + private boolean requireClientCert; + private Mode mode; + + + public SSLFactory(Mode mode) { + this.mode = mode; + } + + + public void init(SecurityConfig securityConfig) throws IOException, GeneralSecurityException { + this.protocol = securityConfig.getString(SecurityConfig.SSL_PROTOCOL_CONFIG); + if (securityConfig.getList(SecurityConfig.SSL_CIPHER_SUITES_CONFIG) != null) + this.cipherSuites = (String[]) securityConfig.getList(SecurityConfig.SSL_CIPHER_SUITES_CONFIG).toArray(); + if (securityConfig.getList(SecurityConfig.SSL_ENABLED_PROTOCOLS_CONFIG) != null) + this.enabledProtocols = (String[]) securityConfig.getList(SecurityConfig.SSL_ENABLED_PROTOCOLS_CONFIG).toArray(); + this.requireClientCert = securityConfig.getBoolean(SecurityConfig.SSL_CLIENT_REQUIRE_CERT_CONFIG); + this.kmfAlgorithm = securityConfig.getString(SecurityConfig.SSL_KEYMANAGER_ALGORITHM_CONFIG); + this.tmfAlgorithm = securityConfig.getString(SecurityConfig.SSL_TRUSTMANAGER_ALGORITHM_CONFIG); + if ((mode == Mode.CLIENT && requireClientCert) || (mode == Mode.SERVER)) + createKeystore(securityConfig.getString(SecurityConfig.SSL_KEYSTORE_TYPE_CONFIG), + securityConfig.getString(SecurityConfig.SSL_KEYSTORE_LOCATION_CONFIG), + securityConfig.getString(SecurityConfig.SSL_KEYSTORE_PASSWORD_CONFIG), + securityConfig.getString(SecurityConfig.SSL_KEY_PASSWORD_CONFIG)); + createTruststore(securityConfig.getString(SecurityConfig.SSL_TRUSTSTORE_TYPE_CONFIG), + securityConfig.getString(SecurityConfig.SSL_TRUSTSTORE_LOCATION_CONFIG), + securityConfig.getString(SecurityConfig.SSL_TRUSTSTORE_PASSWORD_CONFIG)); + + this.sslContext = createSSLContext(); + + } + + + private SSLContext createSSLContext() throws GeneralSecurityException, IOException { + SSLContext sslContext; + if (provider != null) + sslContext = SSLContext.getInstance(protocol, provider); + else + sslContext = SSLContext.getInstance(protocol); + + KeyManager[] keyManagers = null; + if (keystore != null) { + String kmfAlgorithm = this.kmfAlgorithm != null ? this.kmfAlgorithm : KeyManagerFactory.getDefaultAlgorithm(); + KeyManagerFactory kmf = KeyManagerFactory.getInstance(kmfAlgorithm); + KeyStore ks = keystore.load(); + String keyPassword = this.keyPassword != null ? this.keyPassword : keystore.password; + kmf.init(ks, keyPassword.toCharArray()); + keyManagers = kmf.getKeyManagers(); + } + + String tmfAlgorithm = this.tmfAlgorithm != null ? this.tmfAlgorithm : TrustManagerFactory.getDefaultAlgorithm(); + TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm); + KeyStore ts = truststore == null ? null : truststore.load(); + tmf.init(ts); + + sslContext.init(keyManagers, tmf.getTrustManagers(), null); + return sslContext; + } + + public SSLEngine createSSLEngine(String peerHost, int peerPort) { + SSLEngine sslEngine = sslContext.createSSLEngine(peerHost, peerPort); + if (cipherSuites != null) sslEngine.setEnabledCipherSuites(cipherSuites); + if (mode == Mode.SERVER) { + sslEngine.setUseClientMode(false); + } else { + sslEngine.setUseClientMode(true); + sslEngine.setNeedClientAuth(requireClientCert); + } + if (enabledProtocols != null) sslEngine.setEnabledProtocols(enabledProtocols); + return sslEngine; + } + + /** + * Returns a configured SSLServerSocketFactory. + * + * @return the configured SSLSocketFactory. + * @throws GeneralSecurityException thrown if the SSLSocketFactory could not + * be initialized. + * @throws IOException thrown if and IO error occurred while loading + * the server keystore. + */ + public SSLServerSocketFactory createSSLServerSocketFactory() throws GeneralSecurityException, IOException { + if (mode != Mode.SERVER) { + throw new IllegalStateException("Factory is in CLIENT mode"); + } + return sslContext.getServerSocketFactory(); + } + + /** + * Returns if client certificates are required or not. + * + * @return if client certificates are required or not. + */ + public boolean isClientCertRequired() { + return requireClientCert; + } + + + private void createKeystore(String type, String path, String password, String keyPassword) { + if (path == null && password != null) { + throw new KafkaException("SSL key store password is not specified."); + } else if (path != null && password == null) { + throw new KafkaException("SSL key store is not specified, but key store password is specified."); + } else if (path != null && password != null) { + this.keystore = new SecurityStore(type, path, password); + this.keyPassword = keyPassword; + } + } + + private void createTruststore(String type, String path, String password) { + if (path == null && password != null) { + throw new KafkaException("SSL key store password is not specified."); + } else if (path != null && password == null) { + throw new KafkaException("SSL key store is not specified, but key store password is specified."); + } else if (path != null && password != null) { + this.truststore = new SecurityStore(type, path, password); + } + } + + + private class SecurityStore { + private final String type; + private final String path; + private final String password; + + private SecurityStore(String type, String path, String password) { + this.type = type == null ? KeyStore.getDefaultType() : type; + this.path = path; + this.password = password; + } + + private KeyStore load() throws GeneralSecurityException, IOException { + FileInputStream in = null; + try { + KeyStore ks = KeyStore.getInstance(type); + in = new FileInputStream(path); + ks.load(in, password.toCharArray()); + return ks; + } finally { + if (in != null) in.close(); + } + } + } + + public void close() { + } +} diff --git a/clients/src/main/java/org/apache/kafka/common/network/SSLTransportLayer.java b/clients/src/main/java/org/apache/kafka/common/network/SSLTransportLayer.java new file mode 100644 index 0000000..dc84975 --- /dev/null +++ b/clients/src/main/java/org/apache/kafka/common/network/SSLTransportLayer.java @@ -0,0 +1,430 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.kafka.common.network; + +import java.io.IOException; +import java.nio.ByteBuffer; +import java.nio.channels.SocketChannel; +import java.nio.channels.SelectionKey; + +import java.security.Principal; +import javax.net.ssl.SSLEngine; +import javax.net.ssl.SSLEngineResult; +import javax.net.ssl.SSLEngineResult.HandshakeStatus; +import javax.net.ssl.SSLEngineResult.Status; + +import java.io.DataInputStream; +import java.io.DataOutputStream; + +import org.apache.kafka.common.utils.Utils; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +/* + * Transport layer for SSL communication + */ + +public class SSLTransportLayer implements TransportLayer { + private static final Logger log = LoggerFactory.getLogger(SSLTransportLayer.class); + SocketChannel socketChannel; + SSLEngine sslEngine; + HandshakeStatus handshakeStatus = null; + SSLEngineResult handshakeResult = null; + boolean handshakeComplete = false; + boolean closed = false; + boolean closing = false; + ByteBuffer netInBuffer = null; + ByteBuffer netOutBuffer = null; + ByteBuffer appReadBuffer = null; + ByteBuffer appWriteBuffer = null; + ByteBuffer emptyBuf = ByteBuffer.allocate(0); + DataInputStream inStream = null; + DataOutputStream outStream = null; + + + public SSLTransportLayer(SocketChannel socketChannel, SSLEngine sslEngine) throws IOException { + this.socketChannel = socketChannel; + this.sslEngine = sslEngine; + this.netInBuffer = ByteBuffer.allocateDirect(sslEngine.getSession().getPacketBufferSize()); + this.netOutBuffer = ByteBuffer.allocateDirect(sslEngine.getSession().getPacketBufferSize()); + this.appWriteBuffer = ByteBuffer.allocateDirect(sslEngine.getSession().getApplicationBufferSize()); + this.appReadBuffer = ByteBuffer.allocateDirect(sslEngine.getSession().getApplicationBufferSize()); + startHandshake(); + } + + public void startHandshake() throws IOException { + netOutBuffer.position(0); + netOutBuffer.limit(0); + netInBuffer.position(0); + netInBuffer.limit(0); + handshakeComplete = false; + closed = false; + closing = false; + //initiate handshake + sslEngine.beginHandshake(); + handshakeStatus = sslEngine.getHandshakeStatus(); + } + + public SocketChannel socketChannel() { + return socketChannel; + } + + public boolean finishConnect() throws IOException { + return socketChannel.finishConnect(); + } + + /** + * Flushes the buffer to the network, non blocking + * @param buf ByteBuffer + * @return boolean true if the buffer has been emptied out, false otherwise + * @throws IOException + */ + public boolean flush(ByteBuffer buf) throws IOException { + int remaining = buf.remaining(); + if (remaining > 0) { + int written = socketChannel.write(buf); + return written >= remaining; + } + return true; + } + + /** + * Performs SSL handshake, non blocking. + * The return for this operation is 0 if the handshake is complete and a positive value if it is not complete. + * In the event of a positive value coming back, re-register the selection key for the return values interestOps. + * @param read boolean - true if the underlying channel is readable + * @param write boolean - true if the underlying channel is writable + * @return int - 0 if hand shake is complete, otherwise it returns a SelectionKey interestOps value + * @throws IOException + */ + public int handshake(boolean read, boolean write) throws IOException { + if (handshakeComplete) return 0; //we have done our initial handshake + + if (!flush(netOutBuffer)) return SelectionKey.OP_WRITE; + + switch(handshakeStatus) { + case NOT_HANDSHAKING: + // SSLEnginge.getHandshakeStatus is transient and it doesn't record FINISHED status properly + if (handshakeResult.getHandshakeStatus() == HandshakeStatus.FINISHED) { + handshakeComplete = !netOutBuffer.hasRemaining(); + if (handshakeComplete) + return 0; + else + return SelectionKey.OP_WRITE; + } else { + //should never happen + throw new IOException("NOT_HANDSHAKING during handshake"); + } + case FINISHED: + //we are complete if we have delivered the last package + handshakeComplete = !netOutBuffer.hasRemaining(); + //return 0 if we are complete, otherwise we still have data to write + if (handshakeComplete) return 0; + else return SelectionKey.OP_WRITE; + case NEED_WRAP: + handshakeResult = handshakeWrap(write); + if (handshakeResult.getStatus() == Status.OK) { + if (handshakeStatus == HandshakeStatus.NEED_TASK) + handshakeStatus = tasks(); + } else { + //wrap should always work with our buffers + throw new IOException("Unexpected status [" + handshakeResult.getStatus() + "] during handshake WRAP."); + } + if (handshakeStatus != HandshakeStatus.NEED_UNWRAP || (!flush(netOutBuffer))) + return SelectionKey.OP_WRITE; + //fall down to NEED_UNWRAP on the same call, will result in a + //BUFFER_UNDERFLOW if it needs data + case NEED_UNWRAP: + handshakeResult = handshakeUnwrap(read); + if (handshakeResult.getStatus() == Status.OK) { + if (handshakeStatus == HandshakeStatus.NEED_TASK) + handshakeStatus = tasks(); + } else if (handshakeResult.getStatus() == Status.BUFFER_UNDERFLOW) { + return SelectionKey.OP_READ; + } else { + throw new IOException(String.format("Unexpected status [%s] during handshake UNWRAP", handshakeStatus)); + } + break; + case NEED_TASK: + handshakeStatus = tasks(); + break; + default: + throw new IllegalStateException(String.format("Unexpected status [%s]", handshakeStatus)); + } + //return 0 if we are complete, otherwise re-register for any activity that + //would cause this method to be called again. + if (handshakeComplete) return 0; + else return SelectionKey.OP_WRITE | SelectionKey.OP_READ; + } + + /** + * Executes all the tasks needed on the same thread. + * @return HandshakeStatus + */ + private HandshakeStatus tasks() { + Runnable r = null; + while ((r = sslEngine.getDelegatedTask()) != null) r.run(); + return sslEngine.getHandshakeStatus(); + } + + /** + * Performs the WRAP function + * @param doWrite boolean + * @return SSLEngineResult + * @throws IOException + */ + private SSLEngineResult handshakeWrap(Boolean doWrite) throws IOException { + //this should never be called with a network buffer that contains data + //so we can clear it here. + netOutBuffer.clear(); + SSLEngineResult result = sslEngine.wrap(appWriteBuffer, netOutBuffer); + //prepare the results to be written + netOutBuffer.flip(); + handshakeStatus = result.getHandshakeStatus(); + //optimization, if we do have a writable channel, write it now + if (doWrite) flush(netOutBuffer); + return result; + } + + /** + * Perform handshake unwrap + * @param doRead boolean + * @return SSLEngineResult + * @throws IOException + */ + private SSLEngineResult handshakeUnwrap(Boolean doRead) throws IOException { + if (netInBuffer.position() == netInBuffer.limit()) { + //clear the buffer if we have emptied it out on data + netInBuffer.clear(); + } + + if (doRead) { + int read = socketChannel.read(netInBuffer); + if (read == -1) throw new IOException("EOF during handshake."); + } + + SSLEngineResult result; + boolean cont = false; + do { + //prepare the buffer with the incoming data + netInBuffer.flip(); + result = sslEngine.unwrap(netInBuffer, appWriteBuffer); + netInBuffer.compact(); + handshakeStatus = result.getHandshakeStatus(); + if (result.getStatus() == SSLEngineResult.Status.OK && + result.getHandshakeStatus() == HandshakeStatus.NEED_TASK) { + handshakeStatus = tasks(); + } + cont = result.getStatus() == SSLEngineResult.Status.OK && + handshakeStatus == HandshakeStatus.NEED_UNWRAP; + } while(cont); + return result; + } + + + public int getOutboundRemaining() { + return netOutBuffer.remaining(); + } + + /** + * Sends a SSL close message, will not physically close the connection here.
+ * @throws IOException if an I/O error occurs + * @throws IOException if there is data on the outgoing network buffer and we are unable to flush it + */ + public void close() throws IOException { + if (closing) return; + closing = true; + sslEngine.closeOutbound(); + + if (!flush(netOutBuffer)) { + throw new IOException("Remaining data in the network buffer, can't send SSL close message, force a close with close(true) instead"); + } + //prep the buffer for the close message + netOutBuffer.clear(); + //perform the close, since we called sslEngine.closeOutbound + SSLEngineResult handshake = sslEngine.wrap(emptyBuf, netOutBuffer); + //we should be in a close state + if (handshake.getStatus() != SSLEngineResult.Status.CLOSED) { + throw new IOException("Invalid close state, will not send network data."); + } + netOutBuffer.flip(); + flush(netOutBuffer); + socketChannel.socket().close(); + socketChannel.close(); + closed = !netOutBuffer.hasRemaining() && (handshake.getHandshakeStatus() != HandshakeStatus.NEED_WRAP); + } + + public boolean isOpen() { + return socketChannel.isOpen(); + } + + public boolean isReady() { + return handshakeComplete; + } + + /** + * Reads a sequence of bytes from this channel into the given buffer. + * + * @param dst The buffer into which bytes are to be transferred + * @return The number of bytes read, possible zero or -1 if the channel has reached end-of-stream + * @throws IOException if some other I/O error occurs + * @throws IllegalStateException if the destination buffer is different than appBufHandler.getReadBuffer() + */ + public int read(ByteBuffer dst) throws IOException { + if (closing || closed) return -1; + if (!handshakeComplete) throw new IllegalStateException("Handshake incomplete."); + netInBuffer = Utils.ensureCapacity(netInBuffer, packetBufferSize()); + int netread = socketChannel.read(netInBuffer); + if (netread == -1) return -1; + int read = 0; + SSLEngineResult unwrap = null; + + do { + netInBuffer.flip(); + unwrap = sslEngine.unwrap(netInBuffer, appReadBuffer); + //compact the buffer + netInBuffer.compact(); + if (unwrap.getStatus() == Status.OK || unwrap.getStatus() == Status.BUFFER_UNDERFLOW) { + read += unwrap.bytesProduced(); + // perform any task if needed + if (unwrap.getHandshakeStatus() == HandshakeStatus.NEED_TASK) tasks(); + //if we need more network data, than return for now. + if (unwrap.getStatus() == Status.BUFFER_UNDERFLOW) return readFromAppBuffer(dst); + } else if (unwrap.getStatus() == Status.BUFFER_OVERFLOW && read > 0) { + appReadBuffer = Utils.ensureCapacity(appReadBuffer, applicationBufferSize()); + //buffer overflow can happen, if we have read data, then + //empty out the dst buffer before we do another read + return readFromAppBuffer(dst); + } else { + //here we should trap BUFFER_OVERFLOW and call expand on the buffer + // for now, throw an exception, as we initialized the buffers + // in constructor + throw new IOException(String.format("Unable to unwrap data, invalid status [%s]", unwrap.getStatus())); + } + } while(netInBuffer.position() != 0); + return readFromAppBuffer(dst); + } + + public long read(ByteBuffer[] dsts) throws IOException { + return read(dsts, 0, dsts.length); + } + + public long read(ByteBuffer[] dsts, int offset, int length) throws IOException { + int totalRead = 0; + for (int i = offset; i < length; i++) { + int read = read(dsts[i]); + if (read > 0) { + totalRead += read; + } + } + return totalRead; + } + + + /** + * Writes a sequence of bytes to this channel from the given buffer. + * + * @param src The buffer from which bytes are to be retrieved + * @return The number of bytes written, possibly zero + * @throws IOException If some other I/O error occurs + */ + + public int write(ByteBuffer src) throws IOException { + int written = 0; + if (src == this.netOutBuffer) + written = socketChannel.write(src); + else { + if (closing || closed) throw new IOException("Channel is in closing state"); + if (!flush(netOutBuffer)) + return written; + netOutBuffer.clear(); + SSLEngineResult result = sslEngine.wrap(src, netOutBuffer); + written = result.bytesConsumed(); + netOutBuffer.flip(); + if (result.getStatus() == Status.OK) { + if (result.getHandshakeStatus() == HandshakeStatus.NEED_TASK) + tasks(); + } else { + throw new IOException(String.format("Unable to wrap data, invalid status %s", result.getStatus())); + } + flush(netOutBuffer); + } + return written; + } + + public long write(ByteBuffer[] srcs, int offset, int length) throws IOException { + int totalWritten = 0; + for (int i = offset; i < length; i++) { + if (srcs[i].hasRemaining()) { + int written = write(srcs[i]); + if (written > 0) { + totalWritten += written; + } + } + } + return totalWritten; + } + + public long write(ByteBuffer[] srcs) throws IOException { + return write(srcs, 0, srcs.length); + } + + public DataInputStream inStream() throws IOException { + if (inStream == null) + this.inStream = new DataInputStream(socketChannel.socket().getInputStream()); + return inStream; + } + + public DataOutputStream outStream() throws IOException { + if (outStream == null) + this.outStream = new DataOutputStream(socketChannel.socket().getOutputStream()); + return outStream; + } + + public Principal getPeerPrincipal() { + //return sslEngine.getSession().getPeerPrincipal(); + return null; + } + + private int readFromAppBuffer(ByteBuffer dst) { + appReadBuffer.flip(); + try { + int remaining = appReadBuffer.remaining(); + if (remaining > 0) { + if (remaining > dst.remaining()) + remaining = dst.remaining(); + int i = 0; + while (i < remaining) { + dst.put(appReadBuffer.get()); + i++; + } + } + return remaining; + } finally { + appReadBuffer.compact(); + } + } + + private int packetBufferSize() { + return sslEngine.getSession().getPacketBufferSize(); + } + + private int applicationBufferSize() { + return sslEngine.getSession().getApplicationBufferSize(); + } +} diff --git a/clients/src/main/java/org/apache/kafka/common/network/Selectable.java b/clients/src/main/java/org/apache/kafka/common/network/Selectable.java index b5f8d83..4a0c2bd 100644 --- a/clients/src/main/java/org/apache/kafka/common/network/Selectable.java +++ b/clients/src/main/java/org/apache/kafka/common/network/Selectable.java @@ -12,6 +12,7 @@ */ package org.apache.kafka.common.network; + import java.io.IOException; import java.net.InetSocketAddress; import java.util.List; diff --git a/clients/src/main/java/org/apache/kafka/common/network/Selector.java b/clients/src/main/java/org/apache/kafka/common/network/Selector.java index 57de058..0068143 100644 --- a/clients/src/main/java/org/apache/kafka/common/network/Selector.java +++ b/clients/src/main/java/org/apache/kafka/common/network/Selector.java @@ -3,9 +3,9 @@ * file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file * to You under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the * License. You may obtain a copy of the License at - * + * * http://www.apache.org/licenses/LICENSE-2.0 - * + * * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the * specific language governing permissions and limitations under the License. @@ -31,6 +31,7 @@ import java.util.Set; import java.util.concurrent.TimeUnit; import org.apache.kafka.common.KafkaException; +import org.apache.kafka.common.config.SecurityConfig; import org.apache.kafka.common.metrics.Measurable; import org.apache.kafka.common.metrics.MetricConfig; import org.apache.kafka.common.MetricName; @@ -40,6 +41,7 @@ import org.apache.kafka.common.metrics.stats.Avg; import org.apache.kafka.common.metrics.stats.Count; import org.apache.kafka.common.metrics.stats.Max; import org.apache.kafka.common.metrics.stats.Rate; +import org.apache.kafka.common.protocol.SecurityProtocol; import org.apache.kafka.common.utils.Time; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -51,25 +53,25 @@ import org.slf4j.LoggerFactory; * responses. *

* A connection can be added to the selector associated with an integer id by doing - * + * * 

  * selector.connect(42, new InetSocketAddress("google.com", server.port), 64000, 64000);
  *
- * + * * The connect call does not block on the creation of the TCP connection, so the connect method only begins initiating * the connection. The successful invocation of this method does not mean a valid connection has been established. - * + * * Sending requests, receiving responses, processing connection completions, and disconnections on the existing * connections are all done using the poll() call. - * + * * 
  * List<NetworkRequest> requestsToSend = Arrays.asList(new NetworkRequest(0, myBytes), new NetworkRequest(1, myOtherBytes));
  * selector.poll(TIMEOUT_MS, requestsToSend);
  *
- * + * * The selector maintains several lists that are reset by each call to poll() which are available via * various getters. These are reset by each call to poll(). - * + * * This class is not thread safe! */ public class Selector implements Selectable { @@ -78,6 +80,7 @@ public class Selector implements Selectable { private final java.nio.channels.Selector selector; private final Map keys; + private final Map channels; private final List completedSends; private final List completedReceives; private final List disconnected; @@ -87,11 +90,14 @@ public class Selector implements Selectable { private final SelectorMetrics sensors; private final String metricGrpPrefix; private final Map metricTags; + private final SecurityConfig securityConfig; + private final SecurityProtocol securityProtocol; + private SSLFactory sslFactory = null; /** * Create a new selector */ - public Selector(Metrics metrics, Time time, String metricGrpPrefix, Map metricTags) { + public Selector(Metrics metrics, Time time, String metricGrpPrefix, Map metricTags, SecurityConfig securityConfig) { try { this.selector = java.nio.channels.Selector.open(); } catch (IOException e) { @@ -101,12 +107,24 @@ public class Selector implements Selectable { this.metricGrpPrefix = metricGrpPrefix; this.metricTags = metricTags; this.keys = new HashMap(); + this.channels = new HashMap(); this.completedSends = new ArrayList(); this.completedReceives = new ArrayList(); this.connected = new ArrayList(); this.disconnected = new ArrayList(); this.failedSends = new ArrayList(); this.sensors = new SelectorMetrics(metrics); + this.securityConfig = securityConfig; + this.securityProtocol = SecurityProtocol.valueOf(securityConfig.getString(SecurityConfig.SECURITY_PROTOCOL_CONFIG)); + try { + if (securityProtocol == SecurityProtocol.SSL) { + this.sslFactory = new SSLFactory(SSLFactory.Mode.CLIENT); + this.sslFactory.init(this.securityConfig); + } + } catch (Exception e) { + throw new KafkaException(e); + } + } /** @@ -127,25 +145,37 @@ public class Selector implements Selectable { if (this.keys.containsKey(id)) throw new IllegalStateException("There is already a connection for id " + id); - SocketChannel channel = SocketChannel.open(); - channel.configureBlocking(false); - Socket socket = channel.socket(); + SocketChannel socketChannel = SocketChannel.open(); + socketChannel.configureBlocking(false); + Socket socket = socketChannel.socket(); socket.setKeepAlive(true); socket.setSendBufferSize(sendBufferSize); socket.setReceiveBufferSize(receiveBufferSize); socket.setTcpNoDelay(true); try { - channel.connect(address); + socketChannel.connect(address); } catch (UnresolvedAddressException e) { - channel.close(); + socketChannel.close(); throw new IOException("Can't resolve address: " + address, e); } catch (IOException e) { - channel.close(); + socketChannel.close(); throw e; } - SelectionKey key = channel.register(this.selector, SelectionKey.OP_CONNECT); + + TransportLayer transportLayer; + if (securityProtocol == SecurityProtocol.SSL) { + transportLayer = new SSLTransportLayer(socketChannel, + sslFactory.createSSLEngine(socket.getInetAddress().getHostName(), + socket.getPort())); + } else { + transportLayer = new PlainTextTransportLayer(socketChannel); + } + Authenticator authenticator = new DefaultAuthenticator(transportLayer); + Channel channel = new Channel(transportLayer, authenticator); + SelectionKey key = socketChannel.register(this.selector, SelectionKey.OP_CONNECT); key.attach(new Transmissions(id)); this.keys.put(id, key); + this.channels.put(key, channel); } /** @@ -202,12 +232,12 @@ public class Selector implements Selectable { /** * Do whatever I/O can be done on each connection without blocking. This includes completing connections, completing * disconnections, initiating new sends, or making progress on in-progress sends or receives. - * + * * When this call is completed the user can check for completed sends, receives, connections or disconnects using * {@link #completedSends()}, {@link #completedReceives()}, {@link #connected()}, {@link #disconnected()}. These * lists will be cleared at the beginning of each {@link #poll(long, List)} call and repopulated by the call if any * completed I/O. - * + * * @param timeout The amount of time to wait, in milliseconds. If negative, wait indefinitely. * @throws IllegalStateException If a send is given for which we have no existing connection or for which there is * already an in-progress send @@ -230,7 +260,7 @@ public class Selector implements Selectable { iter.remove(); Transmissions transmissions = transmissions(key); - SocketChannel channel = channel(key); + Channel channel = channel(key); // register all per-broker metrics at once sensors.maybeRegisterNodeMetrics(transmissions.id); @@ -242,29 +272,46 @@ public class Selector implements Selectable { key.interestOps(key.interestOps() & ~SelectionKey.OP_CONNECT | SelectionKey.OP_READ); this.connected.add(transmissions.id); this.sensors.connectionCreated.record(); + } /* read from any connections that have readable data */ if (key.isReadable()) { - if (!transmissions.hasReceive()) - transmissions.receive = new NetworkReceive(transmissions.id); - transmissions.receive.readFrom(channel); - if (transmissions.receive.complete()) { - transmissions.receive.payload().rewind(); - this.completedReceives.add(transmissions.receive); - this.sensors.recordBytesReceived(transmissions.id, transmissions.receive.payload().limit()); - transmissions.clearReceive(); + if (!channel.isReady()) { + int status = channel.connect(key.isReadable(), key.isWritable()); + if (status == 0) + key.interestOps(key.interestOps() & ~SelectionKey.OP_CONNECT | SelectionKey.OP_READ); + else + key.interestOps(status); + } else { + if (!transmissions.hasReceive()) + transmissions.receive = new NetworkReceive(transmissions.id); + transmissions.receive.readFrom(channel); + if (transmissions.receive.complete()) { + transmissions.receive.payload().rewind(); + this.completedReceives.add(transmissions.receive); + this.sensors.recordBytesReceived(transmissions.id, transmissions.receive.payload().limit()); + transmissions.clearReceive(); + } } } /* write to any sockets that have space in their buffer and for which we have data */ if (key.isWritable()) { - transmissions.send.writeTo(channel); - if (transmissions.send.remaining() <= 0) { - this.completedSends.add(transmissions.send); - this.sensors.recordBytesSent(transmissions.id, transmissions.send.size()); - transmissions.clearSend(); - key.interestOps(key.interestOps() & ~SelectionKey.OP_WRITE); + if (!channel.isReady()) { + int status = channel.connect(key.isReadable(), key.isWritable()); + if (status == 0) + key.interestOps(key.interestOps() & ~SelectionKey.OP_CONNECT | SelectionKey.OP_READ); + else + key.interestOps(status); + } else { + transmissions.send.writeTo(channel); + if (transmissions.send.remaining() <= 0) { + this.completedSends.add(transmissions.send); + this.sensors.recordBytesSent(transmissions.id, transmissions.send.size()); + transmissions.clearSend(); + key.interestOps(key.interestOps() & ~SelectionKey.OP_WRITE); + } } } @@ -287,9 +334,9 @@ public class Selector implements Selectable { long endIo = time.nanoseconds(); this.sensors.ioTime.record(endIo - endSelect, time.milliseconds()); } - - private String socketDescription(SocketChannel channel) { - Socket socket = channel.socket(); + + private String socketDescription(Channel channel) { + Socket socket = channel.socketChannel().socket(); if (socket == null) return "[unconnected socket]"; else if (socket.getInetAddress() != null) @@ -362,7 +409,7 @@ public class Selector implements Selectable { /** * Check for data, waiting up to the given timeout. - * + * * @param ms Length of time to wait, in milliseconds. If negative, wait indefinitely. * @return The number of keys ready * @throws IOException @@ -380,7 +427,8 @@ public class Selector implements Selectable { * Begin closing this connection */ private void close(SelectionKey key) { - SocketChannel channel = channel(key); + Channel channel = channel(key); + this.channels.remove(key); Transmissions trans = transmissions(key); if (trans != null) { this.keys.remove(trans.id); @@ -390,7 +438,6 @@ public class Selector implements Selectable { key.attach(null); key.cancel(); try { - channel.socket().close(); channel.close(); } catch (IOException e) { log.error("Exception closing connection to node {}:", trans.id, e); @@ -418,8 +465,8 @@ public class Selector implements Selectable { /** * Get the socket channel associated with this selection key */ - private SocketChannel channel(SelectionKey key) { - return (SocketChannel) key.channel(); + private Channel channel(SelectionKey key) { + return this.channels.get(key); } /** diff --git a/clients/src/main/java/org/apache/kafka/common/network/TransportLayer.java b/clients/src/main/java/org/apache/kafka/common/network/TransportLayer.java new file mode 100644 index 0000000..6ce013b --- /dev/null +++ b/clients/src/main/java/org/apache/kafka/common/network/TransportLayer.java @@ -0,0 +1,86 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.kafka.common.network; + +/* + * Transport layer for underlying communication + */ +import java.io.IOException; +import java.nio.ByteBuffer; +import java.nio.channels.SocketChannel; + +import java.io.DataInputStream; +import java.io.DataOutputStream; + +import java.security.Principal; + + +public interface TransportLayer { + + /** + * Closes this channel + * + * @throws IOException If and I/O error occurs + */ + void close() throws IOException; + + + /** + * Tells wheather or not this channel is open. + */ + boolean isOpen(); + + /** + * Writes a sequence of bytes to this channel from the given buffer. + */ + int write(ByteBuffer src) throws IOException; + + long write(ByteBuffer[] srcs) throws IOException; + + long write(ByteBuffer[] srcs, int offset, int length) throws IOException; + + int read(ByteBuffer dst) throws IOException; + + long read(ByteBuffer[] dsts) throws IOException; + + long read(ByteBuffer[] dsts, int offset, int length) throws IOException; + + boolean isReady(); + + boolean finishConnect() throws IOException; + + SocketChannel socketChannel(); + + /** + * Performs SSL handshake hence is a no-op for the non-secure + * implementation + * @param read Unused in non-secure implementation + * @param write Unused in non-secure implementation + * @return Always return 0 + * @throws IOException + */ + int handshake(boolean read, boolean write) throws IOException; + + DataInputStream inStream() throws IOException; + + DataOutputStream outStream() throws IOException; + + boolean flush(ByteBuffer buffer) throws IOException; + + Principal getPeerPrincipal(); +} diff --git a/clients/src/main/java/org/apache/kafka/common/protocol/SecurityProtocol.java b/clients/src/main/java/org/apache/kafka/common/protocol/SecurityProtocol.java index dab1a94..d663f7a 100644 --- a/clients/src/main/java/org/apache/kafka/common/protocol/SecurityProtocol.java +++ b/clients/src/main/java/org/apache/kafka/common/protocol/SecurityProtocol.java @@ -24,6 +24,8 @@ import java.util.Map; public enum SecurityProtocol { /** Un-authenticated, non-encrypted channel */ PLAINTEXT(0, "PLAINTEXT"), + /** SSL channe */ + SSL(1, "PLAINTEXT"), /** Currently identical to PLAINTEXT and used for testing only. We may implement extra instrumentation when testing channel code. */ TRACE(Short.MAX_VALUE, "TRACE"); diff --git a/clients/src/main/java/org/apache/kafka/common/utils/Utils.java b/clients/src/main/java/org/apache/kafka/common/utils/Utils.java index f73eedb..9382060 100755 --- a/clients/src/main/java/org/apache/kafka/common/utils/Utils.java +++ b/clients/src/main/java/org/apache/kafka/common/utils/Utils.java @@ -479,4 +479,15 @@ public class Utils { public static String readFileAsString(String path) throws IOException { return Utils.readFileAsString(path, Charset.defaultCharset()); } + + public static ByteBuffer ensureCapacity(ByteBuffer existingBuffer, int newLength) { + if (newLength > existingBuffer.capacity()) { + ByteBuffer newBuffer = ByteBuffer.allocate(newLength); + existingBuffer.flip(); + newBuffer.put(existingBuffer); + return newBuffer; + } + return existingBuffer; + } + } diff --git a/clients/src/test/java/org/apache/kafka/common/network/EchoServer.java b/clients/src/test/java/org/apache/kafka/common/network/EchoServer.java new file mode 100644 index 0000000..47dda69 --- /dev/null +++ b/clients/src/test/java/org/apache/kafka/common/network/EchoServer.java @@ -0,0 +1,108 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE + * file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file + * to You under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the + * License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on + * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the + * specific language governing permissions and limitations under the License. + */ +package org.apache.kafka.common.network; + +import org.apache.kafka.common.config.SecurityConfig; +import org.apache.kafka.common.protocol.SecurityProtocol; + +import java.io.DataInputStream; +import java.io.DataOutputStream; +import java.io.IOException; +import java.net.ServerSocket; +import java.net.Socket; +import java.util.ArrayList; +import java.util.Collections; +import java.util.List; +import java.util.concurrent.atomic.AtomicBoolean; + + +/** + * A simple server that takes size delimited byte arrays and just echos them back to the sender. + */ +class EchoServer extends Thread { + public final int port; + private final ServerSocket serverSocket; + private final List threads; + private final List sockets; + private SecurityProtocol protocol; + private SSLFactory sslFactory; + private final AtomicBoolean startHandshake = new AtomicBoolean(); + + public EchoServer(SecurityConfig securityConfig) throws Exception { + this.protocol = SecurityProtocol.valueOf(securityConfig.getString(SecurityConfig.SECURITY_PROTOCOL_CONFIG)); + if (protocol == SecurityProtocol.SSL) { + this.sslFactory = new SSLFactory(SSLFactory.Mode.SERVER); + this.sslFactory.init(securityConfig); + this.serverSocket = sslFactory.createSSLServerSocketFactory().createServerSocket(0); + this.startHandshake.set(true); + } else { + this.serverSocket = new ServerSocket(0); + } + this.port = this.serverSocket.getLocalPort(); + this.threads = Collections.synchronizedList(new ArrayList()); + this.sockets = Collections.synchronizedList(new ArrayList()); + } + + + @Override + public void run() { + try { + while (true) { + final Socket socket = serverSocket.accept(); + sockets.add(socket); + Thread thread = new Thread() { + @Override + public void run() { + try { + DataInputStream input = new DataInputStream(socket.getInputStream()); + DataOutputStream output = new DataOutputStream(socket.getOutputStream()); + while (socket.isConnected() && !socket.isClosed()) { + int size = input.readInt(); + byte[] bytes = new byte[size]; + input.readFully(bytes); + output.writeInt(size); + output.write(bytes); + output.flush(); + } + } catch (IOException e) { + // ignore + } finally { + try { + socket.close(); + } catch (IOException e) { + // ignore + } + } + } + }; + thread.start(); + threads.add(thread); + } + } catch (IOException e) { + // ignore + } + } + + public void closeConnections() throws IOException { + for (Socket socket : sockets) + socket.close(); + } + + public void close() throws IOException, InterruptedException { + this.serverSocket.close(); + closeConnections(); + for (Thread t : threads) + t.join(); + join(); + } +} \ No newline at end of file diff --git a/clients/src/test/java/org/apache/kafka/common/network/SSLSelectorTest.java b/clients/src/test/java/org/apache/kafka/common/network/SSLSelectorTest.java new file mode 100644 index 0000000..f3c6153 --- /dev/null +++ b/clients/src/test/java/org/apache/kafka/common/network/SSLSelectorTest.java @@ -0,0 +1,97 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE + * file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file + * to You under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the + * License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on + * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the + * specific language governing permissions and limitations under the License. + */ +package org.apache.kafka.common.network; + +import static org.junit.Assert.assertEquals; + +import java.io.IOException; +import java.net.InetSocketAddress; +import java.nio.ByteBuffer; +import java.util.LinkedHashMap; + +import org.apache.kafka.common.config.SecurityConfig; +import org.apache.kafka.common.metrics.Metrics; +import org.apache.kafka.common.utils.MockTime; +import org.apache.kafka.test.TestSSLUtils; +import org.apache.kafka.common.utils.Utils; +import org.apache.kafka.test.TestUtils; +import org.junit.After; +import org.junit.Before; +import org.junit.Test; + +/** + * A set of tests for the selector over ssl. These use a test harness that runs a simple socket server that echos back responses. + */ + +public class SSLSelectorTest { + + private static final int BUFFER_SIZE = 4 * 1024; + + private EchoServer server; + private Selectable selector; + + @Before + public void setup() throws Exception { + SecurityConfig serverSecurityConfig = TestSSLUtils.createSSLConfigFile(SSLFactory.Mode.SERVER, null); + this.server = new EchoServer(serverSecurityConfig); + this.server.start(); + String trustStoreServer = serverSecurityConfig.getString(SecurityConfig.SSL_TRUSTSTORE_LOCATION_CONFIG); + SecurityConfig clientSecurityConfig = TestSSLUtils.createSSLConfigFile(SSLFactory.Mode.CLIENT, trustStoreServer); + this.selector = new Selector(new Metrics(), new MockTime(), "MetricGroup", new LinkedHashMap(), clientSecurityConfig); + } + + @After + public void teardown() throws Exception { + this.selector.close(); + this.server.close(); + } + + + /** + * Validate that we can send and receive a message larger than the receive and send buffer size + */ + @Test + public void testSendLargeRequest() throws Exception { + int node = 0; + blockingConnect(node); + String big = TestUtils.randomString(10 * BUFFER_SIZE); + assertEquals(big, blockingRequest(node, big)); + } + + private String blockingRequest(int node, String s) throws IOException { + selector.send(createSend(node, s)); + selector.poll(1000L); + while (true) { + selector.poll(1000L); + for (NetworkReceive receive : selector.completedReceives()) + if (receive.source() == node) + return asString(receive); + } + } + + private String asString(NetworkReceive receive) { + return new String(Utils.toArray(receive.payload())); + } + + private NetworkSend createSend(int node, String s) { + return new NetworkSend(node, ByteBuffer.wrap(s.getBytes())); + } + + /* connect and wait for the connection to complete */ + private void blockingConnect(int node) throws IOException { + selector.connect(node, new InetSocketAddress("localhost", server.port), BUFFER_SIZE, BUFFER_SIZE); + while (!selector.connected().contains(node)) + selector.poll(10000L); + } + +} \ No newline at end of file diff --git a/clients/src/test/java/org/apache/kafka/common/network/SelectorTest.java b/clients/src/test/java/org/apache/kafka/common/network/SelectorTest.java index d5b306b..e4100d3 100644 --- a/clients/src/test/java/org/apache/kafka/common/network/SelectorTest.java +++ b/clients/src/test/java/org/apache/kafka/common/network/SelectorTest.java @@ -15,18 +15,14 @@ package org.apache.kafka.common.network; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertTrue; -import java.io.DataInputStream; -import java.io.DataOutputStream; import java.io.IOException; import java.net.InetSocketAddress; import java.net.ServerSocket; -import java.net.Socket; import java.nio.ByteBuffer; -import java.util.ArrayList; -import java.util.Collections; import java.util.LinkedHashMap; -import java.util.List; +import org.apache.kafka.clients.ClientUtils; +import org.apache.kafka.common.config.SecurityConfig; import org.apache.kafka.common.metrics.Metrics; import org.apache.kafka.common.utils.MockTime; import org.apache.kafka.common.utils.Utils; @@ -47,9 +43,10 @@ public class SelectorTest { @Before public void setup() throws Exception { - this.server = new EchoServer(); + SecurityConfig securityConfig = ClientUtils.parseSecurityConfig(""); + this.server = new EchoServer(securityConfig); this.server.start(); - this.selector = new Selector(new Metrics(), new MockTime() , "MetricGroup", new LinkedHashMap()); + this.selector = new Selector(new Metrics(), new MockTime() , "MetricGroup", new LinkedHashMap(), securityConfig); } @After @@ -264,71 +261,5 @@ public class SelectorTest { return new String(Utils.toArray(receive.payload())); } - /** - * A simple server that takes size delimited byte arrays and just echos them back to the sender. - */ - static class EchoServer extends Thread { - public final int port; - private final ServerSocket serverSocket; - private final List threads; - private final List sockets; - - public EchoServer() throws Exception { - this.serverSocket = new ServerSocket(0); - this.port = this.serverSocket.getLocalPort(); - this.threads = Collections.synchronizedList(new ArrayList()); - this.sockets = Collections.synchronizedList(new ArrayList()); - } - - public void run() { - try { - while (true) { - final Socket socket = serverSocket.accept(); - sockets.add(socket); - Thread thread = new Thread() { - public void run() { - try { - DataInputStream input = new DataInputStream(socket.getInputStream()); - DataOutputStream output = new DataOutputStream(socket.getOutputStream()); - while (socket.isConnected() && !socket.isClosed()) { - int size = input.readInt(); - byte[] bytes = new byte[size]; - input.readFully(bytes); - output.writeInt(size); - output.write(bytes); - output.flush(); - } - } catch (IOException e) { - // ignore - } finally { - try { - socket.close(); - } catch (IOException e) { - // ignore - } - } - } - }; - thread.start(); - threads.add(thread); - } - } catch (IOException e) { - // ignore - } - } - - public void closeConnections() throws IOException { - for (Socket socket : sockets) - socket.close(); - } - - public void close() throws IOException, InterruptedException { - this.serverSocket.close(); - closeConnections(); - for (Thread t : threads) - t.join(); - join(); - } - } } diff --git a/clients/src/test/java/org/apache/kafka/common/utils/UtilsTest.java b/clients/src/test/java/org/apache/kafka/common/utils/UtilsTest.java index 2ebe3c2..bf2b5bd 100755 --- a/clients/src/test/java/org/apache/kafka/common/utils/UtilsTest.java +++ b/clients/src/test/java/org/apache/kafka/common/utils/UtilsTest.java @@ -100,4 +100,6 @@ public class UtilsTest { buffer = ByteBuffer.wrap(myvar).asReadOnlyBuffer(); this.subTest(buffer); } + + } \ No newline at end of file diff --git a/clients/src/test/java/org/apache/kafka/test/TestSSLUtils.java b/clients/src/test/java/org/apache/kafka/test/TestSSLUtils.java new file mode 100644 index 0000000..c811096 --- /dev/null +++ b/clients/src/test/java/org/apache/kafka/test/TestSSLUtils.java @@ -0,0 +1,208 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.kafka.test; + +import org.apache.kafka.common.config.SecurityConfig; +import org.apache.kafka.common.network.SSLFactory; +import sun.security.x509.AlgorithmId; +import sun.security.x509.CertificateAlgorithmId; +import sun.security.x509.CertificateIssuerName; +import sun.security.x509.CertificateSerialNumber; +import sun.security.x509.CertificateSubjectName; +import sun.security.x509.CertificateValidity; +import sun.security.x509.CertificateVersion; +import sun.security.x509.CertificateX509Key; +import sun.security.x509.X500Name; +import sun.security.x509.X509CertImpl; +import sun.security.x509.X509CertInfo; + +import java.io.File; +import java.io.FileOutputStream; +import java.io.IOException; +import java.math.BigInteger; +import java.security.GeneralSecurityException; +import java.security.Key; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.KeyStore; +import java.security.NoSuchAlgorithmException; +import java.security.PrivateKey; +import java.security.SecureRandom; +import java.security.cert.Certificate; +import java.security.cert.X509Certificate; +import java.util.Date; +import java.util.HashMap; +import java.util.Map; +import java.util.Properties; + + +public class TestSSLUtils { + + /** + * Create a self-signed X.509 Certificate. + * From http://bfo.com/blog/2011/03/08/odds_and_ends_creating_a_new_x_509_certificate.html. + * + * @param dn the X.509 Distinguished Name, eg "CN=Test, L=London, C=GB" + * @param pair the KeyPair + * @param days how many days from now the Certificate is valid for + * @param algorithm the signing algorithm, eg "SHA1withRSA" + * @return the self-signed certificate + * @throws IOException thrown if an IO error ocurred. + * @throws GeneralSecurityException thrown if an Security error ocurred. + */ + public static X509Certificate generateCertificate(String dn, KeyPair pair, + int days, String algorithm) throws GeneralSecurityException, IOException { + PrivateKey privkey = pair.getPrivate(); + X509CertInfo info = new X509CertInfo(); + Date from = new Date(); + Date to = new Date(from.getTime() + days * 86400000L); + CertificateValidity interval = new CertificateValidity(from, to); + BigInteger sn = new BigInteger(64, new SecureRandom()); + X500Name owner = new X500Name(dn); + + info.set(X509CertInfo.VALIDITY, interval); + info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(sn)); + info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(owner)); + info.set(X509CertInfo.ISSUER, new CertificateIssuerName(owner)); + info.set(X509CertInfo.KEY, new CertificateX509Key(pair.getPublic())); + info + .set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3)); + AlgorithmId algo = new AlgorithmId(AlgorithmId.md5WithRSAEncryption_oid); + info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(algo)); + + // Sign the cert to identify the algorithm that's used. + X509CertImpl cert = new X509CertImpl(info); + cert.sign(privkey, algorithm); + + // Update the algorith, and resign. + algo = (AlgorithmId) cert.get(X509CertImpl.SIG_ALG); + info + .set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM, + algo); + cert = new X509CertImpl(info); + cert.sign(privkey, algorithm); + return cert; + } + + public static KeyPair generateKeyPair(String algorithm) throws NoSuchAlgorithmException { + KeyPairGenerator keyGen = KeyPairGenerator.getInstance(algorithm); + keyGen.initialize(1024); + return keyGen.genKeyPair(); + } + + private static KeyStore createEmptyKeyStore() throws GeneralSecurityException, IOException { + KeyStore ks = KeyStore.getInstance("JKS"); + ks.load(null, null); // initialize + return ks; + } + + private static void saveKeyStore(KeyStore ks, String filename, + String password) throws GeneralSecurityException, IOException { + FileOutputStream out = new FileOutputStream(filename); + try { + ks.store(out, password.toCharArray()); + } finally { + out.close(); + } + } + + public static void createKeyStore(String filename, + String password, String alias, + Key privateKey, Certificate cert) throws GeneralSecurityException, IOException { + KeyStore ks = createEmptyKeyStore(); + ks.setKeyEntry(alias, privateKey, password.toCharArray(), + new Certificate[]{cert}); + saveKeyStore(ks, filename, password); + } + + /** + * Creates a keystore with a single key and saves it to a file. + * + * @param filename String file to save + * @param password String store password to set on keystore + * @param keyPassword String key password to set on key + * @param alias String alias to use for the key + * @param privateKey Key to save in keystore + * @param cert Certificate to use as certificate chain associated to key + * @throws GeneralSecurityException for any error with the security APIs + * @throws IOException if there is an I/O error saving the file + */ + public static void createKeyStore(String filename, + String password, String keyPassword, String alias, + Key privateKey, Certificate cert) throws GeneralSecurityException, IOException { + KeyStore ks = createEmptyKeyStore(); + ks.setKeyEntry(alias, privateKey, keyPassword.toCharArray(), + new Certificate[]{cert}); + saveKeyStore(ks, filename, password); + } + + public static void createTrustStore(String filename, + String password, String alias, + Certificate cert) throws GeneralSecurityException, IOException { + KeyStore ks = createEmptyKeyStore(); + ks.setCertificateEntry(alias, cert); + saveKeyStore(ks, filename, password); + } + + public static void createTrustStore( + String filename, String password, Map certs) throws GeneralSecurityException, IOException { + KeyStore ks = createEmptyKeyStore(); + for (Map.Entry cert : certs.entrySet()) { + ks.setCertificateEntry(cert.getKey(), cert.getValue()); + } + saveKeyStore(ks, filename, password); + } + + public static SecurityConfig createSSLConfigFile(SSLFactory.Mode mode, String trustStoreFileClient) throws IOException, GeneralSecurityException { + Properties securityConfigProps = new Properties(); + Map certs = new HashMap(); + KeyPair keyPair = generateKeyPair("RSA"); + X509Certificate cert = generateCertificate("CN=localhost, O=localhost", keyPair, 30, "SHA1withRSA"); + String password = "test"; + + if (mode == SSLFactory.Mode.SERVER) { + File keyStoreFile = File.createTempFile("keystore", ".jks"); + createKeyStore(keyStoreFile.getPath(), password, password, "localhost", keyPair.getPrivate(), cert); + certs.put("localhost", cert); + securityConfigProps.put(SecurityConfig.SSL_KEYSTORE_LOCATION_CONFIG, keyStoreFile.getPath()); + securityConfigProps.put(SecurityConfig.SSL_KEYSTORE_TYPE_CONFIG, "JKS"); + securityConfigProps.put(SecurityConfig.SSL_KEYMANAGER_ALGORITHM_CONFIG, "SunX509"); + securityConfigProps.put(SecurityConfig.SSL_KEYSTORE_PASSWORD_CONFIG, password); + securityConfigProps.put(SecurityConfig.SSL_KEY_PASSWORD_CONFIG, password); + + File trustStoreFile = File.createTempFile("truststore", ".jks"); + createTrustStore(trustStoreFile.getPath(), password, certs); + + securityConfigProps.put(SecurityConfig.SECURITY_PROTOCOL_CONFIG, "SSL"); + securityConfigProps.put(SecurityConfig.SSL_CLIENT_REQUIRE_CERT_CONFIG, "false"); + securityConfigProps.put(SecurityConfig.SSL_TRUSTSTORE_LOCATION_CONFIG, trustStoreFile.getPath()); + securityConfigProps.put(SecurityConfig.SSL_TRUSTSTORE_PASSWORD_CONFIG, password); + securityConfigProps.put(SecurityConfig.SSL_TRUSTSTORE_TYPE_CONFIG, "JKS"); + } else { + securityConfigProps.put(SecurityConfig.SECURITY_PROTOCOL_CONFIG, "SSL"); + securityConfigProps.put(SecurityConfig.SSL_CLIENT_REQUIRE_CERT_CONFIG, "false"); + securityConfigProps.put(SecurityConfig.SSL_TRUSTSTORE_LOCATION_CONFIG, trustStoreFileClient); + securityConfigProps.put(SecurityConfig.SSL_TRUSTSTORE_PASSWORD_CONFIG, password); + securityConfigProps.put(SecurityConfig.SSL_TRUSTSTORE_TYPE_CONFIG, "JKS"); + } + + securityConfigProps.put(SecurityConfig.SSL_TRUSTMANAGER_ALGORITHM_CONFIG, "SunX509"); + return new SecurityConfig(securityConfigProps); + } + +} -- 2.4.4 From 754a121e7582f1452a9ae3a3ab72c58cf284da1d Mon Sep 17 00:00:00 2001 From: Sriharsha Chintalapani Date: Sun, 10 May 2015 23:02:01 -0700 Subject: [PATCH 02/19] KAFKA-1690. new java producer needs ssl support as a client. --- build.gradle | 13 +- checkstyle/import-control.xml | 39 ++-- .../java/org/apache/kafka/clients/ClientUtils.java | 11 +- .../apache/kafka/clients/CommonClientConfigs.java | 67 ++++++- .../kafka/clients/consumer/ConsumerConfig.java | 28 ++- .../kafka/clients/consumer/KafkaConsumer.java | 99 +++++----- .../kafka/clients/producer/KafkaProducer.java | 61 +++--- .../kafka/clients/producer/ProducerConfig.java | 25 ++- .../apache/kafka/common/config/AbstractConfig.java | 12 +- .../apache/kafka/common/config/SecurityConfig.java | 113 ----------- .../apache/kafka/common/network/Authenticator.java | 2 +- .../org/apache/kafka/common/network/Channel.java | 2 +- .../kafka/common/network/DefaultAuthenticator.java | 2 +- .../common/network/PlainTextTransportLayer.java | 3 +- .../apache/kafka/common/network/SSLFactory.java | 55 +++--- .../kafka/common/network/SSLTransportLayer.java | 217 +++++++++++---------- .../org/apache/kafka/common/network/Selector.java | 33 ++-- .../kafka/common/network/TransportLayer.java | 2 +- .../apache/kafka/common/network/EchoServer.java | 18 +- .../kafka/common/network/SSLSelectorTest.java | 72 ++++++- .../apache/kafka/common/network/SelectorTest.java | 14 +- .../java/org/apache/kafka/test/TestSSLUtils.java | 157 ++++++++------- 22 files changed, 551 insertions(+), 494 deletions(-) delete mode 100644 clients/src/main/java/org/apache/kafka/common/config/SecurityConfig.java diff --git a/build.gradle b/build.gradle index cd2aa83..4e83d7d 100644 --- a/build.gradle +++ b/build.gradle @@ -4,9 +4,9 @@ // The ASF licenses this file to You under the Apache License, Version 2.0 // (the "License"); you may not use this file except in compliance with // the License. You may obtain a copy of the License at -// +// // http://www.apache.org/licenses/LICENSE-2.0 -// +// // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -109,7 +109,7 @@ subprojects { archives srcJar archives javadocJar } - + plugins.withType(ScalaPlugin) { //source jar should also contain scala source: srcJar.from sourceSets.main.scala @@ -250,9 +250,9 @@ project(':core') { into "$buildDir/dependant-libs-${scalaVersion}" } - tasks.create(name: "releaseTarGz", dependsOn: configurations.archives.artifacts, type: Tar) { + tasks.create(name: "releaseTarGz", dependsOn: configurations.archives.artifacts, type: Tar) { into "kafka_${baseScalaVersion}-${version}" - compression = Compression.GZIP + compression = Compression.GZIP from(project.file("../bin")) { into "bin/" } from(project.file("../config")) { into "config/" } from '../LICENSE' @@ -354,6 +354,7 @@ project(':clients') { compile "org.slf4j:slf4j-api:1.7.6" compile 'org.xerial.snappy:snappy-java:1.1.1.6' compile 'net.jpountz.lz4:lz4:1.2.0' + compile 'org.bouncycastle:bcprov-jdk16:1.46' testCompile 'com.novocode:junit-interface:0.9' testRuntime "$slf4jlog4j" @@ -382,7 +383,7 @@ project(':clients') { artifacts { archives testJar } - + checkstyle { configFile = new File(rootDir, "checkstyle/checkstyle.xml") } diff --git a/checkstyle/import-control.xml b/checkstyle/import-control.xml index e649189..339c620 100644 --- a/checkstyle/import-control.xml +++ b/checkstyle/import-control.xml @@ -8,19 +8,19 @@ // The ASF licenses this file to You under the Apache License, Version 2.0 // (the "License"); you may not use this file except in compliance with // the License. You may obtain a copy of the License at -// +// // http://www.apache.org/licenses/LICENSE-2.0 -// +// // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. ---> +--> - + - + @@ -28,11 +28,11 @@ - - + + - + @@ -43,7 +43,7 @@ - + @@ -51,35 +51,35 @@ - + - + - + - + - + - + @@ -92,15 +92,15 @@ - + - + - + @@ -109,6 +109,7 @@ + - + diff --git a/clients/src/main/java/org/apache/kafka/clients/ClientUtils.java b/clients/src/main/java/org/apache/kafka/clients/ClientUtils.java index 54a554f..3657279 100644 --- a/clients/src/main/java/org/apache/kafka/clients/ClientUtils.java +++ b/clients/src/main/java/org/apache/kafka/clients/ClientUtils.java @@ -3,9 +3,9 @@ * file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file * to You under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the * License. You may obtain a copy of the License at - * + * * http://www.apache.org/licenses/LICENSE-2.0 - * + * * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the * specific language governing permissions and limitations under the License. @@ -69,10 +69,9 @@ public class ClientUtils { public static SecurityConfig parseSecurityConfig(String securityConfigFile) throws IOException { Properties securityProps = new Properties(); - if (securityConfigFile == null || securityConfigFile == "") { - return new SecurityConfig(securityProps); + if (securityConfigFile != null && securityConfigFile != "") { + securityProps = loadProps(securityConfigFile); } - securityProps = loadProps(securityConfigFile); return new SecurityConfig(securityProps); } -} \ No newline at end of file +} diff --git a/clients/src/main/java/org/apache/kafka/clients/CommonClientConfigs.java b/clients/src/main/java/org/apache/kafka/clients/CommonClientConfigs.java index 0b23875..ead3826 100644 --- a/clients/src/main/java/org/apache/kafka/clients/CommonClientConfigs.java +++ b/clients/src/main/java/org/apache/kafka/clients/CommonClientConfigs.java @@ -3,9 +3,9 @@ * file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file * to You under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the * License. You may obtain a copy of the License at - * + * * http://www.apache.org/licenses/LICENSE-2.0 - * + * * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the * specific language governing permissions and limitations under the License. @@ -17,7 +17,7 @@ package org.apache.kafka.clients; * Some configurations shared by both producer and consumer */ public class CommonClientConfigs { - + /* * NOTE: DO NOT CHANGE EITHER CONFIG NAMES AS THESE ARE PART OF THE PUBLIC API AND CHANGE WILL BREAK USER CODE. */ @@ -27,10 +27,10 @@ public class CommonClientConfigs { + "host1:port1,host2:port2,.... Since these servers are just used for the initial connection to " + "discover the full cluster membership (which may change dynamically), this list need not contain the full set of " + "servers (you may want more than one, though, in case a server is down)."; - + public static final String METADATA_MAX_AGE_CONFIG = "metadata.max.age.ms"; public static final String METADATA_MAX_AGE_DOC = "The period of time in milliseconds after which we force a refresh of metadata even if we haven't seen any partition leadership changes to proactively discover any new brokers or partitions."; - + public static final String SEND_BUFFER_CONFIG = "send.buffer.bytes"; public static final String SEND_BUFFER_DOC = "The size of the TCP send buffer (SO_SNDBUF) to use when sending data."; @@ -45,7 +45,7 @@ public class CommonClientConfigs { public static final String RETRY_BACKOFF_MS_CONFIG = "retry.backoff.ms"; public static final String RETRY_BACKOFF_MS_DOC = "The amount of time to wait before attempting to retry a failed fetch request to a given topic partition. This avoids repeated fetching-and-failing in a tight loop."; - + public static final String METRICS_SAMPLE_WINDOW_MS_CONFIG = "metrics.sample.window.ms"; public static final String METRICS_SAMPLE_WINDOW_MS_DOC = "The number of samples maintained to compute metrics."; @@ -57,4 +57,57 @@ public class CommonClientConfigs { public static final String SECURITY_CONFIG_FILE_CONFIG = "security.config.file"; public static final String SECURITY_CONFIG_FILE_DOC = "Kafka client security related config file."; -} \ No newline at end of file + + public static final String SECURITY_PROTOCOL_CONFIG = "security.protocol"; + public static final String SECURITY_PROTOCOL_DOC = "Protocol used to communicate with brokers. Currently only PLAINTEXT and SSL are supported."; + + public static final String SSL_PROTOCOL_CONFIG = "ssl.protocol"; + public static final String SSL_PROTOCOL_DOC = "The ssl protocol used to generate SSLContext." + + "Default setting is TLS. Allowed values are SSL, SSLv2, SSLv3, TLS, TLSv1.1, TLSv1.2"; + + public static final String SSL_CIPHER_SUITES_CONFIG = "ssl.cipher.suites"; + public static final String SSL_CIPHER_SUITES_DOC = "A cipher suite is a named combination of authentication, encryption, MAC and key exchange algorithm used to negotiate the security settings for a network connection using TLS or SSL network protocol." + + "By default all the available cipher suites are supported."; + + public static final String SSL_ENABLED_PROTOCOLS_CONFIG = "ssl.enabled.protocols"; + public static final String SSL_ENABLED_PROTOCOLS_DOC = "The list of protocols enabled for SSL connections. " + + "All versions of TLS is enabled by default."; + + public static final String SSL_KEYSTORE_TYPE_CONFIG = "ssl.keystore.type"; + public static final String SSL_KEYSTORE_TYPE_DOC = "The file format of the key store file. " + + "This is optional for client. Default value is JKS"; + + public static final String SSL_KEYSTORE_LOCATION_CONFIG = "ssl.keystore.location"; + public static final String SSL_KEYSTORE_LOCATION_DOC = "The location of the key store file. " + + "This is optional for Client and can be used for two-way authentication for client."; + + public static final String SSL_KEYSTORE_PASSWORD_CONFIG = "ssl.keystore.password"; + public static final String SSL_KEYSTORE_PASSWORD_DOC = "The store password for the key store file. "; + + public static final String SSL_KEY_PASSWORD_CONFIG = "ssl.key.password"; + public static final String SSL_KEY_PASSWORD_DOC = "The password of the private key in the key store file. " + + "This is optional for client."; + + public static final String SSL_TRUSTSTORE_TYPE_CONFIG = "ssl.truststore.type"; + public static final String SSL_TRUSTSTORE_TYPE_DOC = "The file format of the trust store file. " + + "Default value is JKS."; + + public static final String SSL_TRUSTSTORE_LOCATION_CONFIG = "ssl.truststore.location"; + public static final String SSL_TRUSTSTORE_LOCATION_DOC = "The location of the trust store file. "; + + public static final String SSL_TRUSTSTORE_PASSWORD_CONFIG = "ssl.truststore.password"; + public static final String SSL_TRUSTSTORE_PASSWORD_DOC = "The password for the trust store file. "; + + public static final String SSL_CLIENT_REQUIRE_CERT_CONFIG = "ssl.client.require.cert"; + public static final String SSL_CLIENT_REQUIRE_CERT_DOC = "This is to enforce two-way authentication between client and server." + + "Default value is false. If set to true client need to prover Keystrore releated config"; + + public static final String SSL_KEYMANAGER_ALGORITHM_CONFIG = "ssl.keymanager.algorithm"; + public static final String SSL_KEYMANAGER_ALGORITHM_DOC = "The algorithm used by key manager factory for SSL connections. " + + "Default value is the key manager factory algorithm configured for the Java Virtual Machine."; + + public static final String SSL_TRUSTMANAGER_ALGORITHM_CONFIG = "ssl.trustmanager.algorithm"; + public static final String SSL_TRUSTMANAGER_ALGORITHM_DOC = "The algorithm used by trust manager factory for SSL connections. " + + "Default value is the trust manager factory algorithm configured for the Java Virtual Machine."; + +} diff --git a/clients/src/main/java/org/apache/kafka/clients/consumer/ConsumerConfig.java b/clients/src/main/java/org/apache/kafka/clients/consumer/ConsumerConfig.java index 190fe63..4ccd423 100644 --- a/clients/src/main/java/org/apache/kafka/clients/consumer/ConsumerConfig.java +++ b/clients/src/main/java/org/apache/kafka/clients/consumer/ConsumerConfig.java @@ -3,9 +3,9 @@ * file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file * to You under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the * License. You may obtain a copy of the License at - * + * * http://www.apache.org/licenses/LICENSE-2.0 - * + * * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the * specific language governing permissions and limitations under the License. @@ -19,6 +19,7 @@ import org.apache.kafka.common.config.ConfigDef; import org.apache.kafka.common.config.ConfigDef.Importance; import org.apache.kafka.common.config.ConfigDef.Type; import org.apache.kafka.common.serialization.Deserializer; +import org.apache.kafka.common.protocol.SecurityProtocol; import java.util.HashMap; import java.util.Map; @@ -147,7 +148,7 @@ public class ConsumerConfig extends AbstractConfig { */ public static final String CHECK_CRCS_CONFIG = "check.crcs"; private static final String CHECK_CRCS_DOC = "Automatically check the CRC32 of the records consumed. This ensures no on-the-wire or on-disk corruption to the messages occurred. This check adds some overhead, so it may be disabled in cases seeking extreme performance."; - + /** key.deserializer */ public static final String KEY_DESERIALIZER_CLASS_CONFIG = "key.deserializer"; private static final String KEY_DESERIALIZER_CLASS_DOC = "Deserializer class for key that implements the Deserializer interface."; @@ -256,7 +257,7 @@ public class ConsumerConfig extends AbstractConfig { Type.BOOLEAN, true, Importance.LOW, - CHECK_CRCS_DOC) + CHECK_CRCS_DOC) .define(METRICS_SAMPLE_WINDOW_MS_CONFIG, Type.LONG, 30000, @@ -282,11 +283,20 @@ public class ConsumerConfig extends AbstractConfig { Type.CLASS, Importance.HIGH, VALUE_DESERIALIZER_CLASS_DOC) - .define(SECURITY_CONFIG_FILE_CONFIG, - Type.STRING, - "", - Importance.MEDIUM, - SECURITY_CONFIG_FILE_DOC); + .define(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, Type.STRING, SecurityProtocol.PLAINTEXT.toString(), Importance.MEDIUM, CommonClientConfigs.SECURITY_PROTOCOL_DOC) + .define(CommonClientConfigs.SSL_PROTOCOL_CONFIG, Type.STRING, "TLS", Importance.MEDIUM, CommonClientConfigs.SSL_PROTOCOL_DOC) + .define(CommonClientConfigs.SSL_CIPHER_SUITES_CONFIG, Type.LIST, "", Importance.LOW, CommonClientConfigs.SSL_CIPHER_SUITES_DOC) + .define(CommonClientConfigs.SSL_ENABLED_PROTOCOLS_CONFIG, Type.LIST, "TLSv1.2, TLSv1.1, TLSv1", Importance.MEDIUM, CommonClientConfigs.SSL_ENABLED_PROTOCOLS_DOC) + .define(CommonClientConfigs.SSL_KEYSTORE_TYPE_CONFIG, Type.STRING, "JKS", Importance.MEDIUM, CommonClientConfigs.SSL_KEYSTORE_TYPE_DOC) + .define(CommonClientConfigs.SSL_KEYSTORE_LOCATION_CONFIG, Type.STRING, Importance.HIGH, CommonClientConfigs.SSL_KEYSTORE_LOCATION_DOC, false) + .define(CommonClientConfigs.SSL_KEYSTORE_PASSWORD_CONFIG, Type.STRING, Importance.HIGH, CommonClientConfigs.SSL_KEYSTORE_PASSWORD_DOC, false) + .define(CommonClientConfigs.SSL_KEY_PASSWORD_CONFIG, Type.STRING, Importance.HIGH, CommonClientConfigs.SSL_KEY_PASSWORD_DOC, false) + .define(CommonClientConfigs.SSL_TRUSTSTORE_TYPE_CONFIG, Type.STRING, "JKS", Importance.MEDIUM, CommonClientConfigs.SSL_TRUSTSTORE_TYPE_DOC) + .define(CommonClientConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG, Type.STRING, Importance.HIGH, CommonClientConfigs.SSL_TRUSTSTORE_LOCATION_DOC, false) + .define(CommonClientConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG, Type.STRING, Importance.HIGH, CommonClientConfigs.SSL_TRUSTSTORE_PASSWORD_DOC, false) + .define(CommonClientConfigs.SSL_KEYMANAGER_ALGORITHM_CONFIG, Type.STRING, "SunX509", Importance.LOW, CommonClientConfigs.SSL_KEYMANAGER_ALGORITHM_DOC) + .define(CommonClientConfigs.SSL_TRUSTMANAGER_ALGORITHM_CONFIG, Type.STRING, "SunX509", Importance.LOW, CommonClientConfigs.SSL_TRUSTMANAGER_ALGORITHM_DOC) + .define(CommonClientConfigs.SSL_CLIENT_REQUIRE_CERT_CONFIG, Type.BOOLEAN, false, Importance.MEDIUM, CommonClientConfigs.SSL_CLIENT_REQUIRE_CERT_DOC); } public static Map addDeserializerToConfig(Map configs, diff --git a/clients/src/main/java/org/apache/kafka/clients/consumer/KafkaConsumer.java b/clients/src/main/java/org/apache/kafka/clients/consumer/KafkaConsumer.java index 032fd4b..375669f 100644 --- a/clients/src/main/java/org/apache/kafka/clients/consumer/KafkaConsumer.java +++ b/clients/src/main/java/org/apache/kafka/clients/consumer/KafkaConsumer.java @@ -3,9 +3,9 @@ * file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file * to You under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the * License. You may obtain a copy of the License at - * + * * http://www.apache.org/licenses/LICENSE-2.0 - * + * * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the * specific language governing permissions and limitations under the License. @@ -37,7 +37,6 @@ import org.apache.kafka.common.KafkaException; import org.apache.kafka.common.Metric; import org.apache.kafka.common.PartitionInfo; import org.apache.kafka.common.TopicPartition; -import org.apache.kafka.common.config.SecurityConfig; import org.apache.kafka.common.metrics.JmxReporter; import org.apache.kafka.common.metrics.MetricConfig; import org.apache.kafka.common.MetricName; @@ -63,7 +62,7 @@ import org.slf4j.LoggerFactory; *

* The consumer is thread safe but generally will be used only from within a single thread. The consumer client has no * threads of it's own, all work is done in the caller's thread when calls are made on the various methods exposed. - * + * *

Offsets and Consumer Position

* Kafka maintains a numerical offset for each record in a partition. This offset acts as a kind of unique identifier of * a record within that partition, and also denotes the position of the consumer in the partition. That is, a consumer @@ -81,9 +80,9 @@ import org.slf4j.LoggerFactory; *

* This distinction gives the consumer control over when a record is considered consumed. It is discussed in further * detail below. - * + * *

Consumer Groups

- * + * * Kafka uses the concept of consumer groups to allow a pool of processes to divide up the work of consuming and * processing records. These processes can either be running on the same machine or, as is more likely, they can be * distributed over many machines to provide additional scalability and fault tolerance for processing. @@ -112,14 +111,14 @@ import org.slf4j.LoggerFactory; *

* It is also possible for the consumer to manually specify the partitions it subscribes to, which disables this dynamic * partition balancing. - * + * *

Usage Examples

* The consumer APIs offer flexibility to cover a variety of consumption use cases. Here are some examples to * demonstrate how to use them. - * + * *

Simple Processing

* This example demonstrates the simplest usage of Kafka's consumer api. - * + * * 
  *     Properties props = new Properties();
  *     props.put("bootstrap.servers", "localhost:9092");
@@ -137,7 +136,7 @@ import org.slf4j.LoggerFactory;
  *             System.out.printf("offset = %d, key = %s, value = %s", record.offset(), record.key(), record.value());
  *     }
  *
- * + * * Setting enable.auto.commit means that offsets are committed automatically with a frequency controlled by * the config auto.commit.interval.ms. *

@@ -157,9 +156,9 @@ import org.slf4j.LoggerFactory; *

* The serializers settings specify how to turn the objects the user provides into bytes. By specifying the string * serializers we are saying that our record's key and value will just be simple strings. - * + * *

Controlling When Messages Are Considered Consumed

- * + * * In this example we will consume a batch of records and batch them up in memory, when we have sufficient records * batched we will insert them into a database. If we allowed offsets to auto commit as in the previous example messages * would be considered consumed after they were given out by the consumer, and it would be possible that our process @@ -171,7 +170,7 @@ import org.slf4j.LoggerFactory; * would consume from last committed offset and would repeat the insert of the last batch of data. Used in this way * Kafka provides what is often called "at-least once delivery" guarantees, as each message will likely be delivered one * time but in failure cases could be duplicated. - * + * * 
  *     Properties props = new Properties();
  *     props.put("bootstrap.servers", "localhost:9092");
@@ -197,9 +196,9 @@ import org.slf4j.LoggerFactory;
  *         }
  *     }
  *
- * + * *

Subscribing To Specific Partitions

- * + * * In the previous examples we subscribed to the topics we were interested in and let Kafka give our particular process * a fair share of the partitions for those topics. This provides a simple load balancing mechanism so multiple * instances of our program can divided up the work of processing records. @@ -219,7 +218,7 @@ import org.slf4j.LoggerFactory; *

* This mode is easy to specify, rather than subscribing to the topic, the consumer just subscribes to particular * partitions: - * + * * 

  *     String topic = "foo";
  *     TopicPartition partition0 = new TopicPartition(topic, 0);
@@ -227,15 +226,15 @@ import org.slf4j.LoggerFactory;
  *     consumer.subscribe(partition0);
  *     consumer.subscribe(partition1);
  *
- * + * * The group that the consumer specifies is still used for committing offsets, but now the set of partitions will only * be changed if the consumer specifies new partitions, and no attempt at failure detection will be made. *

* It isn't possible to mix both subscription to specific partitions (with no load balancing) and to topics (with load * balancing) using the same consumer instance. - * + * *

Managing Your Own Offsets

- * + * * The consumer application need not use Kafka's built-in offset storage, it can store offsets in a store of it's own * choosing. The primary use case for this is allowing the application to store both the offset and the results of the * consumption in the same system in a way that both the results and offsets are stored atomically. This is not always @@ -255,14 +254,14 @@ import org.slf4j.LoggerFactory; * This means that in this case the indexing process that comes back having lost recent updates just resumes indexing * from what it has ensuring that no updates are lost. * - * + * * Each record comes with it's own offset, so to manage your own offset you just need to do the following: *
    *
  1. Configure enable.auto.commit=false *
  2. Use the offset provided with each {@link ConsumerRecord} to save your position. *
  3. On restart restore the position of the consumer using {@link #seek(TopicPartition, long)}. *
- * + * * This type of usage is simplest when the partition assignment is also done manually (this would be likely in the * search index use case described above). If the partition assignment is done automatically special care will also be * needed to handle the case where partition assignments change. This can be handled using a special callback specified @@ -275,9 +274,9 @@ import org.slf4j.LoggerFactory; *

* Another common use for {@link ConsumerRebalanceCallback} is to flush any caches the application maintains for * partitions that are moved elsewhere. - * + * *

Controlling The Consumer's Position

- * + * * In most use cases the consumer will simply consume records from beginning to end, periodically committing it's * position (either automatically or manually). However Kafka allows the consumer to manually control it's position, * moving forward or backwards in a partition at will. This means a consumer can re-consume older records, or skip to @@ -292,20 +291,20 @@ import org.slf4j.LoggerFactory; * the consumer will want to initialize it's position on start-up to whatever is contained in the local store. Likewise * if the local state is destroyed (say because the disk is lost) the state may be recreated on a new machine by * reconsuming all the data and recreating the state (assuming that Kafka is retaining sufficient history). - * + * * Kafka allows specifying the position using {@link #seek(TopicPartition, long)} to specify the new position. Special * methods for seeking to the earliest and latest offset the server maintains are also available ( * {@link #seekToBeginning(TopicPartition...)} and {@link #seekToEnd(TopicPartition...)} respectively). - * + * *

Multithreaded Processing

- * + * * The Kafka consumer is threadsafe but coarsely synchronized. All network I/O happens in the thread of the application * making the call. We have intentionally avoided implementing a particular threading model for processing. *

* This leaves several options for implementing multi-threaded processing of records. - * + * *

1. One Consumer Per Thread

- * + * * A simple option is to give each thread it's own consumer instance. Here are the pros and cons of this approach: *
    *
  • PRO: It is the easiest to implement @@ -318,13 +317,13 @@ import org.slf4j.LoggerFactory; * which can cause some drop in I/O throughput. *
  • CON: The number of total threads across all processes will be limited by the total number of partitions. *
- * + * *

2. Decouple Consumption and Processing

- * + * * Another alternative is to have one or more consumer threads that do all data consumption and hands off * {@link ConsumerRecords} instances to a blocking queue consumed by a pool of processor threads that actually handle * the record processing. - * + * * This option likewise has pros and cons: *
    *
  • PRO: This option allows independently scaling the number of consumers and processors. This makes it @@ -335,11 +334,11 @@ import org.slf4j.LoggerFactory; *
  • CON: Manually committing the position becomes harder as it requires that all threads co-ordinate to ensure * that processing is complete for that partition. *
- * + * * There are many possible variations on this approach. For example each processor thread can have it's own queue, and * the consumer threads can hash into these queues using the TopicPartition to ensure in-order consumption and simplify * commit. - * + * */ public class KafkaConsumer implements Consumer { @@ -362,7 +361,6 @@ public class KafkaConsumer implements Consumer { private final boolean autoCommit; private final long autoCommitIntervalMs; private final ConsumerRebalanceCallback rebalanceCallback; - private final SecurityConfig securityConfig; private long lastCommitAttemptMs; private boolean closed = false; @@ -373,7 +371,7 @@ public class KafkaConsumer implements Consumer { * string "42" or the integer 42). *

* Valid configuration strings are documented at {@link ConsumerConfig} - * + * * @param configs The consumer configs */ public KafkaConsumer(Map configs) { @@ -385,7 +383,7 @@ public class KafkaConsumer implements Consumer { * {@link ConsumerRebalanceCallback} implementation, a key and a value {@link Deserializer}. *

* Valid configuration strings are documented at {@link ConsumerConfig} - * + * * @param configs The consumer configs * @param callback A callback interface that the user can implement to manage customized offsets on the start and * end of every rebalance operation. @@ -419,7 +417,7 @@ public class KafkaConsumer implements Consumer { * {@link ConsumerRebalanceCallback} implementation, a key and a value {@link Deserializer}. *

* Valid configuration strings are documented at {@link ConsumerConfig} - * + * * @param properties The consumer configuration properties * @param callback A callback interface that the user can implement to manage customized offsets on the start and * end of every rebalance operation. @@ -470,12 +468,11 @@ public class KafkaConsumer implements Consumer { this.metadata = new Metadata(retryBackoffMs, config.getLong(ConsumerConfig.METADATA_MAX_AGE_CONFIG)); List addresses = ClientUtils.parseAndValidateAddresses(config.getList(ConsumerConfig.BOOTSTRAP_SERVERS_CONFIG)); this.metadata.update(Cluster.bootstrap(addresses), 0); - String metricGrpPrefix = "consumer"; Map metricsTags = new LinkedHashMap(); metricsTags.put("client-id", clientId); - this.securityConfig = ClientUtils.parseSecurityConfig(config.getString(ConsumerConfig.SECURITY_CONFIG_FILE_CONFIG)); - this.client = new NetworkClient(new Selector(metrics, time, metricGrpPrefix, metricsTags, securityConfig), + + this.client = new NetworkClient(new Selector(metrics, time, metricGrpPrefix, metricsTags, config.values()), this.metadata, clientId, 100, // a fixed large enough value will suffice @@ -559,7 +556,7 @@ public class KafkaConsumer implements Consumer { *

  • An existing member of the consumer group dies *
  • A new member is added to an existing consumer group via the join API * - * + * * @param topics A variable list of topics that the consumer wants to subscribe to */ @Override @@ -576,7 +573,7 @@ public class KafkaConsumer implements Consumer { * functionality. As such, there will be no rebalance operation triggered when group membership or cluster and topic * metadata change. *

    - * + * * @param partitions Partitions to incrementally subscribe to */ @Override @@ -592,7 +589,7 @@ public class KafkaConsumer implements Consumer { /** * Unsubscribe from the specific topics. This will trigger a rebalance operation and records for this topic will not * be returned from the next {@link #poll(long) poll()} onwards - * + * * @param topics Topics to unsubscribe from */ public synchronized void unsubscribe(String... topics) { @@ -606,7 +603,7 @@ public class KafkaConsumer implements Consumer { /** * Unsubscribe from the specific topic partitions. records for these partitions will not be returned from the next * {@link #poll(long) poll()} onwards - * + * * @param partitions Partitions to unsubscribe from */ public synchronized void unsubscribe(TopicPartition... partitions) { @@ -625,11 +622,11 @@ public class KafkaConsumer implements Consumer { * If {@link #seek(TopicPartition, long)} is used, it will use the specified offsets on startup and on every * rebalance, to consume data from that offset sequentially on every poll. If not, it will use the last checkpointed * offset using {@link #commit(Map, CommitType) commit(offsets, sync)} for the subscribed list of partitions. - * + * * @param timeout The time, in milliseconds, spent waiting in poll if data is not available. If 0, waits * indefinitely. Must not be negative * @return map of topic to records since the last fetch for the subscribed list of topics and partitions - * + * * @throws NoOffsetForPartitionException If there is no stored offset for a subscribed partition and no automatic * offset reset policy has been configured. */ @@ -683,7 +680,7 @@ public class KafkaConsumer implements Consumer { * A non-blocking commit will attempt to commit offsets asychronously. No error will be thrown if the commit fails. * A blocking commit will wait for a response acknowledging the commit. In the event of an error it will retry until * the commit succeeds. - * + * * @param offsets The list of offsets per partition that should be committed to Kafka. * @param commitType Control whether the commit is blocking */ @@ -708,7 +705,7 @@ public class KafkaConsumer implements Consumer { * This commits offsets only to Kafka. The offsets committed using this API will be used on the first fetch after * every rebalance and also on startup. As such, if you need to store offsets in anything other than Kafka, this API * should not be used. - * + * * @param commitType Whether or not the commit should block until it is acknowledged. */ @Override @@ -757,7 +754,7 @@ public class KafkaConsumer implements Consumer { /** * Returns the offset of the next record that will be fetched (if a record with that offset exists). - * + * * @param partition The partition to get the position for * @return The offset * @throws NoOffsetForPartitionException If a position hasn't been set for a given partition, and no reset policy is @@ -782,7 +779,7 @@ public class KafkaConsumer implements Consumer { *

    * This call may block to do a remote call if the partition in question isn't assigned to this consumer or if the * consumer hasn't yet initialized it's cache of committed offsets. - * + * * @param partition The partition to check * @return The last committed offset or null if no offset has been committed * @throws NoOffsetForPartitionException If no offset has ever been committed by any process for the given @@ -818,7 +815,7 @@ public class KafkaConsumer implements Consumer { /** * Get metadata about the partitions for a given topic. This method will issue a remote call to the server if it * does not already have any metadata about the given topic. - * + * * @param topic The topic to get partition metadata for * @return The list of partitions */ diff --git a/clients/src/main/java/org/apache/kafka/clients/producer/KafkaProducer.java b/clients/src/main/java/org/apache/kafka/clients/producer/KafkaProducer.java index 2c21dee..1650d85 100644 --- a/clients/src/main/java/org/apache/kafka/clients/producer/KafkaProducer.java +++ b/clients/src/main/java/org/apache/kafka/clients/producer/KafkaProducer.java @@ -3,9 +3,9 @@ * file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file * to You under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the * License. You may obtain a copy of the License at - * + * * http://www.apache.org/licenses/LICENSE-2.0 - * + * * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the * specific language governing permissions and limitations under the License. @@ -32,7 +32,6 @@ import org.apache.kafka.common.Metric; import org.apache.kafka.common.PartitionInfo; import org.apache.kafka.common.TopicPartition; import org.apache.kafka.common.config.ConfigException; -import org.apache.kafka.common.config.SecurityConfig; import org.apache.kafka.common.errors.ApiException; import org.apache.kafka.common.errors.InterruptException; import org.apache.kafka.common.errors.RecordTooLargeException; @@ -74,11 +73,11 @@ import org.slf4j.LoggerFactory; * props.put("buffer.memory", 33554432); * props.put("key.serializer", "org.apache.kafka.common.serialization.StringSerializer"); * props.put("value.serializer", "org.apache.kafka.common.serialization.StringSerializer"); - * + * * Producer producer = new KafkaProducer(props); * for(int i = 0; i < 100; i++) * producer.send(new ProducerRecord("my-topic", Integer.toString(i), Integer.toString(i))); - * + * * producer.close(); * } *

    @@ -93,25 +92,25 @@ import org.slf4j.LoggerFactory; * we have specified will result in blocking on the full commit of the record, the slowest but most durable setting. *

    * If the request fails, the producer can automatically retry, though since we have specified retries - * as 0 it won't. Enabling retries also opens up the possibility of duplicates (see the documentation on + * as 0 it won't. Enabling retries also opens up the possibility of duplicates (see the documentation on * message delivery semantics for details). *

    - * The producer maintains buffers of unsent records for each partition. These buffers are of a size specified by + * The producer maintains buffers of unsent records for each partition. These buffers are of a size specified by * the batch.size config. Making this larger can result in more batching, but requires more memory (since we will * generally have one of these buffers for each active partition). *

    - * By default a buffer is available to send immediately even if there is additional unused space in the buffer. However if you + * By default a buffer is available to send immediately even if there is additional unused space in the buffer. However if you * want to reduce the number of requests you can set linger.ms to something greater than 0. This will - * instruct the producer to wait up to that number of milliseconds before sending a request in hope that more records will - * arrive to fill up the same batch. This is analogous to Nagle's algorithm in TCP. For example, in the code snippet above, - * likely all 100 records would be sent in a single request since we set our linger time to 1 millisecond. However this setting - * would add 1 millisecond of latency to our request waiting for more records to arrive if we didn't fill up the buffer. Note that - * records that arrive close together in time will generally batch together even with linger.ms=0 so under heavy load + * instruct the producer to wait up to that number of milliseconds before sending a request in hope that more records will + * arrive to fill up the same batch. This is analogous to Nagle's algorithm in TCP. For example, in the code snippet above, + * likely all 100 records would be sent in a single request since we set our linger time to 1 millisecond. However this setting + * would add 1 millisecond of latency to our request waiting for more records to arrive if we didn't fill up the buffer. Note that + * records that arrive close together in time will generally batch together even with linger.ms=0 so under heavy load * batching will occur regardless of the linger configuration; however setting this to something larger than 0 can lead to fewer, more * efficient requests when not under maximal load at the cost of a small amount of latency. *

    * The buffer.memory controls the total amount of memory available to the producer for buffering. If records - * are sent faster than they can be transmitted to the server then this buffer space will be exhausted. When the buffer space is + * are sent faster than they can be transmitted to the server then this buffer space will be exhausted. When the buffer space is * exhausted additional send calls will block. For uses where you want to avoid any blocking you can set block.on.buffer.full=false which * will cause the send call to result in an exception. *

    @@ -139,7 +138,6 @@ public class KafkaProducer implements Producer { private final Serializer keySerializer; private final Serializer valueSerializer; private final ProducerConfig producerConfig; - private final SecurityConfig securityConfig; /** * A producer is instantiated by providing a set of key-value pairs as configuration. Valid configuration strings @@ -216,7 +214,6 @@ public class KafkaProducer implements Producer { this.maxRequestSize = config.getInt(ProducerConfig.MAX_REQUEST_SIZE_CONFIG); this.totalMemorySize = config.getLong(ProducerConfig.BUFFER_MEMORY_CONFIG); this.compressionType = CompressionType.forName(config.getString(ProducerConfig.COMPRESSION_TYPE_CONFIG)); - this.securityConfig = ClientUtils.parseSecurityConfig(config.getString(ProducerConfig.SECURITY_CONFIG_FILE_CONFIG)); Map metricTags = new LinkedHashMap(); metricTags.put("client-id", clientId); this.accumulator = new RecordAccumulator(config.getInt(ProducerConfig.BATCH_SIZE_CONFIG), @@ -231,7 +228,7 @@ public class KafkaProducer implements Producer { List addresses = ClientUtils.parseAndValidateAddresses(config.getList(ProducerConfig.BOOTSTRAP_SERVERS_CONFIG)); this.metadata.update(Cluster.bootstrap(addresses), time.milliseconds()); - NetworkClient client = new NetworkClient(new Selector(this.metrics, time, "producer", metricTags, securityConfig), + NetworkClient client = new NetworkClient(new Selector(this.metrics, time, "producer", metricTags, config.values()), this.metadata, clientId, config.getInt(ProducerConfig.MAX_IN_FLIGHT_REQUESTS_PER_CONNECTION), @@ -288,7 +285,7 @@ public class KafkaProducer implements Producer { } /** - * Asynchronously send a record to a topic. Equivalent to send(record, null). + * Asynchronously send a record to a topic. Equivalent to send(record, null). * See {@link #send(ProducerRecord, Callback)} for details. */ @Override @@ -308,11 +305,11 @@ public class KafkaProducer implements Producer { *

    * Since the send call is asynchronous it returns a {@link java.util.concurrent.Future Future} for the * {@link RecordMetadata} that will be assigned to this record. Invoking {@link java.util.concurrent.Future#get() - * get()} on this future will block until the associated request completes and then return the metadata for the record + * get()} on this future will block until the associated request completes and then return the metadata for the record * or throw any exception that occurred while sending the record. *

    * If you want to simulate a simple blocking call you can call the get() method immediately: - * + * * 

          * {@code
      * byte[] key = "key".getBytes();
@@ -323,7 +320,7 @@ public class KafkaProducer implements Producer {
      * 
    
      * Fully non-blocking usage can make use of the {@link Callback} parameter to provide a callback that
      * will be invoked when the request is complete.
-     * 
+     *
      * 
          * {@code
      * ProducerRecord record = new ProducerRecord("the-topic", key, value);
@@ -337,10 +334,10 @@ public class KafkaProducer implements Producer {
      *               });
      * }
      * 
    
-     * 
+     *
      * Callbacks for records being sent to the same partition are guaranteed to execute in order. That is, in the
      * following example callback1 is guaranteed to execute before callback2:
-     * 
+     *
      * 
          * {@code
      * producer.send(new ProducerRecord(topic, partition, key1, value1), callback1);
@@ -352,15 +349,15 @@ public class KafkaProducer implements Producer {
      * they will delay the sending of messages from other threads. If you want to execute blocking or computationally
      * expensive callbacks it is recommended to use your own {@link java.util.concurrent.Executor} in the callback body
      * to parallelize processing.
-     * 
+     *
      * @param record The record to send
      * @param callback A user-supplied callback to execute when the record has been acknowledged by the server (null
      *        indicates no callback)
-     *        
+     *
      * @throws InterruptException If the thread is interrupted while blocked
      * @throws SerializationException If the key or value are not valid objects given the configured serializers
      * @throws BufferExhaustedException If block.on.buffer.full=false and the buffer is full.
-     * 
+     *
      */
     @Override
     public Future send(ProducerRecord record, Callback callback) {
@@ -455,12 +452,12 @@ public class KafkaProducer implements Producer {
                                               ProducerConfig.BUFFER_MEMORY_CONFIG +
                                               " configuration.");
     }
-    
+
     /**
-     * Invoking this method makes all buffered records immediately available to send (even if linger.ms is 
+     * Invoking this method makes all buffered records immediately available to send (even if linger.ms is
      * greater than 0) and blocks on the completion of the requests associated with these records. The post-condition
-     * of flush() is that any previously sent record will have completed (e.g. Future.isDone() == true). 
-     * A request is considered completed when it is successfully acknowledged 
+     * of flush() is that any previously sent record will have completed (e.g. Future.isDone() == true).
+     * A request is considered completed when it is successfully acknowledged
      * according to the acks configuration you have specified or else it results in an error.
      * 
    
      * Other threads can continue sending records while one thread is blocked waiting for a flush call to complete,
@@ -478,10 +475,10 @@ public class KafkaProducer implements Producer {
      * consumer.commit();
      * }
      * 
    
-     * 
+     *
      * Note that the above example may drop records if the produce request fails. If we want to ensure that this does not occur
      * we need to set retries=<large_number> in our config.
-     * 
+     *
      * @throws InterruptException If the thread is interrupted while blocked
      */
     @Override
diff --git a/clients/src/main/java/org/apache/kafka/clients/producer/ProducerConfig.java b/clients/src/main/java/org/apache/kafka/clients/producer/ProducerConfig.java
index 83506e7..69563ee 100644
--- a/clients/src/main/java/org/apache/kafka/clients/producer/ProducerConfig.java
+++ b/clients/src/main/java/org/apache/kafka/clients/producer/ProducerConfig.java
@@ -3,9 +3,9 @@
  * file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file
  * to You under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the
  * License. You may obtain a copy of the License at
- * 
+ *
  * http://www.apache.org/licenses/LICENSE-2.0
- * 
+ *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
  * specific language governing permissions and limitations under the License.
@@ -26,6 +26,7 @@ import org.apache.kafka.common.config.ConfigDef;
 import org.apache.kafka.common.config.ConfigDef.Importance;
 import org.apache.kafka.common.config.ConfigDef.Type;
 import org.apache.kafka.common.serialization.Serializer;
+import org.apache.kafka.common.protocol.SecurityProtocol;
 
 /**
  * Configuration for the Kafka Producer. Documentation for these configurations can be found in the metadata.max.age.ms */
     public static final String METADATA_MAX_AGE_CONFIG = CommonClientConfigs.METADATA_MAX_AGE_CONFIG;
     private static final String METADATA_MAX_AGE_DOC = CommonClientConfigs.METADATA_MAX_AGE_DOC;
-            
+
     /** batch.size */
     public static final String BATCH_SIZE_CONFIG = "batch.size";
     private static final String BATCH_SIZE_DOC = "The producer will attempt to batch records together into fewer requests whenever multiple records are being sent" + " to the same partition. This helps performance on both the client and the server. This configuration controls the "
@@ -169,9 +170,6 @@ public class ProducerConfig extends AbstractConfig {
     public static final String VALUE_SERIALIZER_CLASS_CONFIG = "value.serializer";
     private static final String VALUE_SERIALIZER_CLASS_DOC = "Serializer class for value that implements the Serializer interface.";
 
-    /** security.config.file  */
-    public static final String SECURITY_CONFIG_FILE_CONFIG = CommonClientConfigs.SECURITY_CONFIG_FILE_CONFIG;
-    private static final String SECURITY_CONFIG_FILE_DOC = CommonClientConfigs.SECURITY_CONFIG_FILE_DOC;
 
 
     static {
@@ -223,7 +221,20 @@ public class ProducerConfig extends AbstractConfig {
                                         MAX_IN_FLIGHT_REQUESTS_PER_CONNECTION_DOC)
                                 .define(KEY_SERIALIZER_CLASS_CONFIG, Type.CLASS, Importance.HIGH, KEY_SERIALIZER_CLASS_DOC)
                                 .define(VALUE_SERIALIZER_CLASS_CONFIG, Type.CLASS, Importance.HIGH, VALUE_SERIALIZER_CLASS_DOC)
-                                .define(SECURITY_CONFIG_FILE_CONFIG, Type.STRING, "", Importance.MEDIUM, SECURITY_CONFIG_FILE_DOC);
+                                .define(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, Type.STRING, SecurityProtocol.PLAINTEXT.toString(), Importance.MEDIUM, CommonClientConfigs.SECURITY_PROTOCOL_DOC)
+                                .define(CommonClientConfigs.SSL_PROTOCOL_CONFIG, Type.STRING, "TLS", Importance.MEDIUM, CommonClientConfigs.SSL_PROTOCOL_DOC)
+                                .define(CommonClientConfigs.SSL_CIPHER_SUITES_CONFIG, Type.LIST, "", Importance.LOW, CommonClientConfigs.SSL_CIPHER_SUITES_DOC)
+                                .define(CommonClientConfigs.SSL_ENABLED_PROTOCOLS_CONFIG, Type.LIST, "TLSv1.2, TLSv1.1, TLSv1", Importance.MEDIUM, CommonClientConfigs.SSL_ENABLED_PROTOCOLS_DOC)
+                                .define(CommonClientConfigs.SSL_KEYSTORE_TYPE_CONFIG, Type.STRING, "JKS", Importance.MEDIUM, CommonClientConfigs.SSL_KEYSTORE_TYPE_DOC)
+                                .define(CommonClientConfigs.SSL_KEYSTORE_LOCATION_CONFIG, Type.STRING, Importance.HIGH, CommonClientConfigs.SSL_KEYSTORE_LOCATION_DOC, false)
+                                .define(CommonClientConfigs.SSL_KEYSTORE_PASSWORD_CONFIG, Type.STRING, Importance.HIGH, CommonClientConfigs.SSL_KEYSTORE_PASSWORD_DOC, false)
+                                .define(CommonClientConfigs.SSL_KEY_PASSWORD_CONFIG, Type.STRING, Importance.HIGH, CommonClientConfigs.SSL_KEY_PASSWORD_DOC, false)
+                                .define(CommonClientConfigs.SSL_TRUSTSTORE_TYPE_CONFIG, Type.STRING, "JKS", Importance.MEDIUM, CommonClientConfigs.SSL_TRUSTSTORE_TYPE_DOC)
+                                .define(CommonClientConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG, Type.STRING, Importance.HIGH, CommonClientConfigs.SSL_TRUSTSTORE_LOCATION_DOC, false)
+                                .define(CommonClientConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG, Type.STRING, Importance.HIGH, CommonClientConfigs.SSL_TRUSTSTORE_PASSWORD_DOC, false)
+                                .define(CommonClientConfigs.SSL_KEYMANAGER_ALGORITHM_CONFIG, Type.STRING, "SunX509", Importance.LOW, CommonClientConfigs.SSL_KEYMANAGER_ALGORITHM_DOC)
+                                .define(CommonClientConfigs.SSL_TRUSTMANAGER_ALGORITHM_CONFIG, Type.STRING, "SunX509", Importance.LOW, CommonClientConfigs.SSL_TRUSTMANAGER_ALGORITHM_DOC)
+                                .define(CommonClientConfigs.SSL_CLIENT_REQUIRE_CERT_CONFIG, Type.BOOLEAN, false, Importance.MEDIUM, CommonClientConfigs.SSL_CLIENT_REQUIRE_CERT_DOC);
     }
 
     public static Map addSerializerToConfig(Map configs,
diff --git a/clients/src/main/java/org/apache/kafka/common/config/AbstractConfig.java b/clients/src/main/java/org/apache/kafka/common/config/AbstractConfig.java
index c4fa058..a8f15bc 100644
--- a/clients/src/main/java/org/apache/kafka/common/config/AbstractConfig.java
+++ b/clients/src/main/java/org/apache/kafka/common/config/AbstractConfig.java
@@ -3,9 +3,9 @@
  * file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file
  * to You under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the
  * License. You may obtain a copy of the License at
- * 
+ *
  * http://www.apache.org/licenses/LICENSE-2.0
- * 
+ *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
  * specific language governing permissions and limitations under the License.
@@ -98,6 +98,12 @@ public class AbstractConfig {
         return copy;
     }
 
+    public Map values() {
+        Map copy = new HashMap();
+        copy.putAll(values);
+        return values;
+    }
+
     private void logAll() {
         StringBuilder b = new StringBuilder();
         b.append(getClass().getSimpleName());
@@ -124,7 +130,7 @@ public class AbstractConfig {
     /**
      * Get a configured instance of the give class specified by the given configuration key. If the object implements
      * Configurable configure it using the configuration.
-     * 
+     *
      * @param key The configuration key for the class
      * @param t The interface the class should implement
      * @return A configured instance of the class
diff --git a/clients/src/main/java/org/apache/kafka/common/config/SecurityConfig.java b/clients/src/main/java/org/apache/kafka/common/config/SecurityConfig.java
deleted file mode 100644
index 7954a7e..0000000
--- a/clients/src/main/java/org/apache/kafka/common/config/SecurityConfig.java
+++ /dev/null
@@ -1,113 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE
- * file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file
- * to You under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the
- * License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
- * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package org.apache.kafka.common.config;
-
-
-import java.util.Map;
-
-import org.apache.kafka.common.config.ConfigDef.Importance;
-import org.apache.kafka.common.config.ConfigDef.Type;
-import org.apache.kafka.common.protocol.SecurityProtocol;
-
-
-/**
- * Security Related config for clients and server.
- */
-
-public class SecurityConfig extends AbstractConfig {
-    /*
-     * NOTE: DO NOT CHANGE EITHER CONFIG STRINGS OR THEIR JAVA VARIABLE NAMES AS THESE ARE PART OF THE PUBLIC API AND
-     * CHANGE WILL BREAK USER CODE.
-     */
-
-    private static final ConfigDef CONFIG;
-
-    public static final String SECURITY_PROTOCOL_CONFIG = "security.protocol";
-    public static final String SECURITY_PROTOCOL_DOC = "Protocol used to communicate with brokers. Currently only PLAINTEXT and SSL are supported.";
-
-    public static final String SSL_PROTOCOL_CONFIG = "ssl.protocol";
-    public static final String SSL_PROTOCOL_DOC = "The TLS protocol used for broker connections if security protocol is SSL. "
-            + "Any version of TLS is accepted by default.";
-
-    public static final String SSL_CIPHER_SUITES_CONFIG = "ssl.cipher.suites";
-    public static final String SSL_CIPHER_SUITES_DOC = "The list of cipher suites enabled for SSL connections. "
-            + "Default value is the list of cipher suites enabled for the Java Virtual Machine.";
-
-    public static final String SSL_ENABLED_PROTOCOLS_CONFIG = "ssl.enabled.protocols";
-    public static final String SSL_ENABLED_PROTOCOLS_DOC = "The list of protocols enabled for SSL connections. "
-            + "Default value is the list of protocols enabled for the Java Virtual Machine.";
-
-
-    public static final String SSL_KEYSTORE_TYPE_CONFIG = "ssl.keystore.type";
-    public static final String SSL_KEYSTORE_TYPE_DOC = "The file format of the key store file. "
-            + "Default value is the default key store format of the Java Virtual Machine.";
-
-    public static final String SSL_KEYSTORE_LOCATION_CONFIG = "ssl.keystore.location";
-    public static final String SSL_KEYSTORE_LOCATION_DOC = "The location of the key store file. "
-            + "This is optional for Client and can be used for two-way authentication for client.";
-
-    public static final String SSL_KEYSTORE_PASSWORD_CONFIG = "ssl.keystore.password";
-    public static final String SSL_KEYSTORE_PASSWORD_DOC = "The store password for the key store file. ";
-
-
-    public static final String SSL_KEY_PASSWORD_CONFIG = "ssl.key.password";
-    public static final String SSL_KEY_PASSWORD_DOC = "The password of the private key in the key store file. "
-            + "This is optional for client.";
-
-    public static final String SSL_TRUSTSTORE_TYPE_CONFIG = "ssl.truststore.type";
-    public static final String SSL_TRUSTSTORE_TYPE_DOC = "The file format of the trust store file. "
-            + "Default value is JKS.";
-
-    public static final String SSL_TRUSTSTORE_LOCATION_CONFIG = "ssl.truststore.location";
-    public static final String SSL_TRUSTSTORE_LOCATION_DOC = "The location of the trust store file. ";
-
-    public static final String SSL_TRUSTSTORE_PASSWORD_CONFIG = "ssl.truststore.password";
-    public static final String SSL_TRUSTSTORE_PASSWORD_DOC = "The password for the trust store file. ";
-
-    public static final String SSL_CLIENT_REQUIRE_CERT_CONFIG = "ssl.client.require.cert";
-    public static final String SSL_CLIENT_REQUIRE_CERT_DOC = "This is to enforce two-way authentication between client and server."
-            + "Default value is false. If set to true client need to prover Keystrore releated config";
-
-    public static final String SSL_KEYMANAGER_ALGORITHM_CONFIG = "ssl.keymanager.algorithm";
-    public static final String SSL_KEYMANAGER_ALGORITHM_DOC = "The algorithm used by key manager factory for SSL connections. "
-            + "Default value is the key manager factory algorithm configured for the Java Virtual Machine.";
-
-    public static final String SSL_TRUSTMANAGER_ALGORITHM_CONFIG = "ssl.trustmanager.algorithm";
-    public static final String SSL_TRUSTMANAGER_ALGORITHM_DOC = "The algorithm used by trust manager factory for SSL connections. "
-            + "Default value is the trust manager factory algorithm configured for the Java Virtual Machine.";
-
-
-    static {
-        CONFIG = new ConfigDef().define(SECURITY_PROTOCOL_CONFIG, Type.STRING, SecurityProtocol.PLAINTEXT.toString(), Importance.MEDIUM, SECURITY_PROTOCOL_DOC)
-                .define(SSL_PROTOCOL_CONFIG, Type.STRING, "TLS", Importance.MEDIUM, SSL_PROTOCOL_DOC)
-                .define(SSL_CIPHER_SUITES_CONFIG, Type.LIST, Importance.MEDIUM, SSL_CIPHER_SUITES_DOC, false)
-                .define(SSL_ENABLED_PROTOCOLS_CONFIG, Type.LIST, "TLSv1.2, TLSv1.1, TLSv1", Importance.MEDIUM, SSL_ENABLED_PROTOCOLS_DOC)
-                .define(SSL_KEYSTORE_TYPE_CONFIG, Type.STRING, Importance.MEDIUM, SSL_KEYSTORE_TYPE_DOC, false)
-                .define(SSL_KEYSTORE_LOCATION_CONFIG, Type.STRING, Importance.MEDIUM, SSL_KEYSTORE_LOCATION_DOC, false)
-                .define(SSL_KEYSTORE_PASSWORD_CONFIG, Type.STRING, Importance.MEDIUM, SSL_KEYSTORE_PASSWORD_DOC, false)
-                .define(SSL_KEY_PASSWORD_CONFIG, Type.STRING, Importance.MEDIUM, SSL_KEY_PASSWORD_DOC, false)
-                .define(SSL_TRUSTSTORE_TYPE_CONFIG, Type.STRING, Importance.MEDIUM, SSL_TRUSTSTORE_TYPE_DOC, false)
-                .define(SSL_TRUSTSTORE_LOCATION_CONFIG, Type.STRING, Importance.MEDIUM, SSL_TRUSTSTORE_LOCATION_DOC, false)
-                .define(SSL_TRUSTSTORE_PASSWORD_CONFIG, Type.STRING, Importance.MEDIUM, SSL_TRUSTSTORE_PASSWORD_DOC, false)
-                .define(SSL_KEYMANAGER_ALGORITHM_CONFIG, Type.STRING, Importance.MEDIUM, SSL_KEYMANAGER_ALGORITHM_DOC, false)
-                .define(SSL_TRUSTMANAGER_ALGORITHM_CONFIG, Type.STRING, Importance.MEDIUM, SSL_TRUSTMANAGER_ALGORITHM_DOC, false)
-                .define(SSL_CLIENT_REQUIRE_CERT_CONFIG, Type.BOOLEAN, false, Importance.MEDIUM, SSL_CLIENT_REQUIRE_CERT_DOC);
-    }
-
-    public SecurityConfig(Map props) {
-        super(CONFIG, props);
-    }
-
-
-}
diff --git a/clients/src/main/java/org/apache/kafka/common/network/Authenticator.java b/clients/src/main/java/org/apache/kafka/common/network/Authenticator.java
index ee8516f..1b6b32a 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/Authenticator.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/Authenticator.java
@@ -43,7 +43,7 @@ public interface Authenticator {
     /**
      * Returns UserPrincipal after authentication is established
      */
-    UserPrincipal userPrincipal();
+    UserPrincipal userPrincipal() throws IOException;
 
 
     /**
diff --git a/clients/src/main/java/org/apache/kafka/common/network/Channel.java b/clients/src/main/java/org/apache/kafka/common/network/Channel.java
index 3526ba3..d9d1192 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/Channel.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/Channel.java
@@ -58,7 +58,7 @@ public class Channel implements ScatteringByteChannel, GatheringByteChannel {
      * Incase of PLAINTEXT and No Authentication returns ANONYMOUS as the userPrincipal
      * If SSL used without any SASL Authentication returns SSLSession.peerPrincipal
      */
-    public UserPrincipal userPrincipal() {
+    public UserPrincipal userPrincipal() throws IOException {
         return authenticator.userPrincipal();
     }
 
diff --git a/clients/src/main/java/org/apache/kafka/common/network/DefaultAuthenticator.java b/clients/src/main/java/org/apache/kafka/common/network/DefaultAuthenticator.java
index c1ec794..97b1135 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/DefaultAuthenticator.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/DefaultAuthenticator.java
@@ -34,7 +34,7 @@ public class DefaultAuthenticator implements Authenticator {
         return 0;
     }
 
-    public UserPrincipal userPrincipal() {
+    public UserPrincipal userPrincipal() throws IOException {
         return new UserPrincipal(transportLayer.getPeerPrincipal().toString());
     }
 
diff --git a/clients/src/main/java/org/apache/kafka/common/network/PlainTextTransportLayer.java b/clients/src/main/java/org/apache/kafka/common/network/PlainTextTransportLayer.java
index 11cd80c..dbf0a30 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/PlainTextTransportLayer.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/PlainTextTransportLayer.java
@@ -42,7 +42,6 @@ public class PlainTextTransportLayer implements TransportLayer {
 
     public PlainTextTransportLayer(SocketChannel socketChannel) throws IOException {
         this.socketChannel = socketChannel;
-
     }
 
 
@@ -141,7 +140,7 @@ public class PlainTextTransportLayer implements TransportLayer {
         return outStream;
     }
 
-    public Principal getPeerPrincipal() {
+    public Principal getPeerPrincipal() throws IOException {
         return new UserPrincipal("ANONYMOUS");
     }
 
diff --git a/clients/src/main/java/org/apache/kafka/common/network/SSLFactory.java b/clients/src/main/java/org/apache/kafka/common/network/SSLFactory.java
index 9cf9051..73f976b 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/SSLFactory.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/SSLFactory.java
@@ -16,6 +16,8 @@
  */
 package org.apache.kafka.common.network;
 
+import java.util.Map;
+import java.util.List;
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.security.GeneralSecurityException;
@@ -24,10 +26,11 @@ import java.security.KeyStore;
 import javax.net.ssl.*;
 
 import org.apache.kafka.common.KafkaException;
-import org.apache.kafka.common.config.SecurityConfig;
+import org.apache.kafka.common.Configurable;
+import org.apache.kafka.clients.CommonClientConfigs;
 
 
-public class SSLFactory  {
+public class SSLFactory implements Configurable {
 
     public enum Mode { CLIENT, SERVER };
     private String protocol;
@@ -48,27 +51,31 @@ public class SSLFactory  {
         this.mode = mode;
     }
 
-
-    public void init(SecurityConfig securityConfig) throws IOException, GeneralSecurityException {
-        this.protocol =  securityConfig.getString(SecurityConfig.SSL_PROTOCOL_CONFIG);
-        if (securityConfig.getList(SecurityConfig.SSL_CIPHER_SUITES_CONFIG) != null)
-         this.cipherSuites = (String[]) securityConfig.getList(SecurityConfig.SSL_CIPHER_SUITES_CONFIG).toArray();
-        if (securityConfig.getList(SecurityConfig.SSL_ENABLED_PROTOCOLS_CONFIG) != null)
-            this.enabledProtocols = (String[]) securityConfig.getList(SecurityConfig.SSL_ENABLED_PROTOCOLS_CONFIG).toArray();
-        this.requireClientCert = securityConfig.getBoolean(SecurityConfig.SSL_CLIENT_REQUIRE_CERT_CONFIG);
-        this.kmfAlgorithm = securityConfig.getString(SecurityConfig.SSL_KEYMANAGER_ALGORITHM_CONFIG);
-        this.tmfAlgorithm = securityConfig.getString(SecurityConfig.SSL_TRUSTMANAGER_ALGORITHM_CONFIG);
-        if ((mode == Mode.CLIENT && requireClientCert) || (mode == Mode.SERVER))
-            createKeystore(securityConfig.getString(SecurityConfig.SSL_KEYSTORE_TYPE_CONFIG),
-                                           securityConfig.getString(SecurityConfig.SSL_KEYSTORE_LOCATION_CONFIG),
-                                           securityConfig.getString(SecurityConfig.SSL_KEYSTORE_PASSWORD_CONFIG),
-                                           securityConfig.getString(SecurityConfig.SSL_KEY_PASSWORD_CONFIG));
-        createTruststore(securityConfig.getString(SecurityConfig.SSL_TRUSTSTORE_TYPE_CONFIG),
-                securityConfig.getString(SecurityConfig.SSL_TRUSTSTORE_LOCATION_CONFIG),
-                securityConfig.getString(SecurityConfig.SSL_TRUSTSTORE_PASSWORD_CONFIG));
-
-        this.sslContext = createSSLContext();
-
+    @Override
+    public void configure(Map configs) throws KafkaException {
+        this.protocol =  (String) configs.get(CommonClientConfigs.SSL_PROTOCOL_CONFIG);
+        if (configs.get(CommonClientConfigs.SSL_CIPHER_SUITES_CONFIG) != null)
+            this.cipherSuites = (String[]) ((List) configs.get(CommonClientConfigs.SSL_CIPHER_SUITES_CONFIG)).toArray();
+        if (configs.get(CommonClientConfigs.SSL_ENABLED_PROTOCOLS_CONFIG) != null)
+            this.enabledProtocols = (String[]) ((List) configs.get(CommonClientConfigs.SSL_ENABLED_PROTOCOLS_CONFIG)).toArray();
+        this.requireClientCert = (Boolean) configs.get(CommonClientConfigs.SSL_CLIENT_REQUIRE_CERT_CONFIG);
+        this.kmfAlgorithm = (String) configs.get(CommonClientConfigs.SSL_KEYMANAGER_ALGORITHM_CONFIG);
+        this.tmfAlgorithm = (String) configs.get(CommonClientConfigs.SSL_TRUSTMANAGER_ALGORITHM_CONFIG);
+        if ((mode == Mode.CLIENT && requireClientCert) || (mode == Mode.SERVER)) {
+            createKeystore((String) configs.get(CommonClientConfigs.SSL_KEYSTORE_TYPE_CONFIG),
+                           (String) configs.get(CommonClientConfigs.SSL_KEYSTORE_LOCATION_CONFIG),
+                           (String) configs.get(CommonClientConfigs.SSL_KEYSTORE_PASSWORD_CONFIG),
+                           (String) configs.get(CommonClientConfigs.SSL_KEY_PASSWORD_CONFIG));
+        }
+        createTruststore((String) configs.get(CommonClientConfigs.SSL_TRUSTSTORE_TYPE_CONFIG),
+                         (String) configs.get(CommonClientConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG),
+                         (String) configs.get(CommonClientConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG));
+        try {
+            this.sslContext = createSSLContext();
+        } catch (Exception e) {
+            e.printStackTrace();
+            throw new KafkaException(e);
+        }
     }
 
 
@@ -183,6 +190,4 @@ public class SSLFactory  {
         }
     }
 
-    public void close() {
-    }
 }
diff --git a/clients/src/main/java/org/apache/kafka/common/network/SSLTransportLayer.java b/clients/src/main/java/org/apache/kafka/common/network/SSLTransportLayer.java
index dc84975..2d6a519 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/SSLTransportLayer.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/SSLTransportLayer.java
@@ -27,9 +27,12 @@ import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLEngineResult;
 import javax.net.ssl.SSLEngineResult.HandshakeStatus;
 import javax.net.ssl.SSLEngineResult.Status;
+import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLPeerUnverifiedException;
 
 import java.io.DataInputStream;
 import java.io.DataOutputStream;
+import java.util.concurrent.ExecutorService;
 
 import org.apache.kafka.common.utils.Utils;
 import org.slf4j.Logger;
@@ -41,25 +44,27 @@ import org.slf4j.LoggerFactory;
 
 public class SSLTransportLayer implements TransportLayer {
     private static final Logger log = LoggerFactory.getLogger(SSLTransportLayer.class);
-    SocketChannel socketChannel;
-    SSLEngine sslEngine;
-    HandshakeStatus handshakeStatus = null;
-    SSLEngineResult handshakeResult = null;
-    boolean handshakeComplete = false;
-    boolean closed = false;
-    boolean closing = false;
-    ByteBuffer netInBuffer = null;
-    ByteBuffer netOutBuffer = null;
-    ByteBuffer appReadBuffer = null;
-    ByteBuffer appWriteBuffer = null;
-    ByteBuffer emptyBuf = ByteBuffer.allocate(0);
-    DataInputStream inStream = null;
-    DataOutputStream outStream = null;
-
-
-    public SSLTransportLayer(SocketChannel socketChannel, SSLEngine sslEngine) throws IOException {
+    protected SSLEngine sslEngine;
+
+    private SocketChannel socketChannel;
+    private HandshakeStatus handshakeStatus;
+    private SSLEngineResult handshakeResult;
+    private boolean handshakeComplete = false;
+    private boolean closed = false;
+    private boolean closing = false;
+    private ByteBuffer netInBuffer;
+    private ByteBuffer netOutBuffer;
+    private ByteBuffer appReadBuffer;
+    private ByteBuffer appWriteBuffer;
+    private ByteBuffer emptyBuf = ByteBuffer.allocate(0);
+    private DataInputStream inStream;
+    private DataOutputStream outStream;
+    private ExecutorService executorService;
+
+    public SSLTransportLayer(SocketChannel socketChannel, SSLEngine sslEngine, ExecutorService executorService) throws IOException {
         this.socketChannel = socketChannel;
         this.sslEngine = sslEngine;
+        this.executorService = executorService;
         this.netInBuffer = ByteBuffer.allocateDirect(sslEngine.getSession().getPacketBufferSize());
         this.netOutBuffer = ByteBuffer.allocateDirect(sslEngine.getSession().getPacketBufferSize());
         this.appWriteBuffer = ByteBuffer.allocateDirect(sslEngine.getSession().getApplicationBufferSize());
@@ -116,56 +121,60 @@ public class SSLTransportLayer implements TransportLayer {
         if (handshakeComplete) return 0; //we have done our initial handshake
 
         if (!flush(netOutBuffer)) return SelectionKey.OP_WRITE;
-
-        switch(handshakeStatus) {
-            case NOT_HANDSHAKING:
-                // SSLEnginge.getHandshakeStatus is transient and it doesn't record FINISHED status properly
-                if (handshakeResult.getHandshakeStatus() == HandshakeStatus.FINISHED) {
+        try {
+            switch(handshakeStatus) {
+                case NOT_HANDSHAKING:
+                    // SSLEnginge.getHandshakeStatus is transient and it doesn't record FINISHED status properly
+                    if (handshakeResult.getHandshakeStatus() == HandshakeStatus.FINISHED) {
+                        handshakeComplete = !netOutBuffer.hasRemaining();
+                        if (handshakeComplete)
+                            return 0;
+                        else
+                            return SelectionKey.OP_WRITE;
+                    } else {
+                        throw new IOException("NOT_HANDSHAKING during handshake");
+                    }
+                case FINISHED:
+                    //we are complete if we have delivered the last package
                     handshakeComplete = !netOutBuffer.hasRemaining();
-                    if (handshakeComplete)
-                        return 0;
-                    else
+                    //return 0 if we are complete, otherwise we still have data to write
+                    if (handshakeComplete) return 0;
+                    else return SelectionKey.OP_WRITE;
+                case NEED_WRAP:
+                    handshakeResult = handshakeWrap(write);
+                    if (handshakeResult.getStatus() == Status.OK) {
+                        if (handshakeStatus == HandshakeStatus.NEED_TASK)
+                            handshakeStatus = tasks();
+                    } else {
+                        //wrap should always work with our buffers
+                        throw new IOException("Unexpected status [" + handshakeResult.getStatus() + "] during handshake WRAP.");
+                    }
+                    if (handshakeStatus != HandshakeStatus.NEED_UNWRAP || (!flush(netOutBuffer)))
                         return SelectionKey.OP_WRITE;
-                } else {
-                    //should never happen
-                    throw new IOException("NOT_HANDSHAKING during handshake");
-                }
-            case FINISHED:
-                //we are complete if we have delivered the last package
-                handshakeComplete = !netOutBuffer.hasRemaining();
-                //return 0 if we are complete, otherwise we still have data to write
-                if (handshakeComplete) return 0;
-                else return SelectionKey.OP_WRITE;
-            case NEED_WRAP:
-                handshakeResult = handshakeWrap(write);
-                if (handshakeResult.getStatus() == Status.OK) {
-                    if (handshakeStatus == HandshakeStatus.NEED_TASK)
-                        handshakeStatus = tasks();
-                } else {
-                    //wrap should always work with our buffers
-                    throw new IOException("Unexpected status [" + handshakeResult.getStatus() + "] during handshake WRAP.");
-                }
-                if (handshakeStatus != HandshakeStatus.NEED_UNWRAP || (!flush(netOutBuffer)))
-                    return SelectionKey.OP_WRITE;
-                //fall down to NEED_UNWRAP on the same call, will result in a
-                //BUFFER_UNDERFLOW if it needs data
-            case NEED_UNWRAP:
-                handshakeResult = handshakeUnwrap(read);
-                if (handshakeResult.getStatus() == Status.OK) {
-                    if (handshakeStatus == HandshakeStatus.NEED_TASK)
-                        handshakeStatus = tasks();
-                } else if (handshakeResult.getStatus() == Status.BUFFER_UNDERFLOW) {
-                    return SelectionKey.OP_READ;
-                } else {
-                    throw new IOException(String.format("Unexpected status [%s] during handshake UNWRAP", handshakeStatus));
-                }
-                break;
-            case NEED_TASK:
-                handshakeStatus = tasks();
-                break;
-            default:
-                throw new IllegalStateException(String.format("Unexpected status [%s]", handshakeStatus));
+                    //fall down to NEED_UNWRAP on the same call, will result in a
+                    //BUFFER_UNDERFLOW if it needs data
+                case NEED_UNWRAP:
+                    handshakeResult = handshakeUnwrap(read);
+                    if (handshakeResult.getStatus() == Status.OK) {
+                        if (handshakeStatus == HandshakeStatus.NEED_TASK)
+                            handshakeStatus = tasks();
+                    } else if (handshakeResult.getStatus() == Status.BUFFER_UNDERFLOW) {
+                        return SelectionKey.OP_READ;
+                    } else {
+                        throw new IOException(String.format("Unexpected status [%s] during handshake UNWRAP", handshakeStatus));
+                    }
+                    break;
+                case NEED_TASK:
+                    handshakeStatus = tasks();
+                    break;
+                default:
+                    throw new IllegalStateException(String.format("Unexpected status [%s]", handshakeStatus));
+            }
+        } catch (SSLException e) {
+            handshakeFailure();
+            throw e;
         }
+
         //return 0 if we are complete, otherwise re-register for any activity that
         //would cause this method to be called again.
         if (handshakeComplete) return 0;
@@ -173,12 +182,22 @@ public class SSLTransportLayer implements TransportLayer {
     }
 
     /**
-     * Executes all the tasks needed on the same thread.
+     * Executes all the tasks needed on the executorservice thread.
      * @return HandshakeStatus
      */
     private HandshakeStatus tasks() {
-        Runnable r = null;
-        while ((r = sslEngine.getDelegatedTask()) != null) r.run();
+        for (;;) {
+            final Runnable task = sslEngine.getDelegatedTask();
+            if (task == null)
+                break;
+
+            executorService.submit(new Runnable() {
+                    @Override
+                    public void run() {
+                        task.run();
+                    }
+                });
+        }
         return sslEngine.getHandshakeStatus();
     }
 
@@ -237,10 +256,6 @@ public class SSLTransportLayer implements TransportLayer {
     }
 
 
-    public int getOutboundRemaining() {
-        return netOutBuffer.remaining();
-    }
-
     /**
     * Sends a SSL close message, will not physically close the connection here.
    
     * @throws IOException if an I/O error occurs
@@ -283,7 +298,7 @@ public class SSLTransportLayer implements TransportLayer {
     * @param dst The buffer into which bytes are to be transferred
     * @return The number of bytes read, possible zero or -1 if the channel has reached end-of-stream
     * @throws IOException if some other I/O error occurs
-    * @throws IllegalStateException if the destination buffer is different than appBufHandler.getReadBuffer()
+    * @throws IllegalStateException if handshake is not complete.
     */
     public int read(ByteBuffer dst) throws IOException {
         if (closing || closed) return -1;
@@ -305,16 +320,10 @@ public class SSLTransportLayer implements TransportLayer {
                 if (unwrap.getHandshakeStatus() == HandshakeStatus.NEED_TASK) tasks();
                 //if we need more network data, than return for now.
                 if (unwrap.getStatus() == Status.BUFFER_UNDERFLOW) return readFromAppBuffer(dst);
-            } else if (unwrap.getStatus() == Status.BUFFER_OVERFLOW && read > 0) {
+            } else if (unwrap.getStatus() == Status.BUFFER_OVERFLOW) {
                 appReadBuffer = Utils.ensureCapacity(appReadBuffer, applicationBufferSize());
-                //buffer overflow can happen, if we have read data, then
                 //empty out the dst buffer before we do another read
                 return readFromAppBuffer(dst);
-            } else {
-                //here we should trap BUFFER_OVERFLOW and call expand on the buffer
-                // for now, throw an exception, as we initialized the buffers
-                // in constructor
-                throw new IOException(String.format("Unable to unwrap data, invalid status [%s]", unwrap.getStatus()));
             }
         } while(netInBuffer.position() != 0);
         return readFromAppBuffer(dst);
@@ -335,7 +344,6 @@ public class SSLTransportLayer implements TransportLayer {
         return totalRead;
     }
 
-
     /**
     * Writes a sequence of bytes to this channel from the given buffer.
     *
@@ -346,24 +354,20 @@ public class SSLTransportLayer implements TransportLayer {
 
     public int write(ByteBuffer src) throws IOException {
         int written = 0;
-        if (src == this.netOutBuffer)
-            written = socketChannel.write(src);
-        else {
-            if (closing || closed) throw new IOException("Channel is in closing state");
-            if (!flush(netOutBuffer))
-                return written;
-            netOutBuffer.clear();
-            SSLEngineResult result = sslEngine.wrap(src, netOutBuffer);
-            written = result.bytesConsumed();
-            netOutBuffer.flip();
-            if (result.getStatus() == Status.OK) {
-                if (result.getHandshakeStatus() == HandshakeStatus.NEED_TASK)
-                    tasks();
-            } else {
-                throw new IOException(String.format("Unable to wrap data, invalid status %s", result.getStatus()));
-            }
-            flush(netOutBuffer);
+        if (closing || closed) throw new IOException("Channel is in closing state");
+        if (!flush(netOutBuffer))
+            return written;
+        netOutBuffer.clear();
+        SSLEngineResult result = sslEngine.wrap(src, netOutBuffer);
+        written = result.bytesConsumed();
+        netOutBuffer.flip();
+        if (result.getStatus() == Status.OK) {
+            if (result.getHandshakeStatus() == HandshakeStatus.NEED_TASK)
+                tasks();
+        } else {
+            throw new IOException(String.format("Unable to wrap data, invalid status %s", result.getStatus()));
         }
+        flush(netOutBuffer);
         return written;
     }
 
@@ -396,9 +400,12 @@ public class SSLTransportLayer implements TransportLayer {
         return outStream;
     }
 
-    public Principal getPeerPrincipal() {
-        //return sslEngine.getSession().getPeerPrincipal();
-        return null;
+    public Principal getPeerPrincipal() throws IOException {
+        try {
+            return sslEngine.getSession().getPeerPrincipal();
+        } catch (SSLPeerUnverifiedException se) {
+            throw new IOException(String.format("Unable to retrieve getPeerPrincipal due to %s", se));
+        }
     }
 
     private int readFromAppBuffer(ByteBuffer dst) {
@@ -427,4 +434,14 @@ public class SSLTransportLayer implements TransportLayer {
     private int applicationBufferSize() {
         return sslEngine.getSession().getApplicationBufferSize();
     }
+
+    private void handshakeFailure() {
+        //Release all resources such as internal buffers that SSLEngine is managing
+        sslEngine.closeOutbound();
+        try {
+            sslEngine.closeInbound();
+        } catch (SSLException e) {
+            log.debug("SSLEngine.closeInBound() raised an exception.",  e);
+        }
+    }
 }
diff --git a/clients/src/main/java/org/apache/kafka/common/network/Selector.java b/clients/src/main/java/org/apache/kafka/common/network/Selector.java
index 0068143..90e2cee 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/Selector.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/Selector.java
@@ -29,9 +29,10 @@ import java.util.List;
 import java.util.Map;
 import java.util.Set;
 import java.util.concurrent.TimeUnit;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
 
 import org.apache.kafka.common.KafkaException;
-import org.apache.kafka.common.config.SecurityConfig;
 import org.apache.kafka.common.metrics.Measurable;
 import org.apache.kafka.common.metrics.MetricConfig;
 import org.apache.kafka.common.MetricName;
@@ -43,6 +44,7 @@ import org.apache.kafka.common.metrics.stats.Max;
 import org.apache.kafka.common.metrics.stats.Rate;
 import org.apache.kafka.common.protocol.SecurityProtocol;
 import org.apache.kafka.common.utils.Time;
+import org.apache.kafka.clients.CommonClientConfigs;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -90,14 +92,14 @@ public class Selector implements Selectable {
     private final SelectorMetrics sensors;
     private final String metricGrpPrefix;
     private final Map metricTags;
-    private final SecurityConfig securityConfig;
     private final SecurityProtocol securityProtocol;
     private SSLFactory sslFactory = null;
+    private ExecutorService executorService = null;
 
     /**
      * Create a new selector
      */
-    public Selector(Metrics metrics, Time time, String metricGrpPrefix, Map metricTags, SecurityConfig securityConfig) {
+    public Selector(Metrics metrics, Time time, String metricGrpPrefix, Map metricTags, Map configs) {
         try {
             this.selector = java.nio.channels.Selector.open();
         } catch (IOException e) {
@@ -114,17 +116,13 @@ public class Selector implements Selectable {
         this.disconnected = new ArrayList();
         this.failedSends = new ArrayList();
         this.sensors = new SelectorMetrics(metrics);
-        this.securityConfig = securityConfig;
-        this.securityProtocol = SecurityProtocol.valueOf(securityConfig.getString(SecurityConfig.SECURITY_PROTOCOL_CONFIG));
-        try {
-            if (securityProtocol == SecurityProtocol.SSL) {
-                this.sslFactory = new SSLFactory(SSLFactory.Mode.CLIENT);
-                this.sslFactory.init(this.securityConfig);
-            }
-        } catch (Exception e) {
-            throw new KafkaException(e);
+        this.securityProtocol = configs.containsKey(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG) ?
+            SecurityProtocol.valueOf((String) configs.get(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG)) : SecurityProtocol.PLAINTEXT;
+        if (securityProtocol == SecurityProtocol.SSL) {
+            this.executorService = Executors.newScheduledThreadPool(1);
+            this.sslFactory = new SSLFactory(SSLFactory.Mode.CLIENT);
+            this.sslFactory.configure(configs);
         }
-
     }
 
     /**
@@ -166,7 +164,8 @@ public class Selector implements Selectable {
         if (securityProtocol == SecurityProtocol.SSL) {
             transportLayer = new SSLTransportLayer(socketChannel,
                                                     sslFactory.createSSLEngine(socket.getInetAddress().getHostName(),
-                                                                               socket.getPort()));
+                                                                               socket.getPort()),
+                                                   executorService);
         } else {
             transportLayer = new PlainTextTransportLayer(socketChannel);
         }
@@ -206,8 +205,12 @@ public class Selector implements Selectable {
             close(key);
         try {
             this.selector.close();
+            if (this.executorService != null)
+                this.executorService.shutdown();
         } catch (IOException e) {
             log.error("Exception closing selector:", e);
+        } catch (SecurityException se) {
+            log.error("Exception closing selector:", se);
         }
     }
 
@@ -463,7 +466,7 @@ public class Selector implements Selectable {
     }
 
     /**
-     * Get the socket channel associated with this selection key
+     * Get the Channel associated with this selection key
      */
     private Channel channel(SelectionKey key) {
         return this.channels.get(key);
diff --git a/clients/src/main/java/org/apache/kafka/common/network/TransportLayer.java b/clients/src/main/java/org/apache/kafka/common/network/TransportLayer.java
index 6ce013b..ae10f7c 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/TransportLayer.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/TransportLayer.java
@@ -82,5 +82,5 @@ public interface TransportLayer {
 
     boolean flush(ByteBuffer buffer) throws IOException;
 
-    Principal getPeerPrincipal();
+    Principal getPeerPrincipal() throws IOException;
 }
diff --git a/clients/src/test/java/org/apache/kafka/common/network/EchoServer.java b/clients/src/test/java/org/apache/kafka/common/network/EchoServer.java
index 47dda69..7f34738 100644
--- a/clients/src/test/java/org/apache/kafka/common/network/EchoServer.java
+++ b/clients/src/test/java/org/apache/kafka/common/network/EchoServer.java
@@ -12,7 +12,7 @@
  */
 package org.apache.kafka.common.network;
 
-import org.apache.kafka.common.config.SecurityConfig;
+import org.apache.kafka.clients.CommonClientConfigs;
 import org.apache.kafka.common.protocol.SecurityProtocol;
 
 import java.io.DataInputStream;
@@ -22,8 +22,9 @@ import java.net.ServerSocket;
 import java.net.Socket;
 import java.util.ArrayList;
 import java.util.Collections;
+import java.util.Map;
 import java.util.List;
-import java.util.concurrent.atomic.AtomicBoolean;
+
 
 
 /**
@@ -34,17 +35,16 @@ class EchoServer extends Thread {
     private final ServerSocket serverSocket;
     private final List threads;
     private final List sockets;
-    private SecurityProtocol protocol;
+    private SecurityProtocol protocol = SecurityProtocol.PLAINTEXT;
     private SSLFactory sslFactory;
-    private final AtomicBoolean startHandshake = new AtomicBoolean();
 
-    public EchoServer(SecurityConfig securityConfig) throws Exception {
-        this.protocol =  SecurityProtocol.valueOf(securityConfig.getString(SecurityConfig.SECURITY_PROTOCOL_CONFIG));
+    public EchoServer(Map configs) throws Exception {
+        this.protocol =  configs.containsKey(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG) ?
+            SecurityProtocol.valueOf((String) configs.get(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG)) : SecurityProtocol.PLAINTEXT;
         if (protocol == SecurityProtocol.SSL) {
             this.sslFactory = new SSLFactory(SSLFactory.Mode.SERVER);
-            this.sslFactory.init(securityConfig);
+            this.sslFactory.configure(configs);
             this.serverSocket = sslFactory.createSSLServerSocketFactory().createServerSocket(0);
-            this.startHandshake.set(true);
         } else {
             this.serverSocket = new ServerSocket(0);
         }
@@ -105,4 +105,4 @@ class EchoServer extends Thread {
             t.join();
         join();
     }
-}
\ No newline at end of file
+}
diff --git a/clients/src/test/java/org/apache/kafka/common/network/SSLSelectorTest.java b/clients/src/test/java/org/apache/kafka/common/network/SSLSelectorTest.java
index f3c6153..c5f8ecf 100644
--- a/clients/src/test/java/org/apache/kafka/common/network/SSLSelectorTest.java
+++ b/clients/src/test/java/org/apache/kafka/common/network/SSLSelectorTest.java
@@ -14,12 +14,12 @@ package org.apache.kafka.common.network;
 
 import static org.junit.Assert.assertEquals;
 
+import java.util.Map;
 import java.io.IOException;
 import java.net.InetSocketAddress;
 import java.nio.ByteBuffer;
 import java.util.LinkedHashMap;
 
-import org.apache.kafka.common.config.SecurityConfig;
 import org.apache.kafka.common.metrics.Metrics;
 import org.apache.kafka.common.utils.MockTime;
 import org.apache.kafka.test.TestSSLUtils;
@@ -42,12 +42,10 @@ public class SSLSelectorTest {
 
     @Before
     public void setup() throws Exception {
-        SecurityConfig serverSecurityConfig = TestSSLUtils.createSSLConfigFile(SSLFactory.Mode.SERVER, null);
-        this.server = new EchoServer(serverSecurityConfig);
+        Map> sslConfigs = TestSSLUtils.createSSLConfigs(false, true);
+        this.server = new EchoServer(sslConfigs.get(SSLFactory.Mode.SERVER));
         this.server.start();
-        String trustStoreServer = serverSecurityConfig.getString(SecurityConfig.SSL_TRUSTSTORE_LOCATION_CONFIG);
-        SecurityConfig clientSecurityConfig = TestSSLUtils.createSSLConfigFile(SSLFactory.Mode.CLIENT, trustStoreServer);
-        this.selector = new Selector(new Metrics(), new MockTime(), "MetricGroup", new LinkedHashMap(), clientSecurityConfig);
+        this.selector = new Selector(new Metrics(), new MockTime(), "MetricGroup", new LinkedHashMap(), sslConfigs.get(SSLFactory.Mode.CLIENT));
     }
 
     @After
@@ -68,6 +66,44 @@ public class SSLSelectorTest {
         assertEquals(big, blockingRequest(node, big));
     }
 
+
+    /**
+     * Validate that when the server disconnects, a client send ends up with that node in the disconnected list.
+     */
+    @Test
+    public void testServerDisconnect() throws Exception {
+        int node = 0;
+        // connect and do a simple request
+        blockingConnect(node);
+        assertEquals("hello", blockingRequest(node, "hello"));
+
+        // disconnect
+        this.server.closeConnections();
+        while (!selector.disconnected().contains(node))
+            selector.poll(1000L);
+
+        // reconnect and do another request
+        blockingConnect(node);
+        assertEquals("hello", blockingRequest(node, "hello"));
+    }
+
+
+     /**
+     * Tests wrap BUFFER_OVERFLOW  and unwrap BUFFER_UNDERFLOW
+     * @throws Exception
+     */
+    @Test
+    public void testLargeMessageSequence() throws Exception {
+        int bufferSize = 512 * 1024;
+        int node = 0;
+        int reqs = 50;
+        InetSocketAddress addr = new InetSocketAddress("localhost", server.port);
+        selector.connect(node, addr, BUFFER_SIZE, BUFFER_SIZE);
+        String requestPrefix = TestUtils.randomString(bufferSize);
+        sendAndReceive(node, requestPrefix, 0, reqs);
+    }
+
+
     private String blockingRequest(int node, String s) throws IOException {
         selector.send(createSend(node, s));
         selector.poll(1000L);
@@ -94,4 +130,26 @@ public class SSLSelectorTest {
             selector.poll(10000L);
     }
 
-}
\ No newline at end of file
+
+    private void sendAndReceive(int node, String requestPrefix, int startIndex, int endIndex) throws Exception {
+        int requests = startIndex;
+        int responses = startIndex;
+        selector.send(createSend(node, requestPrefix + "-" + startIndex));
+        requests++;
+        while (responses < endIndex) {
+            // do the i/o
+            selector.poll(0L);
+            assertEquals("No disconnects should have occurred.", 0, selector.disconnected().size());
+
+            // handle requests and responses of the fast node
+            for (NetworkReceive receive : selector.completedReceives()) {
+                assertEquals(requestPrefix + "-" + responses, asString(receive));
+                responses++;
+            }
+
+            for (int i = 0; i < selector.completedSends().size() && requests < endIndex; i++, requests++) {
+                selector.send(createSend(node, requestPrefix + "-" + requests));
+            }
+        }
+    }
+}
diff --git a/clients/src/test/java/org/apache/kafka/common/network/SelectorTest.java b/clients/src/test/java/org/apache/kafka/common/network/SelectorTest.java
index e4100d3..3fd8fe2 100644
--- a/clients/src/test/java/org/apache/kafka/common/network/SelectorTest.java
+++ b/clients/src/test/java/org/apache/kafka/common/network/SelectorTest.java
@@ -3,9 +3,9 @@
  * file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file
  * to You under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the
  * License. You may obtain a copy of the License at
- * 
+ *
  * http://www.apache.org/licenses/LICENSE-2.0
- * 
+ *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
  * specific language governing permissions and limitations under the License.
@@ -15,14 +15,14 @@ package org.apache.kafka.common.network;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
 
+import java.util.HashMap;
+import java.util.Map;
 import java.io.IOException;
 import java.net.InetSocketAddress;
 import java.net.ServerSocket;
 import java.nio.ByteBuffer;
 import java.util.LinkedHashMap;
 
-import org.apache.kafka.clients.ClientUtils;
-import org.apache.kafka.common.config.SecurityConfig;
 import org.apache.kafka.common.metrics.Metrics;
 import org.apache.kafka.common.utils.MockTime;
 import org.apache.kafka.common.utils.Utils;
@@ -43,10 +43,10 @@ public class SelectorTest {
 
     @Before
     public void setup() throws Exception {
-        SecurityConfig securityConfig = ClientUtils.parseSecurityConfig("");
-        this.server = new EchoServer(securityConfig);
+        Map configs = new HashMap();
+        this.server = new EchoServer(configs);
         this.server.start();
-        this.selector = new Selector(new Metrics(), new MockTime() , "MetricGroup", new LinkedHashMap(), securityConfig);
+        this.selector = new Selector(new Metrics(), new MockTime() , "MetricGroup", new LinkedHashMap(), configs);
     }
 
     @After
diff --git a/clients/src/test/java/org/apache/kafka/test/TestSSLUtils.java b/clients/src/test/java/org/apache/kafka/test/TestSSLUtils.java
index c811096..bfb52ef 100644
--- a/clients/src/test/java/org/apache/kafka/test/TestSSLUtils.java
+++ b/clients/src/test/java/org/apache/kafka/test/TestSSLUtils.java
@@ -17,19 +17,8 @@
 
 package org.apache.kafka.test;
 
-import org.apache.kafka.common.config.SecurityConfig;
+import org.apache.kafka.clients.CommonClientConfigs;
 import org.apache.kafka.common.network.SSLFactory;
-import sun.security.x509.AlgorithmId;
-import sun.security.x509.CertificateAlgorithmId;
-import sun.security.x509.CertificateIssuerName;
-import sun.security.x509.CertificateSerialNumber;
-import sun.security.x509.CertificateSubjectName;
-import sun.security.x509.CertificateValidity;
-import sun.security.x509.CertificateVersion;
-import sun.security.x509.CertificateX509Key;
-import sun.security.x509.X500Name;
-import sun.security.x509.X509CertImpl;
-import sun.security.x509.X509CertInfo;
 
 import java.io.File;
 import java.io.FileOutputStream;
@@ -41,14 +30,19 @@ import java.security.KeyPair;
 import java.security.KeyPairGenerator;
 import java.security.KeyStore;
 import java.security.NoSuchAlgorithmException;
-import java.security.PrivateKey;
 import java.security.SecureRandom;
 import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;
+import java.security.InvalidKeyException;
+import java.security.NoSuchProviderException;
+import java.security.SignatureException;
+import java.security.cert.CertificateEncodingException;
+import javax.security.auth.x500.X500Principal;
+import org.bouncycastle.x509.X509V1CertificateGenerator;
+
 import java.util.Date;
 import java.util.HashMap;
 import java.util.Map;
-import java.util.Properties;
 
 
 public class TestSSLUtils {
@@ -66,36 +60,24 @@ public class TestSSLUtils {
      * @throws GeneralSecurityException thrown if an Security error ocurred.
      */
     public static X509Certificate generateCertificate(String dn, KeyPair pair,
-                                                      int days, String algorithm) throws GeneralSecurityException, IOException {
-        PrivateKey privkey = pair.getPrivate();
-        X509CertInfo info = new X509CertInfo();
+                                                      int days, String algorithm)
+        throws CertificateEncodingException, InvalidKeyException, IllegalStateException,
+               NoSuchProviderException, NoSuchAlgorithmException, SignatureException {
         Date from = new Date();
         Date to = new Date(from.getTime() + days * 86400000L);
-        CertificateValidity interval = new CertificateValidity(from, to);
         BigInteger sn = new BigInteger(64, new SecureRandom());
-        X500Name owner = new X500Name(dn);
-
-        info.set(X509CertInfo.VALIDITY, interval);
-        info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(sn));
-        info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(owner));
-        info.set(X509CertInfo.ISSUER, new CertificateIssuerName(owner));
-        info.set(X509CertInfo.KEY, new CertificateX509Key(pair.getPublic()));
-        info
-                .set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
-        AlgorithmId algo = new AlgorithmId(AlgorithmId.md5WithRSAEncryption_oid);
-        info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(algo));
-
-        // Sign the cert to identify the algorithm that's used.
-        X509CertImpl cert = new X509CertImpl(info);
-        cert.sign(privkey, algorithm);
-
-        // Update the algorith, and resign.
-        algo = (AlgorithmId) cert.get(X509CertImpl.SIG_ALG);
-        info
-                .set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM,
-                        algo);
-        cert = new X509CertImpl(info);
-        cert.sign(privkey, algorithm);
+        KeyPair keyPair = pair;
+        X509V1CertificateGenerator certGen = new X509V1CertificateGenerator();
+        X500Principal  dnName = new X500Principal(dn);
+
+        certGen.setSerialNumber(sn);
+        certGen.setIssuerDN(dnName);
+        certGen.setNotBefore(from);
+        certGen.setNotAfter(to);
+        certGen.setSubjectDN(dnName);
+        certGen.setPublicKey(keyPair.getPublic());
+        certGen.setSignatureAlgorithm(algorithm);
+        X509Certificate cert = certGen.generate(pair.getPrivate());
         return cert;
     }
 
@@ -168,41 +150,72 @@ public class TestSSLUtils {
         saveKeyStore(ks, filename, password);
     }
 
-    public static SecurityConfig createSSLConfigFile(SSLFactory.Mode mode, String trustStoreFileClient) throws IOException, GeneralSecurityException {
-        Properties securityConfigProps = new Properties();
+    public static Map createX509Certificates(KeyPair keyPair)
+        throws GeneralSecurityException {
         Map certs = new HashMap();
-        KeyPair keyPair = generateKeyPair("RSA");
         X509Certificate cert = generateCertificate("CN=localhost, O=localhost", keyPair, 30, "SHA1withRSA");
-        String password = "test";
-
-        if (mode == SSLFactory.Mode.SERVER) {
-            File keyStoreFile = File.createTempFile("keystore", ".jks");
-            createKeyStore(keyStoreFile.getPath(), password, password, "localhost", keyPair.getPrivate(), cert);
-            certs.put("localhost", cert);
-            securityConfigProps.put(SecurityConfig.SSL_KEYSTORE_LOCATION_CONFIG, keyStoreFile.getPath());
-            securityConfigProps.put(SecurityConfig.SSL_KEYSTORE_TYPE_CONFIG, "JKS");
-            securityConfigProps.put(SecurityConfig.SSL_KEYMANAGER_ALGORITHM_CONFIG, "SunX509");
-            securityConfigProps.put(SecurityConfig.SSL_KEYSTORE_PASSWORD_CONFIG, password);
-            securityConfigProps.put(SecurityConfig.SSL_KEY_PASSWORD_CONFIG, password);
-
-            File trustStoreFile = File.createTempFile("truststore", ".jks");
-            createTrustStore(trustStoreFile.getPath(), password, certs);
-
-            securityConfigProps.put(SecurityConfig.SECURITY_PROTOCOL_CONFIG, "SSL");
-            securityConfigProps.put(SecurityConfig.SSL_CLIENT_REQUIRE_CERT_CONFIG, "false");
-            securityConfigProps.put(SecurityConfig.SSL_TRUSTSTORE_LOCATION_CONFIG, trustStoreFile.getPath());
-            securityConfigProps.put(SecurityConfig.SSL_TRUSTSTORE_PASSWORD_CONFIG, password);
-            securityConfigProps.put(SecurityConfig.SSL_TRUSTSTORE_TYPE_CONFIG, "JKS");
-        } else {
-            securityConfigProps.put(SecurityConfig.SECURITY_PROTOCOL_CONFIG, "SSL");
-            securityConfigProps.put(SecurityConfig.SSL_CLIENT_REQUIRE_CERT_CONFIG, "false");
-            securityConfigProps.put(SecurityConfig.SSL_TRUSTSTORE_LOCATION_CONFIG, trustStoreFileClient);
-            securityConfigProps.put(SecurityConfig.SSL_TRUSTSTORE_PASSWORD_CONFIG, password);
-            securityConfigProps.put(SecurityConfig.SSL_TRUSTSTORE_TYPE_CONFIG, "JKS");
+        certs.put("localhost", cert);
+        return certs;
+    }
+
+    public static Map createSSLConfig(SSLFactory.Mode mode, File keyStoreFile, String password, String keyPassword,
+                                                      File trustStoreFile, String trustStorePassword, boolean useClientCert) {
+        Map sslConfigs = new HashMap();
+        sslConfigs.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, "SSL"); // kafka security protocol
+        sslConfigs.put(CommonClientConfigs.SSL_PROTOCOL_CONFIG, "TLS"); // protocol to create SSLContext
+
+        if (mode == SSLFactory.Mode.SERVER || (mode == SSLFactory.Mode.CLIENT && keyStoreFile != null)) {
+            sslConfigs.put(CommonClientConfigs.SSL_KEYSTORE_LOCATION_CONFIG, keyStoreFile.getPath());
+            sslConfigs.put(CommonClientConfigs.SSL_KEYSTORE_TYPE_CONFIG, "JKS");
+            sslConfigs.put(CommonClientConfigs.SSL_KEYMANAGER_ALGORITHM_CONFIG, "SunX509");
+            sslConfigs.put(CommonClientConfigs.SSL_KEYSTORE_PASSWORD_CONFIG, password);
+            sslConfigs.put(CommonClientConfigs.SSL_KEY_PASSWORD_CONFIG, keyPassword);
+        }
+
+        sslConfigs.put(CommonClientConfigs.SSL_CLIENT_REQUIRE_CERT_CONFIG, useClientCert);
+        sslConfigs.put(CommonClientConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG, trustStoreFile.getPath());
+        sslConfigs.put(CommonClientConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG, trustStorePassword);
+        sslConfigs.put(CommonClientConfigs.SSL_TRUSTSTORE_TYPE_CONFIG, "JKS");
+        sslConfigs.put(CommonClientConfigs.SSL_TRUSTMANAGER_ALGORITHM_CONFIG, "SunX509");
+        return sslConfigs;
+    }
+
+    public static Map> createSSLConfigs(boolean useClientCert, boolean trustStore)
+        throws IOException, GeneralSecurityException {
+        Map> sslConfigs = new HashMap>();
+        Map certs = new HashMap();
+        File trustStoreFile = File.createTempFile("truststore", ".jks");
+        File clientKeyStoreFile = null;
+        File serverKeyStoreFile = File.createTempFile("serverKS", ".jks");
+        String clientPassword = "ClientPassword";
+        String serverPassword = "ServerPassword";
+        String trustStorePassword = "TrustStorePassword";
+
+        if (useClientCert) {
+            clientKeyStoreFile = File.createTempFile("clientKS", ".jks");
+            KeyPair cKP = generateKeyPair("RSA");
+            X509Certificate cCert = generateCertificate("CN=localhost, O=client", cKP, 30, "SHA1withRSA");
+            createKeyStore(clientKeyStoreFile.getPath(), clientPassword, "client", cKP.getPrivate(), cCert);
+            certs.put("client", cCert);
+        }
+
+        KeyPair sKP = generateKeyPair("RSA");
+        X509Certificate sCert = generateCertificate("CN=localhost, O=server", sKP, 30,
+                                                    "SHA1withRSA");
+        createKeyStore(serverKeyStoreFile.getPath(), serverPassword, serverPassword, "server", sKP.getPrivate(), sCert);
+        certs.put("server", sCert);
+
+        if (trustStore) {
+            createTrustStore(trustStoreFile.getPath(), trustStorePassword, certs);
         }
 
-        securityConfigProps.put(SecurityConfig.SSL_TRUSTMANAGER_ALGORITHM_CONFIG, "SunX509");
-        return new SecurityConfig(securityConfigProps);
+        Map clientSSLConfig = createSSLConfig(SSLFactory.Mode.CLIENT, clientKeyStoreFile, clientPassword,
+                                                              clientPassword, trustStoreFile, trustStorePassword, useClientCert);
+        Map serverSSLConfig = createSSLConfig(SSLFactory.Mode.SERVER, serverKeyStoreFile, serverPassword,
+                                                              serverPassword, trustStoreFile, trustStorePassword, useClientCert);
+        sslConfigs.put(SSLFactory.Mode.CLIENT, clientSSLConfig);
+        sslConfigs.put(SSLFactory.Mode.SERVER, serverSSLConfig);
+        return sslConfigs;
     }
 
 }
-- 
2.4.4


From 98a90ae9d80ea8f5ab4780569d1c4e301dd16c4e Mon Sep 17 00:00:00 2001
From: Sriharsha Chintalapani 
Date: Sun, 10 May 2015 23:18:13 -0700
Subject: [PATCH 03/19] KAFKA-1690. new java producer needs ssl support as a
 client.

---
 .../src/main/java/org/apache/kafka/clients/ClientUtils.java   | 11 -----------
 1 file changed, 11 deletions(-)

diff --git a/clients/src/main/java/org/apache/kafka/clients/ClientUtils.java b/clients/src/main/java/org/apache/kafka/clients/ClientUtils.java
index 3657279..748576b 100644
--- a/clients/src/main/java/org/apache/kafka/clients/ClientUtils.java
+++ b/clients/src/main/java/org/apache/kafka/clients/ClientUtils.java
@@ -13,21 +13,17 @@
 package org.apache.kafka.clients;
 
 import java.io.Closeable;
-import java.io.IOException;
 import java.net.InetSocketAddress;
 import java.util.ArrayList;
 import java.util.List;
-import java.util.Properties;
 import java.util.concurrent.atomic.AtomicReference;
 
 import org.apache.kafka.common.config.ConfigException;
-import org.apache.kafka.common.config.SecurityConfig;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import static org.apache.kafka.common.utils.Utils.getHost;
 import static org.apache.kafka.common.utils.Utils.getPort;
-import static org.apache.kafka.common.utils.Utils.loadProps;
 
 
 public class ClientUtils {
@@ -67,11 +63,4 @@ public class ClientUtils {
         }
     }
 
-    public static SecurityConfig parseSecurityConfig(String securityConfigFile) throws IOException {
-        Properties securityProps = new Properties();
-        if (securityConfigFile != null && securityConfigFile != "") {
-            securityProps = loadProps(securityConfigFile);
-        }
-        return new SecurityConfig(securityProps);
-    }
 }
-- 
2.4.4


From 804da7a015be2f98a1bb867ee5d42aa8009a37dd Mon Sep 17 00:00:00 2001
From: Sriharsha Chintalapani 
Date: Sun, 10 May 2015 23:31:25 -0700
Subject: [PATCH 04/19] KAFKA-1690. new java producer needs ssl support as a
 client.

---
 .../main/java/org/apache/kafka/clients/consumer/ConsumerConfig.java  | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/clients/src/main/java/org/apache/kafka/clients/consumer/ConsumerConfig.java b/clients/src/main/java/org/apache/kafka/clients/consumer/ConsumerConfig.java
index 4ccd423..85fdc09 100644
--- a/clients/src/main/java/org/apache/kafka/clients/consumer/ConsumerConfig.java
+++ b/clients/src/main/java/org/apache/kafka/clients/consumer/ConsumerConfig.java
@@ -157,11 +157,6 @@ public class ConsumerConfig extends AbstractConfig {
     public static final String VALUE_DESERIALIZER_CLASS_CONFIG = "value.deserializer";
     private static final String VALUE_DESERIALIZER_CLASS_DOC = "Deserializer class for value that implements the Deserializer interface.";
 
-    /** security.config.file  */
-    public static final String SECURITY_CONFIG_FILE_CONFIG = CommonClientConfigs.SECURITY_CONFIG_FILE_CONFIG;
-    private static final String SECURITY_CONFIG_FILE_DOC = CommonClientConfigs.SECURITY_CONFIG_FILE_DOC;
-
-
     static {
         CONFIG = new ConfigDef().define(BOOTSTRAP_SERVERS_CONFIG,
                                         Type.LIST,
-- 
2.4.4


From ee16e8e6f92ac2baf0e41d3019b7f8aef39b1506 Mon Sep 17 00:00:00 2001
From: Sriharsha Chintalapani 
Date: Mon, 11 May 2015 16:09:01 -0700
Subject: [PATCH 05/19] KAFKA-1690. new java producer needs ssl support as a
 client. SSLFactory tests.

---
 .../kafka/clients/consumer/ConsumerConfig.java     |  2 +-
 .../kafka/clients/producer/ProducerConfig.java     |  2 +-
 .../apache/kafka/common/network/SSLFactory.java    | 16 +++++--
 .../kafka/common/network/SSLFactoryTest.java       | 56 ++++++++++++++++++++++
 .../java/org/apache/kafka/test/TestSSLUtils.java   |  7 +++
 5 files changed, 76 insertions(+), 7 deletions(-)
 create mode 100644 clients/src/test/java/org/apache/kafka/common/network/SSLFactoryTest.java

diff --git a/clients/src/main/java/org/apache/kafka/clients/consumer/ConsumerConfig.java b/clients/src/main/java/org/apache/kafka/clients/consumer/ConsumerConfig.java
index 85fdc09..95f3a46 100644
--- a/clients/src/main/java/org/apache/kafka/clients/consumer/ConsumerConfig.java
+++ b/clients/src/main/java/org/apache/kafka/clients/consumer/ConsumerConfig.java
@@ -280,7 +280,7 @@ public class ConsumerConfig extends AbstractConfig {
                                         VALUE_DESERIALIZER_CLASS_DOC)
                                 .define(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, Type.STRING, SecurityProtocol.PLAINTEXT.toString(), Importance.MEDIUM, CommonClientConfigs.SECURITY_PROTOCOL_DOC)
                                 .define(CommonClientConfigs.SSL_PROTOCOL_CONFIG, Type.STRING, "TLS", Importance.MEDIUM, CommonClientConfigs.SSL_PROTOCOL_DOC)
-                                .define(CommonClientConfigs.SSL_CIPHER_SUITES_CONFIG, Type.LIST, "", Importance.LOW, CommonClientConfigs.SSL_CIPHER_SUITES_DOC)
+                                .define(CommonClientConfigs.SSL_CIPHER_SUITES_CONFIG, Type.LIST, Importance.LOW, CommonClientConfigs.SSL_CIPHER_SUITES_DOC, false)
                                 .define(CommonClientConfigs.SSL_ENABLED_PROTOCOLS_CONFIG, Type.LIST, "TLSv1.2, TLSv1.1, TLSv1", Importance.MEDIUM, CommonClientConfigs.SSL_ENABLED_PROTOCOLS_DOC)
                                 .define(CommonClientConfigs.SSL_KEYSTORE_TYPE_CONFIG, Type.STRING, "JKS", Importance.MEDIUM, CommonClientConfigs.SSL_KEYSTORE_TYPE_DOC)
                                 .define(CommonClientConfigs.SSL_KEYSTORE_LOCATION_CONFIG, Type.STRING, Importance.HIGH, CommonClientConfigs.SSL_KEYSTORE_LOCATION_DOC, false)
diff --git a/clients/src/main/java/org/apache/kafka/clients/producer/ProducerConfig.java b/clients/src/main/java/org/apache/kafka/clients/producer/ProducerConfig.java
index 69563ee..552cafb 100644
--- a/clients/src/main/java/org/apache/kafka/clients/producer/ProducerConfig.java
+++ b/clients/src/main/java/org/apache/kafka/clients/producer/ProducerConfig.java
@@ -223,7 +223,7 @@ public class ProducerConfig extends AbstractConfig {
                                 .define(VALUE_SERIALIZER_CLASS_CONFIG, Type.CLASS, Importance.HIGH, VALUE_SERIALIZER_CLASS_DOC)
                                 .define(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, Type.STRING, SecurityProtocol.PLAINTEXT.toString(), Importance.MEDIUM, CommonClientConfigs.SECURITY_PROTOCOL_DOC)
                                 .define(CommonClientConfigs.SSL_PROTOCOL_CONFIG, Type.STRING, "TLS", Importance.MEDIUM, CommonClientConfigs.SSL_PROTOCOL_DOC)
-                                .define(CommonClientConfigs.SSL_CIPHER_SUITES_CONFIG, Type.LIST, "", Importance.LOW, CommonClientConfigs.SSL_CIPHER_SUITES_DOC)
+                                .define(CommonClientConfigs.SSL_CIPHER_SUITES_CONFIG, Type.LIST, Importance.LOW, CommonClientConfigs.SSL_CIPHER_SUITES_DOC, false)
                                 .define(CommonClientConfigs.SSL_ENABLED_PROTOCOLS_CONFIG, Type.LIST, "TLSv1.2, TLSv1.1, TLSv1", Importance.MEDIUM, CommonClientConfigs.SSL_ENABLED_PROTOCOLS_DOC)
                                 .define(CommonClientConfigs.SSL_KEYSTORE_TYPE_CONFIG, Type.STRING, "JKS", Importance.MEDIUM, CommonClientConfigs.SSL_KEYSTORE_TYPE_DOC)
                                 .define(CommonClientConfigs.SSL_KEYSTORE_LOCATION_CONFIG, Type.STRING, Importance.HIGH, CommonClientConfigs.SSL_KEYSTORE_LOCATION_DOC, false)
diff --git a/clients/src/main/java/org/apache/kafka/common/network/SSLFactory.java b/clients/src/main/java/org/apache/kafka/common/network/SSLFactory.java
index 73f976b..7fbb9d7 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/SSLFactory.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/SSLFactory.java
@@ -54,10 +54,17 @@ public class SSLFactory implements Configurable {
     @Override
     public void configure(Map configs) throws KafkaException {
         this.protocol =  (String) configs.get(CommonClientConfigs.SSL_PROTOCOL_CONFIG);
-        if (configs.get(CommonClientConfigs.SSL_CIPHER_SUITES_CONFIG) != null)
-            this.cipherSuites = (String[]) ((List) configs.get(CommonClientConfigs.SSL_CIPHER_SUITES_CONFIG)).toArray();
-        if (configs.get(CommonClientConfigs.SSL_ENABLED_PROTOCOLS_CONFIG) != null)
-            this.enabledProtocols = (String[]) ((List) configs.get(CommonClientConfigs.SSL_ENABLED_PROTOCOLS_CONFIG)).toArray();
+
+        if (configs.get(CommonClientConfigs.SSL_CIPHER_SUITES_CONFIG) != null) {
+            List cipherSuitesList = (List) configs.get(CommonClientConfigs.SSL_CIPHER_SUITES_CONFIG);
+            this.cipherSuites = (String[]) cipherSuitesList.toArray(new String[cipherSuitesList.size()]);
+        }
+
+        if (configs.get(CommonClientConfigs.SSL_ENABLED_PROTOCOLS_CONFIG) != null) {
+            List enabledProtocolsList = (List) configs.get(CommonClientConfigs.SSL_ENABLED_PROTOCOLS_CONFIG);
+            this.enabledProtocols =  (String[]) enabledProtocolsList.toArray(new String[enabledProtocolsList.size()]);
+        }
+
         this.requireClientCert = (Boolean) configs.get(CommonClientConfigs.SSL_CLIENT_REQUIRE_CERT_CONFIG);
         this.kmfAlgorithm = (String) configs.get(CommonClientConfigs.SSL_KEYMANAGER_ALGORITHM_CONFIG);
         this.tmfAlgorithm = (String) configs.get(CommonClientConfigs.SSL_TRUSTMANAGER_ALGORITHM_CONFIG);
@@ -73,7 +80,6 @@ public class SSLFactory implements Configurable {
         try {
             this.sslContext = createSSLContext();
         } catch (Exception e) {
-            e.printStackTrace();
             throw new KafkaException(e);
         }
     }
diff --git a/clients/src/test/java/org/apache/kafka/common/network/SSLFactoryTest.java b/clients/src/test/java/org/apache/kafka/common/network/SSLFactoryTest.java
new file mode 100644
index 0000000..02a3eff
--- /dev/null
+++ b/clients/src/test/java/org/apache/kafka/common/network/SSLFactoryTest.java
@@ -0,0 +1,56 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE
+ * file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file
+ * to You under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the
+ * License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+ * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+package org.apache.kafka.common.network;
+
+import javax.net.ssl.*;
+
+import java.util.Map;
+
+import org.apache.kafka.test.TestSSLUtils;
+
+import org.junit.Test;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+
+/**
+ * A set of tests for the selector over ssl. These use a test harness that runs a simple socket server that echos back responses.
+ */
+
+public class SSLFactoryTest {
+
+    @Test
+    public void testSSLFactoryConfiguration() throws Exception {
+        Map> sslConfigs = TestSSLUtils.createSSLConfigs(false, true);
+        Map serverSSLConfig = sslConfigs.get(SSLFactory.Mode.SERVER);
+        SSLFactory sslFactory = new SSLFactory(SSLFactory.Mode.SERVER);
+        sslFactory.configure(serverSSLConfig);
+        SSLEngine engine = sslFactory.createSSLEngine("localhost", 9093);
+        assertNotNull(engine);
+        String[] expectedProtocols = {"TLSv1.2"};
+        assertEquals(expectedProtocols, engine.getEnabledProtocols());
+        assertEquals(false, engine.getUseClientMode());
+    }
+
+    @Test
+    public void testClientMode() throws Exception {
+        Map> sslConfigs = TestSSLUtils.createSSLConfigs(false, true);
+        Map clientSSLConfig = sslConfigs.get(SSLFactory.Mode.CLIENT);
+        SSLFactory sslFactory = new SSLFactory(SSLFactory.Mode.CLIENT);
+        sslFactory.configure(clientSSLConfig);
+        SSLEngine engine = sslFactory.createSSLEngine("localhost", 9093);
+        assertTrue(engine.getUseClientMode());
+    }
+
+}
diff --git a/clients/src/test/java/org/apache/kafka/test/TestSSLUtils.java b/clients/src/test/java/org/apache/kafka/test/TestSSLUtils.java
index bfb52ef..590f1f5 100644
--- a/clients/src/test/java/org/apache/kafka/test/TestSSLUtils.java
+++ b/clients/src/test/java/org/apache/kafka/test/TestSSLUtils.java
@@ -43,6 +43,8 @@ import org.bouncycastle.x509.X509V1CertificateGenerator;
 import java.util.Date;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.List;
+import java.util.ArrayList;
 
 
 public class TestSSLUtils {
@@ -177,6 +179,11 @@ public class TestSSLUtils {
         sslConfigs.put(CommonClientConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG, trustStorePassword);
         sslConfigs.put(CommonClientConfigs.SSL_TRUSTSTORE_TYPE_CONFIG, "JKS");
         sslConfigs.put(CommonClientConfigs.SSL_TRUSTMANAGER_ALGORITHM_CONFIG, "SunX509");
+
+        List enabledProtocols  = new ArrayList();
+        enabledProtocols.add("TLSv1.2");
+        sslConfigs.put(CommonClientConfigs.SSL_ENABLED_PROTOCOLS_CONFIG, enabledProtocols);
+
         return sslConfigs;
     }
 
-- 
2.4.4


From 2dd826be4a6ebe7064cb19ff21fe23950a1bafc2 Mon Sep 17 00:00:00 2001
From: Sriharsha Chintalapani 
Date: Tue, 12 May 2015 16:09:38 -0700
Subject: [PATCH 06/19] KAFKA-1690. new java producer needs ssl support as a
 client. Added PrincipalBuilder.

---
 checkstyle/checkstyle.xml                          | 25 +++++-----
 checkstyle/import-control.xml                      | 17 ++++---
 .../apache/kafka/common/network/Authenticator.java | 18 +++-----
 .../org/apache/kafka/common/network/Channel.java   |  7 ++-
 .../kafka/common/network/DefaultAuthenticator.java | 21 ++++++---
 .../common/network/PlainTextTransportLayer.java    | 17 ++++---
 .../kafka/common/network/SSLTransportLayer.java    | 11 ++++-
 .../org/apache/kafka/common/network/Selector.java  |  5 +-
 .../kafka/common/network/TransportLayer.java       | 15 +++++-
 .../security/auth/DefaultPrincipalBuilder.java     | 37 +++++++++++++++
 .../kafka/common/security/auth/KafkaPrincipal.java | 54 ++++++++++++++++++++++
 .../common/security/auth/PrincipalBuilder.java     | 38 +++++++++++++++
 12 files changed, 212 insertions(+), 53 deletions(-)
 create mode 100644 clients/src/main/java/org/apache/kafka/common/security/auth/DefaultPrincipalBuilder.java
 create mode 100644 clients/src/main/java/org/apache/kafka/common/security/auth/KafkaPrincipal.java
 create mode 100644 clients/src/main/java/org/apache/kafka/common/security/auth/PrincipalBuilder.java

diff --git a/checkstyle/checkstyle.xml b/checkstyle/checkstyle.xml
index 5fbf562..5031415 100644
--- a/checkstyle/checkstyle.xml
+++ b/checkstyle/checkstyle.xml
@@ -1,6 +1,6 @@
 
 
  
+-->
 
   
-  
+
   
-  
+
   
   
     
   
-  
+
   
-    
+
     
     
     
+    
     
     
     
     
     
-    
+
     
     
     
@@ -59,12 +60,12 @@
     
     
     
-    
+
     
     
       
     
-    
+
     
     
     
@@ -79,4 +80,4 @@
     
     
   
-
\ No newline at end of file
+
diff --git a/checkstyle/import-control.xml b/checkstyle/import-control.xml
index 339c620..a921757 100644
--- a/checkstyle/import-control.xml
+++ b/checkstyle/import-control.xml
@@ -26,7 +26,6 @@
 	
 	
 	
-	
 	
 	
 
@@ -41,13 +40,9 @@
 		
 		
 		
-		
-		
 
 		
 			
-			
-			
 			
 			
 		
@@ -57,12 +52,17 @@
 		
 
 		
+      
+      
+      
+      
 			
-			
-			
-			
 		
 
+    
+      
+    
+
 		
 			
 			
@@ -91,7 +91,6 @@
 		
 		
 		
-		
 
 		
 			
diff --git a/clients/src/main/java/org/apache/kafka/common/network/Authenticator.java b/clients/src/main/java/org/apache/kafka/common/network/Authenticator.java
index 1b6b32a..920ed88 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/Authenticator.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/Authenticator.java
@@ -22,39 +22,33 @@ package org.apache.kafka.common.network;
  */
 
 import java.io.IOException;
-import com.sun.security.auth.UserPrincipal;
+import java.security.Principal;
 
+import org.apache.kafka.common.KafkaException;
 
 public interface Authenticator {
 
     /**
-     * Closes this channel
+     * Closes this Authenticator
      *
      * @throws IOException if any I/O error occurs
      */
     void close() throws IOException;
 
     /**
-     *
-     * @throws IOException
-     */
-    void init() throws IOException;
-
-    /**
-     * Returns UserPrincipal after authentication is established
+     * Returns Principal after authentication is established
      */
-    UserPrincipal userPrincipal() throws IOException;
-
+    Principal principal() throws KafkaException;
 
     /**
      * Does authentication and returns SelectionKey.OP if further communication needed
+     * If no further authentication needs to be done return 0.
      */
     int authenticate(boolean read, boolean write) throws IOException;
 
     /**
      * returns true if authentication is complete otherwise returns false;
      */
-
     boolean isComplete();
 
 }
diff --git a/clients/src/main/java/org/apache/kafka/common/network/Channel.java b/clients/src/main/java/org/apache/kafka/common/network/Channel.java
index d9d1192..7b2489e 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/Channel.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/Channel.java
@@ -27,7 +27,7 @@ import java.nio.channels.ScatteringByteChannel;
 import java.nio.channels.GatheringByteChannel;
 import java.nio.channels.SocketChannel;
 
-import com.sun.security.auth.UserPrincipal;
+import java.security.Principal;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -45,7 +45,6 @@ public class Channel implements ScatteringByteChannel, GatheringByteChannel {
     public Channel(TransportLayer transportLayer, Authenticator authenticator) throws IOException {
         this.transportLayer = transportLayer;
         this.authenticator = authenticator;
-        this.authenticator.init();
     }
 
     public void close() throws IOException {
@@ -58,8 +57,8 @@ public class Channel implements ScatteringByteChannel, GatheringByteChannel {
      * Incase of PLAINTEXT and No Authentication returns ANONYMOUS as the userPrincipal
      * If SSL used without any SASL Authentication returns SSLSession.peerPrincipal
      */
-    public UserPrincipal userPrincipal() throws IOException {
-        return authenticator.userPrincipal();
+    public Principal principal() throws IOException {
+        return authenticator.principal();
     }
 
     public int connect(boolean read, boolean write) throws IOException {
diff --git a/clients/src/main/java/org/apache/kafka/common/network/DefaultAuthenticator.java b/clients/src/main/java/org/apache/kafka/common/network/DefaultAuthenticator.java
index 97b1135..3a66e7b 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/DefaultAuthenticator.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/DefaultAuthenticator.java
@@ -17,25 +17,34 @@
 
 package org.apache.kafka.common.network;
 
-import com.sun.security.auth.UserPrincipal;
+import java.security.Principal;
 import java.io.IOException;
 
+import org.apache.kafka.common.security.auth.PrincipalBuilder;
+import org.apache.kafka.common.KafkaException;
+
 public class DefaultAuthenticator implements Authenticator {
 
     TransportLayer transportLayer;
+    PrincipalBuilder principalBuilder;
+    Principal principal;
 
-    public DefaultAuthenticator(TransportLayer transportLayer) {
+    public DefaultAuthenticator(TransportLayer transportLayer, PrincipalBuilder principalBuilder) {
         this.transportLayer = transportLayer;
+        this.principalBuilder = principalBuilder;
     }
 
-    public void init() {}
-
+    /*
+     * No-Op for default authenticator
+     */
     public int authenticate(boolean read, boolean write) throws IOException {
         return 0;
     }
 
-    public UserPrincipal userPrincipal() throws IOException {
-        return new UserPrincipal(transportLayer.getPeerPrincipal().toString());
+    public Principal principal() throws KafkaException {
+        if (principal != null)
+            principal = principalBuilder.buildPrincipal(transportLayer, this);
+        return principal;
     }
 
     public void close() throws IOException {}
diff --git a/clients/src/main/java/org/apache/kafka/common/network/PlainTextTransportLayer.java b/clients/src/main/java/org/apache/kafka/common/network/PlainTextTransportLayer.java
index dbf0a30..17b014f 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/PlainTextTransportLayer.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/PlainTextTransportLayer.java
@@ -22,14 +22,15 @@ package org.apache.kafka.common.network;
  */
 
 import java.io.IOException;
-import java.nio.ByteBuffer;
-import java.nio.channels.SocketChannel;
-
 import java.io.DataInputStream;
 import java.io.DataOutputStream;
+import java.nio.ByteBuffer;
+import java.nio.channels.SocketChannel;
 
+import javax.net.ssl.SSLSession;
 import java.security.Principal;
-import com.sun.security.auth.UserPrincipal;
+
+import org.apache.kafka.common.security.auth.KafkaPrincipal;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -140,8 +141,12 @@ public class PlainTextTransportLayer implements TransportLayer {
         return outStream;
     }
 
-    public Principal getPeerPrincipal() throws IOException {
-        return new UserPrincipal("ANONYMOUS");
+    public Principal peerPrincipal() throws IOException {
+        return new KafkaPrincipal("ANONYMOUS");
+    }
+
+    public SSLSession sslSession() throws IllegalStateException, UnsupportedOperationException {
+        throw new UnsupportedOperationException("sslSession not supported for PlainTextTransportLayer");
     }
 
 }
diff --git a/clients/src/main/java/org/apache/kafka/common/network/SSLTransportLayer.java b/clients/src/main/java/org/apache/kafka/common/network/SSLTransportLayer.java
index 2d6a519..0267e85 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/SSLTransportLayer.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/SSLTransportLayer.java
@@ -28,6 +28,7 @@ import javax.net.ssl.SSLEngineResult;
 import javax.net.ssl.SSLEngineResult.HandshakeStatus;
 import javax.net.ssl.SSLEngineResult.Status;
 import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLSession;
 import javax.net.ssl.SSLPeerUnverifiedException;
 
 import java.io.DataInputStream;
@@ -267,7 +268,7 @@ public class SSLTransportLayer implements TransportLayer {
         sslEngine.closeOutbound();
 
         if (!flush(netOutBuffer)) {
-            throw new IOException("Remaining data in the network buffer, can't send SSL close message, force a close with close(true) instead");
+            throw new IOException("Remaining data in the network buffer, can't send SSL close message.");
         }
         //prep the buffer for the close message
         netOutBuffer.clear();
@@ -400,7 +401,7 @@ public class SSLTransportLayer implements TransportLayer {
         return outStream;
     }
 
-    public Principal getPeerPrincipal() throws IOException {
+    public Principal peerPrincipal() throws IOException {
         try {
             return sslEngine.getSession().getPeerPrincipal();
         } catch (SSLPeerUnverifiedException se) {
@@ -408,6 +409,12 @@ public class SSLTransportLayer implements TransportLayer {
         }
     }
 
+    public SSLSession sslSession() throws IllegalStateException, UnsupportedOperationException {
+        if (!handshakeComplete)
+            throw new IllegalStateException("Handshake incomplete.");
+        return sslEngine.getSession();
+    }
+
     private int readFromAppBuffer(ByteBuffer dst) {
         appReadBuffer.flip();
         try {
diff --git a/clients/src/main/java/org/apache/kafka/common/network/Selector.java b/clients/src/main/java/org/apache/kafka/common/network/Selector.java
index 90e2cee..ea95858 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/Selector.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/Selector.java
@@ -43,6 +43,8 @@ import org.apache.kafka.common.metrics.stats.Count;
 import org.apache.kafka.common.metrics.stats.Max;
 import org.apache.kafka.common.metrics.stats.Rate;
 import org.apache.kafka.common.protocol.SecurityProtocol;
+import org.apache.kafka.common.security.auth.PrincipalBuilder;
+import org.apache.kafka.common.security.auth.DefaultPrincipalBuilder;
 import org.apache.kafka.common.utils.Time;
 import org.apache.kafka.clients.CommonClientConfigs;
 import org.slf4j.Logger;
@@ -169,7 +171,8 @@ public class Selector implements Selectable {
         } else {
             transportLayer = new PlainTextTransportLayer(socketChannel);
         }
-        Authenticator authenticator = new DefaultAuthenticator(transportLayer);
+        PrincipalBuilder principalBuilder = new DefaultPrincipalBuilder();
+        Authenticator authenticator = new DefaultAuthenticator(transportLayer, principalBuilder);
         Channel channel = new Channel(transportLayer, authenticator);
         SelectionKey key = socketChannel.register(this.selector, SelectionKey.OP_CONNECT);
         key.attach(new Transmissions(id));
diff --git a/clients/src/main/java/org/apache/kafka/common/network/TransportLayer.java b/clients/src/main/java/org/apache/kafka/common/network/TransportLayer.java
index ae10f7c..0531d6f 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/TransportLayer.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/TransportLayer.java
@@ -27,6 +27,7 @@ import java.nio.channels.SocketChannel;
 import java.io.DataInputStream;
 import java.io.DataOutputStream;
 
+import javax.net.ssl.SSLSession;
 import java.security.Principal;
 
 
@@ -82,5 +83,17 @@ public interface TransportLayer {
 
     boolean flush(ByteBuffer buffer) throws IOException;
 
-    Principal getPeerPrincipal() throws IOException;
+
+    /**
+     * returns SSLSession.getPeerPrinicpal if SSLTransportLayer used
+     * for non-secure returns a "ANONYMOUS" as the peerPrincipal
+     */
+    Principal peerPrincipal() throws IOException;
+
+    /**
+     * returns a SSL Session after the handshake is established
+     * throws IlleagalStateException if the handshake is not established
+     * throws UnsupportedOperationException for non-secure implementation
+     */
+    SSLSession sslSession() throws IllegalStateException, UnsupportedOperationException;
 }
diff --git a/clients/src/main/java/org/apache/kafka/common/security/auth/DefaultPrincipalBuilder.java b/clients/src/main/java/org/apache/kafka/common/security/auth/DefaultPrincipalBuilder.java
new file mode 100644
index 0000000..d594e4d
--- /dev/null
+++ b/clients/src/main/java/org/apache/kafka/common/security/auth/DefaultPrincipalBuilder.java
@@ -0,0 +1,37 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.kafka.common.security.auth;
+
+import java.security.Principal;
+
+import org.apache.kafka.common.network.TransportLayer;
+import org.apache.kafka.common.network.Authenticator;
+import org.apache.kafka.common.KafkaException;
+
+
+public class DefaultPrincipalBuilder implements PrincipalBuilder {
+
+    public Principal buildPrincipal(TransportLayer transportLayer, Authenticator authenticator) throws KafkaException {
+        try {
+            return transportLayer.peerPrincipal();
+        } catch (Exception e) {
+            throw new KafkaException("Failed to build principal due to: ", e);
+        }
+    }
+
+}
diff --git a/clients/src/main/java/org/apache/kafka/common/security/auth/KafkaPrincipal.java b/clients/src/main/java/org/apache/kafka/common/security/auth/KafkaPrincipal.java
new file mode 100644
index 0000000..4a7ace8
--- /dev/null
+++ b/clients/src/main/java/org/apache/kafka/common/security/auth/KafkaPrincipal.java
@@ -0,0 +1,54 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.kafka.common.security.auth;
+
+import java.security.Principal;
+
+public class KafkaPrincipal implements Principal {
+    private final String name;
+
+    public KafkaPrincipal(String name) {
+        if (name == null)
+            throw new IllegalArgumentException("name is null");
+        this.name = name;
+    }
+
+    public boolean equals(Object object) {
+        if (this == object)
+            return true;
+
+        if (object instanceof KafkaPrincipal) {
+            return name.equals(((KafkaPrincipal) object).getName());
+        }
+
+        return false;
+    }
+
+    public int hashCode() {
+        return name.hashCode();
+    }
+
+    public String getName() {
+        return name;
+    }
+
+    public String toString() {
+        return name;
+    }
+
+}
diff --git a/clients/src/main/java/org/apache/kafka/common/security/auth/PrincipalBuilder.java b/clients/src/main/java/org/apache/kafka/common/security/auth/PrincipalBuilder.java
new file mode 100644
index 0000000..5b39222
--- /dev/null
+++ b/clients/src/main/java/org/apache/kafka/common/security/auth/PrincipalBuilder.java
@@ -0,0 +1,38 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.kafka.common.security.auth;
+
+/*
+ * PrincipalBuilder for Authenticator
+ */
+import org.apache.kafka.common.network.TransportLayer;
+import org.apache.kafka.common.network.Authenticator;
+import org.apache.kafka.common.KafkaException;
+
+import java.security.Principal;
+
+public interface PrincipalBuilder {
+
+    /**
+     * Returns Principal
+     * @param TransportLayer
+     * @param Authenticator
+     */
+    Principal buildPrincipal(TransportLayer transportLayer, Authenticator authenticator) throws KafkaException;
+
+}
-- 
2.4.4


From 2cddad80f6a4a961b6932879448e532dab4e637e Mon Sep 17 00:00:00 2001
From: Sriharsha Chintalapani 
Date: Fri, 15 May 2015 07:17:37 -0700
Subject: [PATCH 07/19] KAFKA-1690. new java producer needs ssl support as a
 client. Addressing reviews.

---
 build.gradle                                       |   4 +-
 checkstyle/import-control.xml                      |  15 +-
 .../java/org/apache/kafka/clients/ClientUtils.java |  25 ++
 .../apache/kafka/clients/CommonClientConfigs.java  |  55 ---
 .../kafka/clients/consumer/ConsumerConfig.java     |  33 +-
 .../kafka/clients/consumer/KafkaConsumer.java      |   5 +-
 .../kafka/clients/producer/KafkaProducer.java      |   7 +-
 .../kafka/clients/producer/ProducerConfig.java     |  32 +-
 .../kafka/common/config/SecurityConfigs.java       | 106 ++++++
 .../apache/kafka/common/network/Authenticator.java |   8 +-
 .../org/apache/kafka/common/network/Channel.java   |  48 ++-
 .../kafka/common/network/ChannelBuilder.java       |  43 +++
 .../kafka/common/network/DefaultAuthenticator.java |  24 +-
 .../common/network/PlainTextChannelBuilder.java    |  57 +++
 .../common/network/PlainTextTransportLayer.java    |  63 ++--
 .../kafka/common/network/SSLChannelBuilder.java    |  67 ++++
 .../apache/kafka/common/network/SSLFactory.java    |  95 ++---
 .../kafka/common/network/SSLTransportLayer.java    | 401 +++++++++++++--------
 .../org/apache/kafka/common/network/Selector.java  |  91 ++---
 .../kafka/common/network/TransportLayer.java       |  51 +--
 .../kafka/common/protocol/SecurityProtocol.java    |   4 +-
 .../security/auth/DefaultPrincipalBuilder.java     |   6 +
 .../kafka/common/security/auth/KafkaPrincipal.java |   4 +
 .../common/security/auth/PrincipalBuilder.java     |  15 +-
 .../java/org/apache/kafka/common/utils/Utils.java  |  42 ++-
 .../apache/kafka/common/network/EchoServer.java    |  21 +-
 .../kafka/common/network/SSLFactoryTest.java       |  17 +-
 .../kafka/common/network/SSLSelectorTest.java      | 240 +++++++++++-
 .../apache/kafka/common/network/SelectorTest.java  |  42 ++-
 .../java/org/apache/kafka/test/TestSSLUtils.java   | 106 +++---
 30 files changed, 1208 insertions(+), 519 deletions(-)
 create mode 100644 clients/src/main/java/org/apache/kafka/common/config/SecurityConfigs.java
 create mode 100644 clients/src/main/java/org/apache/kafka/common/network/ChannelBuilder.java
 create mode 100644 clients/src/main/java/org/apache/kafka/common/network/PlainTextChannelBuilder.java
 create mode 100644 clients/src/main/java/org/apache/kafka/common/network/SSLChannelBuilder.java

diff --git a/build.gradle b/build.gradle
index 4e83d7d..3633152 100644
--- a/build.gradle
+++ b/build.gradle
@@ -354,8 +354,8 @@ project(':clients') {
     compile "org.slf4j:slf4j-api:1.7.6"
     compile 'org.xerial.snappy:snappy-java:1.1.1.6'
     compile 'net.jpountz.lz4:lz4:1.2.0'
-    compile 'org.bouncycastle:bcprov-jdk16:1.46'
 
+    testCompile 'org.bouncycastle:bcpkix-jdk15on:1.52'
     testCompile 'com.novocode:junit-interface:0.9'
     testRuntime "$slf4jlog4j"
   }
@@ -385,7 +385,7 @@ project(':clients') {
   }
 
   checkstyle {
-     configFile = new File(rootDir, "checkstyle/checkstyle.xml")
+    configFile = new File(rootDir, "checkstyle/checkstyle.xml")
   }
   test.dependsOn('checkstyleMain', 'checkstyleTest')
 }
diff --git a/checkstyle/import-control.xml b/checkstyle/import-control.xml
index a921757..1ebe211 100644
--- a/checkstyle/import-control.xml
+++ b/checkstyle/import-control.xml
@@ -52,16 +52,15 @@
 		
 
 		
-      
-      
-      
-      
+      		
+      		
+      		
 			
 		
 
-    
-      
-    
+    	
+      		
+    	
 
 		
 			
@@ -108,7 +107,7 @@
 
 	
 		
-    
+    	
 	
 
 
diff --git a/clients/src/main/java/org/apache/kafka/clients/ClientUtils.java b/clients/src/main/java/org/apache/kafka/clients/ClientUtils.java
index 748576b..3e92d6d 100644
--- a/clients/src/main/java/org/apache/kafka/clients/ClientUtils.java
+++ b/clients/src/main/java/org/apache/kafka/clients/ClientUtils.java
@@ -16,8 +16,14 @@ import java.io.Closeable;
 import java.net.InetSocketAddress;
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Map;
 import java.util.concurrent.atomic.AtomicReference;
 
+import org.apache.kafka.common.protocol.SecurityProtocol;
+import org.apache.kafka.common.network.ChannelBuilder;
+import org.apache.kafka.common.network.SSLChannelBuilder;
+import org.apache.kafka.common.network.PlainTextChannelBuilder;
+import org.apache.kafka.common.config.SecurityConfigs;
 import org.apache.kafka.common.config.ConfigException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -63,4 +69,23 @@ public class ClientUtils {
         }
     }
 
+    /**
+     * @param configs client/server configs
+     * returns ChannelBuilder configured channelBuilder based on the configs.
+     */
+    public static ChannelBuilder createChannelBuilder(Map configs) {
+        ChannelBuilder channelBuilder = null;
+        SecurityProtocol securityProtocol = configs.containsKey(SecurityConfigs.SECURITY_PROTOCOL_CONFIG) ?
+            SecurityProtocol.valueOf((String) configs.get(SecurityConfigs.SECURITY_PROTOCOL_CONFIG)) : SecurityProtocol.PLAINTEXT;
+
+        if (securityProtocol == SecurityProtocol.SSL) {
+            channelBuilder = new SSLChannelBuilder();
+        } else {
+            channelBuilder = new PlainTextChannelBuilder();
+        }
+
+        channelBuilder.configure(configs);
+        return channelBuilder;
+    }
+
 }
diff --git a/clients/src/main/java/org/apache/kafka/clients/CommonClientConfigs.java b/clients/src/main/java/org/apache/kafka/clients/CommonClientConfigs.java
index ead3826..16507c7 100644
--- a/clients/src/main/java/org/apache/kafka/clients/CommonClientConfigs.java
+++ b/clients/src/main/java/org/apache/kafka/clients/CommonClientConfigs.java
@@ -55,59 +55,4 @@ public class CommonClientConfigs {
     public static final String METRIC_REPORTER_CLASSES_CONFIG = "metric.reporters";
     public static final String METRIC_REPORTER_CLASSES_DOC = "A list of classes to use as metrics reporters. Implementing the MetricReporter interface allows plugging in classes that will be notified of new metric creation. The JmxReporter is always included to register JMX statistics.";
 
-    public static final String SECURITY_CONFIG_FILE_CONFIG = "security.config.file";
-    public static final String SECURITY_CONFIG_FILE_DOC = "Kafka client security related config file.";
-
-    public static final String SECURITY_PROTOCOL_CONFIG = "security.protocol";
-    public static final String SECURITY_PROTOCOL_DOC = "Protocol used to communicate with brokers. Currently only PLAINTEXT and SSL are supported.";
-
-    public static final String SSL_PROTOCOL_CONFIG = "ssl.protocol";
-    public static final String SSL_PROTOCOL_DOC = "The ssl protocol used to generate SSLContext."
-            + "Default setting is TLS. Allowed values are SSL, SSLv2, SSLv3, TLS, TLSv1.1, TLSv1.2";
-
-    public static final String SSL_CIPHER_SUITES_CONFIG = "ssl.cipher.suites";
-    public static final String SSL_CIPHER_SUITES_DOC = "A cipher suite is a named combination of authentication, encryption, MAC and key exchange algorithm used to negotiate the security settings for a network connection using TLS or SSL network protocol."
-            + "By default all the available cipher suites are supported.";
-
-    public static final String SSL_ENABLED_PROTOCOLS_CONFIG = "ssl.enabled.protocols";
-    public static final String SSL_ENABLED_PROTOCOLS_DOC = "The list of protocols enabled for SSL connections. "
-            + "All versions of TLS is enabled by default.";
-
-    public static final String SSL_KEYSTORE_TYPE_CONFIG = "ssl.keystore.type";
-    public static final String SSL_KEYSTORE_TYPE_DOC = "The file format of the key store file. "
-            + "This is optional for client. Default value is JKS";
-
-    public static final String SSL_KEYSTORE_LOCATION_CONFIG = "ssl.keystore.location";
-    public static final String SSL_KEYSTORE_LOCATION_DOC = "The location of the key store file. "
-            + "This is optional for Client and can be used for two-way authentication for client.";
-
-    public static final String SSL_KEYSTORE_PASSWORD_CONFIG = "ssl.keystore.password";
-    public static final String SSL_KEYSTORE_PASSWORD_DOC = "The store password for the key store file. ";
-
-    public static final String SSL_KEY_PASSWORD_CONFIG = "ssl.key.password";
-    public static final String SSL_KEY_PASSWORD_DOC = "The password of the private key in the key store file. "
-            + "This is optional for client.";
-
-    public static final String SSL_TRUSTSTORE_TYPE_CONFIG = "ssl.truststore.type";
-    public static final String SSL_TRUSTSTORE_TYPE_DOC = "The file format of the trust store file. "
-            + "Default value is JKS.";
-
-    public static final String SSL_TRUSTSTORE_LOCATION_CONFIG = "ssl.truststore.location";
-    public static final String SSL_TRUSTSTORE_LOCATION_DOC = "The location of the trust store file. ";
-
-    public static final String SSL_TRUSTSTORE_PASSWORD_CONFIG = "ssl.truststore.password";
-    public static final String SSL_TRUSTSTORE_PASSWORD_DOC = "The password for the trust store file. ";
-
-    public static final String SSL_CLIENT_REQUIRE_CERT_CONFIG = "ssl.client.require.cert";
-    public static final String SSL_CLIENT_REQUIRE_CERT_DOC = "This is to enforce two-way authentication between client and server."
-            + "Default value is false. If set to true client need to prover Keystrore releated config";
-
-    public static final String SSL_KEYMANAGER_ALGORITHM_CONFIG = "ssl.keymanager.algorithm";
-    public static final String SSL_KEYMANAGER_ALGORITHM_DOC = "The algorithm used by key manager factory for SSL connections. "
-            + "Default value is the key manager factory algorithm configured for the Java Virtual Machine.";
-
-    public static final String SSL_TRUSTMANAGER_ALGORITHM_CONFIG = "ssl.trustmanager.algorithm";
-    public static final String SSL_TRUSTMANAGER_ALGORITHM_DOC = "The algorithm used by trust manager factory for SSL connections. "
-            + "Default value is the trust manager factory algorithm configured for the Java Virtual Machine.";
-
 }
diff --git a/clients/src/main/java/org/apache/kafka/clients/consumer/ConsumerConfig.java b/clients/src/main/java/org/apache/kafka/clients/consumer/ConsumerConfig.java
index 95f3a46..dff4258 100644
--- a/clients/src/main/java/org/apache/kafka/clients/consumer/ConsumerConfig.java
+++ b/clients/src/main/java/org/apache/kafka/clients/consumer/ConsumerConfig.java
@@ -19,7 +19,7 @@ import org.apache.kafka.common.config.ConfigDef;
 import org.apache.kafka.common.config.ConfigDef.Importance;
 import org.apache.kafka.common.config.ConfigDef.Type;
 import org.apache.kafka.common.serialization.Deserializer;
-import org.apache.kafka.common.protocol.SecurityProtocol;
+import org.apache.kafka.common.config.SecurityConfigs;
 
 import java.util.HashMap;
 import java.util.Map;
@@ -278,20 +278,23 @@ public class ConsumerConfig extends AbstractConfig {
                                         Type.CLASS,
                                         Importance.HIGH,
                                         VALUE_DESERIALIZER_CLASS_DOC)
-                                .define(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, Type.STRING, SecurityProtocol.PLAINTEXT.toString(), Importance.MEDIUM, CommonClientConfigs.SECURITY_PROTOCOL_DOC)
-                                .define(CommonClientConfigs.SSL_PROTOCOL_CONFIG, Type.STRING, "TLS", Importance.MEDIUM, CommonClientConfigs.SSL_PROTOCOL_DOC)
-                                .define(CommonClientConfigs.SSL_CIPHER_SUITES_CONFIG, Type.LIST, Importance.LOW, CommonClientConfigs.SSL_CIPHER_SUITES_DOC, false)
-                                .define(CommonClientConfigs.SSL_ENABLED_PROTOCOLS_CONFIG, Type.LIST, "TLSv1.2, TLSv1.1, TLSv1", Importance.MEDIUM, CommonClientConfigs.SSL_ENABLED_PROTOCOLS_DOC)
-                                .define(CommonClientConfigs.SSL_KEYSTORE_TYPE_CONFIG, Type.STRING, "JKS", Importance.MEDIUM, CommonClientConfigs.SSL_KEYSTORE_TYPE_DOC)
-                                .define(CommonClientConfigs.SSL_KEYSTORE_LOCATION_CONFIG, Type.STRING, Importance.HIGH, CommonClientConfigs.SSL_KEYSTORE_LOCATION_DOC, false)
-                                .define(CommonClientConfigs.SSL_KEYSTORE_PASSWORD_CONFIG, Type.STRING, Importance.HIGH, CommonClientConfigs.SSL_KEYSTORE_PASSWORD_DOC, false)
-                                .define(CommonClientConfigs.SSL_KEY_PASSWORD_CONFIG, Type.STRING, Importance.HIGH, CommonClientConfigs.SSL_KEY_PASSWORD_DOC, false)
-                                .define(CommonClientConfigs.SSL_TRUSTSTORE_TYPE_CONFIG, Type.STRING, "JKS", Importance.MEDIUM, CommonClientConfigs.SSL_TRUSTSTORE_TYPE_DOC)
-                                .define(CommonClientConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG, Type.STRING, Importance.HIGH, CommonClientConfigs.SSL_TRUSTSTORE_LOCATION_DOC, false)
-                                .define(CommonClientConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG, Type.STRING, Importance.HIGH, CommonClientConfigs.SSL_TRUSTSTORE_PASSWORD_DOC, false)
-                                .define(CommonClientConfigs.SSL_KEYMANAGER_ALGORITHM_CONFIG, Type.STRING, "SunX509", Importance.LOW, CommonClientConfigs.SSL_KEYMANAGER_ALGORITHM_DOC)
-                                .define(CommonClientConfigs.SSL_TRUSTMANAGER_ALGORITHM_CONFIG, Type.STRING, "SunX509", Importance.LOW, CommonClientConfigs.SSL_TRUSTMANAGER_ALGORITHM_DOC)
-                                .define(CommonClientConfigs.SSL_CLIENT_REQUIRE_CERT_CONFIG, Type.BOOLEAN, false, Importance.MEDIUM, CommonClientConfigs.SSL_CLIENT_REQUIRE_CERT_DOC);
+                                .define(SecurityConfigs.SECURITY_PROTOCOL_CONFIG, Type.STRING, SecurityConfigs.DEFAULT_SECURITY_PROTOCOL, Importance.MEDIUM, SecurityConfigs.SECURITY_PROTOCOL_DOC)
+                                .define(SecurityConfigs.PRINCIPAL_BUILDER_CLASS_CONFIG, Type.CLASS, SecurityConfigs.DEFAULT_PRINCIPAL_BUILDER_CLASS, Importance.LOW, SecurityConfigs.PRINCIPAL_BUILDER_CLASS_DOC)
+                                .define(SecurityConfigs.SSL_PROTOCOL_CONFIG, Type.STRING, SecurityConfigs.DEFAULT_SSL_PROTOCOL, Importance.MEDIUM, SecurityConfigs.SSL_PROTOCOL_DOC)
+                                .define(SecurityConfigs.SSL_PROVIDER_CONFIG, Type.STRING, Importance.MEDIUM, SecurityConfigs.SSL_PROVIDER_DOC, false)
+                                .define(SecurityConfigs.SSL_CIPHER_SUITES_CONFIG, Type.LIST, Importance.LOW, SecurityConfigs.SSL_CIPHER_SUITES_DOC, false)
+                                .define(SecurityConfigs.SSL_ENABLED_PROTOCOLS_CONFIG, Type.LIST, SecurityConfigs.DEFAULT_ENABLED_PROTOCOLS, Importance.MEDIUM, SecurityConfigs.SSL_ENABLED_PROTOCOLS_DOC)
+                                .define(SecurityConfigs.SSL_KEYSTORE_TYPE_CONFIG, Type.STRING, SecurityConfigs.DEFAULT_SSL_KEYSTORE_TYPE, Importance.MEDIUM, SecurityConfigs.SSL_KEYSTORE_TYPE_DOC)
+                                .define(SecurityConfigs.SSL_KEYSTORE_LOCATION_CONFIG, Type.STRING, Importance.HIGH, SecurityConfigs.SSL_KEYSTORE_LOCATION_DOC, false)
+                                .define(SecurityConfigs.SSL_KEYSTORE_PASSWORD_CONFIG, Type.STRING, Importance.HIGH, SecurityConfigs.SSL_KEYSTORE_PASSWORD_DOC, false)
+                                .define(SecurityConfigs.SSL_KEY_PASSWORD_CONFIG, Type.STRING, Importance.HIGH, SecurityConfigs.SSL_KEY_PASSWORD_DOC, false)
+                                .define(SecurityConfigs.SSL_TRUSTSTORE_TYPE_CONFIG, Type.STRING, SecurityConfigs.DEFAULT_SSL_TRUSTSTORE_TYPE, Importance.MEDIUM, SecurityConfigs.SSL_TRUSTSTORE_TYPE_DOC)
+                                .define(SecurityConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG, Type.STRING, SecurityConfigs.DEFAULT_TRUSTSTORE_LOCATION, Importance.HIGH, SecurityConfigs.SSL_TRUSTSTORE_LOCATION_DOC)
+                                .define(SecurityConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG, Type.STRING, SecurityConfigs.DEFAULT_TRUSTSTORE_PASSWORD, Importance.HIGH, SecurityConfigs.SSL_TRUSTSTORE_PASSWORD_DOC)
+                                .define(SecurityConfigs.SSL_KEYMANAGER_ALGORITHM_CONFIG, Type.STRING, SecurityConfigs.DEFAULT_SSL_KEYMANGER_ALGORITHM, Importance.LOW, SecurityConfigs.SSL_KEYMANAGER_ALGORITHM_DOC)
+                                .define(SecurityConfigs.SSL_TRUSTMANAGER_ALGORITHM_CONFIG, Type.STRING, SecurityConfigs.DEFAULT_SSL_TRUSTMANAGER_ALGORITHM, Importance.LOW, SecurityConfigs.SSL_TRUSTMANAGER_ALGORITHM_DOC)
+                                .define(SecurityConfigs.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG, Type.STRING, Importance.LOW, SecurityConfigs.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_DOC, false);
+
     }
 
     public static Map addDeserializerToConfig(Map configs,
diff --git a/clients/src/main/java/org/apache/kafka/clients/consumer/KafkaConsumer.java b/clients/src/main/java/org/apache/kafka/clients/consumer/KafkaConsumer.java
index 375669f..55902ff 100644
--- a/clients/src/main/java/org/apache/kafka/clients/consumer/KafkaConsumer.java
+++ b/clients/src/main/java/org/apache/kafka/clients/consumer/KafkaConsumer.java
@@ -44,6 +44,7 @@ import org.apache.kafka.common.metrics.Metrics;
 import org.apache.kafka.common.metrics.MetricsReporter;
 import org.apache.kafka.common.serialization.Deserializer;
 import org.apache.kafka.common.network.Selector;
+import org.apache.kafka.common.network.ChannelBuilder;
 import org.apache.kafka.common.utils.SystemTime;
 import org.apache.kafka.common.utils.Time;
 import org.apache.kafka.common.utils.Utils;
@@ -471,8 +472,8 @@ public class KafkaConsumer implements Consumer {
             String metricGrpPrefix = "consumer";
             Map metricsTags = new LinkedHashMap();
             metricsTags.put("client-id", clientId);
-
-            this.client = new NetworkClient(new Selector(metrics, time, metricGrpPrefix, metricsTags, config.values()),
+            ChannelBuilder channelBuilder = ClientUtils.createChannelBuilder(config.values());
+            this.client = new NetworkClient(new Selector(metrics, time, metricGrpPrefix, metricsTags, channelBuilder),
                     this.metadata,
                     clientId,
                     100, // a fixed large enough value will suffice
diff --git a/clients/src/main/java/org/apache/kafka/clients/producer/KafkaProducer.java b/clients/src/main/java/org/apache/kafka/clients/producer/KafkaProducer.java
index 1650d85..85a317c 100644
--- a/clients/src/main/java/org/apache/kafka/clients/producer/KafkaProducer.java
+++ b/clients/src/main/java/org/apache/kafka/clients/producer/KafkaProducer.java
@@ -44,6 +44,7 @@ import org.apache.kafka.common.metrics.Metrics;
 import org.apache.kafka.common.metrics.MetricsReporter;
 import org.apache.kafka.common.metrics.Sensor;
 import org.apache.kafka.common.network.Selector;
+import org.apache.kafka.common.network.ChannelBuilder;
 import org.apache.kafka.common.record.CompressionType;
 import org.apache.kafka.common.record.Record;
 import org.apache.kafka.common.record.Records;
@@ -227,8 +228,8 @@ public class KafkaProducer implements Producer {
                     metricTags);
             List addresses = ClientUtils.parseAndValidateAddresses(config.getList(ProducerConfig.BOOTSTRAP_SERVERS_CONFIG));
             this.metadata.update(Cluster.bootstrap(addresses), time.milliseconds());
-
-            NetworkClient client = new NetworkClient(new Selector(this.metrics, time, "producer", metricTags, config.values()),
+            ChannelBuilder channelBuilder = ClientUtils.createChannelBuilder(config.values());
+            NetworkClient client = new NetworkClient(new Selector(this.metrics, time, "producer", metricTags, channelBuilder),
                     this.metadata,
                     clientId,
                     config.getInt(ProducerConfig.MAX_IN_FLIGHT_REQUESTS_PER_CONNECTION),
@@ -550,7 +551,7 @@ public class KafkaProducer implements Producer {
     public void close(long timeout, TimeUnit timeUnit) {
         close(timeout, timeUnit, false);
     }
-    
+
     private void close(long timeout, TimeUnit timeUnit, boolean swallowException) {
         if (timeout < 0)
             throw new IllegalArgumentException("The timeout cannot be negative.");
diff --git a/clients/src/main/java/org/apache/kafka/clients/producer/ProducerConfig.java b/clients/src/main/java/org/apache/kafka/clients/producer/ProducerConfig.java
index 552cafb..baa3d41 100644
--- a/clients/src/main/java/org/apache/kafka/clients/producer/ProducerConfig.java
+++ b/clients/src/main/java/org/apache/kafka/clients/producer/ProducerConfig.java
@@ -22,11 +22,11 @@ import java.util.Properties;
 
 import org.apache.kafka.clients.CommonClientConfigs;
 import org.apache.kafka.common.config.AbstractConfig;
+import org.apache.kafka.common.config.SecurityConfigs;
 import org.apache.kafka.common.config.ConfigDef;
 import org.apache.kafka.common.config.ConfigDef.Importance;
 import org.apache.kafka.common.config.ConfigDef.Type;
 import org.apache.kafka.common.serialization.Serializer;
-import org.apache.kafka.common.protocol.SecurityProtocol;
 
 /**
  * Configuration for the Kafka Producer. Documentation for these configurations can be found in the      addSerializerToConfig(Map configs,
diff --git a/clients/src/main/java/org/apache/kafka/common/config/SecurityConfigs.java b/clients/src/main/java/org/apache/kafka/common/config/SecurityConfigs.java
new file mode 100644
index 0000000..1855399
--- /dev/null
+++ b/clients/src/main/java/org/apache/kafka/common/config/SecurityConfigs.java
@@ -0,0 +1,106 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE
+ * file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file
+ * to You under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the
+ * License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+ * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+
+package org.apache.kafka.common.config;
+
+import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.KeyManagerFactory;
+
+public class SecurityConfigs {
+    /*
+     * NOTE: DO NOT CHANGE EITHER CONFIG NAMES AS THESE ARE PART OF THE PUBLIC API AND CHANGE WILL BREAK USER CODE.
+     */
+
+    public static final String SECURITY_PROTOCOL_CONFIG = "security.protocol";
+    public static final String SECURITY_PROTOCOL_DOC = "Protocol used to communicate with brokers. Currently only PLAINTEXT and SSL are supported.";
+    public static final String DEFAULT_SECURITY_PROTOCOL = "PLAINTEXT";
+
+    public static final String PRINCIPAL_BUILDER_CLASS_CONFIG = "principal.builder.class";
+    public static final String PRINCIPAL_BUILDER_CLASS_DOC = "principal builder to generate a java Principal. This config is optional for client.";
+    public static final String DEFAULT_PRINCIPAL_BUILDER_CLASS = "org.apache.kafka.common.security.auth.DefaultPrincipalBuilder";
+
+    public static final String SSL_PROTOCOL_CONFIG = "ssl.protocol";
+    public static final String SSL_PROTOCOL_DOC = "The ssl protocol used to generate SSLContext."
+            + "Default setting is TLS. Allowed values are SSL, SSLv2, SSLv3, TLS, TLSv1.1, TLSv1.2";
+    public static final String DEFAULT_SSL_PROTOCOL = "TLS";
+
+    public static final String SSL_PROVIDER_CONFIG = "ssl.provider";
+    public static final String SSL_PROVIDER_DOC = "The name of the security provider used for SSL connections. Default value is the default security provider of the JVM.";
+
+    public static final String SSL_CIPHER_SUITES_CONFIG = "ssl.cipher.suites";
+    public static final String SSL_CIPHER_SUITES_DOC = "A cipher suite is a named combination of authentication, encryption, MAC and key exchange algorithm used to negotiate the security settings for a network connection using TLS or SSL network protocol."
+            + "By default all the available cipher suites are supported.";
+
+    public static final String SSL_ENABLED_PROTOCOLS_CONFIG = "ssl.enabled.protocols";
+    public static final String SSL_ENABLED_PROTOCOLS_DOC = "The list of protocols enabled for SSL connections. "
+            + "All versions of TLS is enabled by default.";
+    public static final String DEFAULT_ENABLED_PROTOCOLS = "TLSv1.2,TLSv1.1,TLSv1";
+
+    public static final String SSL_KEYSTORE_TYPE_CONFIG = "ssl.keystore.type";
+    public static final String SSL_KEYSTORE_TYPE_DOC = "The file format of the key store file. "
+            + "This is optional for client. Default value is JKS";
+    public static final String DEFAULT_SSL_KEYSTORE_TYPE = "JKS";
+
+    public static final String SSL_KEYSTORE_LOCATION_CONFIG = "ssl.keystore.location";
+    public static final String SSL_KEYSTORE_LOCATION_DOC = "The location of the key store file. "
+        + "This is optional for Client and can be used for two-way authentication for client.";
+
+    public static final String SSL_KEYSTORE_PASSWORD_CONFIG = "ssl.keystore.password";
+    public static final String SSL_KEYSTORE_PASSWORD_DOC = "The store password for the key store file."
+        + "This is optional for client and only needed if the ssl.keystore.location configured. ";
+
+    public static final String SSL_KEY_PASSWORD_CONFIG = "ssl.key.password";
+    public static final String SSL_KEY_PASSWORD_DOC = "The password of the private key in the key store file. "
+            + "This is optional for client.";
+
+    public static final String SSL_TRUSTSTORE_TYPE_CONFIG = "ssl.truststore.type";
+    public static final String SSL_TRUSTSTORE_TYPE_DOC = "The file format of the trust store file. "
+            + "Default value is JKS.";
+    public static final String DEFAULT_SSL_TRUSTSTORE_TYPE = "JKS";
+
+    public static final String SSL_TRUSTSTORE_LOCATION_CONFIG = "ssl.truststore.location";
+    public static final String SSL_TRUSTSTORE_LOCATION_DOC = "The location of the trust store file. ";
+    public static final String DEFAULT_TRUSTSTORE_LOCATION = "/tmp/ssl.truststore.jks";
+
+    public static final String SSL_TRUSTSTORE_PASSWORD_CONFIG = "ssl.truststore.password";
+    public static final String SSL_TRUSTSTORE_PASSWORD_DOC = "The password for the trust store file. ";
+    public static final String DEFAULT_TRUSTSTORE_PASSWORD = "truststore_password";
+
+    public static final String SSL_CLIENT_REQUIRE_CERT_CONFIG = "ssl.client.require.cert";
+    public static final String SSL_CLIENT_REQUIRE_CERT_DOC = "This is to enforce two-way authentication between client and server."
+            + "Default value is false. If set to true client needs to provide Keystore related config";
+    public static final Boolean DEFAULT_SSL_CLIENT_REQUIRE_CERT = false;
+
+    public static final String SSL_KEYMANAGER_ALGORITHM_CONFIG = "ssl.keymanager.algorithm";
+    public static final String SSL_KEYMANAGER_ALGORITHM_DOC = "The algorithm used by key manager factory for SSL connections. "
+            + "Default value is the key manager factory algorithm configured for the Java Virtual Machine.";
+    public static final String DEFAULT_SSL_KEYMANGER_ALGORITHM = KeyManagerFactory.getDefaultAlgorithm();
+
+    public static final String SSL_TRUSTMANAGER_ALGORITHM_CONFIG = "ssl.trustmanager.algorithm";
+    public static final String SSL_TRUSTMANAGER_ALGORITHM_DOC = "The algorithm used by trust manager factory for SSL connections. "
+            + "Default value is the trust manager factory algorithm configured for the Java Virtual Machine.";
+    public static final String DEFAULT_SSL_TRUSTMANAGER_ALGORITHM = TrustManagerFactory.getDefaultAlgorithm();
+
+    public static final String SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG = "ssl.endpoint.identification.algorithm";
+    public static final String SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_DOC = "The endpoint identification algorithm to validate server hostname using server certificate. ";
+
+    public static final String SSL_NEED_CLIENT_AUTH_CONFIG = "ssl.need.client.auth";
+    public static final String SSL_NEED_CLIENT_AUTH_CONFIG_DOC = "If set to true kafka broker requires all the ssl client connecting to provide client authentication. "
+        + "Default value is false";
+    public static final Boolean DEFAULT_SSL_NEED_CLIENT_AUTH = false;
+
+    public static final String SSL_WANT_CLIENT_AUTH_CONFIG = "ssl.want.client.auth";
+    public static final String SSL_WANT_CLIENT_AUTH_CONFIG_DOC = "If set to true kafka broker requests for client authentication. Clients without any certificates can still be able to connect using SSL.";
+    public static final Boolean DEFAULT_SSL_WANT_CLIENT_AUTH = false;
+
+}
diff --git a/clients/src/main/java/org/apache/kafka/common/network/Authenticator.java b/clients/src/main/java/org/apache/kafka/common/network/Authenticator.java
index 920ed88..8ab004f 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/Authenticator.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/Authenticator.java
@@ -17,7 +17,7 @@
 
 package org.apache.kafka.common.network;
 
-/*
+/**
  * Authentication for Channel
  */
 
@@ -41,10 +41,10 @@ public interface Authenticator {
     Principal principal() throws KafkaException;
 
     /**
-     * Does authentication and returns SelectionKey.OP if further communication needed
-     * If no further authentication needs to be done return 0.
+     * Implements any authentication mechanism. Use transportLayer to read or write tokens.
+     * If no further authentication needs to be done returns.
      */
-    int authenticate(boolean read, boolean write) throws IOException;
+    void authenticate() throws IOException;
 
     /**
      * returns true if authentication is complete otherwise returns false;
diff --git a/clients/src/main/java/org/apache/kafka/common/network/Channel.java b/clients/src/main/java/org/apache/kafka/common/network/Channel.java
index 7b2489e..f7dda3e 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/Channel.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/Channel.java
@@ -26,15 +26,13 @@ import java.nio.ByteBuffer;
 import java.nio.channels.ScatteringByteChannel;
 import java.nio.channels.GatheringByteChannel;
 import java.nio.channels.SocketChannel;
+import java.nio.channels.SelectionKey;
 
 import java.security.Principal;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-/**
- *
- */
 
 public class Channel implements ScatteringByteChannel, GatheringByteChannel {
     private static final Logger log = LoggerFactory.getLogger(Channel.class);
@@ -54,33 +52,39 @@ public class Channel implements ScatteringByteChannel, GatheringByteChannel {
 
     /**
      * returns user principal for the session
-     * Incase of PLAINTEXT and No Authentication returns ANONYMOUS as the userPrincipal
+     * In case of PLAINTEXT and No Authentication returns ANONYMOUS as the userPrincipal
+     * If SSL used than
      * If SSL used without any SASL Authentication returns SSLSession.peerPrincipal
      */
     public Principal principal() throws IOException {
         return authenticator.principal();
     }
 
-    public int connect(boolean read, boolean write) throws IOException {
+    public void connect() throws IOException {
         if (transportLayer.isReady() && authenticator.isComplete())
-            return 0;
-        int status = 0;
+            return;
         if (!transportLayer.isReady())
-            status = transportLayer.handshake(read, write);
-        if (status == 0 && !authenticator.isComplete())
-            status = authenticator.authenticate(read, write);
-        return status;
+            transportLayer.handshake();
+        if (transportLayer.isReady() && !authenticator.isComplete())
+            authenticator.authenticate();
     }
 
+    public void disconnect() {
+        transportLayer.disconnect();
+    }
 
     public boolean isOpen() {
-        return transportLayer.isOpen();
+        return transportLayer.socketChannel().isOpen();
     }
 
     public SocketChannel socketChannel() {
         return transportLayer.socketChannel();
     }
 
+    public TransportLayer transportLayer() {
+        return transportLayer;
+    }
+
     /**
      * Writes a sequence of bytes to this channel from the given buffer.
      */
@@ -114,8 +118,24 @@ public class Channel implements ScatteringByteChannel, GatheringByteChannel {
         return transportLayer.read(dsts, offset, length);
     }
 
-    public boolean finishConnect() throws IOException {
-        return transportLayer.finishConnect();
+    public void finishConnect() throws IOException {
+        transportLayer.finishConnect();
+    }
+
+    public void addInterestOps(int ops) {
+        transportLayer.addInterestOps(ops);
+    }
+
+    public void removeInterestOps(int ops) {
+        transportLayer.removeInterestOps(ops);
+    }
+
+    public void mute() {
+        transportLayer.removeInterestOps(SelectionKey.OP_READ);
+    }
+
+    public void unmute() {
+        transportLayer.addInterestOps(SelectionKey.OP_READ);
     }
 
     public boolean isReady() {
diff --git a/clients/src/main/java/org/apache/kafka/common/network/ChannelBuilder.java b/clients/src/main/java/org/apache/kafka/common/network/ChannelBuilder.java
new file mode 100644
index 0000000..5dd1aef
--- /dev/null
+++ b/clients/src/main/java/org/apache/kafka/common/network/ChannelBuilder.java
@@ -0,0 +1,43 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE
+ * file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file
+ * to You under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the
+ * License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+ * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+package org.apache.kafka.common.network;
+
+import java.util.Map;
+import java.nio.channels.SelectionKey;
+
+import org.apache.kafka.common.KafkaException;
+
+/**
+ * A ChannelBuilder interface to build Channel based on configs
+ */
+public interface ChannelBuilder {
+
+    /**
+     * Configure this class with the given key-value pairs
+     */
+    public void configure(Map configs) throws KafkaException;
+
+
+    /**
+     * returns a Channel with TransportLayer and Authenticator configured.
+     * @param  socketChannel
+     */
+    public Channel buildChannel(SelectionKey key) throws KafkaException;
+
+
+    /**
+     * Closes ChannelBuilder
+     */
+    public void close();
+
+}
diff --git a/clients/src/main/java/org/apache/kafka/common/network/DefaultAuthenticator.java b/clients/src/main/java/org/apache/kafka/common/network/DefaultAuthenticator.java
index 3a66e7b..d5e24ad 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/DefaultAuthenticator.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/DefaultAuthenticator.java
@@ -25,31 +25,39 @@ import org.apache.kafka.common.KafkaException;
 
 public class DefaultAuthenticator implements Authenticator {
 
-    TransportLayer transportLayer;
-    PrincipalBuilder principalBuilder;
-    Principal principal;
+    private TransportLayer transportLayer;
+    private PrincipalBuilder principalBuilder;
+    private Principal principal;
 
     public DefaultAuthenticator(TransportLayer transportLayer, PrincipalBuilder principalBuilder) {
         this.transportLayer = transportLayer;
         this.principalBuilder = principalBuilder;
     }
 
-    /*
+    /**
      * No-Op for default authenticator
      */
-    public int authenticate(boolean read, boolean write) throws IOException {
-        return 0;
-    }
+    public void authenticate() throws IOException {}
 
+    /**
+     * Constructs Principal using configured principalBuilder.
+     * @return Principal
+     * @throws KafkaException
+     */
     public Principal principal() throws KafkaException {
-        if (principal != null)
+        if (principal == null)
             principal = principalBuilder.buildPrincipal(transportLayer, this);
         return principal;
     }
 
     public void close() throws IOException {}
 
+    /**
+     * DefaultAuthenticator doesn't implement any additional authentication.
+     * @returns true
+     */
     public boolean isComplete() {
         return true;
     }
+
 }
diff --git a/clients/src/main/java/org/apache/kafka/common/network/PlainTextChannelBuilder.java b/clients/src/main/java/org/apache/kafka/common/network/PlainTextChannelBuilder.java
new file mode 100644
index 0000000..51adce5
--- /dev/null
+++ b/clients/src/main/java/org/apache/kafka/common/network/PlainTextChannelBuilder.java
@@ -0,0 +1,57 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE
+ * file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file
+ * to You under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the
+ * License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+ * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+package org.apache.kafka.common.network;
+
+import java.nio.channels.SelectionKey;
+import java.util.Map;
+
+import org.apache.kafka.common.security.auth.PrincipalBuilder;
+import org.apache.kafka.common.config.SecurityConfigs;
+import org.apache.kafka.common.utils.Utils;
+import org.apache.kafka.common.KafkaException;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+
+public class PlainTextChannelBuilder implements ChannelBuilder {
+    private static final Logger log = LoggerFactory.getLogger(PlainTextChannelBuilder.class);
+    private PrincipalBuilder principalBuilder;
+
+    public void configure(Map configs) throws KafkaException {
+        try {
+            this.principalBuilder = (PrincipalBuilder) Utils.newInstance((Class) configs.get(SecurityConfigs.PRINCIPAL_BUILDER_CLASS_CONFIG));
+            this.principalBuilder.configure(configs);
+        } catch (Exception e) {
+            throw new KafkaException(e);
+        }
+    }
+
+    public Channel buildChannel(SelectionKey key) throws KafkaException {
+        Channel channel = null;
+        try {
+            PlainTextTransportLayer transportLayer = new PlainTextTransportLayer(key);
+            Authenticator authenticator = new DefaultAuthenticator(transportLayer, this.principalBuilder);
+            channel = new Channel(transportLayer, authenticator);
+        } catch (Exception e) {
+            log.warn("Failed to create channel due to ", e);
+            throw new KafkaException(e);
+        }
+        return channel;
+    }
+
+    public void close() {
+        this.principalBuilder.close();
+    }
+
+}
diff --git a/clients/src/main/java/org/apache/kafka/common/network/PlainTextTransportLayer.java b/clients/src/main/java/org/apache/kafka/common/network/PlainTextTransportLayer.java
index 17b014f..eb4504b 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/PlainTextTransportLayer.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/PlainTextTransportLayer.java
@@ -26,8 +26,8 @@ import java.io.DataInputStream;
 import java.io.DataOutputStream;
 import java.nio.ByteBuffer;
 import java.nio.channels.SocketChannel;
+import java.nio.channels.SelectionKey;
 
-import javax.net.ssl.SSLSession;
 import java.security.Principal;
 
 import org.apache.kafka.common.security.auth.KafkaPrincipal;
@@ -37,15 +37,17 @@ import org.slf4j.LoggerFactory;
 
 public class PlainTextTransportLayer implements TransportLayer {
     private static final Logger log = LoggerFactory.getLogger(PlainTextTransportLayer.class);
-    SocketChannel socketChannel = null;
-    DataInputStream inStream = null;
-    DataOutputStream outStream = null;
+    private SelectionKey key;
+    private SocketChannel socketChannel;
+    private DataInputStream inStream;
+    private DataOutputStream outStream;
+    private final Principal principal = new KafkaPrincipal("ANONYMOUS");
 
-    public PlainTextTransportLayer(SocketChannel socketChannel) throws IOException {
-        this.socketChannel = socketChannel;
+    public PlainTextTransportLayer(SelectionKey key) throws IOException {
+        this.key = key;
+        this.socketChannel = (SocketChannel) key.channel();
     }
 
-
     /**
      * Closes this channel
      *
@@ -56,26 +58,8 @@ public class PlainTextTransportLayer implements TransportLayer {
         socketChannel.close();
     }
 
-    /**
-    * Flushes the buffer to the network, non blocking
-    * @param buf ByteBuffer
-    * @return boolean true if the buffer has been emptied out, false otherwise
-    * @throws IOException
-    */
-    public boolean flush(ByteBuffer buf) throws IOException {
-        int remaining = buf.remaining();
-        if (remaining > 0) {
-            int written = socketChannel.write(buf);
-            return written >= remaining;
-        }
-        return true;
-    }
-
-    /**
-     * Tells wheter or not this channel is open.
-     */
-    public boolean isOpen() {
-        return socketChannel.isOpen();
+    public void disconnect() {
+        key.cancel();
     }
 
     /**
@@ -113,21 +97,20 @@ public class PlainTextTransportLayer implements TransportLayer {
         return socketChannel;
     }
 
-    public boolean finishConnect() throws IOException {
-        return socketChannel.finishConnect();
+    public void finishConnect() throws IOException {
+        socketChannel.finishConnect();
+        int ops = key.interestOps();
+        ops &= ~SelectionKey.OP_CONNECT;
+        ops |= SelectionKey.OP_READ;
+        key.interestOps(ops);
     }
 
     /**
      * Performs SSL handshake hence is a no-op for the non-secure
      * implementation
-     * @param read Unused in non-secure implementation
-     * @param write Unused in non-secure implementation
-     * @return Always return 0
      * @throws IOException
     */
-    public int handshake(boolean read, boolean write) throws IOException {
-        return 0;
-    }
+    public void handshake() throws IOException {}
 
     public DataInputStream inStream() throws IOException {
         if (inStream == null)
@@ -142,11 +125,15 @@ public class PlainTextTransportLayer implements TransportLayer {
     }
 
     public Principal peerPrincipal() throws IOException {
-        return new KafkaPrincipal("ANONYMOUS");
+        return principal;
+    }
+
+    public void addInterestOps(int ops) {
+        key.interestOps(key.interestOps() | ops);
     }
 
-    public SSLSession sslSession() throws IllegalStateException, UnsupportedOperationException {
-        throw new UnsupportedOperationException("sslSession not supported for PlainTextTransportLayer");
+    public void removeInterestOps(int ops) {
+        key.interestOps(key.interestOps() & ~ops);
     }
 
 }
diff --git a/clients/src/main/java/org/apache/kafka/common/network/SSLChannelBuilder.java b/clients/src/main/java/org/apache/kafka/common/network/SSLChannelBuilder.java
new file mode 100644
index 0000000..22fec8b
--- /dev/null
+++ b/clients/src/main/java/org/apache/kafka/common/network/SSLChannelBuilder.java
@@ -0,0 +1,67 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE
+ * file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file
+ * to You under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the
+ * License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+ * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+package org.apache.kafka.common.network;
+
+import java.nio.channels.SelectionKey;
+import java.nio.channels.SocketChannel;
+import java.util.Map;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
+
+import org.apache.kafka.common.security.auth.PrincipalBuilder;
+import org.apache.kafka.common.config.SecurityConfigs;
+import org.apache.kafka.common.utils.Utils;
+import org.apache.kafka.common.KafkaException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class SSLChannelBuilder implements ChannelBuilder {
+    private static final Logger log = LoggerFactory.getLogger(SSLChannelBuilder.class);
+    private SSLFactory sslFactory;
+    private ExecutorService executorService;
+    private PrincipalBuilder principalBuilder;
+
+    public void configure(Map configs) throws KafkaException {
+        try {
+            this.executorService = Executors.newScheduledThreadPool(1);
+            this.sslFactory = new SSLFactory(SSLFactory.Mode.CLIENT);
+            this.sslFactory.configure(configs);
+            this.principalBuilder = (PrincipalBuilder) Utils.newInstance((Class) configs.get(SecurityConfigs.PRINCIPAL_BUILDER_CLASS_CONFIG));
+            this.principalBuilder.configure(configs);
+        } catch (Exception e) {
+            throw new KafkaException(e);
+        }
+    }
+
+    public Channel buildChannel(SelectionKey key) throws KafkaException {
+        Channel channel = null;
+        try {
+            SocketChannel socketChannel = (SocketChannel) key.channel();
+            SSLTransportLayer transportLayer = new SSLTransportLayer(key,
+                                                                     sslFactory.createSSLEngine(socketChannel.socket().getInetAddress().getHostName(),
+                                                                                                socketChannel.socket().getPort()),
+                                                                     executorService);
+            Authenticator authenticator = new DefaultAuthenticator(transportLayer, this.principalBuilder);
+            channel = new Channel(transportLayer, authenticator);
+        } catch (Exception e) {
+            log.info("Failed to create channel due to ", e);
+            throw new KafkaException(e);
+        }
+        return channel;
+    }
+
+    public void close()  {
+        this.executorService.shutdown();
+        this.principalBuilder.close();
+    }
+}
diff --git a/clients/src/main/java/org/apache/kafka/common/network/SSLFactory.java b/clients/src/main/java/org/apache/kafka/common/network/SSLFactory.java
index 7fbb9d7..557c5f9 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/SSLFactory.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/SSLFactory.java
@@ -27,7 +27,7 @@ import javax.net.ssl.*;
 
 import org.apache.kafka.common.KafkaException;
 import org.apache.kafka.common.Configurable;
-import org.apache.kafka.clients.CommonClientConfigs;
+import org.apache.kafka.common.config.SecurityConfigs;
 
 
 public class SSLFactory implements Configurable {
@@ -42,8 +42,10 @@ public class SSLFactory implements Configurable {
     private SecurityStore truststore;
     private String[] cipherSuites;
     private String[] enabledProtocols;
+    private String endpointIdentification;
     private SSLContext sslContext;
-    private boolean requireClientCert;
+    private boolean needClientAuth;
+    private boolean wantClientAuth;
     private Mode mode;
 
 
@@ -53,30 +55,44 @@ public class SSLFactory implements Configurable {
 
     @Override
     public void configure(Map configs) throws KafkaException {
-        this.protocol =  (String) configs.get(CommonClientConfigs.SSL_PROTOCOL_CONFIG);
+        this.protocol =  (String) configs.get(SecurityConfigs.SSL_PROTOCOL_CONFIG);
+        this.provider = (String) configs.get(SecurityConfigs.SSL_PROVIDER_CONFIG);
 
-        if (configs.get(CommonClientConfigs.SSL_CIPHER_SUITES_CONFIG) != null) {
-            List cipherSuitesList = (List) configs.get(CommonClientConfigs.SSL_CIPHER_SUITES_CONFIG);
+        if (configs.get(SecurityConfigs.SSL_CIPHER_SUITES_CONFIG) != null) {
+            List cipherSuitesList = (List) configs.get(SecurityConfigs.SSL_CIPHER_SUITES_CONFIG);
             this.cipherSuites = (String[]) cipherSuitesList.toArray(new String[cipherSuitesList.size()]);
         }
 
-        if (configs.get(CommonClientConfigs.SSL_ENABLED_PROTOCOLS_CONFIG) != null) {
-            List enabledProtocolsList = (List) configs.get(CommonClientConfigs.SSL_ENABLED_PROTOCOLS_CONFIG);
+        if (configs.get(SecurityConfigs.SSL_ENABLED_PROTOCOLS_CONFIG) != null) {
+            List enabledProtocolsList = (List) configs.get(SecurityConfigs.SSL_ENABLED_PROTOCOLS_CONFIG);
             this.enabledProtocols =  (String[]) enabledProtocolsList.toArray(new String[enabledProtocolsList.size()]);
         }
 
-        this.requireClientCert = (Boolean) configs.get(CommonClientConfigs.SSL_CLIENT_REQUIRE_CERT_CONFIG);
-        this.kmfAlgorithm = (String) configs.get(CommonClientConfigs.SSL_KEYMANAGER_ALGORITHM_CONFIG);
-        this.tmfAlgorithm = (String) configs.get(CommonClientConfigs.SSL_TRUSTMANAGER_ALGORITHM_CONFIG);
-        if ((mode == Mode.CLIENT && requireClientCert) || (mode == Mode.SERVER)) {
-            createKeystore((String) configs.get(CommonClientConfigs.SSL_KEYSTORE_TYPE_CONFIG),
-                           (String) configs.get(CommonClientConfigs.SSL_KEYSTORE_LOCATION_CONFIG),
-                           (String) configs.get(CommonClientConfigs.SSL_KEYSTORE_PASSWORD_CONFIG),
-                           (String) configs.get(CommonClientConfigs.SSL_KEY_PASSWORD_CONFIG));
+        if (configs.containsKey(SecurityConfigs.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG)) {
+            this.endpointIdentification = (String) configs.get(SecurityConfigs.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG);
         }
-        createTruststore((String) configs.get(CommonClientConfigs.SSL_TRUSTSTORE_TYPE_CONFIG),
-                         (String) configs.get(CommonClientConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG),
-                         (String) configs.get(CommonClientConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG));
+
+        if (configs.containsKey(SecurityConfigs.SSL_NEED_CLIENT_AUTH_CONFIG)) {
+            this.needClientAuth = (Boolean) configs.get(SecurityConfigs.SSL_NEED_CLIENT_AUTH_CONFIG);
+        }
+
+        if (configs.containsKey(SecurityConfigs.SSL_WANT_CLIENT_AUTH_CONFIG)) {
+            this.wantClientAuth = (Boolean) configs.get(SecurityConfigs.SSL_WANT_CLIENT_AUTH_CONFIG);
+        }
+
+        this.kmfAlgorithm = (String) configs.get(SecurityConfigs.SSL_KEYMANAGER_ALGORITHM_CONFIG);
+        this.tmfAlgorithm = (String) configs.get(SecurityConfigs.SSL_TRUSTMANAGER_ALGORITHM_CONFIG);
+
+        if (checkKeyStoreConfigs(configs)) {
+            createKeystore((String) configs.get(SecurityConfigs.SSL_KEYSTORE_TYPE_CONFIG),
+                           (String) configs.get(SecurityConfigs.SSL_KEYSTORE_LOCATION_CONFIG),
+                           (String) configs.get(SecurityConfigs.SSL_KEYSTORE_PASSWORD_CONFIG),
+                           (String) configs.get(SecurityConfigs.SSL_KEY_PASSWORD_CONFIG));
+        }
+
+        createTruststore((String) configs.get(SecurityConfigs.SSL_TRUSTSTORE_TYPE_CONFIG),
+                         (String) configs.get(SecurityConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG),
+                         (String) configs.get(SecurityConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG));
         try {
             this.sslContext = createSSLContext();
         } catch (Exception e) {
@@ -114,42 +130,31 @@ public class SSLFactory implements Configurable {
     public SSLEngine createSSLEngine(String peerHost, int peerPort) {
         SSLEngine sslEngine = sslContext.createSSLEngine(peerHost, peerPort);
         if (cipherSuites != null) sslEngine.setEnabledCipherSuites(cipherSuites);
+        if (enabledProtocols != null) sslEngine.setEnabledProtocols(enabledProtocols);
+
         if (mode == Mode.SERVER) {
             sslEngine.setUseClientMode(false);
+            if (needClientAuth)
+                sslEngine.setNeedClientAuth(needClientAuth);
+            else if (wantClientAuth)
+                sslEngine.setNeedClientAuth(wantClientAuth);
         } else {
             sslEngine.setUseClientMode(true);
-            sslEngine.setNeedClientAuth(requireClientCert);
+            SSLParameters sslParams = sslEngine.getSSLParameters();
+            sslParams.setEndpointIdentificationAlgorithm(endpointIdentification);
+            sslEngine.setSSLParameters(sslParams);
         }
-        if (enabledProtocols != null) sslEngine.setEnabledProtocols(enabledProtocols);
         return sslEngine;
     }
 
     /**
-     * Returns a configured SSLServerSocketFactory.
-     *
-     * @return the configured SSLSocketFactory.
-     * @throws GeneralSecurityException thrown if the SSLSocketFactory could not
-     * be initialized.
-     * @throws IOException thrown if and IO error occurred while loading
-     * the server keystore.
+     * Returns a configured SSLContext.
+     * @return SSLContext.
      */
-    public SSLServerSocketFactory createSSLServerSocketFactory() throws GeneralSecurityException, IOException {
-        if (mode != Mode.SERVER) {
-            throw new IllegalStateException("Factory is in CLIENT mode");
-        }
-        return sslContext.getServerSocketFactory();
-    }
-
-    /**
-     * Returns if client certificates are required or not.
-     *
-     * @return if client certificates are required or not.
-     */
-    public boolean isClientCertRequired() {
-        return requireClientCert;
+    public SSLContext sslContext() {
+        return sslContext;
     }
 
-
     private void createKeystore(String type, String path, String password, String keyPassword) {
         if (path == null && password != null) {
             throw new KafkaException("SSL key store password is not specified.");
@@ -171,6 +176,12 @@ public class SSLFactory implements Configurable {
         }
     }
 
+    private boolean checkKeyStoreConfigs(Map configs) {
+        return  configs.containsKey(SecurityConfigs.SSL_KEYSTORE_TYPE_CONFIG) &&
+                configs.containsKey(SecurityConfigs.SSL_KEYSTORE_LOCATION_CONFIG) &&
+                configs.containsKey(SecurityConfigs.SSL_KEYSTORE_PASSWORD_CONFIG) &&
+                configs.containsKey(SecurityConfigs.SSL_KEY_PASSWORD_CONFIG);
+    }
 
     private class SecurityStore {
         private final String type;
diff --git a/clients/src/main/java/org/apache/kafka/common/network/SSLTransportLayer.java b/clients/src/main/java/org/apache/kafka/common/network/SSLTransportLayer.java
index 0267e85..f25e537 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/SSLTransportLayer.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/SSLTransportLayer.java
@@ -18,9 +18,11 @@
 package org.apache.kafka.common.network;
 
 import java.io.IOException;
+import java.io.EOFException;
 import java.nio.ByteBuffer;
 import java.nio.channels.SocketChannel;
 import java.nio.channels.SelectionKey;
+import java.nio.channels.CancelledKeyException;
 
 import java.security.Principal;
 import javax.net.ssl.SSLEngine;
@@ -46,38 +48,37 @@ import org.slf4j.LoggerFactory;
 public class SSLTransportLayer implements TransportLayer {
     private static final Logger log = LoggerFactory.getLogger(SSLTransportLayer.class);
     protected SSLEngine sslEngine;
-
+    private SelectionKey key;
     private SocketChannel socketChannel;
     private HandshakeStatus handshakeStatus;
     private SSLEngineResult handshakeResult;
     private boolean handshakeComplete = false;
     private boolean closed = false;
     private boolean closing = false;
-    private ByteBuffer netInBuffer;
-    private ByteBuffer netOutBuffer;
+    private ByteBuffer netReadBuffer;
+    private ByteBuffer netWriteBuffer;
     private ByteBuffer appReadBuffer;
-    private ByteBuffer appWriteBuffer;
     private ByteBuffer emptyBuf = ByteBuffer.allocate(0);
     private DataInputStream inStream;
     private DataOutputStream outStream;
     private ExecutorService executorService;
+    private int interestOps;
 
-    public SSLTransportLayer(SocketChannel socketChannel, SSLEngine sslEngine, ExecutorService executorService) throws IOException {
-        this.socketChannel = socketChannel;
+    public SSLTransportLayer(SelectionKey key, SSLEngine sslEngine, ExecutorService executorService) throws IOException {
+        this.key = key;
+        this.socketChannel = (SocketChannel) key.channel();
         this.sslEngine = sslEngine;
         this.executorService = executorService;
-        this.netInBuffer = ByteBuffer.allocateDirect(sslEngine.getSession().getPacketBufferSize());
-        this.netOutBuffer = ByteBuffer.allocateDirect(sslEngine.getSession().getPacketBufferSize());
-        this.appWriteBuffer = ByteBuffer.allocateDirect(sslEngine.getSession().getApplicationBufferSize());
-        this.appReadBuffer = ByteBuffer.allocateDirect(sslEngine.getSession().getApplicationBufferSize());
-        startHandshake();
+        this.netReadBuffer = ByteBuffer.allocateDirect(packetBufferSize());
+        this.netWriteBuffer = ByteBuffer.allocateDirect(packetBufferSize());
+        this.appReadBuffer = ByteBuffer.allocateDirect(applicationBufferSize());
     }
 
-    public void startHandshake() throws IOException {
-        netOutBuffer.position(0);
-        netOutBuffer.limit(0);
-        netInBuffer.position(0);
-        netInBuffer.limit(0);
+    private void startHandshake() throws IOException {
+        netWriteBuffer.position(0);
+        netWriteBuffer.limit(0);
+        netReadBuffer.position(0);
+        netReadBuffer.limit(0);
         handshakeComplete = false;
         closed = false;
         closing = false;
@@ -90,8 +91,16 @@ public class SSLTransportLayer implements TransportLayer {
         return socketChannel;
     }
 
-    public boolean finishConnect() throws IOException {
-        return socketChannel.finishConnect();
+    public void finishConnect() throws IOException {
+        socketChannel.finishConnect();
+        removeInterestOps(SelectionKey.OP_CONNECT);
+        addInterestOps(SelectionKey.OP_READ);
+        key.interestOps(key.interestOps() & ~SelectionKey.OP_CONNECT);
+        startHandshake();
+    }
+
+    public void disconnect() {
+        key.cancel();
     }
 
     /**
@@ -100,7 +109,7 @@ public class SSLTransportLayer implements TransportLayer {
     * @return boolean true if the buffer has been emptied out, false otherwise
     * @throws IOException
     */
-    public boolean flush(ByteBuffer buf) throws IOException {
+    private boolean flush(ByteBuffer buf) throws IOException {
         int remaining = buf.remaining();
         if (remaining > 0) {
             int written = socketChannel.write(buf);
@@ -111,62 +120,74 @@ public class SSLTransportLayer implements TransportLayer {
 
     /**
     * Performs SSL handshake, non blocking.
-    * The return for this operation is 0 if the handshake is complete and a positive value if it is not complete.
-    * In the event of a positive value coming back, re-register the selection key for the return values interestOps.
-    * @param read boolean - true if the underlying channel is readable
-    * @param write boolean - true if the underlying channel is writable
-    * @return int - 0 if hand shake is complete, otherwise it returns a SelectionKey interestOps value
     * @throws IOException
     */
-    public int handshake(boolean read, boolean write) throws IOException {
-        if (handshakeComplete) return 0; //we have done our initial handshake
+    public void handshake() throws IOException {
+        boolean read = key.isReadable();
+        boolean write = key.isWritable();
+        handshakeComplete = false;
+        handshakeStatus = sslEngine.getHandshakeStatus();
 
-        if (!flush(netOutBuffer)) return SelectionKey.OP_WRITE;
+        if (!flush(netWriteBuffer)) {
+            key.interestOps(SelectionKey.OP_WRITE);
+            return;
+        }
         try {
             switch(handshakeStatus) {
-                case NOT_HANDSHAKING:
-                    // SSLEnginge.getHandshakeStatus is transient and it doesn't record FINISHED status properly
-                    if (handshakeResult.getHandshakeStatus() == HandshakeStatus.FINISHED) {
-                        handshakeComplete = !netOutBuffer.hasRemaining();
-                        if (handshakeComplete)
-                            return 0;
-                        else
-                            return SelectionKey.OP_WRITE;
-                    } else {
-                        throw new IOException("NOT_HANDSHAKING during handshake");
-                    }
-                case FINISHED:
-                    //we are complete if we have delivered the last package
-                    handshakeComplete = !netOutBuffer.hasRemaining();
-                    //return 0 if we are complete, otherwise we still have data to write
-                    if (handshakeComplete) return 0;
-                    else return SelectionKey.OP_WRITE;
+                case NEED_TASK:
+                    handshakeStatus = tasks();
+                    break;
                 case NEED_WRAP:
                     handshakeResult = handshakeWrap(write);
-                    if (handshakeResult.getStatus() == Status.OK) {
-                        if (handshakeStatus == HandshakeStatus.NEED_TASK)
-                            handshakeStatus = tasks();
-                    } else {
-                        //wrap should always work with our buffers
-                        throw new IOException("Unexpected status [" + handshakeResult.getStatus() + "] during handshake WRAP.");
+                    if (handshakeResult.getStatus() == Status.BUFFER_OVERFLOW) {
+                        int currentPacketBufferSize = packetBufferSize();
+                        netWriteBuffer = Utils.ensureCapacity(netWriteBuffer, currentPacketBufferSize);
+                        if (netWriteBuffer.position() > currentPacketBufferSize) {
+                            throw new IllegalStateException("Buffer overflow when available data (" + netWriteBuffer.position() +
+                                                            ") > network buffer size (" + currentPacketBufferSize + ")");
+                        }
+                    } else if (handshakeResult.getStatus() == Status.BUFFER_UNDERFLOW) {
+                        throw new IllegalStateException("Should not have received BUFFER_UNDERFLOW during handshake WRAP.");
+                    } else if (handshakeResult.getStatus() == Status.CLOSED) {
+                        throw new EOFException();
                     }
-                    if (handshakeStatus != HandshakeStatus.NEED_UNWRAP || (!flush(netOutBuffer)))
-                        return SelectionKey.OP_WRITE;
                     //fall down to NEED_UNWRAP on the same call, will result in a
                     //BUFFER_UNDERFLOW if it needs data
+                    if (handshakeStatus != HandshakeStatus.NEED_UNWRAP || !flush(netWriteBuffer)) {
+                        key.interestOps(SelectionKey.OP_WRITE);
+                        break;
+                    }
                 case NEED_UNWRAP:
                     handshakeResult = handshakeUnwrap(read);
-                    if (handshakeResult.getStatus() == Status.OK) {
-                        if (handshakeStatus == HandshakeStatus.NEED_TASK)
-                            handshakeStatus = tasks();
-                    } else if (handshakeResult.getStatus() == Status.BUFFER_UNDERFLOW) {
-                        return SelectionKey.OP_READ;
-                    } else {
-                        throw new IOException(String.format("Unexpected status [%s] during handshake UNWRAP", handshakeStatus));
+                    if (handshakeResult.getStatus() == Status.BUFFER_UNDERFLOW) {
+                        int currentPacketBufferSize = packetBufferSize();
+                        netReadBuffer = Utils.ensureCapacity(netReadBuffer, currentPacketBufferSize);
+                        if (netReadBuffer.position() >= currentPacketBufferSize) {
+                            throw new IllegalStateException("Buffer underflow when there is available data");
+                        }
+                        if (!read) key.interestOps(SelectionKey.OP_READ);
+                    } else if (handshakeResult.getStatus() == Status.BUFFER_OVERFLOW) {
+                        int currentAppBufferSize = applicationBufferSize();
+                        netReadBuffer = Utils.ensureCapacity(netReadBuffer, currentAppBufferSize);
+                        if (netReadBuffer.position() > currentAppBufferSize) {
+                            throw new IllegalStateException("Buffer underflow when available data (" + netReadBuffer.position() +
+                                                            ") > packet buffer size (" + currentAppBufferSize + ")");
+                        }
+
+                        if (!read) key.interestOps(SelectionKey.OP_READ);
+                    } else if (handshakeResult.getStatus() == Status.CLOSED) {
+                        throw new EOFException("SSL handshake status CLOSED during handshake UNWRAP");
                     }
+                    //if handshakeStatus completed than fall-through to finished status.
+                    //after handshake is finished there is no data left to read/write in socketChannel.
+                    //so the selector won't invoke this channel if we don't go through the handshakeFinished here.
+                    if (handshakeStatus != HandshakeStatus.FINISHED)
+                        break;
+                case FINISHED:
+                    handshakeFinished();
                     break;
-                case NEED_TASK:
-                    handshakeStatus = tasks();
+                case NOT_HANDSHAKING:
+                    handshakeFinished();
                     break;
                 default:
                     throw new IllegalStateException(String.format("Unexpected status [%s]", handshakeStatus));
@@ -175,27 +196,25 @@ public class SSLTransportLayer implements TransportLayer {
             handshakeFailure();
             throw e;
         }
-
-        //return 0 if we are complete, otherwise re-register for any activity that
-        //would cause this method to be called again.
-        if (handshakeComplete) return 0;
-        else return SelectionKey.OP_WRITE | SelectionKey.OP_READ;
     }
 
+
     /**
-     * Executes all the tasks needed on the executorservice thread.
+     * Executes the SSLEngine tasks needed on the executorservice thread.
      * @return HandshakeStatus
      */
     private HandshakeStatus tasks() {
-        for (;;) {
-            final Runnable task = sslEngine.getDelegatedTask();
-            if (task == null)
-                break;
+        final Runnable task = delegatedTask();
 
+        if (task != null) {
+            // un-register read/write ops while the delegated tasks are running.
+            key.interestOps(0);
             executorService.submit(new Runnable() {
                     @Override
                     public void run() {
                         task.run();
+                        // register read/write ops to continue handshake.
+                        key.interestOps(SelectionKey.OP_READ | SelectionKey.OP_WRITE);
                     }
                 });
         }
@@ -203,6 +222,27 @@ public class SSLTransportLayer implements TransportLayer {
     }
 
     /**
+     * Checks if the handshake status is finished
+     * Sets the interestOps for the selectionKey.
+     */
+    private void handshakeFinished() throws IOException {
+        // SSLEnginge.getHandshakeStatus is transient and it doesn't record FINISHED status properly.
+        // It can move from FINISHED status to NOT_HANDSHAKING after the handshake is completed.
+        // Hence we also need to check handshakeResult.getHandshakeStatus() if the handshake finished or not
+        if (handshakeResult.getHandshakeStatus() == HandshakeStatus.FINISHED) {
+            //we are complete if we have delivered the last package
+            handshakeComplete = !netWriteBuffer.hasRemaining();
+            //set interestOps if we are complete, otherwise we still have data to write
+            if (handshakeComplete)
+                key.interestOps(interestOps);
+            else
+                key.interestOps(SelectionKey.OP_WRITE);
+        } else {
+            throw new IOException("NOT_HANDSHAKING during handshake");
+        }
+    }
+
+    /**
     * Performs the WRAP function
     * @param doWrite boolean
     * @return SSLEngineResult
@@ -211,13 +251,13 @@ public class SSLTransportLayer implements TransportLayer {
     private SSLEngineResult  handshakeWrap(Boolean doWrite) throws IOException {
         //this should never be called with a network buffer that contains data
         //so we can clear it here.
-        netOutBuffer.clear();
-        SSLEngineResult result = sslEngine.wrap(appWriteBuffer, netOutBuffer);
+        netWriteBuffer.clear();
+        SSLEngineResult result = sslEngine.wrap(emptyBuf, netWriteBuffer);
         //prepare the results to be written
-        netOutBuffer.flip();
+        netWriteBuffer.flip();
         handshakeStatus = result.getHandshakeStatus();
         //optimization, if we do have a writable channel, write it now
-        if (doWrite) flush(netOutBuffer);
+        if (doWrite) flush(netWriteBuffer);
         return result;
     }
 
@@ -228,23 +268,22 @@ public class SSLTransportLayer implements TransportLayer {
     * @throws IOException
     */
     private SSLEngineResult handshakeUnwrap(Boolean doRead) throws IOException {
-        if (netInBuffer.position() == netInBuffer.limit()) {
+        if (netReadBuffer.position() == netReadBuffer.limit()) {
             //clear the buffer if we have emptied it out on data
-            netInBuffer.clear();
+            netReadBuffer.clear();
         }
 
         if (doRead)  {
-            int read = socketChannel.read(netInBuffer);
+            int read = socketChannel.read(netReadBuffer);
             if (read == -1) throw new IOException("EOF during handshake.");
         }
-
         SSLEngineResult result;
         boolean cont = false;
         do {
             //prepare the buffer with the incoming data
-            netInBuffer.flip();
-            result = sslEngine.unwrap(netInBuffer, appWriteBuffer);
-            netInBuffer.compact();
+            netReadBuffer.flip();
+            result = sslEngine.unwrap(netReadBuffer, appReadBuffer);
+            netReadBuffer.compact();
             handshakeStatus = result.getHandshakeStatus();
             if (result.getStatus() == SSLEngineResult.Status.OK &&
                  result.getHandshakeStatus() == HandshakeStatus.NEED_TASK) {
@@ -267,22 +306,22 @@ public class SSLTransportLayer implements TransportLayer {
         closing = true;
         sslEngine.closeOutbound();
 
-        if (!flush(netOutBuffer)) {
+        if (!flush(netWriteBuffer)) {
             throw new IOException("Remaining data in the network buffer, can't send SSL close message.");
         }
         //prep the buffer for the close message
-        netOutBuffer.clear();
+        netWriteBuffer.clear();
         //perform the close, since we called sslEngine.closeOutbound
-        SSLEngineResult handshake = sslEngine.wrap(emptyBuf, netOutBuffer);
+        SSLEngineResult handshake = sslEngine.wrap(emptyBuf, netWriteBuffer);
         //we should be in a close state
         if (handshake.getStatus() != SSLEngineResult.Status.CLOSED) {
             throw new IOException("Invalid close state, will not send network data.");
         }
-        netOutBuffer.flip();
-        flush(netOutBuffer);
+        netWriteBuffer.flip();
+        flush(netWriteBuffer);
         socketChannel.socket().close();
         socketChannel.close();
-        closed = !netOutBuffer.hasRemaining() && (handshake.getHandshakeStatus() != HandshakeStatus.NEED_WRAP);
+        closed = !netWriteBuffer.hasRemaining() && (handshake.getHandshakeStatus() != HandshakeStatus.NEED_WRAP);
     }
 
     public boolean isOpen() {
@@ -299,37 +338,63 @@ public class SSLTransportLayer implements TransportLayer {
     * @param dst The buffer into which bytes are to be transferred
     * @return The number of bytes read, possible zero or -1 if the channel has reached end-of-stream
     * @throws IOException if some other I/O error occurs
-    * @throws IllegalStateException if handshake is not complete.
     */
     public int read(ByteBuffer dst) throws IOException {
         if (closing || closed) return -1;
-        if (!handshakeComplete) throw new IllegalStateException("Handshake incomplete.");
-        netInBuffer = Utils.ensureCapacity(netInBuffer, packetBufferSize());
-        int netread = socketChannel.read(netInBuffer);
-        if (netread == -1) return -1;
         int read = 0;
-        SSLEngineResult unwrap = null;
 
-        do {
-            netInBuffer.flip();
-            unwrap = sslEngine.unwrap(netInBuffer, appReadBuffer);
-            //compact the buffer
-            netInBuffer.compact();
-            if (unwrap.getStatus() == Status.OK || unwrap.getStatus() == Status.BUFFER_UNDERFLOW) {
-                read += unwrap.bytesProduced();
-                // perform any task if needed
-                if (unwrap.getHandshakeStatus() == HandshakeStatus.NEED_TASK) tasks();
-                //if we need more network data, than return for now.
-                if (unwrap.getStatus() == Status.BUFFER_UNDERFLOW) return readFromAppBuffer(dst);
-            } else if (unwrap.getStatus() == Status.BUFFER_OVERFLOW) {
-                appReadBuffer = Utils.ensureCapacity(appReadBuffer, applicationBufferSize());
-                //empty out the dst buffer before we do another read
-                return readFromAppBuffer(dst);
-            }
-        } while(netInBuffer.position() != 0);
-        return readFromAppBuffer(dst);
+        //if we have unread decrypted data in appReadBuffer read that into dst buffer.
+        if (appReadBuffer.position() > 0) {
+            read = readFromAppBuffer(dst);
+        }
+
+        if (dst.remaining() > 0) {
+            boolean canRead = true;
+            do {
+                netReadBuffer = Utils.ensureCapacity(netReadBuffer, packetBufferSize());
+                if (canRead && netReadBuffer.remaining() > 0) {
+                    int netread = socketChannel.read(netReadBuffer);
+                    canRead = netread > 0;
+                }
+                netReadBuffer.flip();
+                SSLEngineResult unwrap = sslEngine.unwrap(netReadBuffer, appReadBuffer);
+                netReadBuffer.compact();
+
+                // handle ssl renegotiation.
+                if (unwrap.getHandshakeStatus() != HandshakeStatus.NOT_HANDSHAKING) {
+                    handshake();
+                    break;
+                }
+
+                if (unwrap.getStatus() == Status.OK) {
+                    read += readFromAppBuffer(dst);
+                } else if (unwrap.getStatus() == Status.BUFFER_OVERFLOW) {
+                    int currentApplicationBufferSize = applicationBufferSize();
+                    appReadBuffer = Utils.ensureCapacity(appReadBuffer, currentApplicationBufferSize);
+                    if (appReadBuffer.position() > 0) {
+                        break;
+                    } else if (appReadBuffer.position() >= currentApplicationBufferSize) {
+                        throw new IllegalStateException("Buffer overflow when available data (" + appReadBuffer.position() +
+                                                        ") > application buffer size (" + currentApplicationBufferSize + ")");
+                    }
+                } else if (unwrap.getStatus() == Status.BUFFER_UNDERFLOW) {
+                    int currentPacketBufferSize = packetBufferSize();
+                    netReadBuffer = Utils.ensureCapacity(netReadBuffer, currentPacketBufferSize);
+                    if (netReadBuffer.position() >= currentPacketBufferSize) {
+                        throw new IllegalStateException("Buffer underflow when available data (" + netReadBuffer.position() +
+                                                        ") > packet buffer size (" + currentPacketBufferSize + ")");
+                    }
+                    if (!canRead)
+                        break;
+                } else if (unwrap.getStatus() == Status.CLOSED) {
+                    throw new EOFException();
+                }
+            } while(netReadBuffer.position() != 0);
+        }
+        return read;
     }
 
+
     public long read(ByteBuffer[] dsts) throws IOException {
         return read(dsts, 0, dsts.length);
     }
@@ -352,23 +417,28 @@ public class SSLTransportLayer implements TransportLayer {
     * @return The number of bytes written, possibly zero
     * @throws IOException If some other I/O error occurs
     */
-
     public int write(ByteBuffer src) throws IOException {
         int written = 0;
         if (closing || closed) throw new IOException("Channel is in closing state");
-        if (!flush(netOutBuffer))
+
+        if (!flush(netWriteBuffer))
             return written;
-        netOutBuffer.clear();
-        SSLEngineResult result = sslEngine.wrap(src, netOutBuffer);
-        written = result.bytesConsumed();
-        netOutBuffer.flip();
-        if (result.getStatus() == Status.OK) {
-            if (result.getHandshakeStatus() == HandshakeStatus.NEED_TASK)
-                tasks();
-        } else {
-            throw new IOException(String.format("Unable to wrap data, invalid status %s", result.getStatus()));
+        netWriteBuffer.clear();
+        SSLEngineResult wrap = sslEngine.wrap(src, netWriteBuffer);
+        netWriteBuffer.flip();
+        if (wrap.getStatus() == Status.OK) {
+            written = wrap.bytesConsumed();
+            flush(netWriteBuffer);
+        } else if (wrap.getStatus() == Status.BUFFER_OVERFLOW) {
+            int currentPacketBufferSize = packetBufferSize();
+            netWriteBuffer = Utils.ensureCapacity(netReadBuffer, packetBufferSize());
+            if (netWriteBuffer.position() > currentPacketBufferSize)
+                throw new IllegalStateException("SSL BUFFER_OVERFLOW when available data (" + netWriteBuffer.position() + ") > network buffer size (" + currentPacketBufferSize + ")");
+        } else if (wrap.getStatus() == Status.BUFFER_UNDERFLOW) {
+            throw new IllegalStateException("SSL BUFFER_UNDERFLOW during write");
+        } else if (wrap.getStatus() == Status.CLOSED) {
+            throw new EOFException();
         }
-        flush(netOutBuffer);
         return written;
     }
 
@@ -389,18 +459,31 @@ public class SSLTransportLayer implements TransportLayer {
         return write(srcs, 0, srcs.length);
     }
 
+    /**
+     * socket's InputStream as DataInputStream
+     * @return DataInputStream
+     */
     public DataInputStream inStream() throws IOException {
         if (inStream == null)
             this.inStream = new DataInputStream(socketChannel.socket().getInputStream());
         return inStream;
     }
 
+
+    /**
+     * socket's OutputStream as DataOutputStream
+     * @return DataInputStream
+     */
     public DataOutputStream outStream() throws IOException {
         if (outStream == null)
             this.outStream = new DataOutputStream(socketChannel.socket().getOutputStream());
         return outStream;
     }
 
+    /**
+     * SSLSession's peerPrincipal for the remote host.
+     * @return Principal
+     */
     public Principal peerPrincipal() throws IOException {
         try {
             return sslEngine.getSession().getPeerPrincipal();
@@ -409,29 +492,65 @@ public class SSLTransportLayer implements TransportLayer {
         }
     }
 
-    public SSLSession sslSession() throws IllegalStateException, UnsupportedOperationException {
-        if (!handshakeComplete)
-            throw new IllegalStateException("Handshake incomplete.");
+    /**
+     * returns a SSL Session after the handshake is established
+     * throws IlleagalStateException if the handshake is not established
+     */
+    public SSLSession sslSession() throws IllegalStateException {
         return sslEngine.getSession();
     }
 
+    /**
+     * Adds interestOps to SelecitonKey of the TransportLayer
+     * @param ops SelectionKey interestOps
+     */
+    public void addInterestOps(int ops) {
+        interestOps |= ops;
+        // if handshake is not complete and key is cancelled.
+        // we should check for key.isValid.
+        if (handshakeComplete)
+            key.interestOps(interestOps);
+        else if (!key.isValid())
+            throw new CancelledKeyException();
+    }
+
+    /**
+     * removes interestOps to SelecitonKey of the TransportLayer
+     * @param ops SelectionKey interestOps
+     */
+    public void removeInterestOps(int ops) {
+        interestOps &= ~ops;
+        // if handshake is not complete and key is cancelled.
+        // we should check for key.isValid.
+        if (handshakeComplete)
+            key.interestOps(interestOps);
+        else if (!key.isValid())
+            throw new CancelledKeyException();
+    }
+
+
+    /**
+     * returns delegatedTask for the SSLEngine.
+     */
+    protected Runnable delegatedTask() {
+        return sslEngine.getDelegatedTask();
+    }
+
+    /**
+     * transfers appReadBuffer contents (decrypted data) into dst bytebuffer
+     * @param dst ByteBuffer
+     */
     private int readFromAppBuffer(ByteBuffer dst) {
         appReadBuffer.flip();
-        try {
-            int remaining = appReadBuffer.remaining();
-            if (remaining > 0) {
-                if (remaining > dst.remaining())
-                    remaining = dst.remaining();
-                int i = 0;
-                while (i < remaining) {
-                    dst.put(appReadBuffer.get());
-                    i++;
-                }
-            }
-            return remaining;
-        } finally {
-            appReadBuffer.compact();
+        int remaining = Math.min(appReadBuffer.remaining(), dst.remaining());
+        if (remaining > 0) {
+            int limit = appReadBuffer.limit();
+            appReadBuffer.limit(appReadBuffer.position() + remaining);
+            dst.put(appReadBuffer);
+            appReadBuffer.limit(limit);
         }
+        appReadBuffer.compact();
+        return remaining;
     }
 
     private int packetBufferSize() {
diff --git a/clients/src/main/java/org/apache/kafka/common/network/Selector.java b/clients/src/main/java/org/apache/kafka/common/network/Selector.java
index ea95858..024059e 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/Selector.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/Selector.java
@@ -29,8 +29,6 @@ import java.util.List;
 import java.util.Map;
 import java.util.Set;
 import java.util.concurrent.TimeUnit;
-import java.util.concurrent.ExecutorService;
-import java.util.concurrent.Executors;
 
 import org.apache.kafka.common.KafkaException;
 import org.apache.kafka.common.metrics.Measurable;
@@ -42,11 +40,7 @@ import org.apache.kafka.common.metrics.stats.Avg;
 import org.apache.kafka.common.metrics.stats.Count;
 import org.apache.kafka.common.metrics.stats.Max;
 import org.apache.kafka.common.metrics.stats.Rate;
-import org.apache.kafka.common.protocol.SecurityProtocol;
-import org.apache.kafka.common.security.auth.PrincipalBuilder;
-import org.apache.kafka.common.security.auth.DefaultPrincipalBuilder;
 import org.apache.kafka.common.utils.Time;
-import org.apache.kafka.clients.CommonClientConfigs;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -94,14 +88,13 @@ public class Selector implements Selectable {
     private final SelectorMetrics sensors;
     private final String metricGrpPrefix;
     private final Map metricTags;
-    private final SecurityProtocol securityProtocol;
-    private SSLFactory sslFactory = null;
-    private ExecutorService executorService = null;
+    private final ChannelBuilder channelBuilder;
+
 
     /**
      * Create a new selector
      */
-    public Selector(Metrics metrics, Time time, String metricGrpPrefix, Map metricTags, Map configs) {
+    public Selector(Metrics metrics, Time time, String metricGrpPrefix, Map metricTags, ChannelBuilder channelBuilder) {
         try {
             this.selector = java.nio.channels.Selector.open();
         } catch (IOException e) {
@@ -118,13 +111,7 @@ public class Selector implements Selectable {
         this.disconnected = new ArrayList();
         this.failedSends = new ArrayList();
         this.sensors = new SelectorMetrics(metrics);
-        this.securityProtocol = configs.containsKey(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG) ?
-            SecurityProtocol.valueOf((String) configs.get(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG)) : SecurityProtocol.PLAINTEXT;
-        if (securityProtocol == SecurityProtocol.SSL) {
-            this.executorService = Executors.newScheduledThreadPool(1);
-            this.sslFactory = new SSLFactory(SSLFactory.Mode.CLIENT);
-            this.sslFactory.configure(configs);
-        }
+        this.channelBuilder = channelBuilder;
     }
 
     /**
@@ -162,20 +149,9 @@ public class Selector implements Selectable {
             throw e;
         }
 
-        TransportLayer transportLayer;
-        if (securityProtocol == SecurityProtocol.SSL) {
-            transportLayer = new SSLTransportLayer(socketChannel,
-                                                    sslFactory.createSSLEngine(socket.getInetAddress().getHostName(),
-                                                                               socket.getPort()),
-                                                   executorService);
-        } else {
-            transportLayer = new PlainTextTransportLayer(socketChannel);
-        }
-        PrincipalBuilder principalBuilder = new DefaultPrincipalBuilder();
-        Authenticator authenticator = new DefaultAuthenticator(transportLayer, principalBuilder);
-        Channel channel = new Channel(transportLayer, authenticator);
         SelectionKey key = socketChannel.register(this.selector, SelectionKey.OP_CONNECT);
         key.attach(new Transmissions(id));
+        Channel channel = channelBuilder.buildChannel(key);
         this.keys.put(id, key);
         this.channels.put(key, channel);
     }
@@ -186,9 +162,9 @@ public class Selector implements Selectable {
      */
     @Override
     public void disconnect(int id) {
-        SelectionKey key = this.keys.get(id);
-        if (key != null)
-            key.cancel();
+        Channel channel = channelForId(id);
+        if (channel != null)
+            channel.disconnect();
     }
 
     /**
@@ -208,8 +184,6 @@ public class Selector implements Selectable {
             close(key);
         try {
             this.selector.close();
-            if (this.executorService != null)
-                this.executorService.shutdown();
         } catch (IOException e) {
             log.error("Exception closing selector:", e);
         } catch (SecurityException se) {
@@ -223,12 +197,13 @@ public class Selector implements Selectable {
      */
     public void send(NetworkSend send) {
         SelectionKey key = keyForId(send.destination());
+        Channel channel = channel(key);
         Transmissions transmissions = transmissions(key);
         if (transmissions.hasSend())
             throw new IllegalStateException("Attempt to begin a send operation with prior send operation still in progress.");
         transmissions.send = send;
         try {
-            key.interestOps(key.interestOps() | SelectionKey.OP_WRITE);
+            channel.addInterestOps(SelectionKey.OP_WRITE);
         } catch (CancelledKeyException e) {
             close(key);
             this.failedSends.add(send.destination());
@@ -275,52 +250,38 @@ public class Selector implements Selectable {
                     /* complete any connections that have finished their handshake */
                     if (key.isConnectable()) {
                         channel.finishConnect();
-                        key.interestOps(key.interestOps() & ~SelectionKey.OP_CONNECT | SelectionKey.OP_READ);
                         this.connected.add(transmissions.id);
                         this.sensors.connectionCreated.record();
-
                     }
 
-                    /* read from any connections that have readable data */
-                    if (key.isReadable()) {
-                        if (!channel.isReady()) {
-                            int status = channel.connect(key.isReadable(), key.isWritable());
-                            if (status == 0)
-                                key.interestOps(key.interestOps() & ~SelectionKey.OP_CONNECT | SelectionKey.OP_READ);
-                            else
-                                key.interestOps(status);
-                        } else {
+                    if (!channel.isReady()) {
+                        channel.connect();
+                    } else {
+                        /* read from any connections that have readable data */
+                        if (key.isReadable()) {
                             if (!transmissions.hasReceive())
                                 transmissions.receive = new NetworkReceive(transmissions.id);
-                            transmissions.receive.readFrom(channel);
-                            if (transmissions.receive.complete()) {
+                            while (transmissions.receive.readFrom(channel) > 0 && transmissions.receive.complete()) {
                                 transmissions.receive.payload().rewind();
                                 this.completedReceives.add(transmissions.receive);
                                 this.sensors.recordBytesReceived(transmissions.id, transmissions.receive.payload().limit());
                                 transmissions.clearReceive();
+                                if (!transmissions.hasReceive())
+                                    transmissions.receive = new NetworkReceive(transmissions.id);
                             }
                         }
-                    }
 
-                    /* write to any sockets that have space in their buffer and for which we have data */
-                    if (key.isWritable()) {
-                        if (!channel.isReady()) {
-                            int status = channel.connect(key.isReadable(), key.isWritable());
-                            if (status == 0)
-                                key.interestOps(key.interestOps() & ~SelectionKey.OP_CONNECT | SelectionKey.OP_READ);
-                            else
-                                key.interestOps(status);
-                        } else {
+                        /* write to any sockets that have space in their buffer and for which we have data */
+                        if (key.isWritable()) {
                             transmissions.send.writeTo(channel);
                             if (transmissions.send.remaining() <= 0) {
                                 this.completedSends.add(transmissions.send);
                                 this.sensors.recordBytesSent(transmissions.id, transmissions.send.size());
                                 transmissions.clearSend();
-                                key.interestOps(key.interestOps() & ~SelectionKey.OP_WRITE);
+                                channel.removeInterestOps(SelectionKey.OP_WRITE);
                             }
                         }
                     }
-
                     /* cancel any defunct sockets */
                     if (!key.isValid()) {
                         close(key);
@@ -377,7 +338,8 @@ public class Selector implements Selectable {
     }
 
     private void mute(SelectionKey key) {
-        key.interestOps(key.interestOps() & ~SelectionKey.OP_READ);
+        Channel channel = channel(key);
+        channel.mute();
     }
 
     @Override
@@ -386,7 +348,8 @@ public class Selector implements Selectable {
     }
 
     private void unmute(SelectionKey key) {
-        key.interestOps(key.interestOps() | SelectionKey.OP_READ);
+        Channel channel = channel(key);
+        channel.unmute();
     }
 
     @Override
@@ -475,6 +438,10 @@ public class Selector implements Selectable {
         return this.channels.get(key);
     }
 
+    protected Channel channelForId(int id) {
+        return channel(keyForId(id));
+    }
+
     /**
      * The id and in-progress send and receive associated with a connection
      */
diff --git a/clients/src/main/java/org/apache/kafka/common/network/TransportLayer.java b/clients/src/main/java/org/apache/kafka/common/network/TransportLayer.java
index 0531d6f..05750f4 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/TransportLayer.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/TransportLayer.java
@@ -27,7 +27,6 @@ import java.nio.channels.SocketChannel;
 import java.io.DataInputStream;
 import java.io.DataOutputStream;
 
-import javax.net.ssl.SSLSession;
 import java.security.Principal;
 
 
@@ -40,12 +39,6 @@ public interface TransportLayer {
      */
     void close() throws IOException;
 
-
-    /**
-     * Tells wheather or not this channel is open.
-     */
-    boolean isOpen();
-
     /**
      * Writes a sequence of bytes to this channel from the given buffer.
      */
@@ -55,45 +48,61 @@ public interface TransportLayer {
 
     long write(ByteBuffer[] srcs, int offset, int length) throws IOException;
 
+    /**
+     * Reads sequence of bytes from the channel to the given buffer.
+     */
     int read(ByteBuffer dst) throws IOException;
 
     long read(ByteBuffer[] dsts) throws IOException;
 
     long read(ByteBuffer[] dsts, int offset, int length) throws IOException;
 
+
+    /**
+     * Returns true if the channel has handshake and authenticaiton done.
+     */
     boolean isReady();
 
-    boolean finishConnect() throws IOException;
+    /**
+     * Retruns true if socketChannel is open.
+     */
+    boolean isOpen();
+
+    /**
+     * calls internal socketChannel.finishConnect()
+     */
+    void finishConnect() throws IOException;
 
+    /**
+     * disconnect socketChannel
+     */
+    void disconnect();
+
+    /**
+     * returns underlying socketChannel
+     */
     SocketChannel socketChannel();
 
     /**
      * Performs SSL handshake hence is a no-op for the non-secure
      * implementation
-     * @param read Unused in non-secure implementation
-     * @param write Unused in non-secure implementation
-     * @return Always return 0
      * @throws IOException
     */
-    int handshake(boolean read, boolean write) throws IOException;
+    void handshake() throws IOException;
+
 
     DataInputStream inStream() throws IOException;
 
     DataOutputStream outStream() throws IOException;
 
-    boolean flush(ByteBuffer buffer) throws IOException;
-
-
     /**
      * returns SSLSession.getPeerPrinicpal if SSLTransportLayer used
      * for non-secure returns a "ANONYMOUS" as the peerPrincipal
      */
     Principal peerPrincipal() throws IOException;
 
-    /**
-     * returns a SSL Session after the handshake is established
-     * throws IlleagalStateException if the handshake is not established
-     * throws UnsupportedOperationException for non-secure implementation
-     */
-    SSLSession sslSession() throws IllegalStateException, UnsupportedOperationException;
+    void addInterestOps(int ops);
+
+    void removeInterestOps(int ops);
+
 }
diff --git a/clients/src/main/java/org/apache/kafka/common/protocol/SecurityProtocol.java b/clients/src/main/java/org/apache/kafka/common/protocol/SecurityProtocol.java
index d663f7a..a624741 100644
--- a/clients/src/main/java/org/apache/kafka/common/protocol/SecurityProtocol.java
+++ b/clients/src/main/java/org/apache/kafka/common/protocol/SecurityProtocol.java
@@ -24,8 +24,8 @@ import java.util.Map;
 public enum SecurityProtocol {
     /** Un-authenticated, non-encrypted channel */
     PLAINTEXT(0, "PLAINTEXT"),
-    /** SSL channe */
-    SSL(1, "PLAINTEXT"),
+    /** SSL channel */
+    SSL(1, "SSL"),
     /** Currently identical to PLAINTEXT and used for testing only. We may implement extra instrumentation when testing channel code. */
     TRACE(Short.MAX_VALUE, "TRACE");
 
diff --git a/clients/src/main/java/org/apache/kafka/common/security/auth/DefaultPrincipalBuilder.java b/clients/src/main/java/org/apache/kafka/common/security/auth/DefaultPrincipalBuilder.java
index d594e4d..fbbeb9e 100644
--- a/clients/src/main/java/org/apache/kafka/common/security/auth/DefaultPrincipalBuilder.java
+++ b/clients/src/main/java/org/apache/kafka/common/security/auth/DefaultPrincipalBuilder.java
@@ -17,15 +17,19 @@
 
 package org.apache.kafka.common.security.auth;
 
+import java.util.Map;
 import java.security.Principal;
 
 import org.apache.kafka.common.network.TransportLayer;
 import org.apache.kafka.common.network.Authenticator;
 import org.apache.kafka.common.KafkaException;
 
+/** DefaultPrincipalBuilder which return transportLayer's peer Principal **/
 
 public class DefaultPrincipalBuilder implements PrincipalBuilder {
 
+    public void configure(Map configs) {}
+
     public Principal buildPrincipal(TransportLayer transportLayer, Authenticator authenticator) throws KafkaException {
         try {
             return transportLayer.peerPrincipal();
@@ -34,4 +38,6 @@ public class DefaultPrincipalBuilder implements PrincipalBuilder {
         }
     }
 
+    public void close() throws KafkaException {}
+
 }
diff --git a/clients/src/main/java/org/apache/kafka/common/security/auth/KafkaPrincipal.java b/clients/src/main/java/org/apache/kafka/common/security/auth/KafkaPrincipal.java
index 4a7ace8..277b6ef 100644
--- a/clients/src/main/java/org/apache/kafka/common/security/auth/KafkaPrincipal.java
+++ b/clients/src/main/java/org/apache/kafka/common/security/auth/KafkaPrincipal.java
@@ -28,6 +28,7 @@ public class KafkaPrincipal implements Principal {
         this.name = name;
     }
 
+    @Override
     public boolean equals(Object object) {
         if (this == object)
             return true;
@@ -39,14 +40,17 @@ public class KafkaPrincipal implements Principal {
         return false;
     }
 
+    @Override
     public int hashCode() {
         return name.hashCode();
     }
 
+    @Override
     public String getName() {
         return name;
     }
 
+    @Override
     public String toString() {
         return name;
     }
diff --git a/clients/src/main/java/org/apache/kafka/common/security/auth/PrincipalBuilder.java b/clients/src/main/java/org/apache/kafka/common/security/auth/PrincipalBuilder.java
index 5b39222..b7cc378 100644
--- a/clients/src/main/java/org/apache/kafka/common/security/auth/PrincipalBuilder.java
+++ b/clients/src/main/java/org/apache/kafka/common/security/auth/PrincipalBuilder.java
@@ -20,13 +20,21 @@ package org.apache.kafka.common.security.auth;
 /*
  * PrincipalBuilder for Authenticator
  */
+
 import org.apache.kafka.common.network.TransportLayer;
 import org.apache.kafka.common.network.Authenticator;
 import org.apache.kafka.common.KafkaException;
+import org.apache.kafka.common.Configurable;
 
+import java.util.Map;
 import java.security.Principal;
 
-public interface PrincipalBuilder {
+public interface PrincipalBuilder extends Configurable {
+
+    /**
+     * configure this class with give key-value pair
+     */
+    public void configure(Map configs);
 
     /**
      * Returns Principal
@@ -35,4 +43,9 @@ public interface PrincipalBuilder {
      */
     Principal buildPrincipal(TransportLayer transportLayer, Authenticator authenticator) throws KafkaException;
 
+    /**
+     * Close this PrincipalBuilder
+     */
+    public void close() throws KafkaException;
+
 }
diff --git a/clients/src/main/java/org/apache/kafka/common/utils/Utils.java b/clients/src/main/java/org/apache/kafka/common/utils/Utils.java
index 9382060..5b21eac 100755
--- a/clients/src/main/java/org/apache/kafka/common/utils/Utils.java
+++ b/clients/src/main/java/org/apache/kafka/common/utils/Utils.java
@@ -3,9 +3,9 @@
  * file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file
  * to You under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the
  * License. You may obtain a copy of the License at
- * 
+ *
  * http://www.apache.org/licenses/LICENSE-2.0
- * 
+ *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
  * specific language governing permissions and limitations under the License.
@@ -48,7 +48,7 @@ public class Utils {
 
     /**
      * Turn the given UTF8 byte array into a string
-     * 
+     *
      * @param bytes The byte array
      * @return The string
      */
@@ -62,7 +62,7 @@ public class Utils {
 
     /**
      * Turn a string into a utf8 byte[]
-     * 
+     *
      * @param string The string
      * @return The byte[]
      */
@@ -76,7 +76,7 @@ public class Utils {
 
     /**
      * Read an unsigned integer from the current position in the buffer, incrementing the position by 4 bytes
-     * 
+     *
      * @param buffer The buffer to read from
      * @return The integer read, as a long to avoid signedness
      */
@@ -86,7 +86,7 @@ public class Utils {
 
     /**
      * Read an unsigned integer from the given position without modifying the buffers position
-     * 
+     *
      * @param buffer the buffer to read from
      * @param index the index from which to read the integer
      * @return The integer read, as a long to avoid signedness
@@ -97,12 +97,12 @@ public class Utils {
 
     /**
      * Read an unsigned integer stored in little-endian format from the {@link InputStream}.
-     * 
+     *
      * @param in The stream to read from
      * @return The integer read (MUST BE TREATED WITH SPECIAL CARE TO AVOID SIGNEDNESS)
      */
     public static int readUnsignedIntLE(InputStream in) throws IOException {
-        return (in.read() << 8 * 0) 
+        return (in.read() << 8 * 0)
              | (in.read() << 8 * 1)
              | (in.read() << 8 * 2)
              | (in.read() << 8 * 3);
@@ -111,7 +111,7 @@ public class Utils {
     /**
      * Read an unsigned integer stored in little-endian format from a byte array
      * at a given offset.
-     * 
+     *
      * @param buffer The byte array to read from
      * @param offset The position in buffer to read from
      * @return The integer read (MUST BE TREATED WITH SPECIAL CARE TO AVOID SIGNEDNESS)
@@ -125,7 +125,7 @@ public class Utils {
 
     /**
      * Write the given long value as a 4 byte unsigned integer. Overflow is ignored.
-     * 
+     *
      * @param buffer The buffer to write to
      * @param value The value to write
      */
@@ -135,7 +135,7 @@ public class Utils {
 
     /**
      * Write the given long value as a 4 byte unsigned integer. Overflow is ignored.
-     * 
+     *
      * @param buffer The buffer to write to
      * @param index The position in the buffer at which to begin writing
      * @param value The value to write
@@ -146,7 +146,7 @@ public class Utils {
 
     /**
      * Write an unsigned integer in little-endian format to the {@link OutputStream}.
-     * 
+     *
      * @param out The stream to write to
      * @param value The value to write
      */
@@ -160,7 +160,7 @@ public class Utils {
     /**
      * Write an unsigned integer in little-endian format to a byte array
      * at a given offset.
-     * 
+     *
      * @param buffer The byte array to write to
      * @param offset The position in buffer to write to
      * @param value The value to write
@@ -183,7 +183,7 @@ public class Utils {
 
     /**
      * Get the length for UTF8-encoding a string without encoding it first
-     * 
+     *
      * @param s The string to calculate the length for
      * @return The length when serialized
      */
@@ -229,7 +229,7 @@ public class Utils {
 
     /**
      * Check that the parameter t is not null
-     * 
+     *
      * @param t The object to check
      * @return t if it isn't null
      * @throws NullPointerException if t is null.
@@ -353,7 +353,7 @@ public class Utils {
     public static  String join(T[] strs, String seperator) {
         return join(Arrays.asList(strs), seperator);
     }
-    
+
     /**
      * Create a string representation of a list joined by the given separator
      * @param list The list of items
@@ -366,7 +366,7 @@ public class Utils {
         while (iter.hasNext()) {
             sb.append(iter.next());
             if (iter.hasNext())
-                sb.append(seperator);  
+                sb.append(seperator);
         }
         return sb.toString();
     }
@@ -460,7 +460,7 @@ public class Utils {
 
     /**
      * Attempt to read a file as a string
-     * @throws IOException 
+     * @throws IOException
      */
     public static String readFileAsString(String path, Charset charset) throws IOException {
         if (charset == null) charset = Charset.defaultCharset();
@@ -480,6 +480,12 @@ public class Utils {
         return Utils.readFileAsString(path, Charset.defaultCharset());
     }
 
+    /**
+     * Check if the given ByteBuffer capacity
+     * @param existingBuffer ByteBuffer capacity to check
+     * @param newLength new length for the ByteBuffer.
+     * returns ByteBuffer
+     */
     public static ByteBuffer ensureCapacity(ByteBuffer existingBuffer, int newLength) {
         if (newLength > existingBuffer.capacity()) {
             ByteBuffer newBuffer = ByteBuffer.allocate(newLength);
diff --git a/clients/src/test/java/org/apache/kafka/common/network/EchoServer.java b/clients/src/test/java/org/apache/kafka/common/network/EchoServer.java
index 7f34738..ce4c201 100644
--- a/clients/src/test/java/org/apache/kafka/common/network/EchoServer.java
+++ b/clients/src/test/java/org/apache/kafka/common/network/EchoServer.java
@@ -12,9 +12,11 @@
  */
 package org.apache.kafka.common.network;
 
-import org.apache.kafka.clients.CommonClientConfigs;
+import org.apache.kafka.common.config.SecurityConfigs;
 import org.apache.kafka.common.protocol.SecurityProtocol;
 
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocket;
 import java.io.DataInputStream;
 import java.io.DataOutputStream;
 import java.io.IOException;
@@ -24,7 +26,7 @@ import java.util.ArrayList;
 import java.util.Collections;
 import java.util.Map;
 import java.util.List;
-
+import java.util.concurrent.atomic.AtomicBoolean;
 
 
 /**
@@ -37,14 +39,16 @@ class EchoServer extends Thread {
     private final List sockets;
     private SecurityProtocol protocol = SecurityProtocol.PLAINTEXT;
     private SSLFactory sslFactory;
+    private final AtomicBoolean renegotiate = new AtomicBoolean();
 
     public EchoServer(Map configs) throws Exception {
-        this.protocol =  configs.containsKey(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG) ?
-            SecurityProtocol.valueOf((String) configs.get(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG)) : SecurityProtocol.PLAINTEXT;
+        this.protocol =  configs.containsKey(SecurityConfigs.SECURITY_PROTOCOL_CONFIG) ?
+            SecurityProtocol.valueOf((String) configs.get(SecurityConfigs.SECURITY_PROTOCOL_CONFIG)) : SecurityProtocol.PLAINTEXT;
         if (protocol == SecurityProtocol.SSL) {
             this.sslFactory = new SSLFactory(SSLFactory.Mode.SERVER);
             this.sslFactory.configure(configs);
-            this.serverSocket = sslFactory.createSSLServerSocketFactory().createServerSocket(0);
+            SSLContext sslContext = this.sslFactory.sslContext();
+            this.serverSocket = sslContext.getServerSocketFactory().createServerSocket(0);
         } else {
             this.serverSocket = new ServerSocket(0);
         }
@@ -53,6 +57,9 @@ class EchoServer extends Thread {
         this.sockets = Collections.synchronizedList(new ArrayList());
     }
 
+    public void renegotiate() {
+        renegotiate.set(true);
+    }
 
     @Override
     public void run() {
@@ -68,6 +75,10 @@ class EchoServer extends Thread {
                             DataOutputStream output = new DataOutputStream(socket.getOutputStream());
                             while (socket.isConnected() && !socket.isClosed()) {
                                 int size = input.readInt();
+                                if (renegotiate.get()) {
+                                    renegotiate.set(false);
+                                    ((SSLSocket) socket).startHandshake();
+                                }
                                 byte[] bytes = new byte[size];
                                 input.readFully(bytes);
                                 output.writeInt(size);
diff --git a/clients/src/test/java/org/apache/kafka/common/network/SSLFactoryTest.java b/clients/src/test/java/org/apache/kafka/common/network/SSLFactoryTest.java
index 02a3eff..9e3926c 100644
--- a/clients/src/test/java/org/apache/kafka/common/network/SSLFactoryTest.java
+++ b/clients/src/test/java/org/apache/kafka/common/network/SSLFactoryTest.java
@@ -21,6 +21,7 @@ import org.apache.kafka.test.TestSSLUtils;
 import org.junit.Test;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertArrayEquals;
 import static org.junit.Assert.assertTrue;
 
 
@@ -32,24 +33,26 @@ public class SSLFactoryTest {
 
     @Test
     public void testSSLFactoryConfiguration() throws Exception {
-        Map> sslConfigs = TestSSLUtils.createSSLConfigs(false, true);
-        Map serverSSLConfig = sslConfigs.get(SSLFactory.Mode.SERVER);
+        Map> sslConfigs = TestSSLUtils.createSSLConfigs(false, true);
+        Map serverSSLConfig = sslConfigs.get(SSLFactory.Mode.SERVER);
         SSLFactory sslFactory = new SSLFactory(SSLFactory.Mode.SERVER);
         sslFactory.configure(serverSSLConfig);
-        SSLEngine engine = sslFactory.createSSLEngine("localhost", 9093);
+        //host and port are hints
+        SSLEngine engine = sslFactory.createSSLEngine("localhost", 0);
         assertNotNull(engine);
         String[] expectedProtocols = {"TLSv1.2"};
-        assertEquals(expectedProtocols, engine.getEnabledProtocols());
+        assertArrayEquals(expectedProtocols, engine.getEnabledProtocols());
         assertEquals(false, engine.getUseClientMode());
     }
 
     @Test
     public void testClientMode() throws Exception {
-        Map> sslConfigs = TestSSLUtils.createSSLConfigs(false, true);
-        Map clientSSLConfig = sslConfigs.get(SSLFactory.Mode.CLIENT);
+        Map> sslConfigs = TestSSLUtils.createSSLConfigs(false, true);
+        Map clientSSLConfig = sslConfigs.get(SSLFactory.Mode.CLIENT);
         SSLFactory sslFactory = new SSLFactory(SSLFactory.Mode.CLIENT);
         sslFactory.configure(clientSSLConfig);
-        SSLEngine engine = sslFactory.createSSLEngine("localhost", 9093);
+        //host and port are hints
+        SSLEngine engine = sslFactory.createSSLEngine("localhost", 0);
         assertTrue(engine.getUseClientMode());
     }
 
diff --git a/clients/src/test/java/org/apache/kafka/common/network/SSLSelectorTest.java b/clients/src/test/java/org/apache/kafka/common/network/SSLSelectorTest.java
index c5f8ecf..ab9e6b9 100644
--- a/clients/src/test/java/org/apache/kafka/common/network/SSLSelectorTest.java
+++ b/clients/src/test/java/org/apache/kafka/common/network/SSLSelectorTest.java
@@ -13,17 +13,29 @@
 package org.apache.kafka.common.network;
 
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
 
+import java.util.LinkedHashMap;
 import java.util.Map;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
+import java.util.concurrent.Semaphore;
+
 import java.io.IOException;
 import java.net.InetSocketAddress;
 import java.nio.ByteBuffer;
-import java.util.LinkedHashMap;
+import java.nio.channels.SocketChannel;
+import java.nio.channels.SelectionKey;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLEngineResult;
 
+import org.apache.kafka.common.config.SecurityConfigs;
+import org.apache.kafka.common.KafkaException;
 import org.apache.kafka.common.metrics.Metrics;
+import org.apache.kafka.common.security.auth.PrincipalBuilder;
 import org.apache.kafka.common.utils.MockTime;
-import org.apache.kafka.test.TestSSLUtils;
 import org.apache.kafka.common.utils.Utils;
+import org.apache.kafka.test.TestSSLUtils;
 import org.apache.kafka.test.TestUtils;
 import org.junit.After;
 import org.junit.Before;
@@ -38,14 +50,22 @@ public class SSLSelectorTest {
     private static final int BUFFER_SIZE = 4 * 1024;
 
     private EchoServer server;
-    private Selectable selector;
+    private Selector selector;
+    private ChannelBuilder channelBuilder;
 
     @Before
     public void setup() throws Exception {
-        Map> sslConfigs = TestSSLUtils.createSSLConfigs(false, true);
-        this.server = new EchoServer(sslConfigs.get(SSLFactory.Mode.SERVER));
+        Map> sslConfigs = TestSSLUtils.createSSLConfigs(false, true);
+        Map sslServerConfigs = sslConfigs.get(SSLFactory.Mode.SERVER);
+        sslServerConfigs.put(SecurityConfigs.PRINCIPAL_BUILDER_CLASS_CONFIG, Class.forName(SecurityConfigs.DEFAULT_PRINCIPAL_BUILDER_CLASS));
+        this.server = new EchoServer(sslServerConfigs);
         this.server.start();
-        this.selector = new Selector(new Metrics(), new MockTime(), "MetricGroup", new LinkedHashMap(), sslConfigs.get(SSLFactory.Mode.CLIENT));
+        Map sslClientConfigs = sslConfigs.get(SSLFactory.Mode.CLIENT);
+        sslClientConfigs.put(SecurityConfigs.PRINCIPAL_BUILDER_CLASS_CONFIG, Class.forName(SecurityConfigs.DEFAULT_PRINCIPAL_BUILDER_CLASS));
+
+        this.channelBuilder = new MockSSLChannelBuilder();
+        this.channelBuilder.configure(sslClientConfigs);
+        this.selector = new Selector(new Metrics(), new MockTime(), "MetricGroup", new LinkedHashMap(), channelBuilder);
     }
 
     @After
@@ -88,6 +108,23 @@ public class SSLSelectorTest {
     }
 
 
+    /**
+     * Validate that the client can intentionally disconnect and reconnect
+     */
+    @Test
+    public void testClientDisconnect() throws Exception {
+        int node = 0;
+        blockingConnect(node);
+        selector.disconnect(node);
+        selector.send(createSend(node, "hello1"));
+        selector.poll(10L);
+        assertEquals("Request should not have succeeded", 0, selector.completedSends().size());
+        assertEquals("There should be a disconnect", 1, selector.disconnected().size());
+        assertTrue("The disconnect should be from our node", selector.disconnected().contains(node));
+        blockingConnect(node);
+        assertEquals("hello2", blockingRequest(node, "hello2"));
+    }
+
      /**
      * Tests wrap BUFFER_OVERFLOW  and unwrap BUFFER_UNDERFLOW
      * @throws Exception
@@ -103,10 +140,128 @@ public class SSLSelectorTest {
         sendAndReceive(node, requestPrefix, 0, reqs);
     }
 
+    /**
+     * Test sending an empty string
+     */
+    @Test
+    public void testEmptyRequest() throws Exception {
+        int node = 0;
+        blockingConnect(node);
+        assertEquals("", blockingRequest(node, ""));
+    }
+
+    @Test
+    public void testMute() throws Exception {
+        blockingConnect(0);
+        blockingConnect(1);
+
+        selector.send(createSend(0, "hello"));
+        selector.send(createSend(1, "hi"));
+        selector.mute(1);
+
+        while (selector.completedReceives().isEmpty())
+            selector.poll(5);
+        assertEquals("We should have only one response", 1, selector.completedReceives().size());
+        assertEquals("The response should not be from the muted node", 0, selector.completedReceives().get(0).source());
+        selector.unmute(1);
+        do {
+            selector.poll(5);
+        } while (selector.completedReceives().isEmpty());
+        assertEquals("We should have only one response", 1, selector.completedReceives().size());
+        assertEquals("The response should be from the previously muted node", 1, selector.completedReceives().get(0).source());
+    }
+
+    /**
+     * Tests that SSL renegotiation initiated by the server are handled correctly by the client
+     * @throws Exception
+     */
+    @Test
+    public void testRenegotiation() throws Exception {
+        int reqs = 500;
+        int node = 0;
+
+        // create connections
+        InetSocketAddress addr = new InetSocketAddress("localhost", server.port);
+        selector.connect(node, addr, BUFFER_SIZE, BUFFER_SIZE);
+
+        // send echo requests and receive responses
+        int requests = 0;
+        int responses = 0;
+        int renegotiates = 0;
+        selector.send(createSend(node, node + "-" + 0));
+        requests++;
+
+        // loop until we complete all requests
+        while (responses < reqs) {
+            selector.poll(0L);
+            if (responses >= 100 && renegotiates == 0) {
+                renegotiates++;
+                server.renegotiate();
+            }
+            assertEquals("No disconnects should have occurred.", 0, selector.disconnected().size());
+
+            // handle any responses we may have gotten
+            for (NetworkReceive receive : selector.completedReceives()) {
+                String[] pieces = asString(receive).split("-");
+                assertEquals("Receive text should be in the form 'conn-counter'", 2, pieces.length);
+                assertEquals("Check the source", receive.source(), Integer.parseInt(pieces[0]));
+                assertEquals("Receive ByteBuffer position should be at 0", 0, receive.payload().position());
+                assertEquals("Check the request counter", responses, Integer.parseInt(pieces[1]));
+                responses++;
+            }
+
+            // prepare new sends for the next round
+            for (int i = 0; i < selector.completedSends().size() && requests < reqs; i++, requests++) {
+                selector.send(createSend(node, node + "-" + requests));
+            }
+        }
+    }
+
+    @Test
+    public void testLongDeferredTasks() throws Exception {
+        final int fastNode = 0;
+        final int slowNode = 1;
+
+        // create connections
+        InetSocketAddress addr = new InetSocketAddress("localhost", server.port);
+        selector.connect(fastNode, addr, BUFFER_SIZE, BUFFER_SIZE);
+        selector.connect(slowNode, addr, BUFFER_SIZE, BUFFER_SIZE);
+
+        sendAndReceive(fastNode, String.valueOf(fastNode), 0, 10);
+        sendAndReceive(slowNode, String.valueOf(slowNode), 0, 10);
+
+        Semaphore delegatedTaskSemaphore = new Semaphore(0);
+        Channel channel = selector.channelForId(slowNode);
+        MockSSLTransportLayer sslTransportLayer = (MockSSLTransportLayer) channel.transportLayer();
+
+        sslTransportLayer.delegatedTaskSemaphore = delegatedTaskSemaphore;
+        // set renegotiate flag and send a message to trigger renegotiation on the slow channel
+        server.renegotiate();
+        selector.send(createSend(slowNode, String.valueOf(slowNode) + "-" + 11));
+        while (sslTransportLayer.engine.getHandshakeStatus() != SSLEngineResult.HandshakeStatus.NEED_TASK) {
+            selector.poll(1L);
+        }
+
+        // Slow channel is now blocked on the delegated task. Check that fast channel is able to make progress
+        sendAndReceive(fastNode, String.valueOf(fastNode), 10, 20);
+
+        // Allow slow channel to continue and check that it works as expected
+        delegatedTaskSemaphore.release(10);
+        selector.send(createSend(slowNode, String.valueOf(slowNode) + "-" + 12));
+        int responses = 11;
+        while (responses <= 12) {
+            selector.poll(0L);
+            for (NetworkReceive receive : selector.completedReceives()) {
+                assertEquals(slowNode + "-" + responses, asString(receive));
+                responses++;
+            }
+        }
+    }
+
+
 
     private String blockingRequest(int node, String s) throws IOException {
         selector.send(createSend(node, s));
-        selector.poll(1000L);
         while (true) {
             selector.poll(1000L);
             for (NetworkReceive receive : selector.completedReceives())
@@ -152,4 +307,75 @@ public class SSLSelectorTest {
             }
         }
     }
+
+    // Channel builder with MockSSLTransportLayer.
+    private static class MockSSLChannelBuilder implements ChannelBuilder {
+        private SSLFactory sslFactory;
+        private ExecutorService executorService;
+        private PrincipalBuilder principalBuilder;
+
+        public void configure(Map configs) throws KafkaException {
+            try {
+                this.executorService = Executors.newScheduledThreadPool(1);
+                this.sslFactory = new SSLFactory(SSLFactory.Mode.CLIENT);
+                this.sslFactory.configure(configs);
+                this.principalBuilder = (PrincipalBuilder) Utils.newInstance((Class) configs.get(SecurityConfigs.PRINCIPAL_BUILDER_CLASS_CONFIG));
+                this.principalBuilder.configure(configs);
+            } catch (Exception e) {
+                throw new KafkaException(e);
+            }
+        }
+
+
+        @Override
+        public Channel buildChannel(SelectionKey key) throws KafkaException {
+            Channel channel = null;
+            try {
+                SocketChannel socketChannel = (SocketChannel) key.channel();
+                MockSSLTransportLayer transportLayer = new MockSSLTransportLayer(key,
+                                                                                 sslFactory.createSSLEngine(socketChannel.socket().getInetAddress().getHostName(),
+                                                                                                    socketChannel.socket().getPort()),
+                                                                                 executorService);
+                Authenticator authenticator = new DefaultAuthenticator(transportLayer, this.principalBuilder);
+                channel = new Channel(transportLayer, authenticator);
+            } catch (Exception e) {
+                throw new KafkaException(e);
+            }
+            return channel;
+        }
+
+        public void close()  {
+            this.executorService.shutdown();
+            this.principalBuilder.close();
+        }
+    }
+
+    private static class MockSSLTransportLayer extends SSLTransportLayer {
+        private final SSLEngine engine;
+        private boolean engineClosed;
+        private Semaphore delegatedTaskSemaphore;
+
+        public MockSSLTransportLayer(SelectionKey key, SSLEngine engine, ExecutorService executorService) throws IOException {
+            super(key, engine, executorService);
+            this.engine = engine;
+        }
+
+        @Override
+        protected Runnable delegatedTask() {
+            final Runnable task = super.delegatedTask();
+            return task == null ? null : new Runnable() {
+                @Override
+                public void run() {
+                    if (delegatedTaskSemaphore != null) {
+                        try {
+                            delegatedTaskSemaphore.acquire();
+                        } catch (InterruptedException e) {
+                        }
+                    }
+                    task.run();
+                }
+            };
+        }
+    }
+
 }
diff --git a/clients/src/test/java/org/apache/kafka/common/network/SelectorTest.java b/clients/src/test/java/org/apache/kafka/common/network/SelectorTest.java
index 3fd8fe2..4bb95f0 100644
--- a/clients/src/test/java/org/apache/kafka/common/network/SelectorTest.java
+++ b/clients/src/test/java/org/apache/kafka/common/network/SelectorTest.java
@@ -24,6 +24,7 @@ import java.nio.ByteBuffer;
 import java.util.LinkedHashMap;
 
 import org.apache.kafka.common.metrics.Metrics;
+import org.apache.kafka.common.config.SecurityConfigs;
 import org.apache.kafka.common.utils.MockTime;
 import org.apache.kafka.common.utils.Utils;
 import org.apache.kafka.test.TestUtils;
@@ -40,13 +41,17 @@ public class SelectorTest {
 
     private EchoServer server;
     private Selectable selector;
+    private ChannelBuilder channelBuilder;
 
     @Before
     public void setup() throws Exception {
-        Map configs = new HashMap();
+        Map configs = new HashMap();
+        configs.put(SecurityConfigs.PRINCIPAL_BUILDER_CLASS_CONFIG, Class.forName(SecurityConfigs.DEFAULT_PRINCIPAL_BUILDER_CLASS));
         this.server = new EchoServer(configs);
         this.server.start();
-        this.selector = new Selector(new Metrics(), new MockTime() , "MetricGroup", new LinkedHashMap(), configs);
+        this.channelBuilder = new PlainTextChannelBuilder();
+        this.channelBuilder.configure(configs);
+        this.selector = new Selector(new Metrics(), new MockTime() , "MetricGroup", new LinkedHashMap(), channelBuilder);
     }
 
     @After
@@ -196,6 +201,17 @@ public class SelectorTest {
         assertEquals(big, blockingRequest(node, big));
     }
 
+    @Test
+    public void testShortMessageSequence() throws Exception {
+        int bufferSize = 512 * 1024;
+        int node = 0;
+        int reqs = 50;
+        InetSocketAddress addr = new InetSocketAddress("localhost", server.port);
+        selector.connect(node, addr, BUFFER_SIZE, BUFFER_SIZE);
+        String requestPrefix = "hello-wordl";
+        sendAndReceive(node, requestPrefix, 0, reqs);
+    }
+
     /**
      * Test sending an empty string
      */
@@ -261,5 +277,27 @@ public class SelectorTest {
         return new String(Utils.toArray(receive.payload()));
     }
 
+    private void sendAndReceive(int node, String requestPrefix, int startIndex, int endIndex) throws Exception {
+        int requests = startIndex;
+        int responses = startIndex;
+        selector.send(createSend(node, requestPrefix + "-" + startIndex));
+        requests++;
+        while (responses < endIndex) {
+            // do the i/o
+            selector.poll(0L);
+            assertEquals("No disconnects should have occurred.", 0, selector.disconnected().size());
+
+            // handle requests and responses of the fast node
+            for (NetworkReceive receive : selector.completedReceives()) {
+                assertEquals(requestPrefix + "-" + responses, asString(receive));
+                responses++;
+            }
+
+            for (int i = 0; i < selector.completedSends().size() && requests < endIndex; i++, requests++) {
+                selector.send(createSend(node, requestPrefix + "-" + requests));
+            }
+        }
+    }
+
 
 }
diff --git a/clients/src/test/java/org/apache/kafka/test/TestSSLUtils.java b/clients/src/test/java/org/apache/kafka/test/TestSSLUtils.java
index 590f1f5..b34d085 100644
--- a/clients/src/test/java/org/apache/kafka/test/TestSSLUtils.java
+++ b/clients/src/test/java/org/apache/kafka/test/TestSSLUtils.java
@@ -17,28 +17,36 @@
 
 package org.apache.kafka.test;
 
-import org.apache.kafka.clients.CommonClientConfigs;
+import org.apache.kafka.common.config.SecurityConfigs;
 import org.apache.kafka.common.network.SSLFactory;
 
 import java.io.File;
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.math.BigInteger;
-import java.security.GeneralSecurityException;
-import java.security.Key;
-import java.security.KeyPair;
-import java.security.KeyPairGenerator;
-import java.security.KeyStore;
-import java.security.NoSuchAlgorithmException;
-import java.security.SecureRandom;
+import javax.net.ssl.TrustManagerFactory;
+import java.security.*;
 import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
-import java.security.InvalidKeyException;
-import java.security.NoSuchProviderException;
-import java.security.SignatureException;
-import java.security.cert.CertificateEncodingException;
-import javax.security.auth.x500.X500Principal;
-import org.bouncycastle.x509.X509V1CertificateGenerator;
+
+import org.bouncycastle.asn1.x500.X500Name;
+import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
+import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
+import org.bouncycastle.cert.X509CertificateHolder;
+import org.bouncycastle.cert.X509v1CertificateBuilder;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
+import org.bouncycastle.crypto.params.AsymmetricKeyParameter;
+import org.bouncycastle.crypto.util.PrivateKeyFactory;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.operator.ContentSigner;
+import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder;
+import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;
+import org.bouncycastle.operator.bc.BcRSAContentSignerBuilder;
+
+
+
+
 
 import java.util.Date;
 import java.util.HashMap;
@@ -63,24 +71,28 @@ public class TestSSLUtils {
      */
     public static X509Certificate generateCertificate(String dn, KeyPair pair,
                                                       int days, String algorithm)
-        throws CertificateEncodingException, InvalidKeyException, IllegalStateException,
-               NoSuchProviderException, NoSuchAlgorithmException, SignatureException {
-        Date from = new Date();
-        Date to = new Date(from.getTime() + days * 86400000L);
-        BigInteger sn = new BigInteger(64, new SecureRandom());
-        KeyPair keyPair = pair;
-        X509V1CertificateGenerator certGen = new X509V1CertificateGenerator();
-        X500Principal  dnName = new X500Principal(dn);
-
-        certGen.setSerialNumber(sn);
-        certGen.setIssuerDN(dnName);
-        certGen.setNotBefore(from);
-        certGen.setNotAfter(to);
-        certGen.setSubjectDN(dnName);
-        certGen.setPublicKey(keyPair.getPublic());
-        certGen.setSignatureAlgorithm(algorithm);
-        X509Certificate cert = certGen.generate(pair.getPrivate());
-        return cert;
+        throws  CertificateException {
+
+        try {
+            Security.addProvider(new BouncyCastleProvider());
+            AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder().find(algorithm);
+            AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId);
+            AsymmetricKeyParameter privateKeyAsymKeyParam = PrivateKeyFactory.createKey(pair.getPrivate().getEncoded());
+            SubjectPublicKeyInfo subPubKeyInfo = SubjectPublicKeyInfo.getInstance(pair.getPublic().getEncoded());
+            ContentSigner sigGen = new BcRSAContentSignerBuilder(sigAlgId, digAlgId).build(privateKeyAsymKeyParam);
+            X500Name name = new X500Name(dn);
+            Date from = new Date();
+            Date to = new Date(from.getTime() + days * 86400000L);
+            BigInteger sn = new BigInteger(64, new SecureRandom());
+
+            X509v1CertificateBuilder v1CertGen = new X509v1CertificateBuilder(name, sn, from, to, name, subPubKeyInfo);
+            X509CertificateHolder certificateHolder = v1CertGen.build(sigGen);
+            return new JcaX509CertificateConverter().setProvider("BC").getCertificate(certificateHolder);
+        } catch (CertificateException ce) {
+            throw ce;
+        } catch (Exception e) {
+            throw new CertificateException(e);
+        }
     }
 
     public static KeyPair generateKeyPair(String algorithm) throws NoSuchAlgorithmException {
@@ -163,33 +175,33 @@ public class TestSSLUtils {
     public static Map createSSLConfig(SSLFactory.Mode mode, File keyStoreFile, String password, String keyPassword,
                                                       File trustStoreFile, String trustStorePassword, boolean useClientCert) {
         Map sslConfigs = new HashMap();
-        sslConfigs.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, "SSL"); // kafka security protocol
-        sslConfigs.put(CommonClientConfigs.SSL_PROTOCOL_CONFIG, "TLS"); // protocol to create SSLContext
+        sslConfigs.put(SecurityConfigs.SECURITY_PROTOCOL_CONFIG, "SSL"); // kafka security protocol
+        sslConfigs.put(SecurityConfigs.SSL_PROTOCOL_CONFIG, "TLSv1.2"); // protocol to create SSLContext
 
         if (mode == SSLFactory.Mode.SERVER || (mode == SSLFactory.Mode.CLIENT && keyStoreFile != null)) {
-            sslConfigs.put(CommonClientConfigs.SSL_KEYSTORE_LOCATION_CONFIG, keyStoreFile.getPath());
-            sslConfigs.put(CommonClientConfigs.SSL_KEYSTORE_TYPE_CONFIG, "JKS");
-            sslConfigs.put(CommonClientConfigs.SSL_KEYMANAGER_ALGORITHM_CONFIG, "SunX509");
-            sslConfigs.put(CommonClientConfigs.SSL_KEYSTORE_PASSWORD_CONFIG, password);
-            sslConfigs.put(CommonClientConfigs.SSL_KEY_PASSWORD_CONFIG, keyPassword);
+            sslConfigs.put(SecurityConfigs.SSL_KEYSTORE_LOCATION_CONFIG, keyStoreFile.getPath());
+            sslConfigs.put(SecurityConfigs.SSL_KEYSTORE_TYPE_CONFIG, "JKS");
+            sslConfigs.put(SecurityConfigs.SSL_KEYMANAGER_ALGORITHM_CONFIG, TrustManagerFactory.getDefaultAlgorithm());
+            sslConfigs.put(SecurityConfigs.SSL_KEYSTORE_PASSWORD_CONFIG, password);
+            sslConfigs.put(SecurityConfigs.SSL_KEY_PASSWORD_CONFIG, keyPassword);
         }
 
-        sslConfigs.put(CommonClientConfigs.SSL_CLIENT_REQUIRE_CERT_CONFIG, useClientCert);
-        sslConfigs.put(CommonClientConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG, trustStoreFile.getPath());
-        sslConfigs.put(CommonClientConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG, trustStorePassword);
-        sslConfigs.put(CommonClientConfigs.SSL_TRUSTSTORE_TYPE_CONFIG, "JKS");
-        sslConfigs.put(CommonClientConfigs.SSL_TRUSTMANAGER_ALGORITHM_CONFIG, "SunX509");
+        sslConfigs.put(SecurityConfigs.SSL_CLIENT_REQUIRE_CERT_CONFIG, useClientCert);
+        sslConfigs.put(SecurityConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG, trustStoreFile.getPath());
+        sslConfigs.put(SecurityConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG, trustStorePassword);
+        sslConfigs.put(SecurityConfigs.SSL_TRUSTSTORE_TYPE_CONFIG, "JKS");
+        sslConfigs.put(SecurityConfigs.SSL_TRUSTMANAGER_ALGORITHM_CONFIG, TrustManagerFactory.getDefaultAlgorithm());
 
         List enabledProtocols  = new ArrayList();
         enabledProtocols.add("TLSv1.2");
-        sslConfigs.put(CommonClientConfigs.SSL_ENABLED_PROTOCOLS_CONFIG, enabledProtocols);
+        sslConfigs.put(SecurityConfigs.SSL_ENABLED_PROTOCOLS_CONFIG, enabledProtocols);
 
         return sslConfigs;
     }
 
-    public static Map> createSSLConfigs(boolean useClientCert, boolean trustStore)
+    public static Map> createSSLConfigs(boolean useClientCert, boolean trustStore)
         throws IOException, GeneralSecurityException {
-        Map> sslConfigs = new HashMap>();
+        Map> sslConfigs = new HashMap>();
         Map certs = new HashMap();
         File trustStoreFile = File.createTempFile("truststore", ".jks");
         File clientKeyStoreFile = null;
-- 
2.4.4


From ca0456dc01def337ee1711cabd9c4e9df4af61ee Mon Sep 17 00:00:00 2001
From: Sriharsha Chintalapani 
Date: Wed, 20 May 2015 14:23:29 -0700
Subject: [PATCH 08/19] KAFKA-1690. new java producer needs ssl support as a
 client. Addressing reviews.

---
 .../main/java/org/apache/kafka/common/network/SSLTransportLayer.java | 4 ----
 .../main/java/org/apache/kafka/common/network/TransportLayer.java    | 5 -----
 2 files changed, 9 deletions(-)

diff --git a/clients/src/main/java/org/apache/kafka/common/network/SSLTransportLayer.java b/clients/src/main/java/org/apache/kafka/common/network/SSLTransportLayer.java
index f25e537..770f4ae 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/SSLTransportLayer.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/SSLTransportLayer.java
@@ -324,10 +324,6 @@ public class SSLTransportLayer implements TransportLayer {
         closed = !netWriteBuffer.hasRemaining() && (handshake.getHandshakeStatus() != HandshakeStatus.NEED_WRAP);
     }
 
-    public boolean isOpen() {
-        return socketChannel.isOpen();
-    }
-
     public boolean isReady() {
         return handshakeComplete;
     }
diff --git a/clients/src/main/java/org/apache/kafka/common/network/TransportLayer.java b/clients/src/main/java/org/apache/kafka/common/network/TransportLayer.java
index 05750f4..002a695 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/TransportLayer.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/TransportLayer.java
@@ -64,11 +64,6 @@ public interface TransportLayer {
     boolean isReady();
 
     /**
-     * Retruns true if socketChannel is open.
-     */
-    boolean isOpen();
-
-    /**
      * calls internal socketChannel.finishConnect()
      */
     void finishConnect() throws IOException;
-- 
2.4.4


From 7e3a4cfc58932aab4288677111af52f94c9012b6 Mon Sep 17 00:00:00 2001
From: Sriharsha Chintalapani 
Date: Wed, 20 May 2015 14:37:52 -0700
Subject: [PATCH 09/19] KAFKA-1690. new java producer needs ssl support as a
 client. Addressing reviews.

---
 clients/src/main/java/org/apache/kafka/common/network/Channel.java | 1 -
 1 file changed, 1 deletion(-)

diff --git a/clients/src/main/java/org/apache/kafka/common/network/Channel.java b/clients/src/main/java/org/apache/kafka/common/network/Channel.java
index f7dda3e..11873a3 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/Channel.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/Channel.java
@@ -53,7 +53,6 @@ public class Channel implements ScatteringByteChannel, GatheringByteChannel {
     /**
      * returns user principal for the session
      * In case of PLAINTEXT and No Authentication returns ANONYMOUS as the userPrincipal
-     * If SSL used than
      * If SSL used without any SASL Authentication returns SSLSession.peerPrincipal
      */
     public Principal principal() throws IOException {
-- 
2.4.4


From 9bdc0000eb24f8682184f7fb39578f239a7b6dde Mon Sep 17 00:00:00 2001
From: Sriharsha Chintalapani 
Date: Thu, 21 May 2015 09:50:52 -0700
Subject: [PATCH 10/19] KAFKA-1690. new java producer needs ssl support as a
 client. Fixed minor issues with the patch.

---
 checkstyle/checkstyle.xml                          | 24 +++++++++++-----------
 checkstyle/import-control.xml                      | 21 ++++++++-----------
 .../apache/kafka/clients/CommonClientConfigs.java  | 14 ++++++-------
 .../java/org/apache/kafka/test/TestSSLUtils.java   |  3 +--
 4 files changed, 28 insertions(+), 34 deletions(-)

diff --git a/checkstyle/checkstyle.xml b/checkstyle/checkstyle.xml
index 5031415..a215ff3 100644
--- a/checkstyle/checkstyle.xml
+++ b/checkstyle/checkstyle.xml
@@ -1,6 +1,6 @@
 
 
 
+--> 
 
   
-
+  
   
-
+  
   
   
     
   
-
+  
   
-
+    
     
     
     
@@ -39,7 +39,7 @@
     
     
     
-
+    
     
     
     
@@ -60,12 +60,12 @@
     
     
     
-
+    
     
     
       
     
-
+    
     
     
     
@@ -80,4 +80,4 @@
     
     
   
-
+
\ No newline at end of file
diff --git a/checkstyle/import-control.xml b/checkstyle/import-control.xml
index 1ebe211..9145d87 100644
--- a/checkstyle/import-control.xml
+++ b/checkstyle/import-control.xml
@@ -1,6 +1,6 @@
 
+"-//Puppy Crawl//DTD Import Control 1.1//EN"
+"http://www.puppycrawl.com/dtds/import_control_1_1.dtd">
 
+
 
 
 	
@@ -26,8 +27,7 @@
 	
 	
 	
-	
-	
+  
 
 	
 	
@@ -52,16 +52,12 @@
 		
 
 		
-      		
-      		
-      		
+      
+		  
+		  
 			
 		
 
-    	
-      		
-    	
-
 		
 			
 			
@@ -82,7 +78,6 @@
 		
 			
 		
-
 	
 
 	
@@ -107,7 +102,7 @@
 
 	
 		
-    	
+    
 	
 
 
diff --git a/clients/src/main/java/org/apache/kafka/clients/CommonClientConfigs.java b/clients/src/main/java/org/apache/kafka/clients/CommonClientConfigs.java
index 16507c7..cf32e4e 100644
--- a/clients/src/main/java/org/apache/kafka/clients/CommonClientConfigs.java
+++ b/clients/src/main/java/org/apache/kafka/clients/CommonClientConfigs.java
@@ -3,9 +3,9 @@
  * file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file
  * to You under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the
  * License. You may obtain a copy of the License at
- *
+ * 
  * http://www.apache.org/licenses/LICENSE-2.0
- *
+ * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
  * specific language governing permissions and limitations under the License.
@@ -17,7 +17,7 @@ package org.apache.kafka.clients;
  * Some configurations shared by both producer and consumer
  */
 public class CommonClientConfigs {
-
+    
     /*
      * NOTE: DO NOT CHANGE EITHER CONFIG NAMES AS THESE ARE PART OF THE PUBLIC API AND CHANGE WILL BREAK USER CODE.
      */
@@ -27,10 +27,10 @@ public class CommonClientConfigs {
                                                        + "host1:port1,host2:port2,.... Since these servers are just used for the initial connection to "
                                                        + "discover the full cluster membership (which may change dynamically), this list need not contain the full set of "
                                                        + "servers (you may want more than one, though, in case a server is down).";
-
+    
     public static final String METADATA_MAX_AGE_CONFIG = "metadata.max.age.ms";
     public static final String METADATA_MAX_AGE_DOC = "The period of time in milliseconds after which we force a refresh of metadata even if we haven't seen any partition leadership changes to proactively discover any new brokers or partitions.";
-
+    
     public static final String SEND_BUFFER_CONFIG = "send.buffer.bytes";
     public static final String SEND_BUFFER_DOC = "The size of the TCP send buffer (SO_SNDBUF) to use when sending data.";
 
@@ -45,7 +45,7 @@ public class CommonClientConfigs {
 
     public static final String RETRY_BACKOFF_MS_CONFIG = "retry.backoff.ms";
     public static final String RETRY_BACKOFF_MS_DOC = "The amount of time to wait before attempting to retry a failed fetch request to a given topic partition. This avoids repeated fetching-and-failing in a tight loop.";
-
+    
     public static final String METRICS_SAMPLE_WINDOW_MS_CONFIG = "metrics.sample.window.ms";
     public static final String METRICS_SAMPLE_WINDOW_MS_DOC = "The number of samples maintained to compute metrics.";
 
@@ -55,4 +55,4 @@ public class CommonClientConfigs {
     public static final String METRIC_REPORTER_CLASSES_CONFIG = "metric.reporters";
     public static final String METRIC_REPORTER_CLASSES_DOC = "A list of classes to use as metrics reporters. Implementing the MetricReporter interface allows plugging in classes that will be notified of new metric creation. The JmxReporter is always included to register JMX statistics.";
 
-}
+}
\ No newline at end of file
diff --git a/clients/src/test/java/org/apache/kafka/test/TestSSLUtils.java b/clients/src/test/java/org/apache/kafka/test/TestSSLUtils.java
index b34d085..093f33b 100644
--- a/clients/src/test/java/org/apache/kafka/test/TestSSLUtils.java
+++ b/clients/src/test/java/org/apache/kafka/test/TestSSLUtils.java
@@ -66,8 +66,7 @@ public class TestSSLUtils {
      * @param days how many days from now the Certificate is valid for
      * @param algorithm the signing algorithm, eg "SHA1withRSA"
      * @return the self-signed certificate
-     * @throws IOException thrown if an IO error ocurred.
-     * @throws GeneralSecurityException thrown if an Security error ocurred.
+     * @throws CertificateException thrown if a security error or an IO error ocurred.
      */
     public static X509Certificate generateCertificate(String dn, KeyPair pair,
                                                       int days, String algorithm)
-- 
2.4.4


From 65396b5cabeaf61579c6e6422848877fc7a896a9 Mon Sep 17 00:00:00 2001
From: Sriharsha Chintalapani 
Date: Thu, 21 May 2015 10:27:11 -0700
Subject: [PATCH 11/19] KAFKA-1690. new java producer needs ssl support as a
 client. Fixed minor issues with the patch.

---
 checkstyle/import-control.xml | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/checkstyle/import-control.xml b/checkstyle/import-control.xml
index 9145d87..3f7c71d 100644
--- a/checkstyle/import-control.xml
+++ b/checkstyle/import-control.xml
@@ -27,7 +27,7 @@
 	
 	
 	
-  
+	
 
 	
 	
@@ -52,12 +52,16 @@
 		
 
 		
-      
-		  
-		  
+			
+			
+			
 			
 		
 
+		
+                        
+                
+
 		
 			
 			
@@ -102,7 +106,7 @@
 
 	
 		
-    
+		
 	
 
 
-- 
2.4.4


From b37330a7b4ec3adfba4f0c6e33ab172be03406be Mon Sep 17 00:00:00 2001
From: Sriharsha Chintalapani 
Date: Thu, 28 May 2015 20:57:06 -0700
Subject: [PATCH 12/19] KAFKA-1690. new java producer needs ssl support as a
 client.

---
 build.gradle                                       |   8 +-
 .../org/apache/kafka/common/network/Channel.java   | 127 +++++++-------
 .../kafka/common/network/ChannelBuilder.java       |   3 +-
 .../common/network/PlainTextChannelBuilder.java    |   4 +-
 .../common/network/PlainTextTransportLayer.java    |   4 +
 .../kafka/common/network/SSLChannelBuilder.java    |   4 +-
 .../kafka/common/network/SSLTransportLayer.java    |  97 ++++++-----
 .../org/apache/kafka/common/network/Selector.java  | 194 +++++++--------------
 .../kafka/common/network/TransportLayer.java       |  30 +---
 .../kafka/common/network/SSLSelectorTest.java      | 128 ++------------
 .../apache/kafka/common/network/SelectorTest.java  |   6 +-
 11 files changed, 214 insertions(+), 391 deletions(-)

diff --git a/build.gradle b/build.gradle
index 3633152..e3897b3 100644
--- a/build.gradle
+++ b/build.gradle
@@ -384,8 +384,8 @@ project(':clients') {
     archives testJar
   }
 
-  checkstyle {
-    configFile = new File(rootDir, "checkstyle/checkstyle.xml")
-  }
-  test.dependsOn('checkstyleMain', 'checkstyleTest')
+  // checkstyle {
+  //   configFile = new File(rootDir, "checkstyle/checkstyle.xml")
+  // }
+  // test.dependsOn('checkstyleMain', 'checkstyleTest')
 }
diff --git a/clients/src/main/java/org/apache/kafka/common/network/Channel.java b/clients/src/main/java/org/apache/kafka/common/network/Channel.java
index 11873a3..616bfcf 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/Channel.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/Channel.java
@@ -19,13 +19,8 @@ package org.apache.kafka.common.network;
 
 
 import java.io.IOException;
-import java.io.DataInputStream;
-import java.io.DataOutputStream;
 
-import java.nio.ByteBuffer;
-import java.nio.channels.ScatteringByteChannel;
-import java.nio.channels.GatheringByteChannel;
-import java.nio.channels.SocketChannel;
+import java.net.Socket;
 import java.nio.channels.SelectionKey;
 
 import java.security.Principal;
@@ -34,13 +29,16 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 
-public class Channel implements ScatteringByteChannel, GatheringByteChannel {
+public class Channel {
     private static final Logger log = LoggerFactory.getLogger(Channel.class);
+    private final int id;
     private TransportLayer transportLayer;
     private Authenticator authenticator;
+    private NetworkReceive receive;
+    private NetworkSend send;
 
-
-    public Channel(TransportLayer transportLayer, Authenticator authenticator) throws IOException {
+    public Channel(int id, TransportLayer transportLayer, Authenticator authenticator) throws IOException {
+        this.id = id;
         this.transportLayer = transportLayer;
         this.authenticator = authenticator;
     }
@@ -59,7 +57,10 @@ public class Channel implements ScatteringByteChannel, GatheringByteChannel {
         return authenticator.principal();
     }
 
-    public void connect() throws IOException {
+    /**
+     * Does handshake of transportLayer and Authentication using configured authenticator
+     */
+    public void prepare() throws IOException {
         if (transportLayer.isReady() && authenticator.isComplete())
             return;
         if (!transportLayer.isReady())
@@ -72,80 +73,80 @@ public class Channel implements ScatteringByteChannel, GatheringByteChannel {
         transportLayer.disconnect();
     }
 
-    public boolean isOpen() {
-        return transportLayer.socketChannel().isOpen();
-    }
-
-    public SocketChannel socketChannel() {
-        return transportLayer.socketChannel();
-    }
-
-    public TransportLayer transportLayer() {
-        return transportLayer;
-    }
 
-    /**
-     * Writes a sequence of bytes to this channel from the given buffer.
-     */
-    @Override
-    public int write(ByteBuffer src) throws IOException {
-        return transportLayer.write(src);
-    }
-
-    @Override
-    public long write(ByteBuffer[] srcs) throws IOException {
-        return transportLayer.write(srcs);
+    public void finishConnect() throws IOException {
+        transportLayer.finishConnect();
     }
 
-    @Override
-    public long write(ByteBuffer[] srcs, int offset, int length) throws IOException {
-        return transportLayer.write(srcs, offset, length);
+    public int id() {
+        return id;
     }
 
-    @Override
-    public int read(ByteBuffer dst) throws IOException {
-        return transportLayer.read(dst);
+    public void mute() {
+        transportLayer.removeInterestOps(SelectionKey.OP_READ);
     }
 
-    @Override
-    public long read(ByteBuffer[] dsts) throws IOException {
-        return transportLayer.read(dsts);
+    public void unmute() {
+        transportLayer.addInterestOps(SelectionKey.OP_READ);
     }
 
-    @Override
-    public long read(ByteBuffer[] dsts, int offset, int length) throws IOException {
-        return transportLayer.read(dsts, offset, length);
+    public boolean isReady() {
+        return transportLayer.isReady() && authenticator.isComplete();
     }
 
-    public void finishConnect() throws IOException {
-        transportLayer.finishConnect();
+    public String socketDescription() {
+        Socket socket = transportLayer.socketChannel().socket();
+        if (socket == null)
+            return "[unconnected socket]";
+        else if (socket.getInetAddress() != null)
+            return socket.getInetAddress().toString();
+        else
+            return socket.getLocalAddress().toString();
     }
 
-    public void addInterestOps(int ops) {
-        transportLayer.addInterestOps(ops);
+    public void setSend(NetworkSend send) {
+        if (this.send != null)
+            throw new IllegalStateException("Attempt to begin a send operation with prior send operation still in progress.");
+        this.send = send;
+        this.transportLayer.addInterestOps(SelectionKey.OP_WRITE);
     }
 
-    public void removeInterestOps(int ops) {
-        transportLayer.removeInterestOps(ops);
-    }
+    public NetworkReceive read() throws IOException {
+        NetworkReceive result = null;
 
-    public void mute() {
-        transportLayer.removeInterestOps(SelectionKey.OP_READ);
+        if (receive == null) {
+            receive = new NetworkReceive(id);
+        }
+        receive(receive);
+        if (receive.complete()) {
+            receive.payload().rewind();
+            result = receive;
+            receive = null;
+        }
+        return result;
     }
 
-    public void unmute() {
-        transportLayer.addInterestOps(SelectionKey.OP_READ);
+    public NetworkSend write() throws IOException {
+        NetworkSend result = null;
+        if (send != null && send(send)) {
+            result = send;
+            send = null;
+        }
+        return result;
     }
 
-    public boolean isReady() {
-        return transportLayer.isReady() && authenticator.isComplete();
+    private long receive(NetworkReceive receive) throws IOException {
+        long result = receive.readFrom(transportLayer);
+        return result;
     }
 
-    public DataInputStream getInputStream() throws IOException {
-        return transportLayer.inStream();
+    private boolean send(NetworkSend send) throws IOException {
+        send.writeTo(transportLayer);
+        boolean sendComplete = send.remaining() == 0;
+        if (sendComplete) {
+            transportLayer.removeInterestOps(SelectionKey.OP_WRITE);
+        }
+        return sendComplete;
     }
 
-    public DataOutputStream getOutputStream() throws IOException {
-        return transportLayer.outStream();
-    }
-}
+ }
diff --git a/clients/src/main/java/org/apache/kafka/common/network/ChannelBuilder.java b/clients/src/main/java/org/apache/kafka/common/network/ChannelBuilder.java
index 5dd1aef..8cdd0fc 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/ChannelBuilder.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/ChannelBuilder.java
@@ -30,9 +30,10 @@ public interface ChannelBuilder {
 
     /**
      * returns a Channel with TransportLayer and Authenticator configured.
+     * @param  id
      * @param  socketChannel
      */
-    public Channel buildChannel(SelectionKey key) throws KafkaException;
+    public Channel buildChannel(int id, SelectionKey key) throws KafkaException;
 
 
     /**
diff --git a/clients/src/main/java/org/apache/kafka/common/network/PlainTextChannelBuilder.java b/clients/src/main/java/org/apache/kafka/common/network/PlainTextChannelBuilder.java
index 51adce5..ecef62a 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/PlainTextChannelBuilder.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/PlainTextChannelBuilder.java
@@ -37,12 +37,12 @@ public class PlainTextChannelBuilder implements ChannelBuilder {
         }
     }
 
-    public Channel buildChannel(SelectionKey key) throws KafkaException {
+    public Channel buildChannel(int id, SelectionKey key) throws KafkaException {
         Channel channel = null;
         try {
             PlainTextTransportLayer transportLayer = new PlainTextTransportLayer(key);
             Authenticator authenticator = new DefaultAuthenticator(transportLayer, this.principalBuilder);
-            channel = new Channel(transportLayer, authenticator);
+            channel = new Channel(id, transportLayer, authenticator);
         } catch (Exception e) {
             log.warn("Failed to create channel due to ", e);
             throw new KafkaException(e);
diff --git a/clients/src/main/java/org/apache/kafka/common/network/PlainTextTransportLayer.java b/clients/src/main/java/org/apache/kafka/common/network/PlainTextTransportLayer.java
index eb4504b..f730c25 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/PlainTextTransportLayer.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/PlainTextTransportLayer.java
@@ -58,6 +58,10 @@ public class PlainTextTransportLayer implements TransportLayer {
         socketChannel.close();
     }
 
+    public boolean isOpen() {
+        return socketChannel.isOpen();
+    }
+
     public void disconnect() {
         key.cancel();
     }
diff --git a/clients/src/main/java/org/apache/kafka/common/network/SSLChannelBuilder.java b/clients/src/main/java/org/apache/kafka/common/network/SSLChannelBuilder.java
index 22fec8b..8766824 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/SSLChannelBuilder.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/SSLChannelBuilder.java
@@ -43,7 +43,7 @@ public class SSLChannelBuilder implements ChannelBuilder {
         }
     }
 
-    public Channel buildChannel(SelectionKey key) throws KafkaException {
+    public Channel buildChannel(int id, SelectionKey key) throws KafkaException {
         Channel channel = null;
         try {
             SocketChannel socketChannel = (SocketChannel) key.channel();
@@ -52,7 +52,7 @@ public class SSLChannelBuilder implements ChannelBuilder {
                                                                                                 socketChannel.socket().getPort()),
                                                                      executorService);
             Authenticator authenticator = new DefaultAuthenticator(transportLayer, this.principalBuilder);
-            channel = new Channel(transportLayer, authenticator);
+            channel = new Channel(id, transportLayer, authenticator);
         } catch (Exception e) {
             log.info("Failed to create channel due to ", e);
             throw new KafkaException(e);
diff --git a/clients/src/main/java/org/apache/kafka/common/network/SSLTransportLayer.java b/clients/src/main/java/org/apache/kafka/common/network/SSLTransportLayer.java
index 770f4ae..f79b5ef 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/SSLTransportLayer.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/SSLTransportLayer.java
@@ -63,6 +63,7 @@ public class SSLTransportLayer implements TransportLayer {
     private DataOutputStream outStream;
     private ExecutorService executorService;
     private int interestOps;
+    private int socketSendBufferSize;
 
     public SSLTransportLayer(SelectionKey key, SSLEngine sslEngine, ExecutorService executorService) throws IOException {
         this.key = key;
@@ -72,6 +73,7 @@ public class SSLTransportLayer implements TransportLayer {
         this.netReadBuffer = ByteBuffer.allocateDirect(packetBufferSize());
         this.netWriteBuffer = ByteBuffer.allocateDirect(packetBufferSize());
         this.appReadBuffer = ByteBuffer.allocateDirect(applicationBufferSize());
+        this.socketSendBufferSize = this.socketChannel.socket().getSendBufferSize();
     }
 
     private void startHandshake() throws IOException {
@@ -85,6 +87,8 @@ public class SSLTransportLayer implements TransportLayer {
         //initiate handshake
         sslEngine.beginHandshake();
         handshakeStatus = sslEngine.getHandshakeStatus();
+        if (handshakeStatus == HandshakeStatus.NEED_WRAP)
+            key.interestOps(key.interestOps() | SelectionKey.OP_WRITE);
     }
 
     public SocketChannel socketChannel() {
@@ -95,10 +99,14 @@ public class SSLTransportLayer implements TransportLayer {
         socketChannel.finishConnect();
         removeInterestOps(SelectionKey.OP_CONNECT);
         addInterestOps(SelectionKey.OP_READ);
-        key.interestOps(key.interestOps() & ~SelectionKey.OP_CONNECT);
+        key.interestOps(key.interestOps() & ~SelectionKey.OP_CONNECT | SelectionKey.OP_READ);
         startHandshake();
     }
 
+    public boolean isOpen() {
+        return socketChannel.isOpen();
+    }
+
     public void disconnect() {
         key.cancel();
     }
@@ -135,7 +143,7 @@ public class SSLTransportLayer implements TransportLayer {
         try {
             switch(handshakeStatus) {
                 case NEED_TASK:
-                    handshakeStatus = tasks();
+                    handshakeStatus = runDelegatedTasks();
                     break;
                 case NEED_WRAP:
                     handshakeResult = handshakeWrap(write);
@@ -153,8 +161,8 @@ public class SSLTransportLayer implements TransportLayer {
                     }
                     //fall down to NEED_UNWRAP on the same call, will result in a
                     //BUFFER_UNDERFLOW if it needs data
-                    if (handshakeStatus != HandshakeStatus.NEED_UNWRAP || !flush(netWriteBuffer)) {
-                        key.interestOps(SelectionKey.OP_WRITE);
+                    if (handshakeStatus != HandshakeStatus.NEED_UNWRAP || !flush(netWriteBuffer)) { //check for write bit
+                        key.interestOps(key.interestOps() | SelectionKey.OP_WRITE);
                         break;
                     }
                 case NEED_UNWRAP:
@@ -165,7 +173,6 @@ public class SSLTransportLayer implements TransportLayer {
                         if (netReadBuffer.position() >= currentPacketBufferSize) {
                             throw new IllegalStateException("Buffer underflow when there is available data");
                         }
-                        if (!read) key.interestOps(SelectionKey.OP_READ);
                     } else if (handshakeResult.getStatus() == Status.BUFFER_OVERFLOW) {
                         int currentAppBufferSize = applicationBufferSize();
                         netReadBuffer = Utils.ensureCapacity(netReadBuffer, currentAppBufferSize);
@@ -173,16 +180,20 @@ public class SSLTransportLayer implements TransportLayer {
                             throw new IllegalStateException("Buffer underflow when available data (" + netReadBuffer.position() +
                                                             ") > packet buffer size (" + currentAppBufferSize + ")");
                         }
-
-                        if (!read) key.interestOps(SelectionKey.OP_READ);
                     } else if (handshakeResult.getStatus() == Status.CLOSED) {
                         throw new EOFException("SSL handshake status CLOSED during handshake UNWRAP");
                     }
                     //if handshakeStatus completed than fall-through to finished status.
                     //after handshake is finished there is no data left to read/write in socketChannel.
                     //so the selector won't invoke this channel if we don't go through the handshakeFinished here.
-                    if (handshakeStatus != HandshakeStatus.FINISHED)
+                    if (handshakeStatus != HandshakeStatus.FINISHED) {
+                        if (handshakeStatus == HandshakeStatus.NEED_WRAP) {
+                            key.interestOps(key.interestOps() | SelectionKey.OP_WRITE);
+                        } else if (handshakeStatus == HandshakeStatus.NEED_UNWRAP) {
+                            key.interestOps(key.interestOps() & ~SelectionKey.OP_WRITE);
+                        }
                         break;
+                    }
                 case FINISHED:
                     handshakeFinished();
                     break;
@@ -203,20 +214,13 @@ public class SSLTransportLayer implements TransportLayer {
      * Executes the SSLEngine tasks needed on the executorservice thread.
      * @return HandshakeStatus
      */
-    private HandshakeStatus tasks() {
-        final Runnable task = delegatedTask();
-
-        if (task != null) {
-            // un-register read/write ops while the delegated tasks are running.
-            key.interestOps(0);
-            executorService.submit(new Runnable() {
-                    @Override
-                    public void run() {
-                        task.run();
-                        // register read/write ops to continue handshake.
-                        key.interestOps(SelectionKey.OP_READ | SelectionKey.OP_WRITE);
-                    }
-                });
+    private HandshakeStatus runDelegatedTasks() {
+        for (;;) {
+            Runnable task = delegatedTask();
+            if (task == null) {
+                break;
+            }
+            task.run();
         }
         return sslEngine.getHandshakeStatus();
     }
@@ -236,7 +240,7 @@ public class SSLTransportLayer implements TransportLayer {
             if (handshakeComplete)
                 key.interestOps(interestOps);
             else
-                key.interestOps(SelectionKey.OP_WRITE);
+                key.interestOps(key.interestOps() | SelectionKey.OP_WRITE);
         } else {
             throw new IOException("NOT_HANDSHAKING during handshake");
         }
@@ -256,6 +260,10 @@ public class SSLTransportLayer implements TransportLayer {
         //prepare the results to be written
         netWriteBuffer.flip();
         handshakeStatus = result.getHandshakeStatus();
+        if (result.getStatus() == SSLEngineResult.Status.OK &&
+            result.getHandshakeStatus() == HandshakeStatus.NEED_TASK) {
+            handshakeStatus = runDelegatedTasks();
+        }
         //optimization, if we do have a writable channel, write it now
         if (doWrite) flush(netWriteBuffer);
         return result;
@@ -287,7 +295,7 @@ public class SSLTransportLayer implements TransportLayer {
             handshakeStatus = result.getHandshakeStatus();
             if (result.getStatus() == SSLEngineResult.Status.OK &&
                  result.getHandshakeStatus() == HandshakeStatus.NEED_TASK) {
-                handshakeStatus = tasks();
+                handshakeStatus = runDelegatedTasks();
             }
             cont = result.getStatus() == SSLEngineResult.Status.OK &&
                 handshakeStatus == HandshakeStatus.NEED_UNWRAP;
@@ -338,6 +346,7 @@ public class SSLTransportLayer implements TransportLayer {
     public int read(ByteBuffer dst) throws IOException {
         if (closing || closed) return -1;
         int read = 0;
+        if (!handshakeComplete) return read;
 
         //if we have unread decrypted data in appReadBuffer read that into dst buffer.
         if (appReadBuffer.position() > 0) {
@@ -346,16 +355,16 @@ public class SSLTransportLayer implements TransportLayer {
 
         if (dst.remaining() > 0) {
             boolean canRead = true;
+            netReadBuffer = Utils.ensureCapacity(netReadBuffer, packetBufferSize());
+            if (canRead && netReadBuffer.remaining() > 0) {
+                int netread = socketChannel.read(netReadBuffer);
+                canRead = netread > 0;
+            }
+
             do {
-                netReadBuffer = Utils.ensureCapacity(netReadBuffer, packetBufferSize());
-                if (canRead && netReadBuffer.remaining() > 0) {
-                    int netread = socketChannel.read(netReadBuffer);
-                    canRead = netread > 0;
-                }
                 netReadBuffer.flip();
                 SSLEngineResult unwrap = sslEngine.unwrap(netReadBuffer, appReadBuffer);
                 netReadBuffer.compact();
-
                 // handle ssl renegotiation.
                 if (unwrap.getHandshakeStatus() != HandshakeStatus.NOT_HANDSHAKING) {
                     handshake();
@@ -367,26 +376,21 @@ public class SSLTransportLayer implements TransportLayer {
                 } else if (unwrap.getStatus() == Status.BUFFER_OVERFLOW) {
                     int currentApplicationBufferSize = applicationBufferSize();
                     appReadBuffer = Utils.ensureCapacity(appReadBuffer, currentApplicationBufferSize);
-                    if (appReadBuffer.position() > 0) {
-                        break;
-                    } else if (appReadBuffer.position() >= currentApplicationBufferSize) {
+                    if (appReadBuffer.position() >= currentApplicationBufferSize) {
                         throw new IllegalStateException("Buffer overflow when available data (" + appReadBuffer.position() +
                                                         ") > application buffer size (" + currentApplicationBufferSize + ")");
                     }
+                    break;
                 } else if (unwrap.getStatus() == Status.BUFFER_UNDERFLOW) {
                     int currentPacketBufferSize = packetBufferSize();
                     netReadBuffer = Utils.ensureCapacity(netReadBuffer, currentPacketBufferSize);
-                    if (netReadBuffer.position() >= currentPacketBufferSize) {
-                        throw new IllegalStateException("Buffer underflow when available data (" + netReadBuffer.position() +
-                                                        ") > packet buffer size (" + currentPacketBufferSize + ")");
-                    }
-                    if (!canRead)
-                        break;
+                    break;
                 } else if (unwrap.getStatus() == Status.CLOSED) {
                     throw new EOFException();
                 }
-            } while(netReadBuffer.position() != 0);
+            } while(netReadBuffer.hasRemaining());
         }
+
         return read;
     }
 
@@ -416,12 +420,19 @@ public class SSLTransportLayer implements TransportLayer {
     public int write(ByteBuffer src) throws IOException {
         int written = 0;
         if (closing || closed) throw new IOException("Channel is in closing state");
+        if (!handshakeComplete) return written;
 
         if (!flush(netWriteBuffer))
             return written;
         netWriteBuffer.clear();
         SSLEngineResult wrap = sslEngine.wrap(src, netWriteBuffer);
         netWriteBuffer.flip();
+
+        if (wrap.getHandshakeStatus() != HandshakeStatus.NOT_HANDSHAKING) {
+            handshake();
+            return written;
+        }
+
         if (wrap.getStatus() == Status.OK) {
             written = wrap.bytesConsumed();
             flush(netWriteBuffer);
@@ -439,14 +450,16 @@ public class SSLTransportLayer implements TransportLayer {
     }
 
     public long write(ByteBuffer[] srcs, int offset, int length)  throws IOException {
-        int totalWritten = 0;
-        for (int i = offset; i < length; i++) {
+        long totalWritten = 0;
+        int i = offset;
+        while (i < length) {
             if (srcs[i].hasRemaining()) {
                 int written = write(srcs[i]);
                 if (written > 0) {
                     totalWritten += written;
                 }
             }
+            i++;
         }
         return totalWritten;
     }
diff --git a/clients/src/main/java/org/apache/kafka/common/network/Selector.java b/clients/src/main/java/org/apache/kafka/common/network/Selector.java
index 024059e..de0bbe9 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/Selector.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/Selector.java
@@ -77,8 +77,7 @@ public class Selector implements Selectable {
     private static final Logger log = LoggerFactory.getLogger(Selector.class);
 
     private final java.nio.channels.Selector selector;
-    private final Map keys;
-    private final Map channels;
+    private final Map channels;
     private final List completedSends;
     private final List completedReceives;
     private final List disconnected;
@@ -103,8 +102,7 @@ public class Selector implements Selectable {
         this.time = time;
         this.metricGrpPrefix = metricGrpPrefix;
         this.metricTags = metricTags;
-        this.keys = new HashMap();
-        this.channels = new HashMap();
+        this.channels = new HashMap();
         this.completedSends = new ArrayList();
         this.completedReceives = new ArrayList();
         this.connected = new ArrayList();
@@ -129,16 +127,15 @@ public class Selector implements Selectable {
      */
     @Override
     public void connect(int id, InetSocketAddress address, int sendBufferSize, int receiveBufferSize) throws IOException {
-        if (this.keys.containsKey(id))
+        if (this.channels.containsKey(id))
             throw new IllegalStateException("There is already a connection for id " + id);
 
         SocketChannel socketChannel = SocketChannel.open();
         socketChannel.configureBlocking(false);
-        Socket socket = socketChannel.socket();
-        socket.setKeepAlive(true);
-        socket.setSendBufferSize(sendBufferSize);
-        socket.setReceiveBufferSize(receiveBufferSize);
-        socket.setTcpNoDelay(true);
+        socketChannel.socket().setKeepAlive(true);
+        socketChannel.socket().setSendBufferSize(sendBufferSize);
+        socketChannel.socket().setReceiveBufferSize(receiveBufferSize);
+        socketChannel.socket().setTcpNoDelay(true);
         try {
             socketChannel.connect(address);
         } catch (UnresolvedAddressException e) {
@@ -150,10 +147,9 @@ public class Selector implements Selectable {
         }
 
         SelectionKey key = socketChannel.register(this.selector, SelectionKey.OP_CONNECT);
-        key.attach(new Transmissions(id));
-        Channel channel = channelBuilder.buildChannel(key);
-        this.keys.put(id, key);
-        this.channels.put(key, channel);
+        Channel channel = channelBuilder.buildChannel(id, key);
+        key.attach(channel);
+        this.channels.put(id, channel);
     }
 
     /**
@@ -181,7 +177,7 @@ public class Selector implements Selectable {
     @Override
     public void close() {
         for (SelectionKey key : this.selector.keys())
-            close(key);
+            close(channel(key));
         try {
             this.selector.close();
         } catch (IOException e) {
@@ -196,17 +192,15 @@ public class Selector implements Selectable {
      * @param send The request to send
      */
     public void send(NetworkSend send) {
-        SelectionKey key = keyForId(send.destination());
-        Channel channel = channel(key);
-        Transmissions transmissions = transmissions(key);
-        if (transmissions.hasSend())
-            throw new IllegalStateException("Attempt to begin a send operation with prior send operation still in progress.");
-        transmissions.send = send;
+        Channel channel = channelForId(send.destination());
+        if (channel == null) {
+            throw new IllegalStateException("channel is not connected");
+        }
         try {
-            channel.addInterestOps(SelectionKey.OP_WRITE);
+            channel.setSend(send);
         } catch (CancelledKeyException e) {
-            close(key);
             this.failedSends.add(send.destination());
+            close(channel);
         }
     }
 
@@ -239,62 +233,56 @@ public class Selector implements Selectable {
             while (iter.hasNext()) {
                 SelectionKey key = iter.next();
                 iter.remove();
-
-                Transmissions transmissions = transmissions(key);
                 Channel channel = channel(key);
 
                 // register all per-broker metrics at once
-                sensors.maybeRegisterNodeMetrics(transmissions.id);
+                sensors.maybeRegisterNodeMetrics(channel.id());
 
                 try {
                     /* complete any connections that have finished their handshake */
                     if (key.isConnectable()) {
                         channel.finishConnect();
-                        this.connected.add(transmissions.id);
+                        this.connected.add(channel.id());
                         this.sensors.connectionCreated.record();
                     }
 
+                    /* if channel is not ready finish prepare */
                     if (!channel.isReady()) {
-                        channel.connect();
-                    } else {
-                        /* read from any connections that have readable data */
-                        if (key.isReadable()) {
-                            if (!transmissions.hasReceive())
-                                transmissions.receive = new NetworkReceive(transmissions.id);
-                            while (transmissions.receive.readFrom(channel) > 0 && transmissions.receive.complete()) {
-                                transmissions.receive.payload().rewind();
-                                this.completedReceives.add(transmissions.receive);
-                                this.sensors.recordBytesReceived(transmissions.id, transmissions.receive.payload().limit());
-                                transmissions.clearReceive();
-                                if (!transmissions.hasReceive())
-                                    transmissions.receive = new NetworkReceive(transmissions.id);
-                            }
+                        channel.prepare();
+                    }
+
+                     /* if channel is ready read from any connections that have readable data */
+                    if (key.isReadable() && channel.isReady()) {
+                        NetworkReceive networkReceive;
+                        while ((networkReceive = channel.read()) != null) {
+                            networkReceive.payload().rewind();
+                            this.completedReceives.add(networkReceive);
+                            this.sensors.recordBytesReceived(channel.id(), networkReceive.payload().limit());
                         }
+                    }
 
-                        /* write to any sockets that have space in their buffer and for which we have data */
-                        if (key.isWritable()) {
-                            transmissions.send.writeTo(channel);
-                            if (transmissions.send.remaining() <= 0) {
-                                this.completedSends.add(transmissions.send);
-                                this.sensors.recordBytesSent(transmissions.id, transmissions.send.size());
-                                transmissions.clearSend();
-                                channel.removeInterestOps(SelectionKey.OP_WRITE);
-                            }
+                    /* if channel is ready write to any sockets that have space in their buffer and for which we have data */
+                    if (key.isWritable() && channel.isReady()) {
+                        NetworkSend networkSend = channel.write();
+                        if (networkSend != null) {
+                            this.completedSends.add(networkSend);
+                            this.sensors.recordBytesSent(channel.id(), networkSend.size());
                         }
                     }
+
                     /* cancel any defunct sockets */
                     if (!key.isValid()) {
-                        close(key);
-                        this.disconnected.add(transmissions.id);
+                        close(channel(key));
+                        this.disconnected.add(channel.id());
                     }
                 } catch (IOException e) {
-                    String desc = socketDescription(channel);
+                    String desc = channel.socketDescription();
                     if (e instanceof EOFException || e instanceof ConnectException)
                         log.info("Connection {} disconnected", desc);
                     else
                         log.warn("Error in I/O with connection to {}", desc, e);
-                    close(key);
-                    this.disconnected.add(transmissions.id);
+                    close(channel(key));
+                    this.disconnected.add(channel.id());
                 }
             }
         }
@@ -302,15 +290,6 @@ public class Selector implements Selectable {
         this.sensors.ioTime.record(endIo - endSelect, time.milliseconds());
     }
 
-    private String socketDescription(Channel channel) {
-        Socket socket = channel.socketChannel().socket();
-        if (socket == null)
-            return "[unconnected socket]";
-        else if (socket.getInetAddress() != null)
-            return socket.getInetAddress().toString();
-        else
-            return socket.getLocalAddress().toString();
-    }
 
     @Override
     public List completedSends() {
@@ -334,34 +313,34 @@ public class Selector implements Selectable {
 
     @Override
     public void mute(int id) {
-        mute(this.keyForId(id));
+        Channel channel = channelForId(id);
+        mute(channel);
     }
 
-    private void mute(SelectionKey key) {
-        Channel channel = channel(key);
+    private void mute(Channel channel) {
         channel.mute();
     }
 
     @Override
     public void unmute(int id) {
-        unmute(this.keyForId(id));
+        Channel channel = channelForId(id);
+        unmute(channel);
     }
 
-    private void unmute(SelectionKey key) {
-        Channel channel = channel(key);
+    private void unmute(Channel channel) {
         channel.unmute();
     }
 
     @Override
     public void muteAll() {
-        for (SelectionKey key : this.keys.values())
-            mute(key);
+        for (Channel channel : this.channels.values())
+            mute(channel);
     }
 
     @Override
     public void unmuteAll() {
-        for (SelectionKey key : this.keys.values())
-            unmute(key);
+        for (Channel channel : this.channels.values())
+            unmute(channel);
     }
 
     /**
@@ -395,80 +374,25 @@ public class Selector implements Selectable {
     /**
      * Begin closing this connection
      */
-    private void close(SelectionKey key) {
-        Channel channel = channel(key);
-        this.channels.remove(key);
-        Transmissions trans = transmissions(key);
-        if (trans != null) {
-            this.keys.remove(trans.id);
-            trans.clearReceive();
-            trans.clearSend();
-        }
-        key.attach(null);
-        key.cancel();
+    private void close(Channel channel) {
+        this.channels.remove(channel.id());
         try {
             channel.close();
         } catch (IOException e) {
-            log.error("Exception closing connection to node {}:", trans.id, e);
+            log.error("Exception closing connection to node {}:", channel.id(), e);
         }
         this.sensors.connectionClosed.record();
     }
 
     /**
-     * Get the selection key associated with this numeric id
-     */
-    private SelectionKey keyForId(int id) {
-        SelectionKey key = this.keys.get(id);
-        if (key == null)
-            throw new IllegalStateException("Attempt to write to socket for which there is no open connection.");
-        return key;
-    }
-
-    /**
-     * Get the transmissions for the given connection
-     */
-    private Transmissions transmissions(SelectionKey key) {
-        return (Transmissions) key.attachment();
-    }
-
-    /**
      * Get the Channel associated with this selection key
      */
     private Channel channel(SelectionKey key) {
-        return this.channels.get(key);
+        return (Channel) key.attachment();
     }
 
     protected Channel channelForId(int id) {
-        return channel(keyForId(id));
-    }
-
-    /**
-     * The id and in-progress send and receive associated with a connection
-     */
-    private static class Transmissions {
-        public int id;
-        public NetworkSend send;
-        public NetworkReceive receive;
-
-        public Transmissions(int id) {
-            this.id = id;
-        }
-
-        public boolean hasSend() {
-            return this.send != null;
-        }
-
-        public void clearSend() {
-            this.send = null;
-        }
-
-        public boolean hasReceive() {
-            return this.receive != null;
-        }
-
-        public void clearReceive() {
-            this.receive = null;
-        }
+        return channels.get(id);
     }
 
     private class SelectorMetrics {
@@ -530,7 +454,7 @@ public class Selector implements Selectable {
             metricName = new MetricName("connection-count", metricGrpName, "The current number of active connections.", metricTags);
             this.metrics.addMetric(metricName, new Measurable() {
                 public double measure(MetricConfig config, long now) {
-                    return keys.size();
+                    return channels.size();
                 }
             });
         }
diff --git a/clients/src/main/java/org/apache/kafka/common/network/TransportLayer.java b/clients/src/main/java/org/apache/kafka/common/network/TransportLayer.java
index 002a695..8fdaae2 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/TransportLayer.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/TransportLayer.java
@@ -22,6 +22,8 @@ package org.apache.kafka.common.network;
  */
 import java.io.IOException;
 import java.nio.ByteBuffer;
+import java.nio.channels.ScatteringByteChannel;
+import java.nio.channels.GatheringByteChannel;
 import java.nio.channels.SocketChannel;
 
 import java.io.DataInputStream;
@@ -30,33 +32,7 @@ import java.io.DataOutputStream;
 import java.security.Principal;
 
 
-public interface TransportLayer {
-
-    /**
-     * Closes this channel
-     *
-     * @throws IOException If and I/O error occurs
-     */
-    void close() throws IOException;
-
-    /**
-     * Writes a sequence of bytes to this channel from the given buffer.
-     */
-    int write(ByteBuffer src) throws IOException;
-
-    long write(ByteBuffer[] srcs) throws IOException;
-
-    long write(ByteBuffer[] srcs, int offset, int length) throws IOException;
-
-    /**
-     * Reads sequence of bytes from the channel to the given buffer.
-     */
-    int read(ByteBuffer dst) throws IOException;
-
-    long read(ByteBuffer[] dsts) throws IOException;
-
-    long read(ByteBuffer[] dsts, int offset, int length) throws IOException;
-
+public interface TransportLayer extends ScatteringByteChannel, GatheringByteChannel {
 
     /**
      * Returns true if the channel has handshake and authenticaiton done.
diff --git a/clients/src/test/java/org/apache/kafka/common/network/SSLSelectorTest.java b/clients/src/test/java/org/apache/kafka/common/network/SSLSelectorTest.java
index ab9e6b9..5ec02ef 100644
--- a/clients/src/test/java/org/apache/kafka/common/network/SSLSelectorTest.java
+++ b/clients/src/test/java/org/apache/kafka/common/network/SSLSelectorTest.java
@@ -63,7 +63,7 @@ public class SSLSelectorTest {
         Map sslClientConfigs = sslConfigs.get(SSLFactory.Mode.CLIENT);
         sslClientConfigs.put(SecurityConfigs.PRINCIPAL_BUILDER_CLASS_CONFIG, Class.forName(SecurityConfigs.DEFAULT_PRINCIPAL_BUILDER_CLASS));
 
-        this.channelBuilder = new MockSSLChannelBuilder();
+        this.channelBuilder = new SSLChannelBuilder();
         this.channelBuilder.configure(sslClientConfigs);
         this.selector = new Selector(new Metrics(), new MockTime(), "MetricGroup", new LinkedHashMap(), channelBuilder);
     }
@@ -140,6 +140,7 @@ public class SSLSelectorTest {
         sendAndReceive(node, requestPrefix, 0, reqs);
     }
 
+
     /**
      * Test sending an empty string
      */
@@ -150,6 +151,19 @@ public class SSLSelectorTest {
         assertEquals("", blockingRequest(node, ""));
     }
 
+    /**
+     * Test sending an small string
+     */
+    @Test
+    public void testIncompleteSend() throws Exception {
+        int bufferSize = 16391;
+        int node = 0;
+        InetSocketAddress addr = new InetSocketAddress("localhost", server.port);
+        selector.connect(node, addr, bufferSize, bufferSize);
+        String requestPrefix = TestUtils.randomString(bufferSize);
+        assertEquals(requestPrefix, blockingRequest(node, requestPrefix));
+    }
+
     @Test
     public void testMute() throws Exception {
         blockingConnect(0);
@@ -217,48 +231,6 @@ public class SSLSelectorTest {
         }
     }
 
-    @Test
-    public void testLongDeferredTasks() throws Exception {
-        final int fastNode = 0;
-        final int slowNode = 1;
-
-        // create connections
-        InetSocketAddress addr = new InetSocketAddress("localhost", server.port);
-        selector.connect(fastNode, addr, BUFFER_SIZE, BUFFER_SIZE);
-        selector.connect(slowNode, addr, BUFFER_SIZE, BUFFER_SIZE);
-
-        sendAndReceive(fastNode, String.valueOf(fastNode), 0, 10);
-        sendAndReceive(slowNode, String.valueOf(slowNode), 0, 10);
-
-        Semaphore delegatedTaskSemaphore = new Semaphore(0);
-        Channel channel = selector.channelForId(slowNode);
-        MockSSLTransportLayer sslTransportLayer = (MockSSLTransportLayer) channel.transportLayer();
-
-        sslTransportLayer.delegatedTaskSemaphore = delegatedTaskSemaphore;
-        // set renegotiate flag and send a message to trigger renegotiation on the slow channel
-        server.renegotiate();
-        selector.send(createSend(slowNode, String.valueOf(slowNode) + "-" + 11));
-        while (sslTransportLayer.engine.getHandshakeStatus() != SSLEngineResult.HandshakeStatus.NEED_TASK) {
-            selector.poll(1L);
-        }
-
-        // Slow channel is now blocked on the delegated task. Check that fast channel is able to make progress
-        sendAndReceive(fastNode, String.valueOf(fastNode), 10, 20);
-
-        // Allow slow channel to continue and check that it works as expected
-        delegatedTaskSemaphore.release(10);
-        selector.send(createSend(slowNode, String.valueOf(slowNode) + "-" + 12));
-        int responses = 11;
-        while (responses <= 12) {
-            selector.poll(0L);
-            for (NetworkReceive receive : selector.completedReceives()) {
-                assertEquals(slowNode + "-" + responses, asString(receive));
-                responses++;
-            }
-        }
-    }
-
-
 
     private String blockingRequest(int node, String s) throws IOException {
         selector.send(createSend(node, s));
@@ -308,74 +280,4 @@ public class SSLSelectorTest {
         }
     }
 
-    // Channel builder with MockSSLTransportLayer.
-    private static class MockSSLChannelBuilder implements ChannelBuilder {
-        private SSLFactory sslFactory;
-        private ExecutorService executorService;
-        private PrincipalBuilder principalBuilder;
-
-        public void configure(Map configs) throws KafkaException {
-            try {
-                this.executorService = Executors.newScheduledThreadPool(1);
-                this.sslFactory = new SSLFactory(SSLFactory.Mode.CLIENT);
-                this.sslFactory.configure(configs);
-                this.principalBuilder = (PrincipalBuilder) Utils.newInstance((Class) configs.get(SecurityConfigs.PRINCIPAL_BUILDER_CLASS_CONFIG));
-                this.principalBuilder.configure(configs);
-            } catch (Exception e) {
-                throw new KafkaException(e);
-            }
-        }
-
-
-        @Override
-        public Channel buildChannel(SelectionKey key) throws KafkaException {
-            Channel channel = null;
-            try {
-                SocketChannel socketChannel = (SocketChannel) key.channel();
-                MockSSLTransportLayer transportLayer = new MockSSLTransportLayer(key,
-                                                                                 sslFactory.createSSLEngine(socketChannel.socket().getInetAddress().getHostName(),
-                                                                                                    socketChannel.socket().getPort()),
-                                                                                 executorService);
-                Authenticator authenticator = new DefaultAuthenticator(transportLayer, this.principalBuilder);
-                channel = new Channel(transportLayer, authenticator);
-            } catch (Exception e) {
-                throw new KafkaException(e);
-            }
-            return channel;
-        }
-
-        public void close()  {
-            this.executorService.shutdown();
-            this.principalBuilder.close();
-        }
-    }
-
-    private static class MockSSLTransportLayer extends SSLTransportLayer {
-        private final SSLEngine engine;
-        private boolean engineClosed;
-        private Semaphore delegatedTaskSemaphore;
-
-        public MockSSLTransportLayer(SelectionKey key, SSLEngine engine, ExecutorService executorService) throws IOException {
-            super(key, engine, executorService);
-            this.engine = engine;
-        }
-
-        @Override
-        protected Runnable delegatedTask() {
-            final Runnable task = super.delegatedTask();
-            return task == null ? null : new Runnable() {
-                @Override
-                public void run() {
-                    if (delegatedTaskSemaphore != null) {
-                        try {
-                            delegatedTaskSemaphore.acquire();
-                        } catch (InterruptedException e) {
-                        }
-                    }
-                    task.run();
-                }
-            };
-        }
-    }
-
 }
diff --git a/clients/src/test/java/org/apache/kafka/common/network/SelectorTest.java b/clients/src/test/java/org/apache/kafka/common/network/SelectorTest.java
index 4bb95f0..c1dc5b8 100644
--- a/clients/src/test/java/org/apache/kafka/common/network/SelectorTest.java
+++ b/clients/src/test/java/org/apache/kafka/common/network/SelectorTest.java
@@ -202,16 +202,18 @@ public class SelectorTest {
     }
 
     @Test
-    public void testShortMessageSequence() throws Exception {
+    public void testLargeMessageSequence() throws Exception {
         int bufferSize = 512 * 1024;
         int node = 0;
         int reqs = 50;
         InetSocketAddress addr = new InetSocketAddress("localhost", server.port);
         selector.connect(node, addr, BUFFER_SIZE, BUFFER_SIZE);
-        String requestPrefix = "hello-wordl";
+        String requestPrefix = TestUtils.randomString(bufferSize);
         sendAndReceive(node, requestPrefix, 0, reqs);
     }
 
+
+
     /**
      * Test sending an empty string
      */
-- 
2.4.4


From fe595fd4fda45ebd7c5da88ee093ab17817bb94d Mon Sep 17 00:00:00 2001
From: Sriharsha Chintalapani 
Date: Wed, 3 Jun 2015 18:43:34 -0700
Subject: [PATCH 13/19] KAFKA-1690. new java producer needs ssl support as a
 client.

---
 build.gradle                                       |   8 +-
 .../java/org/apache/kafka/clients/ClientUtils.java |   4 +-
 .../apache/kafka/clients/CommonClientConfigs.java  |  18 +-
 .../kafka/clients/consumer/ConsumerConfig.java     |   2 +-
 .../kafka/clients/producer/ProducerConfig.java     |   2 +-
 .../kafka/common/config/SecurityConfigs.java       |   4 -
 .../kafka/common/network/ByteBufferReceive.java    |   5 +-
 .../kafka/common/network/ByteBufferSend.java       |  13 +-
 .../org/apache/kafka/common/network/Channel.java   |   7 +-
 .../kafka/common/network/NetworkReceive.java       |  11 +-
 .../common/network/PlainTextTransportLayer.java    | 140 +++++++++----
 .../org/apache/kafka/common/network/Receive.java   |   5 +-
 .../kafka/common/network/SSLChannelBuilder.java    |   8 +-
 .../apache/kafka/common/network/SSLFactory.java    |   2 +-
 .../kafka/common/network/SSLTransportLayer.java    | 224 +++++++++++++--------
 .../org/apache/kafka/common/network/Selector.java  |   1 -
 .../java/org/apache/kafka/common/network/Send.java |   9 +-
 .../kafka/common/network/TransportLayer.java       |  39 +++-
 .../kafka/clients/producer/KafkaProducerTest.java  |  19 +-
 .../apache/kafka/common/network/EchoServer.java    |   5 +-
 .../kafka/common/network/SSLSelectorTest.java      |  26 +--
 .../java/org/apache/kafka/test/TestSSLUtils.java   |   7 +-
 22 files changed, 328 insertions(+), 231 deletions(-)

diff --git a/build.gradle b/build.gradle
index e3897b3..3633152 100644
--- a/build.gradle
+++ b/build.gradle
@@ -384,8 +384,8 @@ project(':clients') {
     archives testJar
   }
 
-  // checkstyle {
-  //   configFile = new File(rootDir, "checkstyle/checkstyle.xml")
-  // }
-  // test.dependsOn('checkstyleMain', 'checkstyleTest')
+  checkstyle {
+    configFile = new File(rootDir, "checkstyle/checkstyle.xml")
+  }
+  test.dependsOn('checkstyleMain', 'checkstyleTest')
 }
diff --git a/clients/src/main/java/org/apache/kafka/clients/ClientUtils.java b/clients/src/main/java/org/apache/kafka/clients/ClientUtils.java
index 3e92d6d..782d182 100644
--- a/clients/src/main/java/org/apache/kafka/clients/ClientUtils.java
+++ b/clients/src/main/java/org/apache/kafka/clients/ClientUtils.java
@@ -23,7 +23,6 @@ import org.apache.kafka.common.protocol.SecurityProtocol;
 import org.apache.kafka.common.network.ChannelBuilder;
 import org.apache.kafka.common.network.SSLChannelBuilder;
 import org.apache.kafka.common.network.PlainTextChannelBuilder;
-import org.apache.kafka.common.config.SecurityConfigs;
 import org.apache.kafka.common.config.ConfigException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -75,8 +74,7 @@ public class ClientUtils {
      */
     public static ChannelBuilder createChannelBuilder(Map configs) {
         ChannelBuilder channelBuilder = null;
-        SecurityProtocol securityProtocol = configs.containsKey(SecurityConfigs.SECURITY_PROTOCOL_CONFIG) ?
-            SecurityProtocol.valueOf((String) configs.get(SecurityConfigs.SECURITY_PROTOCOL_CONFIG)) : SecurityProtocol.PLAINTEXT;
+        SecurityProtocol securityProtocol = SecurityProtocol.valueOf((String) configs.get(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG));
 
         if (securityProtocol == SecurityProtocol.SSL) {
             channelBuilder = new SSLChannelBuilder();
diff --git a/clients/src/main/java/org/apache/kafka/clients/CommonClientConfigs.java b/clients/src/main/java/org/apache/kafka/clients/CommonClientConfigs.java
index cf32e4e..796f23e 100644
--- a/clients/src/main/java/org/apache/kafka/clients/CommonClientConfigs.java
+++ b/clients/src/main/java/org/apache/kafka/clients/CommonClientConfigs.java
@@ -3,9 +3,9 @@
  * file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file
  * to You under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the
  * License. You may obtain a copy of the License at
- * 
+ *
  * http://www.apache.org/licenses/LICENSE-2.0
- * 
+ *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
  * specific language governing permissions and limitations under the License.
@@ -17,7 +17,7 @@ package org.apache.kafka.clients;
  * Some configurations shared by both producer and consumer
  */
 public class CommonClientConfigs {
-    
+
     /*
      * NOTE: DO NOT CHANGE EITHER CONFIG NAMES AS THESE ARE PART OF THE PUBLIC API AND CHANGE WILL BREAK USER CODE.
      */
@@ -27,10 +27,10 @@ public class CommonClientConfigs {
                                                        + "host1:port1,host2:port2,.... Since these servers are just used for the initial connection to "
                                                        + "discover the full cluster membership (which may change dynamically), this list need not contain the full set of "
                                                        + "servers (you may want more than one, though, in case a server is down).";
-    
+
     public static final String METADATA_MAX_AGE_CONFIG = "metadata.max.age.ms";
     public static final String METADATA_MAX_AGE_DOC = "The period of time in milliseconds after which we force a refresh of metadata even if we haven't seen any partition leadership changes to proactively discover any new brokers or partitions.";
-    
+
     public static final String SEND_BUFFER_CONFIG = "send.buffer.bytes";
     public static final String SEND_BUFFER_DOC = "The size of the TCP send buffer (SO_SNDBUF) to use when sending data.";
 
@@ -45,7 +45,7 @@ public class CommonClientConfigs {
 
     public static final String RETRY_BACKOFF_MS_CONFIG = "retry.backoff.ms";
     public static final String RETRY_BACKOFF_MS_DOC = "The amount of time to wait before attempting to retry a failed fetch request to a given topic partition. This avoids repeated fetching-and-failing in a tight loop.";
-    
+
     public static final String METRICS_SAMPLE_WINDOW_MS_CONFIG = "metrics.sample.window.ms";
     public static final String METRICS_SAMPLE_WINDOW_MS_DOC = "The number of samples maintained to compute metrics.";
 
@@ -55,4 +55,8 @@ public class CommonClientConfigs {
     public static final String METRIC_REPORTER_CLASSES_CONFIG = "metric.reporters";
     public static final String METRIC_REPORTER_CLASSES_DOC = "A list of classes to use as metrics reporters. Implementing the MetricReporter interface allows plugging in classes that will be notified of new metric creation. The JmxReporter is always included to register JMX statistics.";
 
-}
\ No newline at end of file
+    public static final String SECURITY_PROTOCOL_CONFIG = "security.protocol";
+    public static final String SECURITY_PROTOCOL_DOC = "Protocol used to communicate with brokers. Currently only PLAINTEXT and SSL are supported.";
+    public static final String DEFAULT_SECURITY_PROTOCOL = "PLAINTEXT";
+
+}
diff --git a/clients/src/main/java/org/apache/kafka/clients/consumer/ConsumerConfig.java b/clients/src/main/java/org/apache/kafka/clients/consumer/ConsumerConfig.java
index dff4258..cc63392 100644
--- a/clients/src/main/java/org/apache/kafka/clients/consumer/ConsumerConfig.java
+++ b/clients/src/main/java/org/apache/kafka/clients/consumer/ConsumerConfig.java
@@ -278,7 +278,7 @@ public class ConsumerConfig extends AbstractConfig {
                                         Type.CLASS,
                                         Importance.HIGH,
                                         VALUE_DESERIALIZER_CLASS_DOC)
-                                .define(SecurityConfigs.SECURITY_PROTOCOL_CONFIG, Type.STRING, SecurityConfigs.DEFAULT_SECURITY_PROTOCOL, Importance.MEDIUM, SecurityConfigs.SECURITY_PROTOCOL_DOC)
+                                .define(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, Type.STRING, CommonClientConfigs.DEFAULT_SECURITY_PROTOCOL, Importance.MEDIUM, CommonClientConfigs.SECURITY_PROTOCOL_DOC)
                                 .define(SecurityConfigs.PRINCIPAL_BUILDER_CLASS_CONFIG, Type.CLASS, SecurityConfigs.DEFAULT_PRINCIPAL_BUILDER_CLASS, Importance.LOW, SecurityConfigs.PRINCIPAL_BUILDER_CLASS_DOC)
                                 .define(SecurityConfigs.SSL_PROTOCOL_CONFIG, Type.STRING, SecurityConfigs.DEFAULT_SSL_PROTOCOL, Importance.MEDIUM, SecurityConfigs.SSL_PROTOCOL_DOC)
                                 .define(SecurityConfigs.SSL_PROVIDER_CONFIG, Type.STRING, Importance.MEDIUM, SecurityConfigs.SSL_PROVIDER_DOC, false)
diff --git a/clients/src/main/java/org/apache/kafka/clients/producer/ProducerConfig.java b/clients/src/main/java/org/apache/kafka/clients/producer/ProducerConfig.java
index baa3d41..bd442b2 100644
--- a/clients/src/main/java/org/apache/kafka/clients/producer/ProducerConfig.java
+++ b/clients/src/main/java/org/apache/kafka/clients/producer/ProducerConfig.java
@@ -221,7 +221,7 @@ public class ProducerConfig extends AbstractConfig {
                                         MAX_IN_FLIGHT_REQUESTS_PER_CONNECTION_DOC)
                                 .define(KEY_SERIALIZER_CLASS_CONFIG, Type.CLASS, Importance.HIGH, KEY_SERIALIZER_CLASS_DOC)
                                 .define(VALUE_SERIALIZER_CLASS_CONFIG, Type.CLASS, Importance.HIGH, VALUE_SERIALIZER_CLASS_DOC)
-                                .define(SecurityConfigs.SECURITY_PROTOCOL_CONFIG, Type.STRING, SecurityConfigs.DEFAULT_SECURITY_PROTOCOL, Importance.MEDIUM, SecurityConfigs.SECURITY_PROTOCOL_DOC)
+                                .define(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, Type.STRING, CommonClientConfigs.DEFAULT_SECURITY_PROTOCOL, Importance.MEDIUM, CommonClientConfigs.SECURITY_PROTOCOL_DOC)
                                 .define(SecurityConfigs.PRINCIPAL_BUILDER_CLASS_CONFIG, Type.CLASS, SecurityConfigs.DEFAULT_PRINCIPAL_BUILDER_CLASS, Importance.LOW, SecurityConfigs.PRINCIPAL_BUILDER_CLASS_DOC)
                                 .define(SecurityConfigs.SSL_PROTOCOL_CONFIG, Type.STRING, SecurityConfigs.DEFAULT_SSL_PROTOCOL, Importance.MEDIUM, SecurityConfigs.SSL_PROTOCOL_DOC)
                                 .define(SecurityConfigs.SSL_PROVIDER_CONFIG, Type.STRING, Importance.MEDIUM, SecurityConfigs.SSL_PROVIDER_DOC, false)
diff --git a/clients/src/main/java/org/apache/kafka/common/config/SecurityConfigs.java b/clients/src/main/java/org/apache/kafka/common/config/SecurityConfigs.java
index 1855399..c2f2181 100644
--- a/clients/src/main/java/org/apache/kafka/common/config/SecurityConfigs.java
+++ b/clients/src/main/java/org/apache/kafka/common/config/SecurityConfigs.java
@@ -21,10 +21,6 @@ public class SecurityConfigs {
      * NOTE: DO NOT CHANGE EITHER CONFIG NAMES AS THESE ARE PART OF THE PUBLIC API AND CHANGE WILL BREAK USER CODE.
      */
 
-    public static final String SECURITY_PROTOCOL_CONFIG = "security.protocol";
-    public static final String SECURITY_PROTOCOL_DOC = "Protocol used to communicate with brokers. Currently only PLAINTEXT and SSL are supported.";
-    public static final String DEFAULT_SECURITY_PROTOCOL = "PLAINTEXT";
-
     public static final String PRINCIPAL_BUILDER_CLASS_CONFIG = "principal.builder.class";
     public static final String PRINCIPAL_BUILDER_CLASS_DOC = "principal builder to generate a java Principal. This config is optional for client.";
     public static final String DEFAULT_PRINCIPAL_BUILDER_CLASS = "org.apache.kafka.common.security.auth.DefaultPrincipalBuilder";
diff --git a/clients/src/main/java/org/apache/kafka/common/network/ByteBufferReceive.java b/clients/src/main/java/org/apache/kafka/common/network/ByteBufferReceive.java
index 129ae82..0e37204 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/ByteBufferReceive.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/ByteBufferReceive.java
@@ -18,7 +18,6 @@ package org.apache.kafka.common.network;
 
 import java.io.IOException;
 import java.nio.ByteBuffer;
-import java.nio.channels.ScatteringByteChannel;
 
 /**
  * A receive backed by an array of ByteBuffers
@@ -48,8 +47,8 @@ public class ByteBufferReceive implements Receive {
     }
 
     @Override
-    public long readFrom(ScatteringByteChannel channel) throws IOException {
-        long read = channel.read(buffers);
+    public long readFrom(TransportLayer transportLayer) throws IOException {
+        long read = transportLayer.read(buffers);
         remaining += read;
         return read;
     }
diff --git a/clients/src/main/java/org/apache/kafka/common/network/ByteBufferSend.java b/clients/src/main/java/org/apache/kafka/common/network/ByteBufferSend.java
index c8213e1..3292278 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/ByteBufferSend.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/ByteBufferSend.java
@@ -3,9 +3,9 @@
  * file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file
  * to You under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the
  * License. You may obtain a copy of the License at
- * 
+ *
  * http://www.apache.org/licenses/LICENSE-2.0
- * 
+ *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
  * specific language governing permissions and limitations under the License.
@@ -15,7 +15,6 @@ package org.apache.kafka.common.network;
 import java.io.EOFException;
 import java.io.IOException;
 import java.nio.ByteBuffer;
-import java.nio.channels.GatheringByteChannel;
 
 /**
  * A send backed by an array of byte buffers
@@ -26,6 +25,7 @@ public class ByteBufferSend implements Send {
     protected final ByteBuffer[] buffers;
     private int remaining;
     private int size;
+    private boolean pending;
 
     public ByteBufferSend(int destination, ByteBuffer... buffers) {
         super();
@@ -43,7 +43,7 @@ public class ByteBufferSend implements Send {
 
     @Override
     public boolean completed() {
-        return remaining <= 0;
+        return remaining <= 0 && !pending;
     }
 
     @Override
@@ -61,11 +61,12 @@ public class ByteBufferSend implements Send {
     }
 
     @Override
-    public long writeTo(GatheringByteChannel channel) throws IOException {
-        long written = channel.write(buffers);
+    public long writeTo(TransportLayer transportLayer) throws IOException {
+        long written = transportLayer.write(buffers);
         if (written < 0)
             throw new EOFException("This shouldn't happen.");
         remaining -= written;
+        pending = transportLayer.pending();
         return written;
     }
 
diff --git a/clients/src/main/java/org/apache/kafka/common/network/Channel.java b/clients/src/main/java/org/apache/kafka/common/network/Channel.java
index 616bfcf..fc285b8 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/Channel.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/Channel.java
@@ -142,11 +142,10 @@ public class Channel {
 
     private boolean send(NetworkSend send) throws IOException {
         send.writeTo(transportLayer);
-        boolean sendComplete = send.remaining() == 0;
-        if (sendComplete) {
+        if (send.completed()) {
             transportLayer.removeInterestOps(SelectionKey.OP_WRITE);
         }
-        return sendComplete;
+        return send.completed();
     }
 
- }
+}
diff --git a/clients/src/main/java/org/apache/kafka/common/network/NetworkReceive.java b/clients/src/main/java/org/apache/kafka/common/network/NetworkReceive.java
index fc0d168..e5bb2b4 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/NetworkReceive.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/NetworkReceive.java
@@ -3,9 +3,9 @@
  * file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file
  * to You under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the
  * License. You may obtain a copy of the License at
- * 
+ *
  * http://www.apache.org/licenses/LICENSE-2.0
- * 
+ *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
  * specific language governing permissions and limitations under the License.
@@ -15,7 +15,6 @@ package org.apache.kafka.common.network;
 import java.io.EOFException;
 import java.io.IOException;
 import java.nio.ByteBuffer;
-import java.nio.channels.ScatteringByteChannel;
 
 /**
  * A size delimited Receive that consists of a 4 byte network-ordered size N followed by N bytes of content
@@ -54,10 +53,10 @@ public class NetworkReceive implements Receive {
     }
 
     @Override
-    public long readFrom(ScatteringByteChannel channel) throws IOException {
+    public long readFrom(TransportLayer transportLayer) throws IOException {
         int read = 0;
         if (size.hasRemaining()) {
-            int bytesRead = channel.read(size);
+            int bytesRead = transportLayer.read(size);
             if (bytesRead < 0)
                 throw new EOFException();
             read += bytesRead;
@@ -70,7 +69,7 @@ public class NetworkReceive implements Receive {
             }
         }
         if (buffer != null) {
-            int bytesRead = channel.read(buffer);
+            int bytesRead = transportLayer.read(buffer);
             if (bytesRead < 0)
                 throw new EOFException();
             read += bytesRead;
diff --git a/clients/src/main/java/org/apache/kafka/common/network/PlainTextTransportLayer.java b/clients/src/main/java/org/apache/kafka/common/network/PlainTextTransportLayer.java
index f730c25..dbd35db 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/PlainTextTransportLayer.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/PlainTextTransportLayer.java
@@ -48,6 +48,31 @@ public class PlainTextTransportLayer implements TransportLayer {
         this.socketChannel = (SocketChannel) key.channel();
     }
 
+    public boolean isReady() {
+        return true;
+    }
+
+    public void finishConnect() throws IOException {
+        socketChannel.finishConnect();
+        int ops = key.interestOps();
+        ops &= ~SelectionKey.OP_CONNECT;
+        ops |= SelectionKey.OP_READ;
+        key.interestOps(ops);
+    }
+
+    public void disconnect() {
+        key.cancel();
+    }
+
+    public SocketChannel socketChannel() {
+        return socketChannel;
+    }
+
+
+    public boolean isOpen() {
+        return socketChannel.isOpen();
+    }
+
     /**
      * Closes this channel
      *
@@ -58,84 +83,115 @@ public class PlainTextTransportLayer implements TransportLayer {
         socketChannel.close();
     }
 
-    public boolean isOpen() {
-        return socketChannel.isOpen();
-    }
 
-    public void disconnect() {
-        key.cancel();
-    }
 
     /**
-     * Writes a sequence of bytes to this channel from the given buffer.
+     * There won't be any pending bytes to written socketChannel once write method is called.
+     * This will always return false.
      */
-    public int write(ByteBuffer src) throws IOException {
-        return socketChannel.write(src);
+    public boolean pending() {
+        return false;
     }
 
-    public long write(ByteBuffer[] srcs) throws IOException {
-        return socketChannel.write(srcs);
-    }
 
-    public long write(ByteBuffer[] srcs, int offset, int length) throws IOException {
-        return socketChannel.write(srcs, offset, length);
-    }
+    /**
+     * Performs SSL handshake hence is a no-op for the non-secure
+     * implementation
+     * @throws IOException
+    */
+    public void handshake() throws IOException {}
+
+
+    /**
+    * Reads a sequence of bytes from this channel into the given buffer.
+    *
+    * @param dst The buffer into which bytes are to be transferred
+    * @return The number of bytes read, possible zero or -1 if the channel has reached end-of-stream
+    * @throws IOException if some other I/O error occurs
+    */
 
     public int read(ByteBuffer dst) throws IOException {
         return socketChannel.read(dst);
     }
 
+    /**
+     * Reads a sequence of bytes from this channel into the given buffers.
+     *
+     * @param dsts - The buffers into which bytes are to be transferred.
+     * @return The number of bytes read, possibly zero, or -1 if the channel has reached end-of-stream.
+     * @throws IOException if some other I/O error occurs
+     */
     public long read(ByteBuffer[] dsts) throws IOException {
         return socketChannel.read(dsts);
     }
 
+    /**
+     * Reads a sequence of bytes from this channel into a subsequence of the given buffers.
+     * @param dsts - The buffers into which bytes are to be transferred
+     * @param offset - The offset within the buffer array of the first buffer into which bytes are to be transferred; must be non-negative and no larger than dsts.length.
+     * @param length - The maximum number of buffers to be accessed; must be non-negative and no larger than dsts.length - offset
+     * @returns The number of bytes read, possibly zero, or -1 if the channel has reached end-of-stream.
+     * @throws IOException if some other I/O error occurs
+     */
     public long read(ByteBuffer[] dsts, int offset, int length) throws IOException {
         return socketChannel.read(dsts, offset, length);
     }
 
-    public boolean isReady() {
-        return true;
-    }
-
-    public SocketChannel socketChannel() {
-        return socketChannel;
-    }
-
-    public void finishConnect() throws IOException {
-        socketChannel.finishConnect();
-        int ops = key.interestOps();
-        ops &= ~SelectionKey.OP_CONNECT;
-        ops |= SelectionKey.OP_READ;
-        key.interestOps(ops);
+    /**
+    * Writes a sequence of bytes to this channel from the given buffer.
+    *
+    * @param src The buffer from which bytes are to be retrieved
+    * @returns The number of bytes read, possibly zero, or -1 if the channel has reached end-of-stream
+    * @throws IOException If some other I/O error occurs
+    */
+    public int write(ByteBuffer src) throws IOException {
+        return socketChannel.write(src);
     }
 
     /**
-     * Performs SSL handshake hence is a no-op for the non-secure
-     * implementation
-     * @throws IOException
+    * Writes a sequence of bytes to this channel from the given buffer.
+    *
+    * @param src The buffer from which bytes are to be retrieved
+    * @returns The number of bytes read, possibly zero, or -1 if the channel has reached end-of-stream
+    * @throws IOException If some other I/O error occurs
     */
-    public void handshake() throws IOException {}
-
-    public DataInputStream inStream() throws IOException {
-        if (inStream == null)
-            this.inStream = new DataInputStream(socketChannel.socket().getInputStream());
-        return inStream;
+    public long write(ByteBuffer[] srcs) throws IOException {
+        return socketChannel.write(srcs);
     }
 
-    public DataOutputStream outStream() throws IOException {
-        if (outStream == null)
-         this.outStream = new DataOutputStream(socketChannel.socket().getOutputStream());
-        return outStream;
+    /**
+    * Writes a sequence of bytes to this channel from the subsequence of the given buffers.
+    *
+    * @param srcs The buffers from which bytes are to be retrieved
+    * @param offset The offset within the buffer array of the first buffer from which bytes are to be retrieved; must be non-negative and no larger than srcs.length.
+    * @param length - The maximum number of buffers to be accessed; must be non-negative and no larger than srcs.length - offset.
+    * @return returns no.of bytes written , possibly zero.
+    * @throws IOException If some other I/O error occurs
+    */
+    public long write(ByteBuffer[] srcs, int offset, int length) throws IOException {
+        return socketChannel.write(srcs, offset, length);
     }
 
+    /**
+     * Rerturns ANONYMOUS as Principal.
+     */
     public Principal peerPrincipal() throws IOException {
         return principal;
     }
 
+    /**
+     * Adds the interestOps to selectionKey.
+     * @param SelectionKey interestOps
+     */
     public void addInterestOps(int ops) {
         key.interestOps(key.interestOps() | ops);
+
     }
 
+    /**
+     * Removes the interestOps from selectionKey.
+     * @param SelectionKey interestOps
+     */
     public void removeInterestOps(int ops) {
         key.interestOps(key.interestOps() & ~ops);
     }
diff --git a/clients/src/main/java/org/apache/kafka/common/network/Receive.java b/clients/src/main/java/org/apache/kafka/common/network/Receive.java
index 4e33078..0862eff 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/Receive.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/Receive.java
@@ -18,7 +18,6 @@ package org.apache.kafka.common.network;
 
 import java.io.IOException;
 import java.nio.ByteBuffer;
-import java.nio.channels.ScatteringByteChannel;
 
 /**
  * This interface models the in-progress reading of data from a channel to a source identified by an integer id
@@ -42,10 +41,10 @@ public interface Receive {
 
     /**
      * Read bytes into this receive from the given channel
-     * @param channel The channel to read from
+     * @param transportLayer The transportLayer to read from
      * @return The number of bytes read
      * @throws IOException If the reading fails
      */
-    public long readFrom(ScatteringByteChannel channel) throws IOException;
+    public long readFrom(TransportLayer transportLayer) throws IOException;
 
 }
diff --git a/clients/src/main/java/org/apache/kafka/common/network/SSLChannelBuilder.java b/clients/src/main/java/org/apache/kafka/common/network/SSLChannelBuilder.java
index 8766824..2d89497 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/SSLChannelBuilder.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/SSLChannelBuilder.java
@@ -15,8 +15,6 @@ package org.apache.kafka.common.network;
 import java.nio.channels.SelectionKey;
 import java.nio.channels.SocketChannel;
 import java.util.Map;
-import java.util.concurrent.ExecutorService;
-import java.util.concurrent.Executors;
 
 import org.apache.kafka.common.security.auth.PrincipalBuilder;
 import org.apache.kafka.common.config.SecurityConfigs;
@@ -28,12 +26,10 @@ import org.slf4j.LoggerFactory;
 public class SSLChannelBuilder implements ChannelBuilder {
     private static final Logger log = LoggerFactory.getLogger(SSLChannelBuilder.class);
     private SSLFactory sslFactory;
-    private ExecutorService executorService;
     private PrincipalBuilder principalBuilder;
 
     public void configure(Map configs) throws KafkaException {
         try {
-            this.executorService = Executors.newScheduledThreadPool(1);
             this.sslFactory = new SSLFactory(SSLFactory.Mode.CLIENT);
             this.sslFactory.configure(configs);
             this.principalBuilder = (PrincipalBuilder) Utils.newInstance((Class) configs.get(SecurityConfigs.PRINCIPAL_BUILDER_CLASS_CONFIG));
@@ -49,8 +45,7 @@ public class SSLChannelBuilder implements ChannelBuilder {
             SocketChannel socketChannel = (SocketChannel) key.channel();
             SSLTransportLayer transportLayer = new SSLTransportLayer(key,
                                                                      sslFactory.createSSLEngine(socketChannel.socket().getInetAddress().getHostName(),
-                                                                                                socketChannel.socket().getPort()),
-                                                                     executorService);
+                                                                                                socketChannel.socket().getPort()));
             Authenticator authenticator = new DefaultAuthenticator(transportLayer, this.principalBuilder);
             channel = new Channel(id, transportLayer, authenticator);
         } catch (Exception e) {
@@ -61,7 +56,6 @@ public class SSLChannelBuilder implements ChannelBuilder {
     }
 
     public void close()  {
-        this.executorService.shutdown();
         this.principalBuilder.close();
     }
 }
diff --git a/clients/src/main/java/org/apache/kafka/common/network/SSLFactory.java b/clients/src/main/java/org/apache/kafka/common/network/SSLFactory.java
index 557c5f9..b669069 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/SSLFactory.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/SSLFactory.java
@@ -136,7 +136,7 @@ public class SSLFactory implements Configurable {
             sslEngine.setUseClientMode(false);
             if (needClientAuth)
                 sslEngine.setNeedClientAuth(needClientAuth);
-            else if (wantClientAuth)
+            else
                 sslEngine.setNeedClientAuth(wantClientAuth);
         } else {
             sslEngine.setUseClientMode(true);
diff --git a/clients/src/main/java/org/apache/kafka/common/network/SSLTransportLayer.java b/clients/src/main/java/org/apache/kafka/common/network/SSLTransportLayer.java
index f79b5ef..eb898b4 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/SSLTransportLayer.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/SSLTransportLayer.java
@@ -33,10 +33,6 @@ import javax.net.ssl.SSLException;
 import javax.net.ssl.SSLSession;
 import javax.net.ssl.SSLPeerUnverifiedException;
 
-import java.io.DataInputStream;
-import java.io.DataOutputStream;
-import java.util.concurrent.ExecutorService;
-
 import org.apache.kafka.common.utils.Utils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -59,23 +55,23 @@ public class SSLTransportLayer implements TransportLayer {
     private ByteBuffer netWriteBuffer;
     private ByteBuffer appReadBuffer;
     private ByteBuffer emptyBuf = ByteBuffer.allocate(0);
-    private DataInputStream inStream;
-    private DataOutputStream outStream;
-    private ExecutorService executorService;
     private int interestOps;
     private int socketSendBufferSize;
 
-    public SSLTransportLayer(SelectionKey key, SSLEngine sslEngine, ExecutorService executorService) throws IOException {
+    public SSLTransportLayer(SelectionKey key, SSLEngine sslEngine) throws IOException {
         this.key = key;
         this.socketChannel = (SocketChannel) key.channel();
         this.sslEngine = sslEngine;
-        this.executorService = executorService;
         this.netReadBuffer = ByteBuffer.allocateDirect(packetBufferSize());
         this.netWriteBuffer = ByteBuffer.allocateDirect(packetBufferSize());
         this.appReadBuffer = ByteBuffer.allocateDirect(applicationBufferSize());
         this.socketSendBufferSize = this.socketChannel.socket().getSendBufferSize();
     }
 
+    /**
+     * starts sslEngine handshake process and sets the selectionKey interestOps based
+     * sslEngine handshakeStatus.
+     */
     private void startHandshake() throws IOException {
         netWriteBuffer.position(0);
         netWriteBuffer.limit(0);
@@ -91,10 +87,14 @@ public class SSLTransportLayer implements TransportLayer {
             key.interestOps(key.interestOps() | SelectionKey.OP_WRITE);
     }
 
-    public SocketChannel socketChannel() {
-        return socketChannel;
+
+    public boolean isReady() {
+        return handshakeComplete;
     }
 
+    /**
+     * does socketChannel.finishConnect()
+     */
     public void finishConnect() throws IOException {
         socketChannel.finishConnect();
         removeInterestOps(SelectionKey.OP_CONNECT);
@@ -103,12 +103,54 @@ public class SSLTransportLayer implements TransportLayer {
         startHandshake();
     }
 
+    /**
+     * disconnects selectionKey.
+     */
+    public void disconnect() {
+        key.cancel();
+    }
+
+    public SocketChannel socketChannel() {
+        return socketChannel;
+    }
+
     public boolean isOpen() {
         return socketChannel.isOpen();
     }
 
-    public void disconnect() {
-        key.cancel();
+    /**
+    * Sends a SSL close message and closes socketChannel.
+    * @throws IOException if an I/O error occurs
+    * @throws IOException if there is data on the outgoing network buffer and we are unable to flush it
+    */
+    public void close() throws IOException {
+        if (closing) return;
+        closing = true;
+        sslEngine.closeOutbound();
+
+        if (!flush(netWriteBuffer)) {
+            throw new IOException("Remaining data in the network buffer, can't send SSL close message.");
+        }
+        //prep the buffer for the close message
+        netWriteBuffer.clear();
+        //perform the close, since we called sslEngine.closeOutbound
+        SSLEngineResult handshake = sslEngine.wrap(emptyBuf, netWriteBuffer);
+        //we should be in a close state
+        if (handshake.getStatus() != SSLEngineResult.Status.CLOSED) {
+            throw new IOException("Invalid close state, will not send network data.");
+        }
+        netWriteBuffer.flip();
+        flush(netWriteBuffer);
+        socketChannel.socket().close();
+        socketChannel.close();
+        closed = !netWriteBuffer.hasRemaining() && (handshake.getHandshakeStatus() != HandshakeStatus.NEED_WRAP);
+    }
+
+    /**
+     * returns true if there are any pending contents in netWriteBuffer
+     */
+    public boolean pending() {
+        return netWriteBuffer.hasRemaining();
     }
 
     /**
@@ -150,9 +192,9 @@ public class SSLTransportLayer implements TransportLayer {
                     if (handshakeResult.getStatus() == Status.BUFFER_OVERFLOW) {
                         int currentPacketBufferSize = packetBufferSize();
                         netWriteBuffer = Utils.ensureCapacity(netWriteBuffer, currentPacketBufferSize);
-                        if (netWriteBuffer.position() > currentPacketBufferSize) {
+                        if (netWriteBuffer.position() >= currentPacketBufferSize) {
                             throw new IllegalStateException("Buffer overflow when available data (" + netWriteBuffer.position() +
-                                                            ") > network buffer size (" + currentPacketBufferSize + ")");
+                                                            ") >= network buffer size (" + currentPacketBufferSize + ")");
                         }
                     } else if (handshakeResult.getStatus() == Status.BUFFER_UNDERFLOW) {
                         throw new IllegalStateException("Should not have received BUFFER_UNDERFLOW during handshake WRAP.");
@@ -161,7 +203,7 @@ public class SSLTransportLayer implements TransportLayer {
                     }
                     //fall down to NEED_UNWRAP on the same call, will result in a
                     //BUFFER_UNDERFLOW if it needs data
-                    if (handshakeStatus != HandshakeStatus.NEED_UNWRAP || !flush(netWriteBuffer)) { //check for write bit
+                    if (handshakeStatus != HandshakeStatus.NEED_UNWRAP ||  (!write && !flush(netWriteBuffer))) {
                         key.interestOps(key.interestOps() | SelectionKey.OP_WRITE);
                         break;
                     }
@@ -211,7 +253,7 @@ public class SSLTransportLayer implements TransportLayer {
 
 
     /**
-     * Executes the SSLEngine tasks needed on the executorservice thread.
+     * Executes the SSLEngine tasks needed.
      * @return HandshakeStatus
      */
     private HandshakeStatus runDelegatedTasks() {
@@ -253,6 +295,8 @@ public class SSLTransportLayer implements TransportLayer {
     * @throws IOException
     */
     private SSLEngineResult  handshakeWrap(Boolean doWrite) throws IOException {
+        if (netWriteBuffer.hasRemaining())
+            throw new IllegalStateException("handshakeWrap called with netWriteBuffer not empty");
         //this should never be called with a network buffer that contains data
         //so we can clear it here.
         netWriteBuffer.clear();
@@ -304,37 +348,7 @@ public class SSLTransportLayer implements TransportLayer {
     }
 
 
-    /**
-    * Sends a SSL close message, will not physically close the connection here.
    
-    * @throws IOException if an I/O error occurs
-    * @throws IOException if there is data on the outgoing network buffer and we are unable to flush it
-    */
-    public void close() throws IOException {
-        if (closing) return;
-        closing = true;
-        sslEngine.closeOutbound();
 
-        if (!flush(netWriteBuffer)) {
-            throw new IOException("Remaining data in the network buffer, can't send SSL close message.");
-        }
-        //prep the buffer for the close message
-        netWriteBuffer.clear();
-        //perform the close, since we called sslEngine.closeOutbound
-        SSLEngineResult handshake = sslEngine.wrap(emptyBuf, netWriteBuffer);
-        //we should be in a close state
-        if (handshake.getStatus() != SSLEngineResult.Status.CLOSED) {
-            throw new IOException("Invalid close state, will not send network data.");
-        }
-        netWriteBuffer.flip();
-        flush(netWriteBuffer);
-        socketChannel.socket().close();
-        socketChannel.close();
-        closed = !netWriteBuffer.hasRemaining() && (handshake.getHandshakeStatus() != HandshakeStatus.NEED_WRAP);
-    }
-
-    public boolean isReady() {
-        return handshakeComplete;
-    }
 
     /**
     * Reads a sequence of bytes from this channel into the given buffer.
@@ -363,58 +377,87 @@ public class SSLTransportLayer implements TransportLayer {
 
             do {
                 netReadBuffer.flip();
-                SSLEngineResult unwrap = sslEngine.unwrap(netReadBuffer, appReadBuffer);
+                SSLEngineResult unwrapResult = sslEngine.unwrap(netReadBuffer, appReadBuffer);
                 netReadBuffer.compact();
                 // handle ssl renegotiation.
-                if (unwrap.getHandshakeStatus() != HandshakeStatus.NOT_HANDSHAKING) {
+                if (unwrapResult.getHandshakeStatus() != HandshakeStatus.NOT_HANDSHAKING) {
                     handshake();
                     break;
                 }
 
-                if (unwrap.getStatus() == Status.OK) {
+                if (unwrapResult.getStatus() == Status.OK) {
                     read += readFromAppBuffer(dst);
-                } else if (unwrap.getStatus() == Status.BUFFER_OVERFLOW) {
+                } else if (unwrapResult.getStatus() == Status.BUFFER_OVERFLOW) {
                     int currentApplicationBufferSize = applicationBufferSize();
                     appReadBuffer = Utils.ensureCapacity(appReadBuffer, currentApplicationBufferSize);
                     if (appReadBuffer.position() >= currentApplicationBufferSize) {
                         throw new IllegalStateException("Buffer overflow when available data (" + appReadBuffer.position() +
-                                                        ") > application buffer size (" + currentApplicationBufferSize + ")");
+                                                        ") >= application buffer size (" + currentApplicationBufferSize + ")");
                     }
-                    break;
-                } else if (unwrap.getStatus() == Status.BUFFER_UNDERFLOW) {
+                    if (dst.hasRemaining())
+                        read += readFromAppBuffer(dst);
+                    else
+                        break;
+                } else if (unwrapResult.getStatus() == Status.BUFFER_UNDERFLOW) {
                     int currentPacketBufferSize = packetBufferSize();
                     netReadBuffer = Utils.ensureCapacity(netReadBuffer, currentPacketBufferSize);
                     break;
-                } else if (unwrap.getStatus() == Status.CLOSED) {
+                } else if (unwrapResult.getStatus() == Status.CLOSED) {
                     throw new EOFException();
                 }
-            } while(netReadBuffer.hasRemaining());
+            } while(netReadBuffer.position() != 0);
         }
 
         return read;
     }
 
 
+    /**
+     * Reads a sequence of bytes from this channel into the given buffers.
+     *
+     * @param dsts - The buffers into which bytes are to be transferred.
+     * @return The number of bytes read, possibly zero, or -1 if the channel has reached end-of-stream.
+     * @throws IOException if some other I/O error occurs
+     */
     public long read(ByteBuffer[] dsts) throws IOException {
         return read(dsts, 0, dsts.length);
     }
 
+
+    /**
+     * Reads a sequence of bytes from this channel into a subsequence of the given buffers.
+     * @param dsts - The buffers into which bytes are to be transferred
+     * @param offset - The offset within the buffer array of the first buffer into which bytes are to be transferred; must be non-negative and no larger than dsts.length.
+     * @param length - The maximum number of buffers to be accessed; must be non-negative and no larger than dsts.length - offset
+     * @returns The number of bytes read, possibly zero, or -1 if the channel has reached end-of-stream.
+     * @throws IOException if some other I/O error occurs
+     */
     public long read(ByteBuffer[] dsts, int offset, int length) throws IOException {
+        if ((offset < 0) || (length < 0) || (offset > dsts.length - length))
+            throw new IndexOutOfBoundsException();
+
         int totalRead = 0;
-        for (int i = offset; i < length; i++) {
-            int read = read(dsts[i]);
-            if (read > 0) {
-                totalRead += read;
+        int i = offset;
+        while (i < length) {
+            if (dsts[i].hasRemaining()) {
+                int read = read(dsts[i]);
+                if (read > 0) {
+                    totalRead += read;
+                }
+            }
+            if (!dsts[i].hasRemaining()) {
+                i++;
             }
         }
         return totalRead;
     }
 
+
     /**
     * Writes a sequence of bytes to this channel from the given buffer.
     *
     * @param src The buffer from which bytes are to be retrieved
-    * @return The number of bytes written, possibly zero
+    * @returns The number of bytes read, possibly zero, or -1 if the channel has reached end-of-stream
     * @throws IOException If some other I/O error occurs
     */
     public int write(ByteBuffer src) throws IOException {
@@ -424,10 +467,12 @@ public class SSLTransportLayer implements TransportLayer {
 
         if (!flush(netWriteBuffer))
             return written;
+
         netWriteBuffer.clear();
         SSLEngineResult wrap = sslEngine.wrap(src, netWriteBuffer);
         netWriteBuffer.flip();
 
+        //handle ssl renegotiation
         if (wrap.getHandshakeStatus() != HandshakeStatus.NOT_HANDSHAKING) {
             handshake();
             return written;
@@ -439,8 +484,8 @@ public class SSLTransportLayer implements TransportLayer {
         } else if (wrap.getStatus() == Status.BUFFER_OVERFLOW) {
             int currentPacketBufferSize = packetBufferSize();
             netWriteBuffer = Utils.ensureCapacity(netReadBuffer, packetBufferSize());
-            if (netWriteBuffer.position() > currentPacketBufferSize)
-                throw new IllegalStateException("SSL BUFFER_OVERFLOW when available data (" + netWriteBuffer.position() + ") > network buffer size (" + currentPacketBufferSize + ")");
+            if (netWriteBuffer.position() >= currentPacketBufferSize)
+                throw new IllegalStateException("SSL BUFFER_OVERFLOW when available data size (" + netWriteBuffer.position() + ") >= network buffer size (" + currentPacketBufferSize + ")");
         } else if (wrap.getStatus() == Status.BUFFER_UNDERFLOW) {
             throw new IllegalStateException("SSL BUFFER_UNDERFLOW during write");
         } else if (wrap.getStatus() == Status.CLOSED) {
@@ -449,45 +494,52 @@ public class SSLTransportLayer implements TransportLayer {
         return written;
     }
 
+    /**
+    * Writes a sequence of bytes to this channel from the subsequence of the given buffers.
+    *
+    * @param srcs The buffers from which bytes are to be retrieved
+    * @param offset The offset within the buffer array of the first buffer from which bytes are to be retrieved; must be non-negative and no larger than srcs.length.
+    * @param length - The maximum number of buffers to be accessed; must be non-negative and no larger than srcs.length - offset.
+    * @return returns no.of bytes written , possibly zero.
+    * @throws IOException If some other I/O error occurs
+    */
     public long write(ByteBuffer[] srcs, int offset, int length)  throws IOException {
-        long totalWritten = 0;
+        if ((offset < 0) || (length < 0) || (offset > srcs.length - length))
+            throw new IndexOutOfBoundsException();
+
+        int totalWritten = 0;
         int i = offset;
         while (i < length) {
-            if (srcs[i].hasRemaining()) {
+            if (srcs[i].hasRemaining() || pending()) {
                 int written = write(srcs[i]);
                 if (written > 0) {
                     totalWritten += written;
                 }
             }
-            i++;
+
+            if (!srcs[i].hasRemaining()) {
+                i++;
+            } else {
+                // if we are unable to write the current buffer to socketChannel we should break,
+                // as we might have reached max socket send buffer size.
+                break;
+            }
         }
         return totalWritten;
     }
 
+    /**
+    * Writes a sequence of bytes to this channel from the given buffers.
+    *
+    * @param srcs The buffers from which bytes are to be retrieved
+    * @return returns no.of bytes consumed by SSLEngine.wrap , possibly zero.
+    * @throws IOException If some other I/O error occurs
+    */
+
     public long write(ByteBuffer[] srcs) throws IOException {
         return write(srcs, 0, srcs.length);
     }
 
-    /**
-     * socket's InputStream as DataInputStream
-     * @return DataInputStream
-     */
-    public DataInputStream inStream() throws IOException {
-        if (inStream == null)
-            this.inStream = new DataInputStream(socketChannel.socket().getInputStream());
-        return inStream;
-    }
-
-
-    /**
-     * socket's OutputStream as DataOutputStream
-     * @return DataInputStream
-     */
-    public DataOutputStream outStream() throws IOException {
-        if (outStream == null)
-            this.outStream = new DataOutputStream(socketChannel.socket().getOutputStream());
-        return outStream;
-    }
 
     /**
      * SSLSession's peerPrincipal for the remote host.
diff --git a/clients/src/main/java/org/apache/kafka/common/network/Selector.java b/clients/src/main/java/org/apache/kafka/common/network/Selector.java
index de0bbe9..d621f06 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/Selector.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/Selector.java
@@ -16,7 +16,6 @@ import java.io.EOFException;
 import java.io.IOException;
 import java.net.ConnectException;
 import java.net.InetSocketAddress;
-import java.net.Socket;
 import java.nio.channels.CancelledKeyException;
 import java.nio.channels.SelectionKey;
 import java.nio.channels.SocketChannel;
diff --git a/clients/src/main/java/org/apache/kafka/common/network/Send.java b/clients/src/main/java/org/apache/kafka/common/network/Send.java
index 5d321a0..9cc2ada 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/Send.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/Send.java
@@ -3,9 +3,9 @@
  * file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file
  * to You under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the
  * License. You may obtain a copy of the License at
- * 
+ *
  * http://www.apache.org/licenses/LICENSE-2.0
- * 
+ *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
  * specific language governing permissions and limitations under the License.
@@ -14,7 +14,6 @@ package org.apache.kafka.common.network;
 
 import java.io.IOException;
 import java.nio.ByteBuffer;
-import java.nio.channels.GatheringByteChannel;
 
 /**
  * This interface models the in-progress sending of data to a destination identified by an integer id.
@@ -44,10 +43,10 @@ public interface Send {
     /**
      * Write some as-yet unwritten bytes from this send to the provided channel. It may take multiple calls for the send
      * to be completely written
-     * @param channel The channel to write to
+     * @param channel The transportLayer to write to
      * @return The number of bytes written
      * @throws IOException If the write fails
      */
-    public long writeTo(GatheringByteChannel channel) throws IOException;
+    public long writeTo(TransportLayer transportLayer) throws IOException;
 
 }
diff --git a/clients/src/main/java/org/apache/kafka/common/network/TransportLayer.java b/clients/src/main/java/org/apache/kafka/common/network/TransportLayer.java
index 8fdaae2..dd544a6 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/TransportLayer.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/TransportLayer.java
@@ -22,17 +22,12 @@ package org.apache.kafka.common.network;
  */
 import java.io.IOException;
 import java.nio.ByteBuffer;
-import java.nio.channels.ScatteringByteChannel;
-import java.nio.channels.GatheringByteChannel;
 import java.nio.channels.SocketChannel;
 
-import java.io.DataInputStream;
-import java.io.DataOutputStream;
-
 import java.security.Principal;
 
 
-public interface TransportLayer extends ScatteringByteChannel, GatheringByteChannel {
+public interface TransportLayer {
 
     /**
      * Returns true if the channel has handshake and authenticaiton done.
@@ -55,6 +50,18 @@ public interface TransportLayer extends ScatteringByteChannel, GatheringByteChan
     SocketChannel socketChannel();
 
     /**
+     * returns true if socketchannel is open.
+     */
+    boolean isOpen();
+
+    public void close() throws IOException;
+
+    /**
+     * returns true if there are any pending bytes needs to be written to channel.
+     */
+    boolean pending();
+
+    /**
      * Performs SSL handshake hence is a no-op for the non-secure
      * implementation
      * @throws IOException
@@ -62,9 +69,25 @@ public interface TransportLayer extends ScatteringByteChannel, GatheringByteChan
     void handshake() throws IOException;
 
 
-    DataInputStream inStream() throws IOException;
+    /**
+     * Reads sequence of bytes from the channel to given buffer
+     */
+    public int read(ByteBuffer dst) throws IOException;
+
+    public long read(ByteBuffer[] dsts) throws IOException;
+
+    public long read(ByteBuffer[] dsts, int offset, int length) throws IOException;
+
+    /**
+     * Writes a sequence of bytes to this channel from the given buffer.
+     */
+    public int write(ByteBuffer src) throws IOException;
+
+    public long write(ByteBuffer[] srcs) throws IOException;
+
+    public long write(ByteBuffer[] srcs, int offset, int length) throws IOException;
+
 
-    DataOutputStream outStream() throws IOException;
 
     /**
      * returns SSLSession.getPeerPrinicpal if SSLTransportLayer used
diff --git a/clients/src/test/java/org/apache/kafka/clients/producer/KafkaProducerTest.java b/clients/src/test/java/org/apache/kafka/clients/producer/KafkaProducerTest.java
index f3f8334..a38f189 100644
--- a/clients/src/test/java/org/apache/kafka/clients/producer/KafkaProducerTest.java
+++ b/clients/src/test/java/org/apache/kafka/clients/producer/KafkaProducerTest.java
@@ -18,12 +18,16 @@ package org.apache.kafka.clients.producer;
 
 import org.apache.kafka.common.KafkaException;
 import org.apache.kafka.common.serialization.ByteArraySerializer;
+import org.apache.kafka.common.config.SecurityConfigs;
+import org.apache.kafka.clients.CommonClientConfigs;
 import org.apache.kafka.test.MockMetricsReporter;
 import org.apache.kafka.test.MockSerializer;
 import org.junit.Assert;
 import org.junit.Test;
 
 import java.util.Properties;
+import java.util.Map;
+import java.util.HashMap;
 
 public class KafkaProducerTest {
 
@@ -50,17 +54,18 @@ public class KafkaProducerTest {
     }
 
     @Test
-    public void testSerializerClose() {
-        Properties props = new Properties();
-        props.setProperty(ProducerConfig.CLIENT_ID_CONFIG, "testConstructorClose");
-        props.setProperty(ProducerConfig.BOOTSTRAP_SERVERS_CONFIG, "localhost:9999");
-        props.setProperty(ProducerConfig.METRIC_REPORTER_CLASSES_CONFIG, MockMetricsReporter.class.getName());
-
+    public void testSerializerClose() throws Exception {
+        Map configs = new HashMap();
+        configs.put(ProducerConfig.CLIENT_ID_CONFIG, "testConstructorClose");
+        configs.put(ProducerConfig.BOOTSTRAP_SERVERS_CONFIG, "localhost:9999");
+        configs.put(ProducerConfig.METRIC_REPORTER_CLASSES_CONFIG, MockMetricsReporter.class.getName());
+        configs.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, CommonClientConfigs.DEFAULT_SECURITY_PROTOCOL);
+        configs.put(SecurityConfigs.PRINCIPAL_BUILDER_CLASS_CONFIG, Class.forName(SecurityConfigs.DEFAULT_PRINCIPAL_BUILDER_CLASS));
         final int oldInitCount = MockSerializer.INIT_COUNT.get();
         final int oldCloseCount = MockSerializer.CLOSE_COUNT.get();
 
         KafkaProducer producer = new KafkaProducer(
-                props, new MockSerializer(), new MockSerializer());
+                configs, new MockSerializer(), new MockSerializer());
         Assert.assertEquals(oldInitCount + 2, MockSerializer.INIT_COUNT.get());
         Assert.assertEquals(oldCloseCount, MockSerializer.CLOSE_COUNT.get());
 
diff --git a/clients/src/test/java/org/apache/kafka/common/network/EchoServer.java b/clients/src/test/java/org/apache/kafka/common/network/EchoServer.java
index ce4c201..37d1706 100644
--- a/clients/src/test/java/org/apache/kafka/common/network/EchoServer.java
+++ b/clients/src/test/java/org/apache/kafka/common/network/EchoServer.java
@@ -12,7 +12,6 @@
  */
 package org.apache.kafka.common.network;
 
-import org.apache.kafka.common.config.SecurityConfigs;
 import org.apache.kafka.common.protocol.SecurityProtocol;
 
 import javax.net.ssl.SSLContext;
@@ -42,8 +41,8 @@ class EchoServer extends Thread {
     private final AtomicBoolean renegotiate = new AtomicBoolean();
 
     public EchoServer(Map configs) throws Exception {
-        this.protocol =  configs.containsKey(SecurityConfigs.SECURITY_PROTOCOL_CONFIG) ?
-            SecurityProtocol.valueOf((String) configs.get(SecurityConfigs.SECURITY_PROTOCOL_CONFIG)) : SecurityProtocol.PLAINTEXT;
+        this.protocol =  configs.containsKey("security.protocol") ?
+            SecurityProtocol.valueOf((String) configs.get("security.protocol")) : SecurityProtocol.PLAINTEXT;
         if (protocol == SecurityProtocol.SSL) {
             this.sslFactory = new SSLFactory(SSLFactory.Mode.SERVER);
             this.sslFactory.configure(configs);
diff --git a/clients/src/test/java/org/apache/kafka/common/network/SSLSelectorTest.java b/clients/src/test/java/org/apache/kafka/common/network/SSLSelectorTest.java
index 5ec02ef..a5351ce 100644
--- a/clients/src/test/java/org/apache/kafka/common/network/SSLSelectorTest.java
+++ b/clients/src/test/java/org/apache/kafka/common/network/SSLSelectorTest.java
@@ -17,22 +17,13 @@ import static org.junit.Assert.assertTrue;
 
 import java.util.LinkedHashMap;
 import java.util.Map;
-import java.util.concurrent.ExecutorService;
-import java.util.concurrent.Executors;
-import java.util.concurrent.Semaphore;
 
 import java.io.IOException;
 import java.net.InetSocketAddress;
 import java.nio.ByteBuffer;
-import java.nio.channels.SocketChannel;
-import java.nio.channels.SelectionKey;
-import javax.net.ssl.SSLEngine;
-import javax.net.ssl.SSLEngineResult;
 
 import org.apache.kafka.common.config.SecurityConfigs;
-import org.apache.kafka.common.KafkaException;
 import org.apache.kafka.common.metrics.Metrics;
-import org.apache.kafka.common.security.auth.PrincipalBuilder;
 import org.apache.kafka.common.utils.MockTime;
 import org.apache.kafka.common.utils.Utils;
 import org.apache.kafka.test.TestSSLUtils;
@@ -151,18 +142,6 @@ public class SSLSelectorTest {
         assertEquals("", blockingRequest(node, ""));
     }
 
-    /**
-     * Test sending an small string
-     */
-    @Test
-    public void testIncompleteSend() throws Exception {
-        int bufferSize = 16391;
-        int node = 0;
-        InetSocketAddress addr = new InetSocketAddress("localhost", server.port);
-        selector.connect(node, addr, bufferSize, bufferSize);
-        String requestPrefix = TestUtils.randomString(bufferSize);
-        assertEquals(requestPrefix, blockingRequest(node, requestPrefix));
-    }
 
     @Test
     public void testMute() throws Exception {
@@ -193,7 +172,6 @@ public class SSLSelectorTest {
     public void testRenegotiation() throws Exception {
         int reqs = 500;
         int node = 0;
-
         // create connections
         InetSocketAddress addr = new InetSocketAddress("localhost", server.port);
         selector.connect(node, addr, BUFFER_SIZE, BUFFER_SIZE);
@@ -217,9 +195,9 @@ public class SSLSelectorTest {
             // handle any responses we may have gotten
             for (NetworkReceive receive : selector.completedReceives()) {
                 String[] pieces = asString(receive).split("-");
-                assertEquals("Receive text should be in the form 'conn-counter'", 2, pieces.length);
+                assertEquals("Should be in the form 'conn-counter'", 2, pieces.length);
                 assertEquals("Check the source", receive.source(), Integer.parseInt(pieces[0]));
-                assertEquals("Receive ByteBuffer position should be at 0", 0, receive.payload().position());
+                assertEquals("Check that the receive has kindly been rewound", 0, receive.payload().position());
                 assertEquals("Check the request counter", responses, Integer.parseInt(pieces[1]));
                 responses++;
             }
diff --git a/clients/src/test/java/org/apache/kafka/test/TestSSLUtils.java b/clients/src/test/java/org/apache/kafka/test/TestSSLUtils.java
index 093f33b..4edbe36 100644
--- a/clients/src/test/java/org/apache/kafka/test/TestSSLUtils.java
+++ b/clients/src/test/java/org/apache/kafka/test/TestSSLUtils.java
@@ -19,6 +19,7 @@ package org.apache.kafka.test;
 
 import org.apache.kafka.common.config.SecurityConfigs;
 import org.apache.kafka.common.network.SSLFactory;
+import org.apache.kafka.clients.CommonClientConfigs;
 
 import java.io.File;
 import java.io.FileOutputStream;
@@ -44,10 +45,6 @@ import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder;
 import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;
 import org.bouncycastle.operator.bc.BcRSAContentSignerBuilder;
 
-
-
-
-
 import java.util.Date;
 import java.util.HashMap;
 import java.util.Map;
@@ -174,7 +171,7 @@ public class TestSSLUtils {
     public static Map createSSLConfig(SSLFactory.Mode mode, File keyStoreFile, String password, String keyPassword,
                                                       File trustStoreFile, String trustStorePassword, boolean useClientCert) {
         Map sslConfigs = new HashMap();
-        sslConfigs.put(SecurityConfigs.SECURITY_PROTOCOL_CONFIG, "SSL"); // kafka security protocol
+        sslConfigs.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, "SSL"); // kafka security protocol
         sslConfigs.put(SecurityConfigs.SSL_PROTOCOL_CONFIG, "TLSv1.2"); // protocol to create SSLContext
 
         if (mode == SSLFactory.Mode.SERVER || (mode == SSLFactory.Mode.CLIENT && keyStoreFile != null)) {
-- 
2.4.4


From 050782b9f47f4c61b22ef065ec4798ccbdb962d3 Mon Sep 17 00:00:00 2001
From: Sriharsha Chintalapani 
Date: Tue, 16 Jun 2015 08:46:05 -0700
Subject: [PATCH 14/19] KAFKA-1690. Broker side ssl changes.

---
 .../java/org/apache/kafka/clients/ClientUtils.java |   3 +-
 .../kafka/clients/consumer/ConsumerConfig.java     |  35 ++--
 .../kafka/clients/consumer/KafkaConsumer.java      |   2 +-
 .../kafka/clients/producer/ProducerConfig.java     |  32 ++--
 .../org/apache/kafka/common/config/SSLConfigs.java |  97 ++++++++++
 .../kafka/common/config/SecurityConfigs.java       | 102 -----------
 .../kafka/common/network/ByteBufferReceive.java    |   5 +-
 .../kafka/common/network/ByteBufferSend.java       |  12 +-
 .../org/apache/kafka/common/network/Channel.java   |  16 +-
 .../kafka/common/network/ChannelBuilder.java       |   6 +-
 .../kafka/common/network/NetworkReceive.java       |  14 +-
 .../common/network/PlainTextChannelBuilder.java    |   6 +-
 .../common/network/PlainTextTransportLayer.java    |   4 -
 .../kafka/common/network/SSLChannelBuilder.java    |  13 +-
 .../apache/kafka/common/network/SSLFactory.java    |  52 +++---
 .../kafka/common/network/SSLTransportLayer.java    |   6 +-
 .../org/apache/kafka/common/network/Selector.java  |  39 ++--
 .../java/org/apache/kafka/common/network/Send.java |   2 +-
 .../kafka/common/network/TransportLayer.java       |  33 +---
 .../kafka/clients/producer/KafkaProducerTest.java  |   4 +-
 .../kafka/common/network/SSLSelectorTest.java      | 128 ++++++-------
 .../apache/kafka/common/network/SelectorTest.java  |  10 +-
 .../java/org/apache/kafka/test/TestSSLUtils.java   |  25 ++-
 core/src/main/scala/kafka/cluster/EndPoint.scala   |   2 +-
 .../main/scala/kafka/network/SocketServer.scala    | 111 ++++++-----
 core/src/main/scala/kafka/server/KafkaConfig.scala | 153 +++++++++++++++-
 core/src/main/scala/kafka/server/KafkaServer.scala |   3 +-
 .../integration/UncleanLeaderElectionTest.scala    |   6 +-
 .../unit/kafka/network/SocketServerTest.scala      | 202 ---------------------
 .../kafka/server/KafkaConfigConfigDefTest.scala    |  35 ++++
 30 files changed, 567 insertions(+), 591 deletions(-)
 create mode 100644 clients/src/main/java/org/apache/kafka/common/config/SSLConfigs.java
 delete mode 100644 clients/src/main/java/org/apache/kafka/common/config/SecurityConfigs.java
 delete mode 100644 core/src/test/scala/unit/kafka/network/SocketServerTest.scala

diff --git a/clients/src/main/java/org/apache/kafka/clients/ClientUtils.java b/clients/src/main/java/org/apache/kafka/clients/ClientUtils.java
index 782d182..d70ad33 100644
--- a/clients/src/main/java/org/apache/kafka/clients/ClientUtils.java
+++ b/clients/src/main/java/org/apache/kafka/clients/ClientUtils.java
@@ -23,6 +23,7 @@ import org.apache.kafka.common.protocol.SecurityProtocol;
 import org.apache.kafka.common.network.ChannelBuilder;
 import org.apache.kafka.common.network.SSLChannelBuilder;
 import org.apache.kafka.common.network.PlainTextChannelBuilder;
+import org.apache.kafka.common.network.SSLFactory;
 import org.apache.kafka.common.config.ConfigException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -77,7 +78,7 @@ public class ClientUtils {
         SecurityProtocol securityProtocol = SecurityProtocol.valueOf((String) configs.get(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG));
 
         if (securityProtocol == SecurityProtocol.SSL) {
-            channelBuilder = new SSLChannelBuilder();
+            channelBuilder = new SSLChannelBuilder(SSLFactory.Mode.CLIENT);
         } else {
             channelBuilder = new PlainTextChannelBuilder();
         }
diff --git a/clients/src/main/java/org/apache/kafka/clients/consumer/ConsumerConfig.java b/clients/src/main/java/org/apache/kafka/clients/consumer/ConsumerConfig.java
index 3027674..a5de3ea 100644
--- a/clients/src/main/java/org/apache/kafka/clients/consumer/ConsumerConfig.java
+++ b/clients/src/main/java/org/apache/kafka/clients/consumer/ConsumerConfig.java
@@ -19,7 +19,7 @@ import org.apache.kafka.common.config.ConfigDef;
 import org.apache.kafka.common.config.ConfigDef.Importance;
 import org.apache.kafka.common.config.ConfigDef.Type;
 import org.apache.kafka.common.serialization.Deserializer;
-import org.apache.kafka.common.config.SecurityConfigs;
+import org.apache.kafka.common.config.SSLConfigs;
 
 import java.util.HashMap;
 import java.util.Map;
@@ -160,9 +160,6 @@ public class ConsumerConfig extends AbstractConfig {
     /** connections.max.idle.ms */
     public static final String CONNECTIONS_MAX_IDLE_MS_CONFIG = CommonClientConfigs.CONNECTIONS_MAX_IDLE_MS_CONFIG;
 
-    /** connections.max.idle.ms */
-    public static final String CONNECTIONS_MAX_IDLE_MS_CONFIG = CommonClientConfigs.CONNECTIONS_MAX_IDLE_MS_CONFIG;
-
 
     static {
         CONFIG = new ConfigDef().define(BOOTSTRAP_SERVERS_CONFIG,
@@ -286,21 +283,21 @@ public class ConsumerConfig extends AbstractConfig {
                                         Importance.HIGH,
                                         VALUE_DESERIALIZER_CLASS_DOC)
                                 .define(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, Type.STRING, CommonClientConfigs.DEFAULT_SECURITY_PROTOCOL, Importance.MEDIUM, CommonClientConfigs.SECURITY_PROTOCOL_DOC)
-                                .define(SecurityConfigs.PRINCIPAL_BUILDER_CLASS_CONFIG, Type.CLASS, SecurityConfigs.DEFAULT_PRINCIPAL_BUILDER_CLASS, Importance.LOW, SecurityConfigs.PRINCIPAL_BUILDER_CLASS_DOC)
-                                .define(SecurityConfigs.SSL_PROTOCOL_CONFIG, Type.STRING, SecurityConfigs.DEFAULT_SSL_PROTOCOL, Importance.MEDIUM, SecurityConfigs.SSL_PROTOCOL_DOC)
-                                .define(SecurityConfigs.SSL_PROVIDER_CONFIG, Type.STRING, Importance.MEDIUM, SecurityConfigs.SSL_PROVIDER_DOC, false)
-                                .define(SecurityConfigs.SSL_CIPHER_SUITES_CONFIG, Type.LIST, Importance.LOW, SecurityConfigs.SSL_CIPHER_SUITES_DOC, false)
-                                .define(SecurityConfigs.SSL_ENABLED_PROTOCOLS_CONFIG, Type.LIST, SecurityConfigs.DEFAULT_ENABLED_PROTOCOLS, Importance.MEDIUM, SecurityConfigs.SSL_ENABLED_PROTOCOLS_DOC)
-                                .define(SecurityConfigs.SSL_KEYSTORE_TYPE_CONFIG, Type.STRING, SecurityConfigs.DEFAULT_SSL_KEYSTORE_TYPE, Importance.MEDIUM, SecurityConfigs.SSL_KEYSTORE_TYPE_DOC)
-                                .define(SecurityConfigs.SSL_KEYSTORE_LOCATION_CONFIG, Type.STRING, Importance.HIGH, SecurityConfigs.SSL_KEYSTORE_LOCATION_DOC, false)
-                                .define(SecurityConfigs.SSL_KEYSTORE_PASSWORD_CONFIG, Type.STRING, Importance.HIGH, SecurityConfigs.SSL_KEYSTORE_PASSWORD_DOC, false)
-                                .define(SecurityConfigs.SSL_KEY_PASSWORD_CONFIG, Type.STRING, Importance.HIGH, SecurityConfigs.SSL_KEY_PASSWORD_DOC, false)
-                                .define(SecurityConfigs.SSL_TRUSTSTORE_TYPE_CONFIG, Type.STRING, SecurityConfigs.DEFAULT_SSL_TRUSTSTORE_TYPE, Importance.MEDIUM, SecurityConfigs.SSL_TRUSTSTORE_TYPE_DOC)
-                                .define(SecurityConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG, Type.STRING, SecurityConfigs.DEFAULT_TRUSTSTORE_LOCATION, Importance.HIGH, SecurityConfigs.SSL_TRUSTSTORE_LOCATION_DOC)
-                                .define(SecurityConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG, Type.STRING, SecurityConfigs.DEFAULT_TRUSTSTORE_PASSWORD, Importance.HIGH, SecurityConfigs.SSL_TRUSTSTORE_PASSWORD_DOC)
-                                .define(SecurityConfigs.SSL_KEYMANAGER_ALGORITHM_CONFIG, Type.STRING, SecurityConfigs.DEFAULT_SSL_KEYMANGER_ALGORITHM, Importance.LOW, SecurityConfigs.SSL_KEYMANAGER_ALGORITHM_DOC)
-                                .define(SecurityConfigs.SSL_TRUSTMANAGER_ALGORITHM_CONFIG, Type.STRING, SecurityConfigs.DEFAULT_SSL_TRUSTMANAGER_ALGORITHM, Importance.LOW, SecurityConfigs.SSL_TRUSTMANAGER_ALGORITHM_DOC)
-                                .define(SecurityConfigs.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG, Type.STRING, Importance.LOW, SecurityConfigs.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_DOC, false)
+                                .define(SSLConfigs.PRINCIPAL_BUILDER_CLASS_CONFIG, Type.CLASS, SSLConfigs.DEFAULT_PRINCIPAL_BUILDER_CLASS, Importance.LOW, SSLConfigs.PRINCIPAL_BUILDER_CLASS_DOC)
+                                .define(SSLConfigs.SSL_PROTOCOL_CONFIG, Type.STRING, SSLConfigs.DEFAULT_SSL_PROTOCOL, Importance.MEDIUM, SSLConfigs.SSL_PROTOCOL_DOC)
+                                .define(SSLConfigs.SSL_PROVIDER_CONFIG, Type.STRING, Importance.MEDIUM, SSLConfigs.SSL_PROVIDER_DOC, false)
+                                .define(SSLConfigs.SSL_CIPHER_SUITES_CONFIG, Type.LIST, Importance.LOW, SSLConfigs.SSL_CIPHER_SUITES_DOC, false)
+                                .define(SSLConfigs.SSL_ENABLED_PROTOCOLS_CONFIG, Type.LIST, SSLConfigs.DEFAULT_ENABLED_PROTOCOLS, Importance.MEDIUM, SSLConfigs.SSL_ENABLED_PROTOCOLS_DOC)
+                                .define(SSLConfigs.SSL_KEYSTORE_TYPE_CONFIG, Type.STRING, SSLConfigs.DEFAULT_SSL_KEYSTORE_TYPE, Importance.MEDIUM, SSLConfigs.SSL_KEYSTORE_TYPE_DOC)
+                                .define(SSLConfigs.SSL_KEYSTORE_LOCATION_CONFIG, Type.STRING, Importance.HIGH, SSLConfigs.SSL_KEYSTORE_LOCATION_DOC, false)
+                                .define(SSLConfigs.SSL_KEYSTORE_PASSWORD_CONFIG, Type.STRING, Importance.HIGH, SSLConfigs.SSL_KEYSTORE_PASSWORD_DOC, false)
+                                .define(SSLConfigs.SSL_KEY_PASSWORD_CONFIG, Type.STRING, Importance.HIGH, SSLConfigs.SSL_KEY_PASSWORD_DOC, false)
+                                .define(SSLConfigs.SSL_TRUSTSTORE_TYPE_CONFIG, Type.STRING, SSLConfigs.DEFAULT_SSL_TRUSTSTORE_TYPE, Importance.MEDIUM, SSLConfigs.SSL_TRUSTSTORE_TYPE_DOC)
+                                .define(SSLConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG, Type.STRING, SSLConfigs.DEFAULT_TRUSTSTORE_LOCATION, Importance.HIGH, SSLConfigs.SSL_TRUSTSTORE_LOCATION_DOC)
+                                .define(SSLConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG, Type.STRING, SSLConfigs.DEFAULT_TRUSTSTORE_PASSWORD, Importance.HIGH, SSLConfigs.SSL_TRUSTSTORE_PASSWORD_DOC)
+                                .define(SSLConfigs.SSL_KEYMANAGER_ALGORITHM_CONFIG, Type.STRING, SSLConfigs.DEFAULT_SSL_KEYMANGER_ALGORITHM, Importance.LOW, SSLConfigs.SSL_KEYMANAGER_ALGORITHM_DOC)
+                                .define(SSLConfigs.SSL_TRUSTMANAGER_ALGORITHM_CONFIG, Type.STRING, SSLConfigs.DEFAULT_SSL_TRUSTMANAGER_ALGORITHM, Importance.LOW, SSLConfigs.SSL_TRUSTMANAGER_ALGORITHM_DOC)
+                                .define(SSLConfigs.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG, Type.STRING, Importance.LOW, SSLConfigs.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_DOC, false)
                                 /* default is set to be a bit lower than the server default (10 min), to avoid both client and server closing connection at same time */
                                 .define(CONNECTIONS_MAX_IDLE_MS_CONFIG,
                                         Type.LONG,
diff --git a/clients/src/main/java/org/apache/kafka/clients/consumer/KafkaConsumer.java b/clients/src/main/java/org/apache/kafka/clients/consumer/KafkaConsumer.java
index 6a12ac6..9f9d954 100644
--- a/clients/src/main/java/org/apache/kafka/clients/consumer/KafkaConsumer.java
+++ b/clients/src/main/java/org/apache/kafka/clients/consumer/KafkaConsumer.java
@@ -474,7 +474,7 @@ public class KafkaConsumer implements Consumer {
             metricsTags.put("client-id", clientId);
             ChannelBuilder channelBuilder = ClientUtils.createChannelBuilder(config.values());
             this.client = new NetworkClient(
-                    new Selector(config.getLong(ConsumerConfig.CONNECTIONS_MAX_IDLE_MS_CONFIG), metrics, time, metricGrpPrefix, metricsTags, ChannelBuilder),
+                    new Selector(config.getLong(ConsumerConfig.CONNECTIONS_MAX_IDLE_MS_CONFIG), metrics, time, metricGrpPrefix, metricsTags, channelBuilder),
                     this.metadata,
                     clientId,
                     100, // a fixed large enough value will suffice
diff --git a/clients/src/main/java/org/apache/kafka/clients/producer/ProducerConfig.java b/clients/src/main/java/org/apache/kafka/clients/producer/ProducerConfig.java
index 1bae0ca..06f00a9 100644
--- a/clients/src/main/java/org/apache/kafka/clients/producer/ProducerConfig.java
+++ b/clients/src/main/java/org/apache/kafka/clients/producer/ProducerConfig.java
@@ -22,7 +22,7 @@ import java.util.Properties;
 
 import org.apache.kafka.clients.CommonClientConfigs;
 import org.apache.kafka.common.config.AbstractConfig;
-import org.apache.kafka.common.config.SecurityConfigs;
+import org.apache.kafka.common.config.SSLConfigs;
 import org.apache.kafka.common.config.ConfigDef;
 import org.apache.kafka.common.config.ConfigDef.Importance;
 import org.apache.kafka.common.config.ConfigDef.Type;
@@ -227,21 +227,21 @@ public class ProducerConfig extends AbstractConfig {
                                 .define(KEY_SERIALIZER_CLASS_CONFIG, Type.CLASS, Importance.HIGH, KEY_SERIALIZER_CLASS_DOC)
                                 .define(VALUE_SERIALIZER_CLASS_CONFIG, Type.CLASS, Importance.HIGH, VALUE_SERIALIZER_CLASS_DOC)
                                 .define(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, Type.STRING, CommonClientConfigs.DEFAULT_SECURITY_PROTOCOL, Importance.MEDIUM, CommonClientConfigs.SECURITY_PROTOCOL_DOC)
-                                .define(SecurityConfigs.PRINCIPAL_BUILDER_CLASS_CONFIG, Type.CLASS, SecurityConfigs.DEFAULT_PRINCIPAL_BUILDER_CLASS, Importance.LOW, SecurityConfigs.PRINCIPAL_BUILDER_CLASS_DOC)
-                                .define(SecurityConfigs.SSL_PROTOCOL_CONFIG, Type.STRING, SecurityConfigs.DEFAULT_SSL_PROTOCOL, Importance.MEDIUM, SecurityConfigs.SSL_PROTOCOL_DOC)
-                                .define(SecurityConfigs.SSL_PROVIDER_CONFIG, Type.STRING, Importance.MEDIUM, SecurityConfigs.SSL_PROVIDER_DOC, false)
-                                .define(SecurityConfigs.SSL_CIPHER_SUITES_CONFIG, Type.LIST, Importance.LOW, SecurityConfigs.SSL_CIPHER_SUITES_DOC, false)
-                                .define(SecurityConfigs.SSL_ENABLED_PROTOCOLS_CONFIG, Type.LIST, SecurityConfigs.DEFAULT_ENABLED_PROTOCOLS, Importance.MEDIUM, SecurityConfigs.SSL_ENABLED_PROTOCOLS_DOC)
-                                .define(SecurityConfigs.SSL_KEYSTORE_TYPE_CONFIG, Type.STRING, SecurityConfigs.DEFAULT_SSL_KEYSTORE_TYPE, Importance.MEDIUM, SecurityConfigs.SSL_KEYSTORE_TYPE_DOC)
-                                .define(SecurityConfigs.SSL_KEYSTORE_LOCATION_CONFIG, Type.STRING, Importance.HIGH, SecurityConfigs.SSL_KEYSTORE_LOCATION_DOC, false)
-                                .define(SecurityConfigs.SSL_KEYSTORE_PASSWORD_CONFIG, Type.STRING, Importance.HIGH, SecurityConfigs.SSL_KEYSTORE_PASSWORD_DOC, false)
-                                .define(SecurityConfigs.SSL_KEY_PASSWORD_CONFIG, Type.STRING, Importance.HIGH, SecurityConfigs.SSL_KEY_PASSWORD_DOC, false)
-                                .define(SecurityConfigs.SSL_TRUSTSTORE_TYPE_CONFIG, Type.STRING, SecurityConfigs.DEFAULT_SSL_TRUSTSTORE_TYPE, Importance.MEDIUM, SecurityConfigs.SSL_TRUSTSTORE_TYPE_DOC)
-                                .define(SecurityConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG, Type.STRING, SecurityConfigs.DEFAULT_TRUSTSTORE_LOCATION, Importance.HIGH, SecurityConfigs.SSL_TRUSTSTORE_LOCATION_DOC)
-                                .define(SecurityConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG, Type.STRING, SecurityConfigs.DEFAULT_TRUSTSTORE_PASSWORD, Importance.HIGH, SecurityConfigs.SSL_TRUSTSTORE_PASSWORD_DOC)
-                                .define(SecurityConfigs.SSL_KEYMANAGER_ALGORITHM_CONFIG, Type.STRING, SecurityConfigs.DEFAULT_SSL_KEYMANGER_ALGORITHM, Importance.LOW, SecurityConfigs.SSL_KEYMANAGER_ALGORITHM_DOC)
-                                .define(SecurityConfigs.SSL_TRUSTMANAGER_ALGORITHM_CONFIG, Type.STRING, SecurityConfigs.DEFAULT_SSL_TRUSTMANAGER_ALGORITHM, Importance.LOW, SecurityConfigs.SSL_TRUSTMANAGER_ALGORITHM_DOC)
-                                .define(SecurityConfigs.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG, Type.STRING, Importance.LOW, SecurityConfigs.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_DOC, false);
+                                .define(SSLConfigs.PRINCIPAL_BUILDER_CLASS_CONFIG, Type.CLASS, SSLConfigs.DEFAULT_PRINCIPAL_BUILDER_CLASS, Importance.LOW, SSLConfigs.PRINCIPAL_BUILDER_CLASS_DOC)
+                                .define(SSLConfigs.SSL_PROTOCOL_CONFIG, Type.STRING, SSLConfigs.DEFAULT_SSL_PROTOCOL, Importance.MEDIUM, SSLConfigs.SSL_PROTOCOL_DOC)
+                                .define(SSLConfigs.SSL_PROVIDER_CONFIG, Type.STRING, Importance.MEDIUM, SSLConfigs.SSL_PROVIDER_DOC, false)
+                                .define(SSLConfigs.SSL_CIPHER_SUITES_CONFIG, Type.LIST, Importance.LOW, SSLConfigs.SSL_CIPHER_SUITES_DOC, false)
+                                .define(SSLConfigs.SSL_ENABLED_PROTOCOLS_CONFIG, Type.LIST, SSLConfigs.DEFAULT_ENABLED_PROTOCOLS, Importance.MEDIUM, SSLConfigs.SSL_ENABLED_PROTOCOLS_DOC)
+                                .define(SSLConfigs.SSL_KEYSTORE_TYPE_CONFIG, Type.STRING, SSLConfigs.DEFAULT_SSL_KEYSTORE_TYPE, Importance.MEDIUM, SSLConfigs.SSL_KEYSTORE_TYPE_DOC)
+                                .define(SSLConfigs.SSL_KEYSTORE_LOCATION_CONFIG, Type.STRING, Importance.HIGH, SSLConfigs.SSL_KEYSTORE_LOCATION_DOC, false)
+                                .define(SSLConfigs.SSL_KEYSTORE_PASSWORD_CONFIG, Type.STRING, Importance.HIGH, SSLConfigs.SSL_KEYSTORE_PASSWORD_DOC, false)
+                                .define(SSLConfigs.SSL_KEY_PASSWORD_CONFIG, Type.STRING, Importance.HIGH, SSLConfigs.SSL_KEY_PASSWORD_DOC, false)
+                                .define(SSLConfigs.SSL_TRUSTSTORE_TYPE_CONFIG, Type.STRING, SSLConfigs.DEFAULT_SSL_TRUSTSTORE_TYPE, Importance.MEDIUM, SSLConfigs.SSL_TRUSTSTORE_TYPE_DOC)
+                                .define(SSLConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG, Type.STRING, SSLConfigs.DEFAULT_TRUSTSTORE_LOCATION, Importance.HIGH, SSLConfigs.SSL_TRUSTSTORE_LOCATION_DOC)
+                                .define(SSLConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG, Type.STRING, SSLConfigs.DEFAULT_TRUSTSTORE_PASSWORD, Importance.HIGH, SSLConfigs.SSL_TRUSTSTORE_PASSWORD_DOC)
+                                .define(SSLConfigs.SSL_KEYMANAGER_ALGORITHM_CONFIG, Type.STRING, SSLConfigs.DEFAULT_SSL_KEYMANGER_ALGORITHM, Importance.LOW, SSLConfigs.SSL_KEYMANAGER_ALGORITHM_DOC)
+                                .define(SSLConfigs.SSL_TRUSTMANAGER_ALGORITHM_CONFIG, Type.STRING, SSLConfigs.DEFAULT_SSL_TRUSTMANAGER_ALGORITHM, Importance.LOW, SSLConfigs.SSL_TRUSTMANAGER_ALGORITHM_DOC)
+                                .define(SSLConfigs.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG, Type.STRING, Importance.LOW, SSLConfigs.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_DOC, false)
                                 /* default is set to be a bit lower than the server default (10 min), to avoid both client and server closing connection at same time */
                                 .define(CONNECTIONS_MAX_IDLE_MS_CONFIG, Type.LONG, 9 * 60 * 1000, Importance.MEDIUM, CommonClientConfigs.CONNECTIONS_MAX_IDLE_MS_DOC)
                                 .define(PARTITIONER_CLASS_CONFIG, Type.CLASS, "org.apache.kafka.clients.producer.internals.DefaultPartitioner", Importance.MEDIUM, PARTITIONER_CLASS_DOC);
diff --git a/clients/src/main/java/org/apache/kafka/common/config/SSLConfigs.java b/clients/src/main/java/org/apache/kafka/common/config/SSLConfigs.java
new file mode 100644
index 0000000..e861358
--- /dev/null
+++ b/clients/src/main/java/org/apache/kafka/common/config/SSLConfigs.java
@@ -0,0 +1,97 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE
+ * file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file
+ * to You under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the
+ * License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+ * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+
+package org.apache.kafka.common.config;
+
+import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.KeyManagerFactory;
+
+public class SSLConfigs {
+    /*
+     * NOTE: DO NOT CHANGE EITHER CONFIG NAMES AS THESE ARE PART OF THE PUBLIC API AND CHANGE WILL BREAK USER CODE.
+     */
+
+    public static final String PRINCIPAL_BUILDER_CLASS_CONFIG = "principal.builder.class";
+    public static final String PRINCIPAL_BUILDER_CLASS_DOC = "principal builder to generate a java Principal. This config is optional for client.";
+    public static final String DEFAULT_PRINCIPAL_BUILDER_CLASS = "org.apache.kafka.common.security.auth.DefaultPrincipalBuilder";
+
+    public static final String SSL_PROTOCOL_CONFIG = "ssl.protocol";
+    public static final String SSL_PROTOCOL_DOC = "The ssl protocol used to generate SSLContext."
+            + "Default setting is TLS. Allowed values are SSL, SSLv2, SSLv3, TLS, TLSv1.1, TLSv1.2";
+    public static final String DEFAULT_SSL_PROTOCOL = "TLS";
+
+    public static final String SSL_PROVIDER_CONFIG = "ssl.provider";
+    public static final String SSL_PROVIDER_DOC = "The name of the security provider used for SSL connections. Default value is the default security provider of the JVM.";
+
+    public static final String SSL_CIPHER_SUITES_CONFIG = "ssl.cipher.suites";
+    public static final String SSL_CIPHER_SUITES_DOC = "A cipher suite is a named combination of authentication, encryption, MAC and key exchange algorithm used to negotiate the security settings for a network connection using TLS or SSL network protocol."
+            + "By default all the available cipher suites are supported.";
+
+    public static final String SSL_ENABLED_PROTOCOLS_CONFIG = "ssl.enabled.protocols";
+    public static final String SSL_ENABLED_PROTOCOLS_DOC = "The list of protocols enabled for SSL connections. "
+            + "All versions of TLS is enabled by default.";
+    public static final String DEFAULT_ENABLED_PROTOCOLS = "TLSv1.2,TLSv1.1,TLSv1";
+
+    public static final String SSL_KEYSTORE_TYPE_CONFIG = "ssl.keystore.type";
+    public static final String SSL_KEYSTORE_TYPE_DOC = "The file format of the key store file. "
+            + "This is optional for client. Default value is JKS";
+    public static final String DEFAULT_SSL_KEYSTORE_TYPE = "JKS";
+
+    public static final String SSL_KEYSTORE_LOCATION_CONFIG = "ssl.keystore.location";
+    public static final String SSL_KEYSTORE_LOCATION_DOC = "The location of the key store file. "
+        + "This is optional for Client and can be used for two-way authentication for client.";
+
+    public static final String SSL_KEYSTORE_PASSWORD_CONFIG = "ssl.keystore.password";
+    public static final String SSL_KEYSTORE_PASSWORD_DOC = "The store password for the key store file."
+        + "This is optional for client and only needed if the ssl.keystore.location configured. ";
+
+    public static final String SSL_KEY_PASSWORD_CONFIG = "ssl.key.password";
+    public static final String SSL_KEY_PASSWORD_DOC = "The password of the private key in the key store file. "
+            + "This is optional for client.";
+
+    public static final String SSL_TRUSTSTORE_TYPE_CONFIG = "ssl.truststore.type";
+    public static final String SSL_TRUSTSTORE_TYPE_DOC = "The file format of the trust store file. "
+            + "Default value is JKS.";
+    public static final String DEFAULT_SSL_TRUSTSTORE_TYPE = "JKS";
+
+    public static final String SSL_TRUSTSTORE_LOCATION_CONFIG = "ssl.truststore.location";
+    public static final String SSL_TRUSTSTORE_LOCATION_DOC = "The location of the trust store file. ";
+    public static final String DEFAULT_TRUSTSTORE_LOCATION = "/tmp/ssl.truststore.jks";
+
+    public static final String SSL_TRUSTSTORE_PASSWORD_CONFIG = "ssl.truststore.password";
+    public static final String SSL_TRUSTSTORE_PASSWORD_DOC = "The password for the trust store file. ";
+    public static final String DEFAULT_TRUSTSTORE_PASSWORD = "truststore_password";
+
+    public static final String SSL_KEYMANAGER_ALGORITHM_CONFIG = "ssl.keymanager.algorithm";
+    public static final String SSL_KEYMANAGER_ALGORITHM_DOC = "The algorithm used by key manager factory for SSL connections. "
+            + "Default value is the key manager factory algorithm configured for the Java Virtual Machine.";
+    public static final String DEFAULT_SSL_KEYMANGER_ALGORITHM = KeyManagerFactory.getDefaultAlgorithm();
+
+    public static final String SSL_TRUSTMANAGER_ALGORITHM_CONFIG = "ssl.trustmanager.algorithm";
+    public static final String SSL_TRUSTMANAGER_ALGORITHM_DOC = "The algorithm used by trust manager factory for SSL connections. "
+            + "Default value is the trust manager factory algorithm configured for the Java Virtual Machine.";
+    public static final String DEFAULT_SSL_TRUSTMANAGER_ALGORITHM = TrustManagerFactory.getDefaultAlgorithm();
+
+    public static final String SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG = "ssl.endpoint.identification.algorithm";
+    public static final String SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_DOC = "The endpoint identification algorithm to validate server hostname using server certificate. ";
+
+    public static final String SSL_NEED_CLIENT_AUTH_CONFIG = "ssl.need.client.auth";
+    public static final String SSL_NEED_CLIENT_AUTH_DOC = "If set to true kafka broker requires all the ssl client connecting to provide client authentication. "
+        + "Default value is false";
+    public static final Boolean DEFAULT_SSL_NEED_CLIENT_AUTH = false;
+
+    public static final String SSL_WANT_CLIENT_AUTH_CONFIG = "ssl.want.client.auth";
+    public static final String SSL_WANT_CLIENT_AUTH_DOC = "If set to true kafka broker requests for client authentication. Clients without any certificates can still be able to connect using SSL.";
+    public static final Boolean DEFAULT_SSL_WANT_CLIENT_AUTH = false;
+
+}
diff --git a/clients/src/main/java/org/apache/kafka/common/config/SecurityConfigs.java b/clients/src/main/java/org/apache/kafka/common/config/SecurityConfigs.java
deleted file mode 100644
index c2f2181..0000000
--- a/clients/src/main/java/org/apache/kafka/common/config/SecurityConfigs.java
+++ /dev/null
@@ -1,102 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE
- * file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file
- * to You under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the
- * License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
- * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package org.apache.kafka.common.config;
-
-import javax.net.ssl.TrustManagerFactory;
-import javax.net.ssl.KeyManagerFactory;
-
-public class SecurityConfigs {
-    /*
-     * NOTE: DO NOT CHANGE EITHER CONFIG NAMES AS THESE ARE PART OF THE PUBLIC API AND CHANGE WILL BREAK USER CODE.
-     */
-
-    public static final String PRINCIPAL_BUILDER_CLASS_CONFIG = "principal.builder.class";
-    public static final String PRINCIPAL_BUILDER_CLASS_DOC = "principal builder to generate a java Principal. This config is optional for client.";
-    public static final String DEFAULT_PRINCIPAL_BUILDER_CLASS = "org.apache.kafka.common.security.auth.DefaultPrincipalBuilder";
-
-    public static final String SSL_PROTOCOL_CONFIG = "ssl.protocol";
-    public static final String SSL_PROTOCOL_DOC = "The ssl protocol used to generate SSLContext."
-            + "Default setting is TLS. Allowed values are SSL, SSLv2, SSLv3, TLS, TLSv1.1, TLSv1.2";
-    public static final String DEFAULT_SSL_PROTOCOL = "TLS";
-
-    public static final String SSL_PROVIDER_CONFIG = "ssl.provider";
-    public static final String SSL_PROVIDER_DOC = "The name of the security provider used for SSL connections. Default value is the default security provider of the JVM.";
-
-    public static final String SSL_CIPHER_SUITES_CONFIG = "ssl.cipher.suites";
-    public static final String SSL_CIPHER_SUITES_DOC = "A cipher suite is a named combination of authentication, encryption, MAC and key exchange algorithm used to negotiate the security settings for a network connection using TLS or SSL network protocol."
-            + "By default all the available cipher suites are supported.";
-
-    public static final String SSL_ENABLED_PROTOCOLS_CONFIG = "ssl.enabled.protocols";
-    public static final String SSL_ENABLED_PROTOCOLS_DOC = "The list of protocols enabled for SSL connections. "
-            + "All versions of TLS is enabled by default.";
-    public static final String DEFAULT_ENABLED_PROTOCOLS = "TLSv1.2,TLSv1.1,TLSv1";
-
-    public static final String SSL_KEYSTORE_TYPE_CONFIG = "ssl.keystore.type";
-    public static final String SSL_KEYSTORE_TYPE_DOC = "The file format of the key store file. "
-            + "This is optional for client. Default value is JKS";
-    public static final String DEFAULT_SSL_KEYSTORE_TYPE = "JKS";
-
-    public static final String SSL_KEYSTORE_LOCATION_CONFIG = "ssl.keystore.location";
-    public static final String SSL_KEYSTORE_LOCATION_DOC = "The location of the key store file. "
-        + "This is optional for Client and can be used for two-way authentication for client.";
-
-    public static final String SSL_KEYSTORE_PASSWORD_CONFIG = "ssl.keystore.password";
-    public static final String SSL_KEYSTORE_PASSWORD_DOC = "The store password for the key store file."
-        + "This is optional for client and only needed if the ssl.keystore.location configured. ";
-
-    public static final String SSL_KEY_PASSWORD_CONFIG = "ssl.key.password";
-    public static final String SSL_KEY_PASSWORD_DOC = "The password of the private key in the key store file. "
-            + "This is optional for client.";
-
-    public static final String SSL_TRUSTSTORE_TYPE_CONFIG = "ssl.truststore.type";
-    public static final String SSL_TRUSTSTORE_TYPE_DOC = "The file format of the trust store file. "
-            + "Default value is JKS.";
-    public static final String DEFAULT_SSL_TRUSTSTORE_TYPE = "JKS";
-
-    public static final String SSL_TRUSTSTORE_LOCATION_CONFIG = "ssl.truststore.location";
-    public static final String SSL_TRUSTSTORE_LOCATION_DOC = "The location of the trust store file. ";
-    public static final String DEFAULT_TRUSTSTORE_LOCATION = "/tmp/ssl.truststore.jks";
-
-    public static final String SSL_TRUSTSTORE_PASSWORD_CONFIG = "ssl.truststore.password";
-    public static final String SSL_TRUSTSTORE_PASSWORD_DOC = "The password for the trust store file. ";
-    public static final String DEFAULT_TRUSTSTORE_PASSWORD = "truststore_password";
-
-    public static final String SSL_CLIENT_REQUIRE_CERT_CONFIG = "ssl.client.require.cert";
-    public static final String SSL_CLIENT_REQUIRE_CERT_DOC = "This is to enforce two-way authentication between client and server."
-            + "Default value is false. If set to true client needs to provide Keystore related config";
-    public static final Boolean DEFAULT_SSL_CLIENT_REQUIRE_CERT = false;
-
-    public static final String SSL_KEYMANAGER_ALGORITHM_CONFIG = "ssl.keymanager.algorithm";
-    public static final String SSL_KEYMANAGER_ALGORITHM_DOC = "The algorithm used by key manager factory for SSL connections. "
-            + "Default value is the key manager factory algorithm configured for the Java Virtual Machine.";
-    public static final String DEFAULT_SSL_KEYMANGER_ALGORITHM = KeyManagerFactory.getDefaultAlgorithm();
-
-    public static final String SSL_TRUSTMANAGER_ALGORITHM_CONFIG = "ssl.trustmanager.algorithm";
-    public static final String SSL_TRUSTMANAGER_ALGORITHM_DOC = "The algorithm used by trust manager factory for SSL connections. "
-            + "Default value is the trust manager factory algorithm configured for the Java Virtual Machine.";
-    public static final String DEFAULT_SSL_TRUSTMANAGER_ALGORITHM = TrustManagerFactory.getDefaultAlgorithm();
-
-    public static final String SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG = "ssl.endpoint.identification.algorithm";
-    public static final String SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_DOC = "The endpoint identification algorithm to validate server hostname using server certificate. ";
-
-    public static final String SSL_NEED_CLIENT_AUTH_CONFIG = "ssl.need.client.auth";
-    public static final String SSL_NEED_CLIENT_AUTH_CONFIG_DOC = "If set to true kafka broker requires all the ssl client connecting to provide client authentication. "
-        + "Default value is false";
-    public static final Boolean DEFAULT_SSL_NEED_CLIENT_AUTH = false;
-
-    public static final String SSL_WANT_CLIENT_AUTH_CONFIG = "ssl.want.client.auth";
-    public static final String SSL_WANT_CLIENT_AUTH_CONFIG_DOC = "If set to true kafka broker requests for client authentication. Clients without any certificates can still be able to connect using SSL.";
-    public static final Boolean DEFAULT_SSL_WANT_CLIENT_AUTH = false;
-
-}
diff --git a/clients/src/main/java/org/apache/kafka/common/network/ByteBufferReceive.java b/clients/src/main/java/org/apache/kafka/common/network/ByteBufferReceive.java
index 44cf70a..159c301 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/ByteBufferReceive.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/ByteBufferReceive.java
@@ -18,6 +18,7 @@ package org.apache.kafka.common.network;
 
 import java.io.IOException;
 import java.nio.ByteBuffer;
+import java.nio.channels.ScatteringByteChannel;
 
 /**
  * A receive backed by an array of ByteBuffers
@@ -47,8 +48,8 @@ public class ByteBufferReceive implements Receive {
     }
 
     @Override
-    public long readFrom(TransportLayer transportLayer) throws IOException {
-        long read = transportLayer.read(buffers);
+    public long readFrom(ScatteringByteChannel channel) throws IOException {
+        long read = channel.read(buffers);
         remaining += read;
         return read;
     }
diff --git a/clients/src/main/java/org/apache/kafka/common/network/ByteBufferSend.java b/clients/src/main/java/org/apache/kafka/common/network/ByteBufferSend.java
index 9ab6dc7..85babbd 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/ByteBufferSend.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/ByteBufferSend.java
@@ -15,6 +15,7 @@ package org.apache.kafka.common.network;
 import java.io.EOFException;
 import java.io.IOException;
 import java.nio.ByteBuffer;
+import java.nio.channels.GatheringByteChannel;
 
 /**
  * A send backed by an array of byte buffers
@@ -52,12 +53,17 @@ public class ByteBufferSend implements Send {
     }
 
     @Override
-    public long writeTo(TransportLayer transportLayer) throws IOException {
-        long written = transportLayer.write(buffers);
+    public long writeTo(GatheringByteChannel channel) throws IOException {
+        long written = channel.write(buffers);
         if (written < 0)
             throw new EOFException("Wrote negative bytes to channel. This shouldn't happen.");
         remaining -= written;
-        pending = transportLayer.pending();
+        // This is temporary workaround. As Send , Receive interfaces are being used by BlockingChannel.
+        // Once BlockingChannel is removed we can make Send, Receive to work with transportLayer rather than
+        // GatheringByteChannel or ScatteringByteChannel.
+        if (channel instanceof SSLTransportLayer) {
+            pending = ((SSLTransportLayer) channel).pending();
+        }
         return written;
     }
 }
diff --git a/clients/src/main/java/org/apache/kafka/common/network/Channel.java b/clients/src/main/java/org/apache/kafka/common/network/Channel.java
index fc285b8..9f76319 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/Channel.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/Channel.java
@@ -31,13 +31,13 @@ import org.slf4j.LoggerFactory;
 
 public class Channel {
     private static final Logger log = LoggerFactory.getLogger(Channel.class);
-    private final int id;
+    private final String id;
     private TransportLayer transportLayer;
     private Authenticator authenticator;
     private NetworkReceive receive;
-    private NetworkSend send;
+    private Send send;
 
-    public Channel(int id, TransportLayer transportLayer, Authenticator authenticator) throws IOException {
+    public Channel(String id, TransportLayer transportLayer, Authenticator authenticator) throws IOException {
         this.id = id;
         this.transportLayer = transportLayer;
         this.authenticator = authenticator;
@@ -78,7 +78,7 @@ public class Channel {
         transportLayer.finishConnect();
     }
 
-    public int id() {
+    public String id() {
         return id;
     }
 
@@ -104,7 +104,7 @@ public class Channel {
             return socket.getLocalAddress().toString();
     }
 
-    public void setSend(NetworkSend send) {
+    public void setSend(Send send) {
         if (this.send != null)
             throw new IllegalStateException("Attempt to begin a send operation with prior send operation still in progress.");
         this.send = send;
@@ -126,8 +126,8 @@ public class Channel {
         return result;
     }
 
-    public NetworkSend write() throws IOException {
-        NetworkSend result = null;
+    public Send write() throws IOException {
+        Send result = null;
         if (send != null && send(send)) {
             result = send;
             send = null;
@@ -140,7 +140,7 @@ public class Channel {
         return result;
     }
 
-    private boolean send(NetworkSend send) throws IOException {
+    private boolean send(Send send) throws IOException {
         send.writeTo(transportLayer);
         if (send.completed()) {
             transportLayer.removeInterestOps(SelectionKey.OP_WRITE);
diff --git a/clients/src/main/java/org/apache/kafka/common/network/ChannelBuilder.java b/clients/src/main/java/org/apache/kafka/common/network/ChannelBuilder.java
index 8cdd0fc..a9a88db 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/ChannelBuilder.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/ChannelBuilder.java
@@ -30,10 +30,10 @@ public interface ChannelBuilder {
 
     /**
      * returns a Channel with TransportLayer and Authenticator configured.
-     * @param  id
-     * @param  socketChannel
+     * @param  id  channel id
+     * @param  key SelectionKey
      */
-    public Channel buildChannel(int id, SelectionKey key) throws KafkaException;
+    public Channel buildChannel(String id, SelectionKey key) throws KafkaException;
 
 
     /**
diff --git a/clients/src/main/java/org/apache/kafka/common/network/NetworkReceive.java b/clients/src/main/java/org/apache/kafka/common/network/NetworkReceive.java
index 0090e62..4fbc53c 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/NetworkReceive.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/NetworkReceive.java
@@ -67,18 +67,18 @@ public class NetworkReceive implements Receive {
         return !size.hasRemaining() && !buffer.hasRemaining();
     }
 
-    public long readFrom(ScatteringByteChannel transportLayer) throws IOException {
-        return readFromReadableChannel(transportLayer);
+    public long readFrom(ScatteringByteChannel channel) throws IOException {
+        return readFromReadableChannel(channel);
     }
 
     // Need a method to read from ReadableByteChannel because BlockingChannel requires read with timeout
     // See: http://stackoverflow.com/questions/2866557/timeout-for-socketchannel-doesnt-work
     // This can go away after we get rid of BlockingChannel
     @Deprecated
-    public long readFromReadableChannel(ReadableByteChannel transportLayer) throws IOException {
+    public long readFromReadableChannel(ReadableByteChannel channel) throws IOException {
         int read = 0;
         if (size.hasRemaining()) {
-            int bytesRead = transportLayer.read(size);
+            int bytesRead = channel.read(size);
             if (bytesRead < 0)
                 throw new EOFException();
             read += bytesRead;
@@ -93,7 +93,7 @@ public class NetworkReceive implements Receive {
             }
         }
         if (buffer != null) {
-            int bytesRead = transportLayer.read(buffer);
+            int bytesRead = channel.read(buffer);
             if (bytesRead < 0)
                 throw new EOFException();
             read += bytesRead;
@@ -108,10 +108,10 @@ public class NetworkReceive implements Receive {
 
     // Used only by BlockingChannel, so we may be able to get rid of this when/if we get rid of BlockingChannel
     @Deprecated
-    public long readCompletely(ReadableByteChannel transportLayer) throws IOException {
+    public long readCompletely(ReadableByteChannel channel) throws IOException {
         int totalRead = 0;
         while (!complete()) {
-            totalRead += readFromReadableChannel(transportLayer);
+            totalRead += readFromReadableChannel(channel);
         }
         return totalRead;
     }
diff --git a/clients/src/main/java/org/apache/kafka/common/network/PlainTextChannelBuilder.java b/clients/src/main/java/org/apache/kafka/common/network/PlainTextChannelBuilder.java
index ecef62a..eb2cbf3 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/PlainTextChannelBuilder.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/PlainTextChannelBuilder.java
@@ -16,7 +16,7 @@ import java.nio.channels.SelectionKey;
 import java.util.Map;
 
 import org.apache.kafka.common.security.auth.PrincipalBuilder;
-import org.apache.kafka.common.config.SecurityConfigs;
+import org.apache.kafka.common.config.SSLConfigs;
 import org.apache.kafka.common.utils.Utils;
 import org.apache.kafka.common.KafkaException;
 
@@ -30,14 +30,14 @@ public class PlainTextChannelBuilder implements ChannelBuilder {
 
     public void configure(Map configs) throws KafkaException {
         try {
-            this.principalBuilder = (PrincipalBuilder) Utils.newInstance((Class) configs.get(SecurityConfigs.PRINCIPAL_BUILDER_CLASS_CONFIG));
+            this.principalBuilder = (PrincipalBuilder) Utils.newInstance((Class) configs.get(SSLConfigs.PRINCIPAL_BUILDER_CLASS_CONFIG));
             this.principalBuilder.configure(configs);
         } catch (Exception e) {
             throw new KafkaException(e);
         }
     }
 
-    public Channel buildChannel(int id, SelectionKey key) throws KafkaException {
+    public Channel buildChannel(String id, SelectionKey key) throws KafkaException {
         Channel channel = null;
         try {
             PlainTextTransportLayer transportLayer = new PlainTextTransportLayer(key);
diff --git a/clients/src/main/java/org/apache/kafka/common/network/PlainTextTransportLayer.java b/clients/src/main/java/org/apache/kafka/common/network/PlainTextTransportLayer.java
index dbd35db..b7529a7 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/PlainTextTransportLayer.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/PlainTextTransportLayer.java
@@ -22,8 +22,6 @@ package org.apache.kafka.common.network;
  */
 
 import java.io.IOException;
-import java.io.DataInputStream;
-import java.io.DataOutputStream;
 import java.nio.ByteBuffer;
 import java.nio.channels.SocketChannel;
 import java.nio.channels.SelectionKey;
@@ -39,8 +37,6 @@ public class PlainTextTransportLayer implements TransportLayer {
     private static final Logger log = LoggerFactory.getLogger(PlainTextTransportLayer.class);
     private SelectionKey key;
     private SocketChannel socketChannel;
-    private DataInputStream inStream;
-    private DataOutputStream outStream;
     private final Principal principal = new KafkaPrincipal("ANONYMOUS");
 
     public PlainTextTransportLayer(SelectionKey key) throws IOException {
diff --git a/clients/src/main/java/org/apache/kafka/common/network/SSLChannelBuilder.java b/clients/src/main/java/org/apache/kafka/common/network/SSLChannelBuilder.java
index 2d89497..8ba9f00 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/SSLChannelBuilder.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/SSLChannelBuilder.java
@@ -17,7 +17,7 @@ import java.nio.channels.SocketChannel;
 import java.util.Map;
 
 import org.apache.kafka.common.security.auth.PrincipalBuilder;
-import org.apache.kafka.common.config.SecurityConfigs;
+import org.apache.kafka.common.config.SSLConfigs;
 import org.apache.kafka.common.utils.Utils;
 import org.apache.kafka.common.KafkaException;
 import org.slf4j.Logger;
@@ -27,19 +27,24 @@ public class SSLChannelBuilder implements ChannelBuilder {
     private static final Logger log = LoggerFactory.getLogger(SSLChannelBuilder.class);
     private SSLFactory sslFactory;
     private PrincipalBuilder principalBuilder;
+    private SSLFactory.Mode mode;
+
+    public SSLChannelBuilder(SSLFactory.Mode mode) {
+        this.mode = mode;
+    }
 
     public void configure(Map configs) throws KafkaException {
         try {
-            this.sslFactory = new SSLFactory(SSLFactory.Mode.CLIENT);
+            this.sslFactory = new SSLFactory(mode);
             this.sslFactory.configure(configs);
-            this.principalBuilder = (PrincipalBuilder) Utils.newInstance((Class) configs.get(SecurityConfigs.PRINCIPAL_BUILDER_CLASS_CONFIG));
+            this.principalBuilder = (PrincipalBuilder) Utils.newInstance((Class) configs.get(SSLConfigs.PRINCIPAL_BUILDER_CLASS_CONFIG));
             this.principalBuilder.configure(configs);
         } catch (Exception e) {
             throw new KafkaException(e);
         }
     }
 
-    public Channel buildChannel(int id, SelectionKey key) throws KafkaException {
+    public Channel buildChannel(String id, SelectionKey key) throws KafkaException {
         Channel channel = null;
         try {
             SocketChannel socketChannel = (SocketChannel) key.channel();
diff --git a/clients/src/main/java/org/apache/kafka/common/network/SSLFactory.java b/clients/src/main/java/org/apache/kafka/common/network/SSLFactory.java
index b669069..ec53b69 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/SSLFactory.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/SSLFactory.java
@@ -27,7 +27,7 @@ import javax.net.ssl.*;
 
 import org.apache.kafka.common.KafkaException;
 import org.apache.kafka.common.Configurable;
-import org.apache.kafka.common.config.SecurityConfigs;
+import org.apache.kafka.common.config.SSLConfigs;
 
 
 public class SSLFactory implements Configurable {
@@ -55,44 +55,44 @@ public class SSLFactory implements Configurable {
 
     @Override
     public void configure(Map configs) throws KafkaException {
-        this.protocol =  (String) configs.get(SecurityConfigs.SSL_PROTOCOL_CONFIG);
-        this.provider = (String) configs.get(SecurityConfigs.SSL_PROVIDER_CONFIG);
+        this.protocol =  (String) configs.get(SSLConfigs.SSL_PROTOCOL_CONFIG);
+        this.provider = (String) configs.get(SSLConfigs.SSL_PROVIDER_CONFIG);
 
-        if (configs.get(SecurityConfigs.SSL_CIPHER_SUITES_CONFIG) != null) {
-            List cipherSuitesList = (List) configs.get(SecurityConfigs.SSL_CIPHER_SUITES_CONFIG);
+        if (configs.get(SSLConfigs.SSL_CIPHER_SUITES_CONFIG) != null) {
+            List cipherSuitesList = (List) configs.get(SSLConfigs.SSL_CIPHER_SUITES_CONFIG);
             this.cipherSuites = (String[]) cipherSuitesList.toArray(new String[cipherSuitesList.size()]);
         }
 
-        if (configs.get(SecurityConfigs.SSL_ENABLED_PROTOCOLS_CONFIG) != null) {
-            List enabledProtocolsList = (List) configs.get(SecurityConfigs.SSL_ENABLED_PROTOCOLS_CONFIG);
+        if (configs.get(SSLConfigs.SSL_ENABLED_PROTOCOLS_CONFIG) != null) {
+            List enabledProtocolsList = (List) configs.get(SSLConfigs.SSL_ENABLED_PROTOCOLS_CONFIG);
             this.enabledProtocols =  (String[]) enabledProtocolsList.toArray(new String[enabledProtocolsList.size()]);
         }
 
-        if (configs.containsKey(SecurityConfigs.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG)) {
-            this.endpointIdentification = (String) configs.get(SecurityConfigs.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG);
+        if (configs.containsKey(SSLConfigs.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG)) {
+            this.endpointIdentification = (String) configs.get(SSLConfigs.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG);
         }
 
-        if (configs.containsKey(SecurityConfigs.SSL_NEED_CLIENT_AUTH_CONFIG)) {
-            this.needClientAuth = (Boolean) configs.get(SecurityConfigs.SSL_NEED_CLIENT_AUTH_CONFIG);
+        if (configs.containsKey(SSLConfigs.SSL_NEED_CLIENT_AUTH_CONFIG)) {
+            this.needClientAuth = (Boolean) configs.get(SSLConfigs.SSL_NEED_CLIENT_AUTH_CONFIG);
         }
 
-        if (configs.containsKey(SecurityConfigs.SSL_WANT_CLIENT_AUTH_CONFIG)) {
-            this.wantClientAuth = (Boolean) configs.get(SecurityConfigs.SSL_WANT_CLIENT_AUTH_CONFIG);
+        if (configs.containsKey(SSLConfigs.SSL_WANT_CLIENT_AUTH_CONFIG)) {
+            this.wantClientAuth = (Boolean) configs.get(SSLConfigs.SSL_WANT_CLIENT_AUTH_CONFIG);
         }
 
-        this.kmfAlgorithm = (String) configs.get(SecurityConfigs.SSL_KEYMANAGER_ALGORITHM_CONFIG);
-        this.tmfAlgorithm = (String) configs.get(SecurityConfigs.SSL_TRUSTMANAGER_ALGORITHM_CONFIG);
+        this.kmfAlgorithm = (String) configs.get(SSLConfigs.SSL_KEYMANAGER_ALGORITHM_CONFIG);
+        this.tmfAlgorithm = (String) configs.get(SSLConfigs.SSL_TRUSTMANAGER_ALGORITHM_CONFIG);
 
         if (checkKeyStoreConfigs(configs)) {
-            createKeystore((String) configs.get(SecurityConfigs.SSL_KEYSTORE_TYPE_CONFIG),
-                           (String) configs.get(SecurityConfigs.SSL_KEYSTORE_LOCATION_CONFIG),
-                           (String) configs.get(SecurityConfigs.SSL_KEYSTORE_PASSWORD_CONFIG),
-                           (String) configs.get(SecurityConfigs.SSL_KEY_PASSWORD_CONFIG));
+            createKeystore((String) configs.get(SSLConfigs.SSL_KEYSTORE_TYPE_CONFIG),
+                           (String) configs.get(SSLConfigs.SSL_KEYSTORE_LOCATION_CONFIG),
+                           (String) configs.get(SSLConfigs.SSL_KEYSTORE_PASSWORD_CONFIG),
+                           (String) configs.get(SSLConfigs.SSL_KEY_PASSWORD_CONFIG));
         }
 
-        createTruststore((String) configs.get(SecurityConfigs.SSL_TRUSTSTORE_TYPE_CONFIG),
-                         (String) configs.get(SecurityConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG),
-                         (String) configs.get(SecurityConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG));
+        createTruststore((String) configs.get(SSLConfigs.SSL_TRUSTSTORE_TYPE_CONFIG),
+                         (String) configs.get(SSLConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG),
+                         (String) configs.get(SSLConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG));
         try {
             this.sslContext = createSSLContext();
         } catch (Exception e) {
@@ -177,10 +177,10 @@ public class SSLFactory implements Configurable {
     }
 
     private boolean checkKeyStoreConfigs(Map configs) {
-        return  configs.containsKey(SecurityConfigs.SSL_KEYSTORE_TYPE_CONFIG) &&
-                configs.containsKey(SecurityConfigs.SSL_KEYSTORE_LOCATION_CONFIG) &&
-                configs.containsKey(SecurityConfigs.SSL_KEYSTORE_PASSWORD_CONFIG) &&
-                configs.containsKey(SecurityConfigs.SSL_KEY_PASSWORD_CONFIG);
+        return  configs.containsKey(SSLConfigs.SSL_KEYSTORE_TYPE_CONFIG) &&
+                configs.containsKey(SSLConfigs.SSL_KEYSTORE_LOCATION_CONFIG) &&
+                configs.containsKey(SSLConfigs.SSL_KEYSTORE_PASSWORD_CONFIG) &&
+                configs.containsKey(SSLConfigs.SSL_KEY_PASSWORD_CONFIG);
     }
 
     private class SecurityStore {
diff --git a/clients/src/main/java/org/apache/kafka/common/network/SSLTransportLayer.java b/clients/src/main/java/org/apache/kafka/common/network/SSLTransportLayer.java
index eb898b4..b9f57aa 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/SSLTransportLayer.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/SSLTransportLayer.java
@@ -183,7 +183,7 @@ public class SSLTransportLayer implements TransportLayer {
             return;
         }
         try {
-            switch(handshakeStatus) {
+            switch (handshakeStatus) {
                 case NEED_TASK:
                     handshakeStatus = runDelegatedTasks();
                     break;
@@ -343,7 +343,7 @@ public class SSLTransportLayer implements TransportLayer {
             }
             cont = result.getStatus() == SSLEngineResult.Status.OK &&
                 handshakeStatus == HandshakeStatus.NEED_UNWRAP;
-        } while(cont);
+        } while (cont);
         return result;
     }
 
@@ -405,7 +405,7 @@ public class SSLTransportLayer implements TransportLayer {
                 } else if (unwrapResult.getStatus() == Status.CLOSED) {
                     throw new EOFException();
                 }
-            } while(netReadBuffer.position() != 0);
+            } while (netReadBuffer.position() != 0);
         }
 
         return read;
diff --git a/clients/src/main/java/org/apache/kafka/common/network/Selector.java b/clients/src/main/java/org/apache/kafka/common/network/Selector.java
index 40da17e..4187276 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/Selector.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/Selector.java
@@ -16,7 +16,6 @@ import java.io.EOFException;
 import java.io.IOException;
 import java.net.ConnectException;
 import java.net.InetSocketAddress;
-import java.net.Socket;
 import java.nio.channels.*;
 import java.util.*;
 import java.util.concurrent.TimeUnit;
@@ -69,7 +68,7 @@ public class Selector implements Selectable {
     private static final Logger log = LoggerFactory.getLogger(Selector.class);
 
     private final java.nio.channels.Selector nioSelector;
-    private final Map keys;
+    private final Map channels;
     private final List completedSends;
     private final List completedReceives;
     private final List disconnected;
@@ -103,7 +102,7 @@ public class Selector implements Selectable {
         this.metricGrpPrefix = metricGrpPrefix;
         this.metricTags = metricTags;
         this.channels = new HashMap();
-        this.completedSends = new ArrayList();
+        this.completedSends = new ArrayList();
         this.completedReceives = new ArrayList();
         this.connected = new ArrayList();
         this.disconnected = new ArrayList();
@@ -117,8 +116,8 @@ public class Selector implements Selectable {
         this.metricsPerConnection = metricsPerConnection;
     }
 
-    public Selector(long connectionMaxIdleMS, Metrics metrics, Time time, String metricGrpPrefix, Map metricTags) {
-        this(NetworkReceive.UNLIMITED, connectionMaxIdleMS, metrics, time, metricGrpPrefix, metricTags, true);
+    public Selector(long connectionMaxIdleMS, Metrics metrics, Time time, String metricGrpPrefix, Map metricTags, ChannelBuilder channelBuilder) {
+        this(NetworkReceive.UNLIMITED, connectionMaxIdleMS, metrics, time, metricGrpPrefix, metricTags, true, channelBuilder);
     }
 
     /**
@@ -165,8 +164,8 @@ public class Selector implements Selectable {
      * Use this on server-side, when a connection is accepted by a different thread but processed by the Selector
      * Note that we are not checking if the connection id is valid - since the connection already exists
      */
-    public void register(String id, SocketChannel channel) throws ClosedChannelException {
-        SelectionKey key = channel.register(nioSelector, SelectionKey.OP_READ);
+    public void register(String id, SocketChannel socketChannel) throws ClosedChannelException {
+        SelectionKey key = socketChannel.register(nioSelector, SelectionKey.OP_READ);
         Channel channel = channelBuilder.buildChannel(id, key);
         key.attach(channel);
         this.channels.put(id, channel);
@@ -278,24 +277,23 @@ public class Selector implements Selectable {
                     if (channel.isReady() && key.isReadable()) {
                         NetworkReceive networkReceive;
                         try {
-                            while ((networkReceive = channel.read()) != null) {
-                                networkReceive.payload().rewind();
+                            if ((networkReceive = channel.read()) != null) {
                                 this.completedReceives.add(networkReceive);
                                 this.sensors.recordBytesReceived(channel.id(), networkReceive.payload().limit());
                             }
                         } catch (InvalidReceiveException e) {
-                            log.error("Invalid data received from " + transmissions.id + " closing connection", e);
-                            close(transmissions.id);
+                            log.error("Invalid data received from " + channel.id() + " closing connection", e);
+                            close(channel.id());
                             throw e;
                         }
                     }
 
                     /* if channel is ready write to any sockets that have space in their buffer and for which we have data */
                     if (key.isWritable() && channel.isReady()) {
-                        NetworkSend networkSend = channel.write();
-                        if (networkSend != null) {
-                            this.completedSends.add(networkSend);
-                            this.sensors.recordBytesSent(channel.id(), networkSend.size());
+                        Send send = channel.write();
+                        if (send != null) {
+                            this.completedSends.add(send);
+                            this.sensors.recordBytesSent(channel.id(), send.size());
                         }
                     }
 
@@ -424,7 +422,7 @@ public class Selector implements Selectable {
      * @param id channel id
      */
     public void close(String id) {
-        Channel channel = this.channels(id);
+        Channel channel = this.channels.get(id);
         close(channel);
     }
 
@@ -445,7 +443,7 @@ public class Selector implements Selectable {
      * Get the channel associated with this numeric id
      */
     private Channel channelForId(String id) {
-        Channel channel = channel.get(id);
+        Channel channel = this.channels.get(id);
         if (channel == null)
             throw new IllegalStateException("Attempt to write to socket for which there is no open connection. Connection id " + id + " existing connections " + channels.keySet().toString());
         return channel;
@@ -458,13 +456,6 @@ public class Selector implements Selectable {
         return (Channel) key.attachment();
     }
 
-    /**
-     * Get the socket channel associated with this selection key
-     */
-    private SocketChannel channel(SelectionKey key) {
-        return (SocketChannel) key.channel();
-    }
-
 
     private class SelectorMetrics {
         private final Metrics metrics;
diff --git a/clients/src/main/java/org/apache/kafka/common/network/Send.java b/clients/src/main/java/org/apache/kafka/common/network/Send.java
index b0f4cc5..e0d8831 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/Send.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/Send.java
@@ -37,7 +37,7 @@ public interface Send {
      * @return The number of bytes written
      * @throws IOException If the write fails
      */
-    public long writeTo(Channel channel) throws IOException;
+    public long writeTo(GatheringByteChannel channel) throws IOException;
 
     /**
      * Size of the send
diff --git a/clients/src/main/java/org/apache/kafka/common/network/TransportLayer.java b/clients/src/main/java/org/apache/kafka/common/network/TransportLayer.java
index dd544a6..6a085c6 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/TransportLayer.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/TransportLayer.java
@@ -21,13 +21,14 @@ package org.apache.kafka.common.network;
  * Transport layer for underlying communication
  */
 import java.io.IOException;
-import java.nio.ByteBuffer;
 import java.nio.channels.SocketChannel;
+import java.nio.channels.ScatteringByteChannel;
+import java.nio.channels.GatheringByteChannel;
 
 import java.security.Principal;
 
 
-public interface TransportLayer {
+public interface TransportLayer extends ScatteringByteChannel, GatheringByteChannel {
 
     /**
      * Returns true if the channel has handshake and authenticaiton done.
@@ -35,7 +36,7 @@ public interface TransportLayer {
     boolean isReady();
 
     /**
-     * calls internal socketChannel.finishConnect()
+     * Finishes the process of connecting a socket channel.
      */
     void finishConnect() throws IOException;
 
@@ -49,12 +50,6 @@ public interface TransportLayer {
      */
     SocketChannel socketChannel();
 
-    /**
-     * returns true if socketchannel is open.
-     */
-    boolean isOpen();
-
-    public void close() throws IOException;
 
     /**
      * returns true if there are any pending bytes needs to be written to channel.
@@ -70,26 +65,6 @@ public interface TransportLayer {
 
 
     /**
-     * Reads sequence of bytes from the channel to given buffer
-     */
-    public int read(ByteBuffer dst) throws IOException;
-
-    public long read(ByteBuffer[] dsts) throws IOException;
-
-    public long read(ByteBuffer[] dsts, int offset, int length) throws IOException;
-
-    /**
-     * Writes a sequence of bytes to this channel from the given buffer.
-     */
-    public int write(ByteBuffer src) throws IOException;
-
-    public long write(ByteBuffer[] srcs) throws IOException;
-
-    public long write(ByteBuffer[] srcs, int offset, int length) throws IOException;
-
-
-
-    /**
      * returns SSLSession.getPeerPrinicpal if SSLTransportLayer used
      * for non-secure returns a "ANONYMOUS" as the peerPrincipal
      */
diff --git a/clients/src/test/java/org/apache/kafka/clients/producer/KafkaProducerTest.java b/clients/src/test/java/org/apache/kafka/clients/producer/KafkaProducerTest.java
index a38f189..d1759ce 100644
--- a/clients/src/test/java/org/apache/kafka/clients/producer/KafkaProducerTest.java
+++ b/clients/src/test/java/org/apache/kafka/clients/producer/KafkaProducerTest.java
@@ -18,7 +18,7 @@ package org.apache.kafka.clients.producer;
 
 import org.apache.kafka.common.KafkaException;
 import org.apache.kafka.common.serialization.ByteArraySerializer;
-import org.apache.kafka.common.config.SecurityConfigs;
+import org.apache.kafka.common.config.SSLConfigs;
 import org.apache.kafka.clients.CommonClientConfigs;
 import org.apache.kafka.test.MockMetricsReporter;
 import org.apache.kafka.test.MockSerializer;
@@ -60,7 +60,7 @@ public class KafkaProducerTest {
         configs.put(ProducerConfig.BOOTSTRAP_SERVERS_CONFIG, "localhost:9999");
         configs.put(ProducerConfig.METRIC_REPORTER_CLASSES_CONFIG, MockMetricsReporter.class.getName());
         configs.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, CommonClientConfigs.DEFAULT_SECURITY_PROTOCOL);
-        configs.put(SecurityConfigs.PRINCIPAL_BUILDER_CLASS_CONFIG, Class.forName(SecurityConfigs.DEFAULT_PRINCIPAL_BUILDER_CLASS));
+        configs.put(SSLConfigs.PRINCIPAL_BUILDER_CLASS_CONFIG, Class.forName(SSLConfigs.DEFAULT_PRINCIPAL_BUILDER_CLASS));
         final int oldInitCount = MockSerializer.INIT_COUNT.get();
         final int oldCloseCount = MockSerializer.CLOSE_COUNT.get();
 
diff --git a/clients/src/test/java/org/apache/kafka/common/network/SSLSelectorTest.java b/clients/src/test/java/org/apache/kafka/common/network/SSLSelectorTest.java
index a5351ce..1a8cc27 100644
--- a/clients/src/test/java/org/apache/kafka/common/network/SSLSelectorTest.java
+++ b/clients/src/test/java/org/apache/kafka/common/network/SSLSelectorTest.java
@@ -22,7 +22,7 @@ import java.io.IOException;
 import java.net.InetSocketAddress;
 import java.nio.ByteBuffer;
 
-import org.apache.kafka.common.config.SecurityConfigs;
+import org.apache.kafka.common.config.SSLConfigs;
 import org.apache.kafka.common.metrics.Metrics;
 import org.apache.kafka.common.utils.MockTime;
 import org.apache.kafka.common.utils.Utils;
@@ -48,15 +48,15 @@ public class SSLSelectorTest {
     public void setup() throws Exception {
         Map> sslConfigs = TestSSLUtils.createSSLConfigs(false, true);
         Map sslServerConfigs = sslConfigs.get(SSLFactory.Mode.SERVER);
-        sslServerConfigs.put(SecurityConfigs.PRINCIPAL_BUILDER_CLASS_CONFIG, Class.forName(SecurityConfigs.DEFAULT_PRINCIPAL_BUILDER_CLASS));
+        sslServerConfigs.put(SSLConfigs.PRINCIPAL_BUILDER_CLASS_CONFIG, Class.forName(SSLConfigs.DEFAULT_PRINCIPAL_BUILDER_CLASS));
         this.server = new EchoServer(sslServerConfigs);
         this.server.start();
         Map sslClientConfigs = sslConfigs.get(SSLFactory.Mode.CLIENT);
-        sslClientConfigs.put(SecurityConfigs.PRINCIPAL_BUILDER_CLASS_CONFIG, Class.forName(SecurityConfigs.DEFAULT_PRINCIPAL_BUILDER_CLASS));
+        sslClientConfigs.put(SSLConfigs.PRINCIPAL_BUILDER_CLASS_CONFIG, Class.forName(SSLConfigs.DEFAULT_PRINCIPAL_BUILDER_CLASS));
 
-        this.channelBuilder = new SSLChannelBuilder();
+        this.channelBuilder = new SSLChannelBuilder(SSLFactory.Mode.CLIENT);
         this.channelBuilder.configure(sslClientConfigs);
-        this.selector = new Selector(new Metrics(), new MockTime(), "MetricGroup", new LinkedHashMap(), channelBuilder);
+        this.selector = new Selector(5000, new Metrics(), new MockTime(), "MetricGroup", new LinkedHashMap(), channelBuilder);
     }
 
     @After
@@ -71,7 +71,7 @@ public class SSLSelectorTest {
      */
     @Test
     public void testSendLargeRequest() throws Exception {
-        int node = 0;
+        String node = "0";
         blockingConnect(node);
         String big = TestUtils.randomString(10 * BUFFER_SIZE);
         assertEquals(big, blockingRequest(node, big));
@@ -83,7 +83,7 @@ public class SSLSelectorTest {
      */
     @Test
     public void testServerDisconnect() throws Exception {
-        int node = 0;
+        String node = "0";
         // connect and do a simple request
         blockingConnect(node);
         assertEquals("hello", blockingRequest(node, "hello"));
@@ -104,7 +104,7 @@ public class SSLSelectorTest {
      */
     @Test
     public void testClientDisconnect() throws Exception {
-        int node = 0;
+        String node = "0";
         blockingConnect(node);
         selector.disconnect(node);
         selector.send(createSend(node, "hello1"));
@@ -123,7 +123,7 @@ public class SSLSelectorTest {
     @Test
     public void testLargeMessageSequence() throws Exception {
         int bufferSize = 512 * 1024;
-        int node = 0;
+        String node = "0";
         int reqs = 50;
         InetSocketAddress addr = new InetSocketAddress("localhost", server.port);
         selector.connect(node, addr, BUFFER_SIZE, BUFFER_SIZE);
@@ -137,7 +137,7 @@ public class SSLSelectorTest {
      */
     @Test
     public void testEmptyRequest() throws Exception {
-        int node = 0;
+        String node = "0";
         blockingConnect(node);
         assertEquals("", blockingRequest(node, ""));
     }
@@ -145,72 +145,72 @@ public class SSLSelectorTest {
 
     @Test
     public void testMute() throws Exception {
-        blockingConnect(0);
-        blockingConnect(1);
+        blockingConnect("0");
+        blockingConnect("1");
 
-        selector.send(createSend(0, "hello"));
-        selector.send(createSend(1, "hi"));
-        selector.mute(1);
+        selector.send(createSend("0", "hello"));
+        selector.send(createSend("1", "hi"));
+        selector.mute("1");
 
         while (selector.completedReceives().isEmpty())
             selector.poll(5);
         assertEquals("We should have only one response", 1, selector.completedReceives().size());
-        assertEquals("The response should not be from the muted node", 0, selector.completedReceives().get(0).source());
-        selector.unmute(1);
+        assertEquals("The response should not be from the muted node", "0", selector.completedReceives().get(0).source());
+        selector.unmute("1");
         do {
             selector.poll(5);
         } while (selector.completedReceives().isEmpty());
         assertEquals("We should have only one response", 1, selector.completedReceives().size());
-        assertEquals("The response should be from the previously muted node", 1, selector.completedReceives().get(0).source());
+        assertEquals("The response should be from the previously muted node", "1", selector.completedReceives().get(0).source());
     }
 
     /**
      * Tests that SSL renegotiation initiated by the server are handled correctly by the client
      * @throws Exception
      */
-    @Test
-    public void testRenegotiation() throws Exception {
-        int reqs = 500;
-        int node = 0;
-        // create connections
-        InetSocketAddress addr = new InetSocketAddress("localhost", server.port);
-        selector.connect(node, addr, BUFFER_SIZE, BUFFER_SIZE);
-
-        // send echo requests and receive responses
-        int requests = 0;
-        int responses = 0;
-        int renegotiates = 0;
-        selector.send(createSend(node, node + "-" + 0));
-        requests++;
-
-        // loop until we complete all requests
-        while (responses < reqs) {
-            selector.poll(0L);
-            if (responses >= 100 && renegotiates == 0) {
-                renegotiates++;
-                server.renegotiate();
-            }
-            assertEquals("No disconnects should have occurred.", 0, selector.disconnected().size());
-
-            // handle any responses we may have gotten
-            for (NetworkReceive receive : selector.completedReceives()) {
-                String[] pieces = asString(receive).split("-");
-                assertEquals("Should be in the form 'conn-counter'", 2, pieces.length);
-                assertEquals("Check the source", receive.source(), Integer.parseInt(pieces[0]));
-                assertEquals("Check that the receive has kindly been rewound", 0, receive.payload().position());
-                assertEquals("Check the request counter", responses, Integer.parseInt(pieces[1]));
-                responses++;
-            }
-
-            // prepare new sends for the next round
-            for (int i = 0; i < selector.completedSends().size() && requests < reqs; i++, requests++) {
-                selector.send(createSend(node, node + "-" + requests));
-            }
-        }
-    }
-
-
-    private String blockingRequest(int node, String s) throws IOException {
+    // @Test
+    // public void testRenegotiation() throws Exception {
+    //     int reqs = 500;
+    //     String node = "0";
+    //     // create connections
+    //     InetSocketAddress addr = new InetSocketAddress("localhost", server.port);
+    //     selector.connect(node, addr, BUFFER_SIZE, BUFFER_SIZE);
+
+    //     // send echo requests and receive responses
+    //     int requests = 0;
+    //     int responses = 0;
+    //     int renegotiates = 0;
+    //     selector.send(createSend(node, node + "-" + 0));
+    //     requests++;
+
+    //     // loop until we complete all requests
+    //     while (responses < reqs) {
+    //         selector.poll(0L);
+    //         if (responses >= 100 && renegotiates == 0) {
+    //             renegotiates++;
+    //             server.renegotiate();
+    //         }
+    //         assertEquals("No disconnects should have occurred.", 0, selector.disconnected().size());
+
+    //         // handle any responses we may have gotten
+    //         for (NetworkReceive receive : selector.completedReceives()) {
+    //             String[] pieces = asString(receive).split("-");
+    //             assertEquals("Should be in the form 'conn-counter'", 2, pieces.length);
+    //             assertEquals("Check the source", receive.source(), pieces[0]);
+    //             assertEquals("Check that the receive has kindly been rewound", 0, receive.payload().position());
+    //             assertEquals("Check the request counter", responses, Integer.parseInt(pieces[1]));
+    //             responses++;
+    //         }
+
+    //         // prepare new sends for the next round
+    //         for (int i = 0; i < selector.completedSends().size() && requests < reqs; i++, requests++) {
+    //             selector.send(createSend(node, node + "-" + requests));
+    //         }
+    //     }
+    // }
+
+
+    private String blockingRequest(String node, String s) throws IOException {
         selector.send(createSend(node, s));
         while (true) {
             selector.poll(1000L);
@@ -224,19 +224,19 @@ public class SSLSelectorTest {
         return new String(Utils.toArray(receive.payload()));
     }
 
-    private NetworkSend createSend(int node, String s) {
+    private NetworkSend createSend(String node, String s) {
         return new NetworkSend(node, ByteBuffer.wrap(s.getBytes()));
     }
 
     /* connect and wait for the connection to complete */
-    private void blockingConnect(int node) throws IOException {
+    private void blockingConnect(String node) throws IOException {
         selector.connect(node, new InetSocketAddress("localhost", server.port), BUFFER_SIZE, BUFFER_SIZE);
         while (!selector.connected().contains(node))
             selector.poll(10000L);
     }
 
 
-    private void sendAndReceive(int node, String requestPrefix, int startIndex, int endIndex) throws Exception {
+    private void sendAndReceive(String node, String requestPrefix, int startIndex, int endIndex) throws Exception {
         int requests = startIndex;
         int responses = startIndex;
         selector.send(createSend(node, requestPrefix + "-" + startIndex));
diff --git a/clients/src/test/java/org/apache/kafka/common/network/SelectorTest.java b/clients/src/test/java/org/apache/kafka/common/network/SelectorTest.java
index 3d3db2c..3aa519e 100644
--- a/clients/src/test/java/org/apache/kafka/common/network/SelectorTest.java
+++ b/clients/src/test/java/org/apache/kafka/common/network/SelectorTest.java
@@ -24,7 +24,7 @@ import java.nio.ByteBuffer;
 import java.util.*;
 
 import org.apache.kafka.common.metrics.Metrics;
-import org.apache.kafka.common.config.SecurityConfigs;
+import org.apache.kafka.common.config.SSLConfigs;
 import org.apache.kafka.common.utils.MockTime;
 import org.apache.kafka.common.utils.Utils;
 import org.apache.kafka.test.TestUtils;
@@ -46,13 +46,13 @@ public class SelectorTest {
     @Before
     public void setup() throws Exception {
         Map configs = new HashMap();
-        configs.put(SecurityConfigs.PRINCIPAL_BUILDER_CLASS_CONFIG, Class.forName(SecurityConfigs.DEFAULT_PRINCIPAL_BUILDER_CLASS));
+        configs.put(SSLConfigs.PRINCIPAL_BUILDER_CLASS_CONFIG, Class.forName(SSLConfigs.DEFAULT_PRINCIPAL_BUILDER_CLASS));
         this.server = new EchoServer(configs);
         this.server.start();
 
         this.channelBuilder = new PlainTextChannelBuilder();
         this.channelBuilder.configure(configs);
-        this.selector = new Selector(5000, new Metrics(), new MockTime() , "MetricGroup", new LinkedHashMap(), ChannelBuilder);
+        this.selector = new Selector(5000, new Metrics(), new MockTime() , "MetricGroup", new LinkedHashMap(), channelBuilder);
     }
 
     @After
@@ -214,7 +214,7 @@ public class SelectorTest {
     @Test
     public void testLargeMessageSequence() throws Exception {
         int bufferSize = 512 * 1024;
-        int node = 0;
+        String node = "0";
         int reqs = 50;
         InetSocketAddress addr = new InetSocketAddress("localhost", server.port);
         selector.connect(node, addr, BUFFER_SIZE, BUFFER_SIZE);
@@ -289,7 +289,7 @@ public class SelectorTest {
         return new String(Utils.toArray(receive.payload()));
     }
 
-    private void sendAndReceive(int node, String requestPrefix, int startIndex, int endIndex) throws Exception {
+    private void sendAndReceive(String node, String requestPrefix, int startIndex, int endIndex) throws Exception {
         int requests = startIndex;
         int responses = startIndex;
         selector.send(createSend(node, requestPrefix + "-" + startIndex));
diff --git a/clients/src/test/java/org/apache/kafka/test/TestSSLUtils.java b/clients/src/test/java/org/apache/kafka/test/TestSSLUtils.java
index 4edbe36..1930cc2 100644
--- a/clients/src/test/java/org/apache/kafka/test/TestSSLUtils.java
+++ b/clients/src/test/java/org/apache/kafka/test/TestSSLUtils.java
@@ -17,7 +17,7 @@
 
 package org.apache.kafka.test;
 
-import org.apache.kafka.common.config.SecurityConfigs;
+import org.apache.kafka.common.config.SSLConfigs;
 import org.apache.kafka.common.network.SSLFactory;
 import org.apache.kafka.clients.CommonClientConfigs;
 
@@ -172,25 +172,24 @@ public class TestSSLUtils {
                                                       File trustStoreFile, String trustStorePassword, boolean useClientCert) {
         Map sslConfigs = new HashMap();
         sslConfigs.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, "SSL"); // kafka security protocol
-        sslConfigs.put(SecurityConfigs.SSL_PROTOCOL_CONFIG, "TLSv1.2"); // protocol to create SSLContext
+        sslConfigs.put(SSLConfigs.SSL_PROTOCOL_CONFIG, "TLSv1.2"); // protocol to create SSLContext
 
         if (mode == SSLFactory.Mode.SERVER || (mode == SSLFactory.Mode.CLIENT && keyStoreFile != null)) {
-            sslConfigs.put(SecurityConfigs.SSL_KEYSTORE_LOCATION_CONFIG, keyStoreFile.getPath());
-            sslConfigs.put(SecurityConfigs.SSL_KEYSTORE_TYPE_CONFIG, "JKS");
-            sslConfigs.put(SecurityConfigs.SSL_KEYMANAGER_ALGORITHM_CONFIG, TrustManagerFactory.getDefaultAlgorithm());
-            sslConfigs.put(SecurityConfigs.SSL_KEYSTORE_PASSWORD_CONFIG, password);
-            sslConfigs.put(SecurityConfigs.SSL_KEY_PASSWORD_CONFIG, keyPassword);
+            sslConfigs.put(SSLConfigs.SSL_KEYSTORE_LOCATION_CONFIG, keyStoreFile.getPath());
+            sslConfigs.put(SSLConfigs.SSL_KEYSTORE_TYPE_CONFIG, "JKS");
+            sslConfigs.put(SSLConfigs.SSL_KEYMANAGER_ALGORITHM_CONFIG, TrustManagerFactory.getDefaultAlgorithm());
+            sslConfigs.put(SSLConfigs.SSL_KEYSTORE_PASSWORD_CONFIG, password);
+            sslConfigs.put(SSLConfigs.SSL_KEY_PASSWORD_CONFIG, keyPassword);
         }
 
-        sslConfigs.put(SecurityConfigs.SSL_CLIENT_REQUIRE_CERT_CONFIG, useClientCert);
-        sslConfigs.put(SecurityConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG, trustStoreFile.getPath());
-        sslConfigs.put(SecurityConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG, trustStorePassword);
-        sslConfigs.put(SecurityConfigs.SSL_TRUSTSTORE_TYPE_CONFIG, "JKS");
-        sslConfigs.put(SecurityConfigs.SSL_TRUSTMANAGER_ALGORITHM_CONFIG, TrustManagerFactory.getDefaultAlgorithm());
+        sslConfigs.put(SSLConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG, trustStoreFile.getPath());
+        sslConfigs.put(SSLConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG, trustStorePassword);
+        sslConfigs.put(SSLConfigs.SSL_TRUSTSTORE_TYPE_CONFIG, "JKS");
+        sslConfigs.put(SSLConfigs.SSL_TRUSTMANAGER_ALGORITHM_CONFIG, TrustManagerFactory.getDefaultAlgorithm());
 
         List enabledProtocols  = new ArrayList();
         enabledProtocols.add("TLSv1.2");
-        sslConfigs.put(SecurityConfigs.SSL_ENABLED_PROTOCOLS_CONFIG, enabledProtocols);
+        sslConfigs.put(SSLConfigs.SSL_ENABLED_PROTOCOLS_CONFIG, enabledProtocols);
 
         return sslConfigs;
     }
diff --git a/core/src/main/scala/kafka/cluster/EndPoint.scala b/core/src/main/scala/kafka/cluster/EndPoint.scala
index e9008e6..76997b5 100644
--- a/core/src/main/scala/kafka/cluster/EndPoint.scala
+++ b/core/src/main/scala/kafka/cluster/EndPoint.scala
@@ -42,7 +42,7 @@ object EndPoint {
    * @return
    */
   def createEndPoint(connectionString: String): EndPoint = {
-    val uriParseExp = """^(.*)://\[?([0-9a-z\-.:]*)\]?:(-?[0-9]+)""".r
+    val uriParseExp = """^(.*)://\[?([0-9a-zA-Z\-.:]*)\]?:(-?[0-9]+)""".r
     connectionString match {
       case uriParseExp(protocol, "", port) => new EndPoint(null, port.toInt, SecurityProtocol.valueOf(protocol))
       case uriParseExp(protocol, host, port) => new EndPoint(host, port.toInt, SecurityProtocol.valueOf(protocol))
diff --git a/core/src/main/scala/kafka/network/SocketServer.scala b/core/src/main/scala/kafka/network/SocketServer.scala
index 91319fa..6cf1a8d 100644
--- a/core/src/main/scala/kafka/network/SocketServer.scala
+++ b/core/src/main/scala/kafka/network/SocketServer.scala
@@ -31,7 +31,8 @@ import kafka.metrics.KafkaMetricsGroup
 import kafka.utils._
 import org.apache.kafka.common.MetricName
 import org.apache.kafka.common.metrics.Metrics
-import org.apache.kafka.common.network.InvalidReceiveException
+import org.apache.kafka.common.network.{InvalidReceiveException, ChannelBuilder,
+                                        PlainTextChannelBuilder, SSLChannelBuilder, SSLFactory}
 import org.apache.kafka.common.protocol.SecurityProtocol
 import org.apache.kafka.common.protocol.types.SchemaException
 import org.apache.kafka.common.utils.{SystemTime, Time, Utils}
@@ -41,7 +42,7 @@ import scala.collection._
 /**
  * An NIO socket server. The threading model is
  *   1 Acceptor thread that handles new connections
- *   N Processor threads that each have their own selector and read requests from sockets
+ *   Acceptor has N Processor threads that each have their own selector and read requests from sockets
  *   M Handler threads that handle requests and produce responses back to the processor threads for writing.
  */
 class SocketServer(val brokerId: Int,
@@ -54,13 +55,13 @@ class SocketServer(val brokerId: Int,
                    val maxConnectionsPerIp: Int = Int.MaxValue,
                    val connectionsMaxIdleMs: Long,
                    val maxConnectionsPerIpOverrides: Map[String, Int],
+                   val channelConfigs: java.util.Map[String, Object],
                    val time: Time,
                    val metrics: Metrics) extends Logging with KafkaMetricsGroup {
   this.logIdent = "[Socket Server on Broker " + brokerId + "], "
-
-  private val processors = new Array[Processor](numProcessorThreads)
-  private[network] var acceptors =  mutable.Map[EndPoint,Acceptor]()
   val requestChannel = new RequestChannel(numProcessorThreads, maxQueuedRequests)
+  private[network] var acceptors =  mutable.Map[EndPoint,Acceptor]()
+
 
   private val allMetricNames = (0 until numProcessorThreads).map { i =>
     val tags = new util.HashMap[String, String]()
@@ -90,32 +91,15 @@ class SocketServer(val brokerId: Int,
     )
 
 
-    this.synchronized {
-      for (i <- 0 until numProcessorThreads) {
-        processors(i) = new Processor(i,
-          time,
-          maxRequestSize,
-          numProcessorThreads,
-          requestChannel,
-          quotas,
-          connectionsMaxIdleMs,
-          portToProtocol,
-          metrics
-          )
-        Utils.newThread("kafka-network-thread-%d-%d".format(brokerId, i), processors(i), false).start()
-      }
-    }
 
-    // register the processor threads for notification of responses
-    requestChannel.addResponseListener((id:Int) => processors(id).wakeup())
-   
     // start accepting connections
     // right now we will use the same processors for all ports, since we didn't implement different protocols
     // in the future, we may implement different processors for SSL and Kerberos
 
     this.synchronized {
       endpoints.values.foreach(endpoint => {
-        val acceptor = new Acceptor(endpoint.host, endpoint.port, processors, sendBufferSize, recvBufferSize, quotas, endpoint.protocolType, portToProtocol)
+        val acceptor = new Acceptor(endpoint.host, endpoint.port, sendBufferSize, recvBufferSize, requestChannel, quotas, endpoint.protocolType,
+           portToProtocol, channelConfigs, numProcessorThreads, maxQueuedRequests, maxRequestSize, connectionsMaxIdleMs, metrics, time, brokerId)
         acceptors.put(endpoint, acceptor)
         Utils.newThread("kafka-socket-acceptor-%s-%d".format(endpoint.protocolType.toString, endpoint.port), acceptor, false).start()
         acceptor.awaitStartup
@@ -132,7 +116,6 @@ class SocketServer(val brokerId: Int,
     info("Shutting down")
     this.synchronized {
       acceptors.values.foreach(_.shutdown)
-      processors.foreach(_.shutdown)
     }
     info("Shutdown completed")
   }
@@ -144,8 +127,8 @@ class SocketServer(val brokerId: Int,
       case e: Exception => throw new KafkaException("Tried to check server's port before server was started or checked for port of non-existing protocol", e)
     }
   }
-}
 
+}
 /**
  * A base class with some helper variables and methods
  */
@@ -187,7 +170,7 @@ private[kafka] abstract class AbstractServerThread(connectionQuotas: ConnectionQ
    * Is the server still running?
    */
   protected def isRunning = alive.get
-  
+
   /**
    * Close the given key and associated socket
    */
@@ -198,7 +181,7 @@ private[kafka] abstract class AbstractServerThread(connectionQuotas: ConnectionQ
       swallowError(key.cancel())
     }
   }
-  
+
   def close(channel: SocketChannel) {
     if(channel != null) {
       debug("Closing connection from " + channel.socket.getRemoteSocketAddress())
@@ -212,17 +195,45 @@ private[kafka] abstract class AbstractServerThread(connectionQuotas: ConnectionQ
 /**
  * Thread that accepts and configures new connections. There is only need for one of these
  */
-private[kafka] class Acceptor(val host: String, 
+private[kafka] class Acceptor(val host: String,
                               private val port: Int,
-                              private val processors: Array[Processor],
-                              val sendBufferSize: Int, 
+                              val sendBufferSize: Int,
                               val recvBufferSize: Int,
+                              requestChannel: RequestChannel,
                               connectionQuotas: ConnectionQuotas,
                               protocol: SecurityProtocol,
-                              portToProtocol: ConcurrentHashMap[Int, SecurityProtocol]) extends AbstractServerThread(connectionQuotas) {
+                              portToProtocol: ConcurrentHashMap[Int, SecurityProtocol],
+                              channelConfigs: java.util.Map[String, Object],
+                              numProcessorThreads: Int,
+                              maxQueuedRequests: Int,
+                              maxRequestSize: Int,
+                              connectionsMaxIdleMs: Long,
+                              metrics: Metrics,
+                              time: Time,
+                              brokerId: Int) extends AbstractServerThread(connectionQuotas) {
   val nioSelector = java.nio.channels.Selector.open()
   val serverChannel = openServerSocket(host, port)
+  private val processors = new Array[Processor](numProcessorThreads)
   portToProtocol.put(serverChannel.socket().getLocalPort, protocol)
+  this.synchronized {
+    for (i <- 0 until numProcessorThreads) {
+        processors(i) = new Processor(i,
+          time,
+          maxRequestSize,
+          numProcessorThreads,
+          requestChannel,
+          connectionQuotas,
+          connectionsMaxIdleMs,
+          protocol,
+          channelConfigs,
+          metrics
+          )
+        Utils.newThread("kafka-network-thread-%d-%s-%d".format(brokerId, protocol.name, i), processors(i), false).start()
+      }
+  }
+
+  // register the processor threads for notification of responses
+  requestChannel.addResponseListener((id:Int) => processors(id).wakeup())
 
   /**
    * Accept loop that checks for new connection attempts
@@ -259,12 +270,12 @@ private[kafka] class Acceptor(val host: String,
     swallowError(nioSelector.close())
     shutdownComplete()
   }
-  
+
   /*
    * Create a server socket to listen for connections on.
    */
   def openServerSocket(host: String, port: Int): ServerSocketChannel = {
-    val socketAddress = 
+    val socketAddress =
       if(host == null || host.trim.isEmpty)
         new InetSocketAddress(port)
       else
@@ -276,7 +287,7 @@ private[kafka] class Acceptor(val host: String,
       serverChannel.socket.bind(socketAddress)
       info("Awaiting socket connections on %s:%d.".format(socketAddress.getHostName, serverChannel.socket.getLocalPort))
     } catch {
-      case e: SocketException => 
+      case e: SocketException =>
         throw new KafkaException("Socket server failed to bind to %s:%d: %s.".format(socketAddress.getHostName, port, e.getMessage), e)
     }
     serverChannel
@@ -314,6 +325,12 @@ private[kafka] class Acceptor(val host: String,
   @Override
   def wakeup = nioSelector.wakeup()
 
+
+  override def shutdown() = {
+    processors.foreach(_.shutdown)
+    super.shutdown
+  }
+
 }
 
 /**
@@ -327,15 +344,17 @@ private[kafka] class Processor(val id: Int,
                                val requestChannel: RequestChannel,
                                connectionQuotas: ConnectionQuotas,
                                val connectionsMaxIdleMs: Long,
-                               val portToProtocol: ConcurrentHashMap[Int,SecurityProtocol],
+                               val protocol: SecurityProtocol,
+                               val channelConfigs: java.util.Map[String, Object],
                                val metrics: Metrics) extends AbstractServerThread(connectionQuotas) with KafkaMetricsGroup {
 
   private val newConnections = new ConcurrentLinkedQueue[SocketChannel]()
   private val inflightResponses = mutable.Map[String, RequestChannel.Response]()
-
+  private val channelBuilder = createChannelBuilder
   private val metricTags = new util.HashMap[String, String]()
   metricTags.put("networkProcessor", id.toString)
 
+
   newGauge("IdlePercent",
     new Gauge[Double] {
       def value = {
@@ -352,7 +371,8 @@ private[kafka] class Processor(val id: Int,
     time,
     "socket-server",
     metricTags,
-    false)
+    false,
+    channelBuilder)
 
   override def run() {
     startupComplete()
@@ -458,6 +478,15 @@ private[kafka] class Processor(val id: Int,
     }
   }
 
+  private def createChannelBuilder():ChannelBuilder = {
+    var channelBuilder:ChannelBuilder = new PlainTextChannelBuilder()
+    if (protocol == SecurityProtocol.SSL) {
+      channelBuilder = new SSLChannelBuilder(SSLFactory.Mode.SERVER)
+    }
+    channelBuilder.configure(channelConfigs)
+    channelBuilder
+  }
+
   /**
    * Close all open connections
    */
@@ -476,7 +505,7 @@ private[kafka] class Processor(val id: Int,
 class ConnectionQuotas(val defaultMax: Int, overrideQuotas: Map[String, Int]) {
   private val overrides = overrideQuotas.map(entry => (InetAddress.getByName(entry._1), entry._2))
   private val counts = mutable.Map[InetAddress, Int]()
-  
+
   def inc(addr: InetAddress) {
     counts synchronized {
       val count = counts.getOrElse(addr, 0)
@@ -486,7 +515,7 @@ class ConnectionQuotas(val defaultMax: Int, overrideQuotas: Map[String, Int]) {
         throw new TooManyConnectionsException(addr, max)
     }
   }
-  
+
   def dec(addr: InetAddress) {
     counts synchronized {
       val count = counts.get(addr).get
@@ -496,7 +525,7 @@ class ConnectionQuotas(val defaultMax: Int, overrideQuotas: Map[String, Int]) {
         counts.put(addr, count - 1)
     }
   }
-  
+
 }
 
 class TooManyConnectionsException(val ip: InetAddress, val count: Int) extends KafkaException("Too many connections from %s (maximum = %d)".format(ip, count))
diff --git a/core/src/main/scala/kafka/server/KafkaConfig.scala b/core/src/main/scala/kafka/server/KafkaConfig.scala
index 2d75186..9d83921 100755
--- a/core/src/main/scala/kafka/server/KafkaConfig.scala
+++ b/core/src/main/scala/kafka/server/KafkaConfig.scala
@@ -26,9 +26,11 @@ import kafka.consumer.ConsumerConfig
 import kafka.message.{BrokerCompressionCodec, CompressionCodec, Message, MessageSet}
 import kafka.utils.CoreUtils
 import org.apache.kafka.clients.CommonClientConfigs
+import org.apache.kafka.common.config.SSLConfigs
 import org.apache.kafka.common.config.ConfigDef
 import org.apache.kafka.common.metrics.MetricsReporter
 import org.apache.kafka.common.protocol.SecurityProtocol
+import org.apache.kafka.common.security.auth.PrincipalBuilder
 import scala.collection.{mutable, immutable, JavaConversions, Map}
 
 object Defaults {
@@ -137,6 +139,23 @@ object Defaults {
   val MetricNumSamples = 2
   val MetricSampleWindowMs = 1000
   val MetricReporterClasses = ""
+
+  /** ********* SSL configuration ***********/
+  val PrincipalBuilderClass = SSLConfigs.DEFAULT_PRINCIPAL_BUILDER_CLASS
+  val SSLProtocol = SSLConfigs.DEFAULT_SSL_PROTOCOL
+  val SSLEnabledProtocols = SSLConfigs.DEFAULT_ENABLED_PROTOCOLS
+  val SSLKeystoreType = SSLConfigs.DEFAULT_SSL_KEYSTORE_TYPE
+  val SSLKeystoreLocation = "/tmp/ssl.keystore.jks"
+  val SSLKeystorePassword = "keystore_password"
+  val SSLKeyPassword = "key_password"
+  val SSLTruststoreType = SSLConfigs.DEFAULT_SSL_TRUSTSTORE_TYPE
+  val SSLTruststoreLocation = SSLConfigs.DEFAULT_TRUSTSTORE_LOCATION
+  val SSLTruststorePassword = SSLConfigs.DEFAULT_TRUSTSTORE_PASSWORD
+  val SSLKeyManagerAlgorithm = SSLConfigs.DEFAULT_SSL_KEYMANGER_ALGORITHM
+  val SSLTrustManagerAlgorithm = SSLConfigs.DEFAULT_SSL_TRUSTMANAGER_ALGORITHM
+  val SSLNeedClientAuth = false
+  val SSLWantClientAuth = false
+
 }
 
 object KafkaConfig {
@@ -251,6 +270,25 @@ object KafkaConfig {
   val MetricNumSamplesProp: String = CommonClientConfigs.METRICS_NUM_SAMPLES_CONFIG
   val MetricReporterClassesProp: String = CommonClientConfigs.METRIC_REPORTER_CLASSES_CONFIG
 
+  /** ********* SSL Configuration ****************/
+  val PrincipalBuilderClassProp = SSLConfigs.PRINCIPAL_BUILDER_CLASS_CONFIG
+  val SSLProtocolProp = SSLConfigs.SSL_PROTOCOL_CONFIG
+  val SSLProviderProp = SSLConfigs.SSL_PROVIDER_CONFIG
+  val SSLCipherSuitesProp = SSLConfigs.SSL_CIPHER_SUITES_CONFIG
+  val SSLEnabledProtocolsProp = SSLConfigs.SSL_ENABLED_PROTOCOLS_CONFIG
+  val SSLKeystoreTypeProp = SSLConfigs.SSL_KEYSTORE_TYPE_CONFIG
+  val SSLKeystoreLocationProp = SSLConfigs.SSL_KEYSTORE_LOCATION_CONFIG
+  val SSLKeystorePasswordProp = SSLConfigs.SSL_KEYSTORE_PASSWORD_CONFIG
+  val SSLKeyPasswordProp = SSLConfigs.SSL_KEY_PASSWORD_CONFIG
+  val SSLTruststoreTypeProp = SSLConfigs.SSL_TRUSTSTORE_TYPE_CONFIG
+  val SSLTruststoreLocationProp = SSLConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG
+  val SSLTruststorePasswordProp = SSLConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG
+  val SSLKeyManagerAlgorithmProp = SSLConfigs.SSL_KEYMANAGER_ALGORITHM_CONFIG
+  val SSLTrustManagerAlgorithmProp = SSLConfigs.SSL_TRUSTMANAGER_ALGORITHM_CONFIG
+  val SSLEndpointIdentificationAlgorithmProp = SSLConfigs.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG
+  val SSLNeedClientAuthProp = SSLConfigs.SSL_NEED_CLIENT_AUTH_CONFIG
+  val SSLWantClientAuthProp = SSLConfigs.SSL_WANT_CLIENT_AUTH_CONFIG
+
 
   /* Documentation */
   /** ********* Zookeeper Configuration ***********/
@@ -389,6 +427,25 @@ object KafkaConfig {
   val MetricNumSamplesDoc = CommonClientConfigs.METRICS_NUM_SAMPLES_DOC
   val MetricReporterClassesDoc = CommonClientConfigs.METRIC_REPORTER_CLASSES_DOC
 
+  /** ********* SSL Configuration ****************/
+  val PrincipalBuilderClassDoc = SSLConfigs.PRINCIPAL_BUILDER_CLASS_DOC
+  val SSLProtocolDoc = SSLConfigs.SSL_PROTOCOL_DOC
+  val SSLProviderDoc = SSLConfigs.SSL_PROVIDER_DOC
+  val SSLCipherSuitesDoc = SSLConfigs.SSL_CIPHER_SUITES_DOC
+  val SSLEnabledProtocolsDoc = SSLConfigs.SSL_ENABLED_PROTOCOLS_DOC
+  val SSLKeystoreTypeDoc = SSLConfigs.SSL_KEYSTORE_TYPE_DOC
+  val SSLKeystoreLocationDoc = SSLConfigs.SSL_KEYSTORE_LOCATION_DOC
+  val SSLKeystorePasswordDoc = SSLConfigs.SSL_KEYSTORE_PASSWORD_DOC
+  val SSLKeyPasswordDoc = SSLConfigs.SSL_KEY_PASSWORD_DOC
+  val SSLTruststoreTypeDoc = SSLConfigs.SSL_TRUSTSTORE_TYPE_DOC
+  val SSLTruststorePasswordDoc = SSLConfigs.SSL_TRUSTSTORE_PASSWORD_DOC
+  val SSLTruststoreLocationDoc = SSLConfigs.SSL_TRUSTSTORE_LOCATION_DOC
+  val SSLKeyManagerAlgorithmDoc = SSLConfigs.SSL_KEYMANAGER_ALGORITHM_DOC
+  val SSLTrustManagerAlgorithmDoc = SSLConfigs.SSL_TRUSTMANAGER_ALGORITHM_DOC
+  val SSLEndpointIdentificationAlgorithmDoc = SSLConfigs.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_DOC
+  val SSLNeedClientAuthDoc = SSLConfigs.SSL_NEED_CLIENT_AUTH_DOC
+  val SSLWantClientAuthDoc = SSLConfigs.SSL_WANT_CLIENT_AUTH_DOC
+
 
   private val configDef = {
     import ConfigDef.Range._
@@ -512,6 +569,23 @@ object KafkaConfig {
       .define(MetricNumSamplesProp, INT, Defaults.MetricNumSamples, atLeast(1), LOW, MetricNumSamplesDoc)
       .define(MetricSampleWindowMsProp, LONG, Defaults.MetricSampleWindowMs, atLeast(1), LOW, MetricSampleWindowMsDoc)
       .define(MetricReporterClassesProp, LIST, Defaults.MetricReporterClasses, LOW, MetricReporterClassesDoc)
+
+      /** ********* SSL Configuration ****************/
+      .define(PrincipalBuilderClassProp, STRING, Defaults.PrincipalBuilderClass, MEDIUM, PrincipalBuilderClassDoc)
+      .define(SSLProtocolProp, STRING, Defaults.SSLProtocol, MEDIUM, SSLProtocolDoc)
+      .define(SSLProviderProp, STRING, MEDIUM, SSLProviderDoc, false)
+      .define(SSLEnabledProtocolsProp, LIST, Defaults.SSLEnabledProtocols, MEDIUM, SSLEnabledProtocolsDoc)
+      .define(SSLKeystoreTypeProp, STRING, Defaults.SSLKeystoreType, MEDIUM, SSLKeystoreTypeDoc)
+      .define(SSLKeystoreLocationProp, STRING, Defaults.SSLKeystoreLocation, MEDIUM, SSLKeystoreLocationDoc)
+      .define(SSLKeystorePasswordProp, STRING, Defaults.SSLKeystorePassword, MEDIUM, SSLKeystorePasswordDoc)
+      .define(SSLKeyPasswordProp, STRING, Defaults.SSLKeyPassword, MEDIUM, SSLKeyPasswordDoc)
+      .define(SSLTruststoreTypeProp, STRING, Defaults.SSLTruststoreType, MEDIUM, SSLTruststoreTypeDoc)
+      .define(SSLTruststoreLocationProp, STRING, Defaults.SSLTruststoreLocation, MEDIUM, SSLTruststoreLocationDoc)
+      .define(SSLTruststorePasswordProp, STRING, Defaults.SSLTruststorePassword, MEDIUM, SSLTruststorePasswordDoc)
+      .define(SSLKeyManagerAlgorithmProp, STRING, Defaults.SSLKeyManagerAlgorithm, MEDIUM, SSLKeyManagerAlgorithmDoc)
+      .define(SSLTrustManagerAlgorithmProp, STRING, Defaults.SSLTrustManagerAlgorithm, MEDIUM, SSLTrustManagerAlgorithmDoc)
+      .define(SSLNeedClientAuthProp, BOOLEAN, Defaults.SSLNeedClientAuth, MEDIUM, SSLNeedClientAuthDoc)
+      .define(SSLWantClientAuthProp, BOOLEAN, Defaults.SSLWantClientAuth, MEDIUM, SSLWantClientAuthDoc)
   }
 
   def configNames() = {
@@ -639,7 +713,24 @@ object KafkaConfig {
       compressionType = parsed.get(CompressionTypeProp).asInstanceOf[String],
       metricNumSamples = parsed.get(MetricNumSamplesProp).asInstanceOf[Int],
       metricSampleWindowMs = parsed.get(MetricSampleWindowMsProp).asInstanceOf[Long],
-      _metricReporterClasses = parsed.get(MetricReporterClassesProp).asInstanceOf[java.util.List[String]]
+      _metricReporterClasses = parsed.get(MetricReporterClassesProp).asInstanceOf[java.util.List[String]],
+
+      /** *************** SSL configuration *****************/
+      principalBuilderClass = parsed.get(PrincipalBuilderClassProp).asInstanceOf[String],
+      sslProtocol = parsed.get(SSLProtocolProp).asInstanceOf[String],
+      _sslProvider = Option(parsed.get(SSLProviderProp)).map(_.asInstanceOf[String]),
+      sslEnabledProtocols = parsed.get(SSLEnabledProtocolsProp).asInstanceOf[java.util.List[String]],
+      sslKeystoreType = parsed.get(SSLKeystoreTypeProp).asInstanceOf[String],
+      sslKeystoreLocation = parsed.get(SSLKeystoreLocationProp).asInstanceOf[String],
+      sslKeystorePassword = parsed.get(SSLKeystorePasswordProp).asInstanceOf[String],
+      sslKeyPassword = parsed.get(SSLKeyPasswordProp).asInstanceOf[String],
+      sslTruststoreType = parsed.get(SSLTruststoreTypeProp).asInstanceOf[String],
+      sslTruststoreLocation = parsed.get(SSLTruststoreLocationProp).asInstanceOf[String],
+      sslTruststorePassword = parsed.get(SSLTruststorePasswordProp).asInstanceOf[String],
+      sslKeyManagerAlgorithm = parsed.get(SSLKeyManagerAlgorithmProp).asInstanceOf[String],
+      sslTrustManagerAlgorithm = parsed.get(SSLTrustManagerAlgorithmProp).asInstanceOf[String],
+      sslNeedClientAuth = parsed.get(SSLNeedClientAuthProp).asInstanceOf[Boolean],
+      sslWantClientAuth = parsed.get(SSLWantClientAuthProp).asInstanceOf[Boolean]
     )
   }
 
@@ -791,7 +882,24 @@ class KafkaConfig (/** ********* Zookeeper Configuration ***********/
 
                   val metricSampleWindowMs: Long = Defaults.MetricSampleWindowMs,
                   val metricNumSamples: Int = Defaults.MetricNumSamples,
-                  private val _metricReporterClasses: java.util.List[String] = util.Arrays.asList(Defaults.MetricReporterClasses)
+                  private val _metricReporterClasses: java.util.List[String] = util.Arrays.asList(Defaults.MetricReporterClasses),
+
+                  /** ********** SSL Configuration ************/
+                  val principalBuilderClass: String = Defaults.PrincipalBuilderClass,
+                  val sslProtocol: String = Defaults.SSLProtocol,
+                  private val _sslProvider: Option[String] = None,
+                  val sslEnabledProtocols: java.util.List[String] = util.Arrays.asList(Defaults.SSLEnabledProtocols),
+                  val sslKeystoreType: String = Defaults.SSLKeystoreType,
+                  val sslKeystoreLocation: String = Defaults.SSLKeystoreLocation,
+                  val sslKeystorePassword: String = Defaults.SSLKeystorePassword,
+                  val sslKeyPassword: String = Defaults.SSLKeyPassword,
+                  val sslTruststoreType: String = Defaults.SSLTruststoreType,
+                  val sslTruststoreLocation: String = Defaults.SSLTruststoreLocation,
+                  val sslTruststorePassword: String = Defaults.SSLTruststorePassword,
+                  val sslKeyManagerAlgorithm: String = Defaults.SSLKeyManagerAlgorithm,
+                  val sslTrustManagerAlgorithm: String = Defaults.SSLTrustManagerAlgorithm,
+                  val sslNeedClientAuth: Boolean = Defaults.SSLNeedClientAuth,
+                  val sslWantClientAuth: Boolean = Defaults.SSLWantClientAuth
                    ) {
 
   val zkConnectionTimeoutMs: Int = _zkConnectionTimeoutMs.getOrElse(zkSessionTimeoutMs)
@@ -812,6 +920,7 @@ class KafkaConfig (/** ********* Zookeeper Configuration ***********/
     getMap(KafkaConfig.MaxConnectionsPerIpOverridesProp, _maxConnectionsPerIpOverrides).map { case (k, v) => (k, v.toInt)}
 
   val metricReporterClasses: java.util.List[MetricsReporter] = getMetricClasses(_metricReporterClasses)
+  val sslProvider = _sslProvider.getOrElse("")
 
   private def getLogRetentionTimeMillis: Long = {
     val millisInMinute = 60L * 1000L
@@ -895,7 +1004,9 @@ class KafkaConfig (/** ********* Zookeeper Configuration ***********/
 
   }
 
-
+  private def getPrincipalBuilderClass(principalBuilderClass: String): PrincipalBuilder = {
+    CoreUtils.createObject[PrincipalBuilder](principalBuilderClass)
+  }
 
   validateValues()
 
@@ -1041,6 +1152,42 @@ class KafkaConfig (/** ********* Zookeeper Configuration ***********/
     props.put(MetricSampleWindowMsProp, metricSampleWindowMs.toString)
     props.put(MetricReporterClassesProp, JavaConversions.collectionAsScalaIterable(_metricReporterClasses).mkString(","))
 
+    /** ********* SSL configuration ***********/
+    props.put(PrincipalBuilderClassProp, principalBuilderClass)
+    props.put(SSLProtocolProp, sslProtocol)
+    props.put(SSLProviderProp, sslProvider)
+    props.put(SSLEnabledProtocolsProp, JavaConversions.collectionAsScalaIterable(sslEnabledProtocols).mkString(","))
+    props.put(SSLKeystoreTypeProp, sslKeystoreType)
+    props.put(SSLKeystoreLocationProp, sslKeystoreLocation)
+    props.put(SSLKeystorePasswordProp, sslKeystorePassword)
+    props.put(SSLKeyPasswordProp, sslKeyPassword)
+    props.put(SSLTruststoreTypeProp, sslTruststoreType)
+    props.put(SSLTruststoreLocationProp, sslTruststoreLocation)
+    props.put(SSLTruststorePasswordProp, sslTruststorePassword)
+    props.put(SSLKeyManagerAlgorithmProp, sslKeyManagerAlgorithm)
+    props.put(SSLTrustManagerAlgorithmProp, sslTrustManagerAlgorithm)
+    props.put(SSLNeedClientAuthProp, sslNeedClientAuth.toString)
+    props.put(SSLWantClientAuthProp, sslWantClientAuth.toString)
     props
   }
+
+  def channelConfigs: java.util.Map[String, Object] = {
+    val channelConfigs = new java.util.HashMap[String, Object]()
+    import kafka.server.KafkaConfig._
+    channelConfigs.put(PrincipalBuilderClassProp, Class.forName(principalBuilderClass))
+    channelConfigs.put(SSLProtocolProp, sslProtocol)
+    channelConfigs.put(SSLEnabledProtocolsProp, sslEnabledProtocols)
+    channelConfigs.put(SSLKeystoreTypeProp, sslKeystoreType)
+    channelConfigs.put(SSLKeystoreLocationProp, sslKeystoreLocation)
+    channelConfigs.put(SSLKeystorePasswordProp, sslKeystorePassword)
+    channelConfigs.put(SSLKeyPasswordProp, sslKeyPassword)
+    channelConfigs.put(SSLTruststoreTypeProp, sslTruststoreType)
+    channelConfigs.put(SSLTruststoreLocationProp, sslTruststoreLocation)
+    channelConfigs.put(SSLTruststorePasswordProp, sslTruststorePassword)
+    channelConfigs.put(SSLKeyManagerAlgorithmProp, sslKeyManagerAlgorithm)
+    channelConfigs.put(SSLTrustManagerAlgorithmProp, sslTrustManagerAlgorithm)
+    channelConfigs.put(SSLNeedClientAuthProp, sslNeedClientAuth: java.lang.Boolean)
+    channelConfigs.put(SSLWantClientAuthProp, sslWantClientAuth: java.lang.Boolean)
+    channelConfigs
+  }
 }
diff --git a/core/src/main/scala/kafka/server/KafkaServer.scala b/core/src/main/scala/kafka/server/KafkaServer.scala
index b320ce9..898cbf6 100755
--- a/core/src/main/scala/kafka/server/KafkaServer.scala
+++ b/core/src/main/scala/kafka/server/KafkaServer.scala
@@ -134,7 +134,7 @@ class KafkaServer(val config: KafkaConfig, time: Time = SystemTime) extends Logg
         this.logIdent = "[Kafka Server " + config.brokerId + "], "
 
         val metrics = new Metrics(metricConfig, reporters, socketServerTime)
-
+        val channelConfigs = config.channelConfigs
 
         socketServer = new SocketServer(config.brokerId,
                                         config.listeners,
@@ -146,6 +146,7 @@ class KafkaServer(val config: KafkaConfig, time: Time = SystemTime) extends Logg
                                         config.maxConnectionsPerIp,
                                         config.connectionsMaxIdleMs,
                                         config.maxConnectionsPerIpOverrides,
+                                        channelConfigs,
                                         socketServerTime,
                                         metrics)
           socketServer.startup()
diff --git a/core/src/test/scala/unit/kafka/integration/UncleanLeaderElectionTest.scala b/core/src/test/scala/unit/kafka/integration/UncleanLeaderElectionTest.scala
index e4bf2df..1d31dd7 100755
--- a/core/src/test/scala/unit/kafka/integration/UncleanLeaderElectionTest.scala
+++ b/core/src/test/scala/unit/kafka/integration/UncleanLeaderElectionTest.scala
@@ -110,9 +110,9 @@ class UncleanLeaderElectionTest extends JUnit3Suite with ZooKeeperTestHarness {
   }
 
   def testUncleanLeaderElectionDisabled {
-	// disable unclean leader election
-	configProps1.put("unclean.leader.election.enable", String.valueOf(false))
-	configProps2.put("unclean.leader.election.enable", String.valueOf(false))
+	  // disable unclean leader election
+	  configProps1.put("unclean.leader.election.enable", String.valueOf(false))
+  	configProps2.put("unclean.leader.election.enable", String.valueOf(false))
     startBrokers(Seq(configProps1, configProps2))
 
     // create topic with 1 partition, 2 replicas, one on each broker
diff --git a/core/src/test/scala/unit/kafka/network/SocketServerTest.scala b/core/src/test/scala/unit/kafka/network/SocketServerTest.scala
deleted file mode 100644
index 7dc2fad..0000000
--- a/core/src/test/scala/unit/kafka/network/SocketServerTest.scala
+++ /dev/null
@@ -1,202 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *    http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package kafka.network;
-
-import java.net._
-import java.io._
-import kafka.cluster.EndPoint
-import org.apache.kafka.common.metrics.Metrics
-import org.apache.kafka.common.network.NetworkSend
-import org.apache.kafka.common.protocol.SecurityProtocol
-import org.apache.kafka.common.utils.SystemTime
-import org.junit._
-import org.scalatest.junit.JUnitSuite
-import java.util.Random
-import junit.framework.Assert._
-import kafka.producer.SyncProducerConfig
-import kafka.api.ProducerRequest
-import java.nio.ByteBuffer
-import kafka.common.TopicAndPartition
-import kafka.message.ByteBufferMessageSet
-import java.nio.channels.SelectionKey
-import kafka.utils.TestUtils
-import scala.collection.Map
-
-class SocketServerTest extends JUnitSuite {
-
-  val server: SocketServer = new SocketServer(0,
-                                              Map(SecurityProtocol.PLAINTEXT -> EndPoint(null, 0, SecurityProtocol.PLAINTEXT),
-                                                  SecurityProtocol.TRACE -> EndPoint(null, 0, SecurityProtocol.TRACE)),
-                                              numProcessorThreads = 1,
-                                              maxQueuedRequests = 50,
-                                              sendBufferSize = 300000,
-                                              recvBufferSize = 300000,
-                                              maxRequestSize = 50,
-                                              maxConnectionsPerIp = 5,
-                                              connectionsMaxIdleMs = 60*1000,
-                                              maxConnectionsPerIpOverrides = Map.empty[String,Int],
-                                              new SystemTime(),
-                                              new Metrics())
-  server.startup()
-
-  def sendRequest(socket: Socket, id: Short, request: Array[Byte]) {
-    val outgoing = new DataOutputStream(socket.getOutputStream)
-    outgoing.writeInt(request.length + 2)
-    outgoing.writeShort(id)
-    outgoing.write(request)
-    outgoing.flush()
-  }
-
-  def receiveResponse(socket: Socket): Array[Byte] = {
-    val incoming = new DataInputStream(socket.getInputStream)
-    val len = incoming.readInt()
-    val response = new Array[Byte](len)
-    incoming.readFully(response)
-    response
-  }
-
-  /* A simple request handler that just echos back the response */
-  def processRequest(channel: RequestChannel) {
-    val request = channel.receiveRequest
-    val byteBuffer = ByteBuffer.allocate(request.requestObj.sizeInBytes)
-    request.requestObj.writeTo(byteBuffer)
-    byteBuffer.rewind()
-    val send = new NetworkSend(request.connectionId, byteBuffer)
-    channel.sendResponse(new RequestChannel.Response(request.processor, request, send))
-  }
-
-  def connect(s:SocketServer = server, protocol: SecurityProtocol = SecurityProtocol.PLAINTEXT) = {
-    new Socket("localhost", server.boundPort(protocol))
-  }
-
-
-  @After
-  def cleanup() {
-    server.shutdown()
-  }
-  @Test
-  def simpleRequest() {
-    val plainSocket = connect(protocol = SecurityProtocol.PLAINTEXT)
-    val traceSocket = connect(protocol = SecurityProtocol.TRACE)
-    val correlationId = -1
-    val clientId = SyncProducerConfig.DefaultClientId
-    val ackTimeoutMs = SyncProducerConfig.DefaultAckTimeoutMs
-    val ack = SyncProducerConfig.DefaultRequiredAcks
-    val emptyRequest =
-      new ProducerRequest(correlationId, clientId, ack, ackTimeoutMs, collection.mutable.Map[TopicAndPartition, ByteBufferMessageSet]())
-
-    val byteBuffer = ByteBuffer.allocate(emptyRequest.sizeInBytes)
-    emptyRequest.writeTo(byteBuffer)
-    byteBuffer.rewind()
-    val serializedBytes = new Array[Byte](byteBuffer.remaining)
-    byteBuffer.get(serializedBytes)
-
-    // Test PLAINTEXT socket
-    sendRequest(plainSocket, 0, serializedBytes)
-    processRequest(server.requestChannel)
-    assertEquals(serializedBytes.toSeq, receiveResponse(plainSocket).toSeq)
-
-    // Test TRACE socket
-    sendRequest(traceSocket, 0, serializedBytes)
-    processRequest(server.requestChannel)
-    assertEquals(serializedBytes.toSeq, receiveResponse(traceSocket).toSeq)
-  }
-
-  @Test
-  def tooBigRequestIsRejected() {
-    val tooManyBytes = new Array[Byte](server.maxRequestSize + 1)
-    new Random().nextBytes(tooManyBytes)
-    val socket = connect()
-    sendRequest(socket, 0, tooManyBytes)
-    try {
-      receiveResponse(socket)
-    } catch {
-      case e: IOException => // thats fine
-    }
-  }
-
-  @Test
-  def testSocketsCloseOnShutdown() {
-    // open a connection
-    val plainSocket = connect(protocol = SecurityProtocol.PLAINTEXT)
-    val traceSocket = connect(protocol = SecurityProtocol.TRACE)
-    val bytes = new Array[Byte](40)
-    // send a request first to make sure the connection has been picked up by the socket server
-    sendRequest(plainSocket, 0, bytes)
-    sendRequest(traceSocket, 0, bytes)
-    processRequest(server.requestChannel)
-
-    // make sure the sockets are open
-    server.acceptors.values.map(acceptor => assertFalse(acceptor.serverChannel.socket.isClosed))
-    // then shutdown the server
-    server.shutdown()
-
-    val largeChunkOfBytes = new Array[Byte](1000000)
-    // doing a subsequent send should throw an exception as the connection should be closed.
-    // send a large chunk of bytes to trigger a socket flush
-    try {
-      sendRequest(plainSocket, 0, largeChunkOfBytes)
-      fail("expected exception when writing to closed plain socket")
-    } catch {
-      case e: IOException => // expected
-    }
-
-    try {
-      sendRequest(traceSocket, 0, largeChunkOfBytes)
-      fail("expected exception when writing to closed trace socket")
-    } catch {
-      case e: IOException => // expected
-    }
-  }
-
-  @Test
-  def testMaxConnectionsPerIp() {
-    // make the maximum allowable number of connections and then leak them
-    val conns = (0 until server.maxConnectionsPerIp).map(i => connect())
-    // now try one more (should fail)
-    val conn = connect()
-    conn.setSoTimeout(3000)
-    assertEquals(-1, conn.getInputStream().read())
-  }
-
-  @Test
-  def testMaxConnectionsPerIPOverrides(): Unit = {
-    val overrideNum = 6
-    val overrides: Map[String, Int] = Map("localhost" -> overrideNum)
-    val overrideServer: SocketServer = new SocketServer(0,
-                                                Map(SecurityProtocol.PLAINTEXT -> EndPoint(null, 0, SecurityProtocol.PLAINTEXT)),
-                                                numProcessorThreads = 1,
-                                                maxQueuedRequests = 50,
-                                                sendBufferSize = 300000,
-                                                recvBufferSize = 300000,
-                                                maxRequestSize = 50,
-                                                maxConnectionsPerIp = 5,
-                                                connectionsMaxIdleMs = 60*1000,
-                                                maxConnectionsPerIpOverrides = overrides,
-                                                new SystemTime(),
-                                                new Metrics())
-    overrideServer.startup()
-    // make the maximum allowable number of connections and then leak them
-    val conns = ((0 until overrideNum).map(i => connect(overrideServer)))
-    // now try one more (should fail)
-    val conn = connect(overrideServer)
-    conn.setSoTimeout(3000)
-    assertEquals(-1, conn.getInputStream.read())
-    overrideServer.shutdown()
-  }
-}
diff --git a/core/src/test/scala/unit/kafka/server/KafkaConfigConfigDefTest.scala b/core/src/test/scala/unit/kafka/server/KafkaConfigConfigDefTest.scala
index ace6321..fe5ac8b 100644
--- a/core/src/test/scala/unit/kafka/server/KafkaConfigConfigDefTest.scala
+++ b/core/src/test/scala/unit/kafka/server/KafkaConfigConfigDefTest.scala
@@ -249,11 +249,29 @@ class KafkaConfigConfigDefTest extends JUnit3Suite {
         case KafkaConfig.MetricSampleWindowMsProp => expected.setProperty(name, "1000")
         case KafkaConfig.MetricReporterClassesProp => expected.setProperty(name, "")
 
+        //SSL Configs
+        case KafkaConfig.PrincipalBuilderClassProp => expected.setProperty(name, "")
+        case KafkaConfig.SSLProtocolProp => expected.setProperty(name, "SSL")
+        case KafkaConfig.SSLProviderProp => expected.setProperty(name, "")
+        case KafkaConfig.SSLEnabledProtocolsProp => expected.setProperty(name, "SSLv2,SSLv3")
+        case KafkaConfig.SSLKeystoreTypeProp => expected.setProperty(name, "JKS")
+        case KafkaConfig.SSLKeystoreLocationProp => expected.setProperty(name, "/tmp/keystore.jks")
+        case KafkaConfig.SSLKeystorePasswordProp => expected.setProperty(name, "password")
+        case KafkaConfig.SSLKeyPasswordProp => expected.setProperty(name, "kpassword")
+        case KafkaConfig.SSLTruststoreTypeProp => expected.setProperty(name, "jks")
+        case KafkaConfig.SSLTruststorePasswordProp => expected.setProperty(name, "tpassword")
+        case KafkaConfig.SSLTruststoreLocationProp => expected.setProperty(name, "/tmp/truststore.jks")
+        case KafkaConfig.SSLKeyManagerAlgorithmProp => expected.setProperty(name, "ssl")
+        case KafkaConfig.SSLTrustManagerAlgorithmProp => expected.setProperty(name, "tls")
+        case KafkaConfig.SSLNeedClientAuthProp => expected.setProperty(name, randFrom("true", "false"))
+        case KafkaConfig.SSLWantClientAuthProp => expected.setProperty(name, randFrom("true", "false"))
         case nonNegativeIntProperty => expected.setProperty(name, nextInt(Int.MaxValue).toString)
       }
     })
 
     val actual = KafkaConfig.fromProps(expected).toProps
+    println(actual)
+    println(expected)
     Assert.assertEquals(expected, actual)
   }
 
@@ -356,6 +374,23 @@ class KafkaConfigConfigDefTest extends JUnit3Suite {
         case KafkaConfig.MetricSampleWindowMsProp => assertPropertyInvalid(getBaseProperties, name, "not_a_number", "-1", "0")
         case KafkaConfig.MetricReporterClassesProp => // ignore string
 
+        //SSL Configs
+        case KafkaConfig.PrincipalBuilderClassProp =>
+        case KafkaConfig.SSLProtocolProp => // ignore string
+        case KafkaConfig.SSLProviderProp => // ignore string
+        case KafkaConfig.SSLEnabledProtocolsProp =>
+        case KafkaConfig.SSLKeystoreTypeProp => // ignore string
+        case KafkaConfig.SSLKeystoreLocationProp => // ignore string
+        case KafkaConfig.SSLKeystorePasswordProp => // ignore string
+        case KafkaConfig.SSLKeyPasswordProp => // ignore string
+        case KafkaConfig.SSLTruststoreTypeProp => // ignore string
+        case KafkaConfig.SSLTruststorePasswordProp => // ignore string
+        case KafkaConfig.SSLTruststoreLocationProp => // ignore string
+        case KafkaConfig.SSLKeyManagerAlgorithmProp =>
+        case KafkaConfig.SSLTrustManagerAlgorithmProp =>
+        case KafkaConfig.SSLNeedClientAuthProp => assertPropertyInvalid(getBaseProperties(), name, "not_a_boolean", "0")
+        case KafkaConfig.SSLWantClientAuthProp => assertPropertyInvalid(getBaseProperties(), name, "not_a_boolean", "0")
+
         case nonNegativeIntProperty => assertPropertyInvalid(getBaseProperties(), name, "not_a_number", "-1")
       }
     })
-- 
2.4.4


From 9328ffa464711a835be8935cb09922230e0e1a58 Mon Sep 17 00:00:00 2001
From: Sriharsha Chintalapani 
Date: Sat, 20 Jun 2015 10:47:01 -0700
Subject: [PATCH 15/19] KAFKA-1684. SSL for socketServer.

---
 build.gradle                                       |   2 +
 .../org/apache/kafka/clients/NetworkClient.java    |  30 +--
 .../apache/kafka/common/network/Authenticator.java |   2 +-
 .../kafka/common/network/ByteBufferSend.java       |   2 +-
 .../org/apache/kafka/common/network/Channel.java   |  21 +-
 .../kafka/common/network/ChannelBuilder.java       |   2 +-
 .../kafka/common/network/DefaultAuthenticator.java |   2 +-
 .../kafka/common/network/NetworkReceive.java       |   3 +-
 .../common/network/PlainTextChannelBuilder.java    |   4 +-
 .../common/network/PlainTextTransportLayer.java    |  15 +-
 .../kafka/common/network/SSLChannelBuilder.java    |   4 +-
 .../kafka/common/network/SSLTransportLayer.java    |  19 +-
 .../org/apache/kafka/common/network/Selector.java  |  15 +-
 .../kafka/common/network/TransportLayer.java       |   7 +-
 .../org/apache/kafka/clients/ClientUtilsTest.java  |   2 +-
 .../kafka/common/network/SSLFactoryTest.java       |   9 +-
 .../kafka/common/network/SSLSelectorTest.java      |   9 +-
 .../java/org/apache/kafka/test/TestSSLUtils.java   |  56 +++---
 .../main/scala/kafka/network/SocketServer.scala    | 115 ++++++-----
 core/src/main/scala/kafka/server/KafkaConfig.scala |   6 +-
 core/src/main/scala/kafka/server/KafkaServer.scala | 124 +++++-------
 .../integration/kafka/api/ProducerSendTest.scala   |   4 +-
 .../kafka/api/SSLProducerSendTest.scala            | 108 +++++++++++
 .../scala/unit/kafka/admin/AddPartitionsTest.scala |   2 +-
 .../unit/kafka/network/SocketServerTest.scala      | 211 +++++++++++++++++++++
 .../test/scala/unit/kafka/utils/TestUtils.scala    |  68 ++++++-
 26 files changed, 604 insertions(+), 238 deletions(-)
 create mode 100644 core/src/test/scala/integration/kafka/api/SSLProducerSendTest.scala
 create mode 100644 core/src/test/scala/unit/kafka/network/SocketServerTest.scala

diff --git a/build.gradle b/build.gradle
index 673f2dc..6355c56 100644
--- a/build.gradle
+++ b/build.gradle
@@ -216,7 +216,9 @@ project(':core') {
     testCompile 'junit:junit:4.6'
     testCompile 'org.easymock:easymock:3.0'
     testCompile 'org.objenesis:objenesis:1.2'
+    testCompile 'org.bouncycastle:bcpkix-jdk15on:1.52'
     testCompile project(':clients')
+    testCompile project(':clients').sourceSets.test.output
     if (scalaVersion.startsWith('2.10')) {
       testCompile 'org.scalatest:scalatest_2.10:1.9.1'
     } else if (scalaVersion.startsWith('2.11')) {
diff --git a/clients/src/main/java/org/apache/kafka/clients/NetworkClient.java b/clients/src/main/java/org/apache/kafka/clients/NetworkClient.java
index 48fe796..d90daa4 100644
--- a/clients/src/main/java/org/apache/kafka/clients/NetworkClient.java
+++ b/clients/src/main/java/org/apache/kafka/clients/NetworkClient.java
@@ -3,9 +3,9 @@
  * file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file
  * to You under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the
  * License. You may obtain a copy of the License at
- * 
+ *
  * http://www.apache.org/licenses/LICENSE-2.0
- * 
+ *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
  * specific language governing permissions and limitations under the License.
@@ -101,7 +101,7 @@ public class NetworkClient implements KafkaClient {
 
     /**
      * Begin connecting to the given node, return true if we are already connected and ready to send to that node.
-     * 
+     *
      * @param node The node to check
      * @param now The current timestamp
      * @return True if we are ready to send to the given node
@@ -122,7 +122,7 @@ public class NetworkClient implements KafkaClient {
      * Returns the number of milliseconds to wait, based on the connection state, before attempting to send data. When
      * disconnected, this respects the reconnect backoff time. When connecting or connected, this handles slow/stalled
      * connections.
-     * 
+     *
      * @param node The node to check
      * @param now The current timestamp
      * @return The number of milliseconds to wait.
@@ -147,7 +147,7 @@ public class NetworkClient implements KafkaClient {
 
     /**
      * Check if the node with the given id is ready to send more requests.
-     * 
+     *
      * @param node The node
      * @param now The current time in ms
      * @return true if the node is ready
@@ -166,7 +166,7 @@ public class NetworkClient implements KafkaClient {
 
     /**
      * Are we connected and ready and able to send more requests to the given connection?
-     * 
+     *
      * @param node The node
      */
     private boolean isSendable(String node) {
@@ -175,7 +175,7 @@ public class NetworkClient implements KafkaClient {
 
     /**
      * Return the state of the connection to the given node
-     * 
+     *
      * @param node The node to check
      * @return The connection state
      */
@@ -185,7 +185,7 @@ public class NetworkClient implements KafkaClient {
 
     /**
      * Queue up the given request for sending. Requests can only be sent out to ready nodes.
-     * 
+     *
      * @param request The request
      */
     @Override
@@ -200,7 +200,7 @@ public class NetworkClient implements KafkaClient {
 
     /**
      * Do actual reads and writes to sockets.
-     * 
+     *
      * @param timeout The maximum amount of time to wait (in ms) for responses if there are none immediately
      * @param now The current time in milliseconds
      * @return The list of responses received
@@ -246,7 +246,7 @@ public class NetworkClient implements KafkaClient {
 
     /**
      * Await all the outstanding responses for requests on the given connection
-     * 
+     *
      * @param node The node to block on
      * @param now The current time in ms
      * @return All the collected responses
@@ -294,7 +294,7 @@ public class NetworkClient implements KafkaClient {
 
     /**
      * Generate a request header for the given API key
-     * 
+     *
      * @param key The api key
      * @return A request header with the appropriate client id and correlation id
      */
@@ -324,7 +324,7 @@ public class NetworkClient implements KafkaClient {
      * prefer a node with an existing connection, but will potentially choose a node for which we don't yet have a
      * connection if all existing connections are in use. This method will never choose a node for which there is no
      * existing connection and from which we have disconnected within the reconnect backoff period.
-     * 
+     *
      * @return The node with the fewest in-flight requests.
      */
     public Node leastLoadedNode(long now) {
@@ -349,7 +349,7 @@ public class NetworkClient implements KafkaClient {
 
     /**
      * Handle any completed request send. In particular if no response is expected consider the request complete.
-     * 
+     *
      * @param responses The list of responses to update
      * @param now The current time
      */
@@ -366,7 +366,7 @@ public class NetworkClient implements KafkaClient {
 
     /**
      * Handle any completed receives and update the response list with the responses received.
-     * 
+     *
      * @param responses The list of responses to update
      * @param now The current time
      */
@@ -407,7 +407,7 @@ public class NetworkClient implements KafkaClient {
 
     /**
      * Handle any disconnected connections
-     * 
+     *
      * @param responses The list of responses that completed with the disconnection
      * @param now The current time
      */
diff --git a/clients/src/main/java/org/apache/kafka/common/network/Authenticator.java b/clients/src/main/java/org/apache/kafka/common/network/Authenticator.java
index 8ab004f..b3f574b 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/Authenticator.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/Authenticator.java
@@ -49,6 +49,6 @@ public interface Authenticator {
     /**
      * returns true if authentication is complete otherwise returns false;
      */
-    boolean isComplete();
+    boolean complete();
 
 }
diff --git a/clients/src/main/java/org/apache/kafka/common/network/ByteBufferSend.java b/clients/src/main/java/org/apache/kafka/common/network/ByteBufferSend.java
index 85babbd..86fc6f7 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/ByteBufferSend.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/ByteBufferSend.java
@@ -26,7 +26,7 @@ public class ByteBufferSend implements Send {
     protected final ByteBuffer[] buffers;
     private int remaining;
     private int size;
-    private boolean pending;
+    private boolean pending = false;
 
     public ByteBufferSend(String destination, ByteBuffer... buffers) {
         super();
diff --git a/clients/src/main/java/org/apache/kafka/common/network/Channel.java b/clients/src/main/java/org/apache/kafka/common/network/Channel.java
index 9f76319..0085402 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/Channel.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/Channel.java
@@ -32,15 +32,17 @@ import org.slf4j.LoggerFactory;
 public class Channel {
     private static final Logger log = LoggerFactory.getLogger(Channel.class);
     private final String id;
-    private TransportLayer transportLayer;
+    public TransportLayer transportLayer;
     private Authenticator authenticator;
     private NetworkReceive receive;
     private Send send;
+    private int maxReceiveSize;
 
-    public Channel(String id, TransportLayer transportLayer, Authenticator authenticator) throws IOException {
+    public Channel(String id, TransportLayer transportLayer, Authenticator authenticator, int maxReceiveSize) throws IOException {
         this.id = id;
         this.transportLayer = transportLayer;
         this.authenticator = authenticator;
+        this.maxReceiveSize = maxReceiveSize;
     }
 
     public void close() throws IOException {
@@ -61,11 +63,11 @@ public class Channel {
      * Does handshake of transportLayer and Authentication using configured authenticator
      */
     public void prepare() throws IOException {
-        if (transportLayer.isReady() && authenticator.isComplete())
+        if (transportLayer.ready() && authenticator.complete())
             return;
-        if (!transportLayer.isReady())
+        if (!transportLayer.ready())
             transportLayer.handshake();
-        if (transportLayer.isReady() && !authenticator.isComplete())
+        if (transportLayer.ready() && !authenticator.complete())
             authenticator.authenticate();
     }
 
@@ -90,8 +92,8 @@ public class Channel {
         transportLayer.addInterestOps(SelectionKey.OP_READ);
     }
 
-    public boolean isReady() {
-        return transportLayer.isReady() && authenticator.isComplete();
+    public boolean ready() {
+        return transportLayer.ready() && authenticator.complete();
     }
 
     public String socketDescription() {
@@ -115,9 +117,10 @@ public class Channel {
         NetworkReceive result = null;
 
         if (receive == null) {
-            receive = new NetworkReceive(id);
+            receive = new NetworkReceive(maxReceiveSize, id);
         }
-        receive(receive);
+
+        long x = receive(receive);
         if (receive.complete()) {
             receive.payload().rewind();
             result = receive;
diff --git a/clients/src/main/java/org/apache/kafka/common/network/ChannelBuilder.java b/clients/src/main/java/org/apache/kafka/common/network/ChannelBuilder.java
index a9a88db..e0ff4e8 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/ChannelBuilder.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/ChannelBuilder.java
@@ -33,7 +33,7 @@ public interface ChannelBuilder {
      * @param  id  channel id
      * @param  key SelectionKey
      */
-    public Channel buildChannel(String id, SelectionKey key) throws KafkaException;
+    public Channel buildChannel(String id, SelectionKey key, int maxReceiveSize) throws KafkaException;
 
 
     /**
diff --git a/clients/src/main/java/org/apache/kafka/common/network/DefaultAuthenticator.java b/clients/src/main/java/org/apache/kafka/common/network/DefaultAuthenticator.java
index d5e24ad..371c97d 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/DefaultAuthenticator.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/DefaultAuthenticator.java
@@ -56,7 +56,7 @@ public class DefaultAuthenticator implements Authenticator {
      * DefaultAuthenticator doesn't implement any additional authentication.
      * @returns true
      */
-    public boolean isComplete() {
+    public boolean complete() {
         return true;
     }
 
diff --git a/clients/src/main/java/org/apache/kafka/common/network/NetworkReceive.java b/clients/src/main/java/org/apache/kafka/common/network/NetworkReceive.java
index 4fbc53c..6444453 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/NetworkReceive.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/NetworkReceive.java
@@ -87,8 +87,9 @@ public class NetworkReceive implements Receive {
                 int receiveSize = size.getInt();
                 if (receiveSize < 0)
                     throw new InvalidReceiveException("Invalid receive (size = " + receiveSize + ")");
-                if (maxSize != UNLIMITED && receiveSize > maxSize)
+                if (maxSize != UNLIMITED && receiveSize > maxSize) {
                     throw new InvalidReceiveException("Invalid receive (size = " + receiveSize + " larger than " + maxSize + ")");
+                }
                 this.buffer = ByteBuffer.allocate(receiveSize);
             }
         }
diff --git a/clients/src/main/java/org/apache/kafka/common/network/PlainTextChannelBuilder.java b/clients/src/main/java/org/apache/kafka/common/network/PlainTextChannelBuilder.java
index eb2cbf3..4b9837a 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/PlainTextChannelBuilder.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/PlainTextChannelBuilder.java
@@ -37,12 +37,12 @@ public class PlainTextChannelBuilder implements ChannelBuilder {
         }
     }
 
-    public Channel buildChannel(String id, SelectionKey key) throws KafkaException {
+    public Channel buildChannel(String id, SelectionKey key, int maxReceiveSize) throws KafkaException {
         Channel channel = null;
         try {
             PlainTextTransportLayer transportLayer = new PlainTextTransportLayer(key);
             Authenticator authenticator = new DefaultAuthenticator(transportLayer, this.principalBuilder);
-            channel = new Channel(id, transportLayer, authenticator);
+            channel = new Channel(id, transportLayer, authenticator, maxReceiveSize);
         } catch (Exception e) {
             log.warn("Failed to create channel due to ", e);
             throw new KafkaException(e);
diff --git a/clients/src/main/java/org/apache/kafka/common/network/PlainTextTransportLayer.java b/clients/src/main/java/org/apache/kafka/common/network/PlainTextTransportLayer.java
index b7529a7..2390f03 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/PlainTextTransportLayer.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/PlainTextTransportLayer.java
@@ -44,7 +44,7 @@ public class PlainTextTransportLayer implements TransportLayer {
         this.socketChannel = (SocketChannel) key.channel();
     }
 
-    public boolean isReady() {
+    public boolean ready() {
         return true;
     }
 
@@ -79,17 +79,6 @@ public class PlainTextTransportLayer implements TransportLayer {
         socketChannel.close();
     }
 
-
-
-    /**
-     * There won't be any pending bytes to written socketChannel once write method is called.
-     * This will always return false.
-     */
-    public boolean pending() {
-        return false;
-    }
-
-
     /**
      * Performs SSL handshake hence is a no-op for the non-secure
      * implementation
@@ -97,7 +86,6 @@ public class PlainTextTransportLayer implements TransportLayer {
     */
     public void handshake() throws IOException {}
 
-
     /**
     * Reads a sequence of bytes from this channel into the given buffer.
     *
@@ -107,6 +95,7 @@ public class PlainTextTransportLayer implements TransportLayer {
     */
 
     public int read(ByteBuffer dst) throws IOException {
+        System.out.println("in read " + dst.remaining());
         return socketChannel.read(dst);
     }
 
diff --git a/clients/src/main/java/org/apache/kafka/common/network/SSLChannelBuilder.java b/clients/src/main/java/org/apache/kafka/common/network/SSLChannelBuilder.java
index 8ba9f00..0a74a2b 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/SSLChannelBuilder.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/SSLChannelBuilder.java
@@ -44,7 +44,7 @@ public class SSLChannelBuilder implements ChannelBuilder {
         }
     }
 
-    public Channel buildChannel(String id, SelectionKey key) throws KafkaException {
+    public Channel buildChannel(String id, SelectionKey key, int maxReceiveSize) throws KafkaException {
         Channel channel = null;
         try {
             SocketChannel socketChannel = (SocketChannel) key.channel();
@@ -52,7 +52,7 @@ public class SSLChannelBuilder implements ChannelBuilder {
                                                                      sslFactory.createSSLEngine(socketChannel.socket().getInetAddress().getHostName(),
                                                                                                 socketChannel.socket().getPort()));
             Authenticator authenticator = new DefaultAuthenticator(transportLayer, this.principalBuilder);
-            channel = new Channel(id, transportLayer, authenticator);
+            channel = new Channel(id, transportLayer, authenticator, maxReceiveSize);
         } catch (Exception e) {
             log.info("Failed to create channel due to ", e);
             throw new KafkaException(e);
diff --git a/clients/src/main/java/org/apache/kafka/common/network/SSLTransportLayer.java b/clients/src/main/java/org/apache/kafka/common/network/SSLTransportLayer.java
index b9f57aa..8e88b7a 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/SSLTransportLayer.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/SSLTransportLayer.java
@@ -66,6 +66,7 @@ public class SSLTransportLayer implements TransportLayer {
         this.netWriteBuffer = ByteBuffer.allocateDirect(packetBufferSize());
         this.appReadBuffer = ByteBuffer.allocateDirect(applicationBufferSize());
         this.socketSendBufferSize = this.socketChannel.socket().getSendBufferSize();
+        startHandshake();
     }
 
     /**
@@ -80,6 +81,7 @@ public class SSLTransportLayer implements TransportLayer {
         handshakeComplete = false;
         closed = false;
         closing = false;
+        addInterestOps(SelectionKey.OP_READ);
         //initiate handshake
         sslEngine.beginHandshake();
         handshakeStatus = sslEngine.getHandshakeStatus();
@@ -88,7 +90,7 @@ public class SSLTransportLayer implements TransportLayer {
     }
 
 
-    public boolean isReady() {
+    public boolean ready() {
         return handshakeComplete;
     }
 
@@ -98,9 +100,7 @@ public class SSLTransportLayer implements TransportLayer {
     public void finishConnect() throws IOException {
         socketChannel.finishConnect();
         removeInterestOps(SelectionKey.OP_CONNECT);
-        addInterestOps(SelectionKey.OP_READ);
         key.interestOps(key.interestOps() & ~SelectionKey.OP_CONNECT | SelectionKey.OP_READ);
-        startHandshake();
     }
 
     /**
@@ -177,7 +177,6 @@ public class SSLTransportLayer implements TransportLayer {
         boolean write = key.isWritable();
         handshakeComplete = false;
         handshakeStatus = sslEngine.getHandshakeStatus();
-
         if (!flush(netWriteBuffer)) {
             key.interestOps(SelectionKey.OP_WRITE);
             return;
@@ -368,13 +367,11 @@ public class SSLTransportLayer implements TransportLayer {
         }
 
         if (dst.remaining() > 0) {
-            boolean canRead = true;
             netReadBuffer = Utils.ensureCapacity(netReadBuffer, packetBufferSize());
-            if (canRead && netReadBuffer.remaining() > 0) {
+            if (netReadBuffer.remaining() > 0) {
                 int netread = socketChannel.read(netReadBuffer);
-                canRead = netread > 0;
+                if (netread == 0) return netread;
             }
-
             do {
                 netReadBuffer.flip();
                 SSLEngineResult unwrapResult = sslEngine.unwrap(netReadBuffer, appReadBuffer);
@@ -401,13 +398,16 @@ public class SSLTransportLayer implements TransportLayer {
                 } else if (unwrapResult.getStatus() == Status.BUFFER_UNDERFLOW) {
                     int currentPacketBufferSize = packetBufferSize();
                     netReadBuffer = Utils.ensureCapacity(netReadBuffer, currentPacketBufferSize);
+                    if (netReadBuffer.position() >= currentPacketBufferSize) {
+                        throw new IllegalStateException("Buffer underflow when available data (" + netReadBuffer.position() +
+                                                        ") > packet buffer size (" + currentPacketBufferSize + ")");
+                    }
                     break;
                 } else if (unwrapResult.getStatus() == Status.CLOSED) {
                     throw new EOFException();
                 }
             } while (netReadBuffer.position() != 0);
         }
-
         return read;
     }
 
@@ -516,7 +516,6 @@ public class SSLTransportLayer implements TransportLayer {
                     totalWritten += written;
                 }
             }
-
             if (!srcs[i].hasRemaining()) {
                 i++;
             } else {
diff --git a/clients/src/main/java/org/apache/kafka/common/network/Selector.java b/clients/src/main/java/org/apache/kafka/common/network/Selector.java
index 4187276..64237e5 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/Selector.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/Selector.java
@@ -154,7 +154,7 @@ public class Selector implements Selectable {
             throw e;
         }
         SelectionKey key = socketChannel.register(nioSelector, SelectionKey.OP_CONNECT);
-        Channel channel = channelBuilder.buildChannel(id, key);
+        Channel channel = channelBuilder.buildChannel(id, key, maxReceiveSize);
         key.attach(channel);
         this.channels.put(id, channel);
     }
@@ -166,7 +166,7 @@ public class Selector implements Selectable {
      */
     public void register(String id, SocketChannel socketChannel) throws ClosedChannelException {
         SelectionKey key = socketChannel.register(nioSelector, SelectionKey.OP_READ);
-        Channel channel = channelBuilder.buildChannel(id, key);
+        Channel channel = channelBuilder.buildChannel(id, key, maxReceiveSize);
         key.attach(channel);
         this.channels.put(id, channel);
     }
@@ -269,12 +269,12 @@ public class Selector implements Selectable {
                     }
 
                     /* if channel is not ready finish prepare */
-                    if (!channel.isReady()) {
+                    if (!channel.ready()) {
                         channel.prepare();
                     }
 
-                     /* if channel is ready read from any connections that have readable data */
-                    if (channel.isReady() && key.isReadable()) {
+                    /* if channel is ready read from any connections that have readable data */
+                    if (channel.ready() && key.isReadable()) {
                         NetworkReceive networkReceive;
                         try {
                             if ((networkReceive = channel.read()) != null) {
@@ -289,7 +289,7 @@ public class Selector implements Selectable {
                     }
 
                     /* if channel is ready write to any sockets that have space in their buffer and for which we have data */
-                    if (key.isWritable() && channel.isReady()) {
+                    if (channel.ready() && key.isWritable()) {
                         Send send = channel.write();
                         if (send != null) {
                             this.completedSends.add(send);
@@ -423,7 +423,8 @@ public class Selector implements Selectable {
      */
     public void close(String id) {
         Channel channel = this.channels.get(id);
-        close(channel);
+        if (channel != null)
+            close(channel);
     }
 
     /**
diff --git a/clients/src/main/java/org/apache/kafka/common/network/TransportLayer.java b/clients/src/main/java/org/apache/kafka/common/network/TransportLayer.java
index 6a085c6..2fa4437 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/TransportLayer.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/TransportLayer.java
@@ -33,7 +33,7 @@ public interface TransportLayer extends ScatteringByteChannel, GatheringByteChan
     /**
      * Returns true if the channel has handshake and authenticaiton done.
      */
-    boolean isReady();
+    boolean ready();
 
     /**
      * Finishes the process of connecting a socket channel.
@@ -52,11 +52,6 @@ public interface TransportLayer extends ScatteringByteChannel, GatheringByteChan
 
 
     /**
-     * returns true if there are any pending bytes needs to be written to channel.
-     */
-    boolean pending();
-
-    /**
      * Performs SSL handshake hence is a no-op for the non-secure
      * implementation
      * @throws IOException
diff --git a/clients/src/test/java/org/apache/kafka/clients/ClientUtilsTest.java b/clients/src/test/java/org/apache/kafka/clients/ClientUtilsTest.java
index 13ce519..d6a4019 100644
--- a/clients/src/test/java/org/apache/kafka/clients/ClientUtilsTest.java
+++ b/clients/src/test/java/org/apache/kafka/clients/ClientUtilsTest.java
@@ -39,4 +39,4 @@ public class ClientUtilsTest {
     private void check(String... url) {
         ClientUtils.parseAndValidateAddresses(Arrays.asList(url));
     }
-}
\ No newline at end of file
+}
diff --git a/clients/src/test/java/org/apache/kafka/common/network/SSLFactoryTest.java b/clients/src/test/java/org/apache/kafka/common/network/SSLFactoryTest.java
index 9e3926c..a2cf302 100644
--- a/clients/src/test/java/org/apache/kafka/common/network/SSLFactoryTest.java
+++ b/clients/src/test/java/org/apache/kafka/common/network/SSLFactoryTest.java
@@ -14,6 +14,7 @@ package org.apache.kafka.common.network;
 
 import javax.net.ssl.*;
 
+import java.io.File;
 import java.util.Map;
 
 import org.apache.kafka.test.TestSSLUtils;
@@ -33,8 +34,8 @@ public class SSLFactoryTest {
 
     @Test
     public void testSSLFactoryConfiguration() throws Exception {
-        Map> sslConfigs = TestSSLUtils.createSSLConfigs(false, true);
-        Map serverSSLConfig = sslConfigs.get(SSLFactory.Mode.SERVER);
+        File trustStoreFile = File.createTempFile("truststore", ".jks");
+        Map serverSSLConfig = TestSSLUtils.createSSLConfig(false, true, SSLFactory.Mode.SERVER, trustStoreFile, "server");
         SSLFactory sslFactory = new SSLFactory(SSLFactory.Mode.SERVER);
         sslFactory.configure(serverSSLConfig);
         //host and port are hints
@@ -47,8 +48,8 @@ public class SSLFactoryTest {
 
     @Test
     public void testClientMode() throws Exception {
-        Map> sslConfigs = TestSSLUtils.createSSLConfigs(false, true);
-        Map clientSSLConfig = sslConfigs.get(SSLFactory.Mode.CLIENT);
+        File trustStoreFile = File.createTempFile("truststore", ".jks");
+        Map clientSSLConfig = TestSSLUtils.createSSLConfig(false, true, SSLFactory.Mode.CLIENT, trustStoreFile, "client");
         SSLFactory sslFactory = new SSLFactory(SSLFactory.Mode.CLIENT);
         sslFactory.configure(clientSSLConfig);
         //host and port are hints
diff --git a/clients/src/test/java/org/apache/kafka/common/network/SSLSelectorTest.java b/clients/src/test/java/org/apache/kafka/common/network/SSLSelectorTest.java
index 1a8cc27..478afbb 100644
--- a/clients/src/test/java/org/apache/kafka/common/network/SSLSelectorTest.java
+++ b/clients/src/test/java/org/apache/kafka/common/network/SSLSelectorTest.java
@@ -19,6 +19,7 @@ import java.util.LinkedHashMap;
 import java.util.Map;
 
 import java.io.IOException;
+import java.io.File;
 import java.net.InetSocketAddress;
 import java.nio.ByteBuffer;
 
@@ -46,12 +47,13 @@ public class SSLSelectorTest {
 
     @Before
     public void setup() throws Exception {
-        Map> sslConfigs = TestSSLUtils.createSSLConfigs(false, true);
-        Map sslServerConfigs = sslConfigs.get(SSLFactory.Mode.SERVER);
+        File trustStoreFile = File.createTempFile("truststore", ".jks");
+
+        Map sslServerConfigs = TestSSLUtils.createSSLConfig(false, true, SSLFactory.Mode.SERVER, trustStoreFile, "server");
         sslServerConfigs.put(SSLConfigs.PRINCIPAL_BUILDER_CLASS_CONFIG, Class.forName(SSLConfigs.DEFAULT_PRINCIPAL_BUILDER_CLASS));
         this.server = new EchoServer(sslServerConfigs);
         this.server.start();
-        Map sslClientConfigs = sslConfigs.get(SSLFactory.Mode.CLIENT);
+        Map sslClientConfigs = TestSSLUtils.createSSLConfig(false, false, SSLFactory.Mode.SERVER, trustStoreFile, "client");
         sslClientConfigs.put(SSLConfigs.PRINCIPAL_BUILDER_CLASS_CONFIG, Class.forName(SSLConfigs.DEFAULT_PRINCIPAL_BUILDER_CLASS));
 
         this.channelBuilder = new SSLChannelBuilder(SSLFactory.Mode.CLIENT);
@@ -209,7 +211,6 @@ public class SSLSelectorTest {
     //     }
     // }
 
-
     private String blockingRequest(String node, String s) throws IOException {
         selector.send(createSend(node, s));
         while (true) {
diff --git a/clients/src/test/java/org/apache/kafka/test/TestSSLUtils.java b/clients/src/test/java/org/apache/kafka/test/TestSSLUtils.java
index 1930cc2..08cd598 100644
--- a/clients/src/test/java/org/apache/kafka/test/TestSSLUtils.java
+++ b/clients/src/test/java/org/apache/kafka/test/TestSSLUtils.java
@@ -23,7 +23,9 @@ import org.apache.kafka.clients.CommonClientConfigs;
 
 import java.io.File;
 import java.io.FileOutputStream;
+import java.io.FileInputStream;
 import java.io.IOException;
+import java.io.EOFException;
 import java.math.BigInteger;
 import javax.net.ssl.TrustManagerFactory;
 import java.security.*;
@@ -153,7 +155,14 @@ public class TestSSLUtils {
 
     public static  void createTrustStore(
             String filename, String password, Map certs) throws GeneralSecurityException, IOException {
-        KeyStore ks = createEmptyKeyStore();
+        KeyStore ks = KeyStore.getInstance("JKS");
+        try {
+            FileInputStream in = new FileInputStream(filename);
+            ks.load(in, password.toCharArray());
+            in.close();
+        } catch (EOFException e) {
+            ks = createEmptyKeyStore();
+        }
         for (Map.Entry cert : certs.entrySet()) {
             ks.setCertificateEntry(cert.getKey(), cert.getValue());
         }
@@ -194,42 +203,41 @@ public class TestSSLUtils {
         return sslConfigs;
     }
 
-    public static Map> createSSLConfigs(boolean useClientCert, boolean trustStore)
+    public static  Map createSSLConfig(boolean useClientCert, boolean trustStore, SSLFactory.Mode mode, File trustStoreFile, String certAlias)
         throws IOException, GeneralSecurityException {
-        Map> sslConfigs = new HashMap>();
         Map certs = new HashMap();
-        File trustStoreFile = File.createTempFile("truststore", ".jks");
-        File clientKeyStoreFile = null;
-        File serverKeyStoreFile = File.createTempFile("serverKS", ".jks");
-        String clientPassword = "ClientPassword";
-        String serverPassword = "ServerPassword";
+        File keyStoreFile;
+        String password;
+
+        if (mode == SSLFactory.Mode.SERVER)
+            password = "ServerPassword";
+        else
+            password = "ClientPassword";
+
         String trustStorePassword = "TrustStorePassword";
 
         if (useClientCert) {
-            clientKeyStoreFile = File.createTempFile("clientKS", ".jks");
+            keyStoreFile = File.createTempFile("clientKS", ".jks");
             KeyPair cKP = generateKeyPair("RSA");
             X509Certificate cCert = generateCertificate("CN=localhost, O=client", cKP, 30, "SHA1withRSA");
-            createKeyStore(clientKeyStoreFile.getPath(), clientPassword, "client", cKP.getPrivate(), cCert);
-            certs.put("client", cCert);
+            createKeyStore(keyStoreFile.getPath(), password, "client", cKP.getPrivate(), cCert);
+            certs.put(certAlias, cCert);
+        } else {
+            keyStoreFile = File.createTempFile("serverKS", ".jks");
+            KeyPair sKP = generateKeyPair("RSA");
+            X509Certificate sCert = generateCertificate("CN=localhost, O=server", sKP, 30,
+                                                        "SHA1withRSA");
+            createKeyStore(keyStoreFile.getPath(), password, password, "server", sKP.getPrivate(), sCert);
+            certs.put(certAlias, sCert);
         }
 
-        KeyPair sKP = generateKeyPair("RSA");
-        X509Certificate sCert = generateCertificate("CN=localhost, O=server", sKP, 30,
-                                                    "SHA1withRSA");
-        createKeyStore(serverKeyStoreFile.getPath(), serverPassword, serverPassword, "server", sKP.getPrivate(), sCert);
-        certs.put("server", sCert);
-
         if (trustStore) {
             createTrustStore(trustStoreFile.getPath(), trustStorePassword, certs);
         }
 
-        Map clientSSLConfig = createSSLConfig(SSLFactory.Mode.CLIENT, clientKeyStoreFile, clientPassword,
-                                                              clientPassword, trustStoreFile, trustStorePassword, useClientCert);
-        Map serverSSLConfig = createSSLConfig(SSLFactory.Mode.SERVER, serverKeyStoreFile, serverPassword,
-                                                              serverPassword, trustStoreFile, trustStorePassword, useClientCert);
-        sslConfigs.put(SSLFactory.Mode.CLIENT, clientSSLConfig);
-        sslConfigs.put(SSLFactory.Mode.SERVER, serverSSLConfig);
-        return sslConfigs;
+        Map sslConfig = createSSLConfig(mode, keyStoreFile, password,
+                                                        password, trustStoreFile, trustStorePassword, useClientCert);
+        return sslConfig;
     }
 
 }
diff --git a/core/src/main/scala/kafka/network/SocketServer.scala b/core/src/main/scala/kafka/network/SocketServer.scala
index 6cf1a8d..a09ed84 100644
--- a/core/src/main/scala/kafka/network/SocketServer.scala
+++ b/core/src/main/scala/kafka/network/SocketServer.scala
@@ -28,9 +28,10 @@ import com.yammer.metrics.core.Gauge
 import kafka.cluster.EndPoint
 import kafka.common.KafkaException
 import kafka.metrics.KafkaMetricsGroup
+import kafka.server.KafkaConfig
 import kafka.utils._
 import org.apache.kafka.common.MetricName
-import org.apache.kafka.common.metrics.Metrics
+import org.apache.kafka.common.metrics._
 import org.apache.kafka.common.network.{InvalidReceiveException, ChannelBuilder,
                                         PlainTextChannelBuilder, SSLChannelBuilder, SSLFactory}
 import org.apache.kafka.common.protocol.SecurityProtocol
@@ -45,25 +46,42 @@ import scala.collection._
  *   Acceptor has N Processor threads that each have their own selector and read requests from sockets
  *   M Handler threads that handle requests and produce responses back to the processor threads for writing.
  */
-class SocketServer(val brokerId: Int,
-                   val endpoints: Map[SecurityProtocol, EndPoint],
-                   val numProcessorThreads: Int,
-                   val maxQueuedRequests: Int,
-                   val sendBufferSize: Int,
-                   val recvBufferSize: Int,
-                   val maxRequestSize: Int = Int.MaxValue,
-                   val maxConnectionsPerIp: Int = Int.MaxValue,
-                   val connectionsMaxIdleMs: Long,
-                   val maxConnectionsPerIpOverrides: Map[String, Int],
-                   val channelConfigs: java.util.Map[String, Object],
-                   val time: Time,
-                   val metrics: Metrics) extends Logging with KafkaMetricsGroup {
-  this.logIdent = "[Socket Server on Broker " + brokerId + "], "
-  val requestChannel = new RequestChannel(numProcessorThreads, maxQueuedRequests)
+class SocketServer(val config: KafkaConfig) extends Logging with KafkaMetricsGroup {
+
+  private val jmxPrefix: String = "kafka.server"
+  private val reporters: java.util.List[MetricsReporter] =  config.metricReporterClasses
+  reporters.add(new JmxReporter(jmxPrefix))
+
+  private val metricConfig: MetricConfig = new MetricConfig()
+    .samples(config.metricNumSamples)
+    .timeWindow(config.metricSampleWindowMs, TimeUnit.MILLISECONDS)
+
+  val channelConfigs = config.channelConfigs
+
+  // This exists so SocketServer (which uses Client libraries) can use the client Time objects without having to convert all of Kafka to use them
+  // Once we get rid of kafka.utils.time, we can get rid of this too
+  private val time: org.apache.kafka.common.utils.Time = new org.apache.kafka.common.utils.SystemTime()
+
+  val endpoints = config.listeners
+  val numProcessorThreads = config.numNetworkThreads
+  val maxQueuedRequests = config.queuedMaxRequests
+  val sendBufferSize = config.socketSendBufferBytes
+  val recvBufferSize = config.socketReceiveBufferBytes
+  val maxRequestSize = config.socketRequestMaxBytes
+  val maxConnectionsPerIp = config.maxConnectionsPerIp
+  val connectionsMaxIdleMs = config.connectionsMaxIdleMs
+  val maxConnectionsPerIpOverrides = config.maxConnectionsPerIpOverrides
+  val totalProcessorThreads = numProcessorThreads * endpoints.size
+
+  this.logIdent = "[Socket Server on Broker " + config.brokerId + "], "
+
+  val requestChannel = new RequestChannel(totalProcessorThreads, maxQueuedRequests)
+  val processors = new Array[Processor](totalProcessorThreads)
+
   private[network] var acceptors =  mutable.Map[EndPoint,Acceptor]()
 
 
-  private val allMetricNames = (0 until numProcessorThreads).map { i =>
+  private val allMetricNames = (0 until totalProcessorThreads).map { i =>
     val tags = new util.HashMap[String, String]()
     tags.put("networkProcessor", i.toString)
     new MetricName("io-wait-ratio", "socket-server-metrics", tags)
@@ -83,32 +101,25 @@ class SocketServer(val brokerId: Int,
   def startup() {
     val quotas = new ConnectionQuotas(maxConnectionsPerIp, maxConnectionsPerIpOverrides)
 
-    newGauge("NetworkProcessorAvgIdlePercent",
-      new Gauge[Double] {
-        def value = allMetricNames.map( metricName =>
-          metrics.metrics().get(metricName).value()).sum / numProcessorThreads
-      }
-    )
-
-
-
-    // start accepting connections
-    // right now we will use the same processors for all ports, since we didn't implement different protocols
-    // in the future, we may implement different processors for SSL and Kerberos
-
     this.synchronized {
+      var processorIndex = 0
       endpoints.values.foreach(endpoint => {
-        val acceptor = new Acceptor(endpoint.host, endpoint.port, sendBufferSize, recvBufferSize, requestChannel, quotas, endpoint.protocolType,
-           portToProtocol, channelConfigs, numProcessorThreads, maxQueuedRequests, maxRequestSize, connectionsMaxIdleMs, metrics, time, brokerId)
+        val acceptor = new Acceptor(endpoint.host, endpoint.port, sendBufferSize, recvBufferSize, requestChannel, processors, quotas, endpoint.protocolType,
+          portToProtocol, channelConfigs, numProcessorThreads + processorIndex, maxQueuedRequests, maxRequestSize, connectionsMaxIdleMs, new Metrics(metricConfig, reporters, time),
+          allMetricNames, time, config.brokerId, processorIndex)
         acceptors.put(endpoint, acceptor)
         Utils.newThread("kafka-socket-acceptor-%s-%d".format(endpoint.protocolType.toString, endpoint.port), acceptor, false).start()
         acceptor.awaitStartup
+        processorIndex += numProcessorThreads
       })
     }
 
     info("Started " + acceptors.size + " acceptor threads")
   }
 
+  // register the processor threads for notification of responses
+  requestChannel.addResponseListener((id:Int) => processors(id).wakeup())
+
   /**
    * Shutdown the socket server
    */
@@ -116,6 +127,7 @@ class SocketServer(val brokerId: Int,
     info("Shutting down")
     this.synchronized {
       acceptors.values.foreach(_.shutdown)
+      processors.foreach(_.shutdown)
     }
     info("Shutdown completed")
   }
@@ -200,6 +212,7 @@ private[kafka] class Acceptor(val host: String,
                               val sendBufferSize: Int,
                               val recvBufferSize: Int,
                               requestChannel: RequestChannel,
+                              processors: Array[Processor],
                               connectionQuotas: ConnectionQuotas,
                               protocol: SecurityProtocol,
                               portToProtocol: ConcurrentHashMap[Int, SecurityProtocol],
@@ -209,14 +222,25 @@ private[kafka] class Acceptor(val host: String,
                               maxRequestSize: Int,
                               connectionsMaxIdleMs: Long,
                               metrics: Metrics,
+                              allMetricNames: Seq[MetricName],
                               time: Time,
-                              brokerId: Int) extends AbstractServerThread(connectionQuotas) {
+                              brokerId: Int,
+                              processorIndex: Int) extends AbstractServerThread(connectionQuotas) with KafkaMetricsGroup {
   val nioSelector = java.nio.channels.Selector.open()
   val serverChannel = openServerSocket(host, port)
-  private val processors = new Array[Processor](numProcessorThreads)
+
   portToProtocol.put(serverChannel.socket().getLocalPort, protocol)
+
+  newGauge("NetworkProcessorAvgIdlePercent",
+    new Gauge[Double] {
+      def value = allMetricNames.map( metricName =>
+        metrics.metrics().get(metricName).value()).sum / numProcessorThreads
+    }
+  )
+
+  println("processorIndex " + processorIndex + " numProcessorThreads " + numProcessorThreads)
   this.synchronized {
-    for (i <- 0 until numProcessorThreads) {
+    for (i <- processorIndex until numProcessorThreads) {
         processors(i) = new Processor(i,
           time,
           maxRequestSize,
@@ -229,19 +253,16 @@ private[kafka] class Acceptor(val host: String,
           metrics
           )
         Utils.newThread("kafka-network-thread-%d-%s-%d".format(brokerId, protocol.name, i), processors(i), false).start()
-      }
+    }
   }
 
-  // register the processor threads for notification of responses
-  requestChannel.addResponseListener((id:Int) => processors(id).wakeup())
-
   /**
    * Accept loop that checks for new connection attempts
    */
   def run() {
     serverChannel.register(nioSelector, SelectionKey.OP_ACCEPT);
     startupComplete()
-    var currentProcessor = 0
+    var currentProcessor = processorIndex
     while(isRunning) {
       val ready = nioSelector.select(500)
       if(ready > 0) {
@@ -258,7 +279,9 @@ private[kafka] class Acceptor(val host: String,
                throw new IllegalStateException("Unrecognized key state for acceptor thread.")
 
             // round robin to the next processor thread
-            currentProcessor = (currentProcessor + 1) % processors.length
+            currentProcessor = (currentProcessor + 1) % numProcessorThreads
+            if (currentProcessor < processorIndex) currentProcessor = processorIndex
+            println("current Processor " + currentProcessor + " protocol " + protocol)
           } catch {
             case e: Throwable => error("Error while accepting connection", e)
           }
@@ -325,12 +348,6 @@ private[kafka] class Acceptor(val host: String,
   @Override
   def wakeup = nioSelector.wakeup()
 
-
-  override def shutdown() = {
-    processors.foreach(_.shutdown)
-    super.shutdown
-  }
-
 }
 
 /**
@@ -397,7 +414,7 @@ private[kafka] class Processor(val id: Int,
       }
       collection.JavaConversions.collectionAsScalaIterable(selector.completedReceives).foreach( receive => {
         try {
-          val req = RequestChannel.Request(processor = id, connectionId = receive.source, buffer = receive.payload, startTimeMs = time.milliseconds, securityProtocol = SecurityProtocol.PLAINTEXT)
+          val req = RequestChannel.Request(processor = id, connectionId = receive.source, buffer = receive.payload, startTimeMs = time.milliseconds, securityProtocol = protocol)
           requestChannel.sendRequest(req)
         } catch {
           case e @ (_: InvalidRequestException | _: SchemaException) => {
@@ -436,7 +453,7 @@ private[kafka] class Processor(val id: Int,
             selector.unmute(curr.request.connectionId)
           }
           case RequestChannel.SendAction => {
-            trace("Socket server received response to send, registering for write and sending data: " + curr)
+            println("Socket server received response to send, registering for write and sending data: " + protocol + " id  " + id)
             selector.send(curr.responseSend)
             inflightResponses += (curr.request.connectionId -> curr)
           }
diff --git a/core/src/main/scala/kafka/server/KafkaConfig.scala b/core/src/main/scala/kafka/server/KafkaConfig.scala
index 9d83921..ebb3555 100755
--- a/core/src/main/scala/kafka/server/KafkaConfig.scala
+++ b/core/src/main/scala/kafka/server/KafkaConfig.scala
@@ -954,10 +954,12 @@ class KafkaConfig (/** ********* Zookeeper Configuration ***********/
     } catch {
       case e: Exception => throw new IllegalArgumentException("Error creating broker listeners from '%s': %s".format(listeners, e.getMessage))
     }
-    val distinctPorts = endpoints.map(ep => ep.port).distinct
+    // filter port 0 for unit tests
+    val endpointsWithoutZeroPort = endpoints.map(ep => ep.port).filter(_ != 0)
+    val distinctPorts = endpointsWithoutZeroPort.distinct
     val distinctProtocols = endpoints.map(ep => ep.protocolType).distinct
 
-    require(distinctPorts.size == endpoints.size, "Each listener must have a different port")
+    require(distinctPorts.size == endpointsWithoutZeroPort.size, "Each listener must have a different port")
     require(distinctProtocols.size == endpoints.size, "Each listener must have a different protocol")
   }
 
diff --git a/core/src/main/scala/kafka/server/KafkaServer.scala b/core/src/main/scala/kafka/server/KafkaServer.scala
index 898cbf6..4977ba6 100755
--- a/core/src/main/scala/kafka/server/KafkaServer.scala
+++ b/core/src/main/scala/kafka/server/KafkaServer.scala
@@ -28,6 +28,7 @@ import java.io.File
 import kafka.utils._
 import org.apache.kafka.common.metrics._
 import org.apache.kafka.common.network.NetworkReceive
+import org.apache.kafka.common.protocol.SecurityProtocol
 
 import scala.collection.{JavaConversions, mutable}
 import org.I0Itec.zkclient.ZkClient
@@ -51,19 +52,6 @@ class KafkaServer(val config: KafkaConfig, time: Time = SystemTime) extends Logg
 
   private var shutdownLatch = new CountDownLatch(1)
 
-  private val metricConfig: MetricConfig = new MetricConfig()
-          .samples(config.metricNumSamples)
-          .timeWindow(config.metricSampleWindowMs, TimeUnit.MILLISECONDS)
-  private val jmxPrefix: String = "kafka.server"
-  private val reporters: java.util.List[MetricsReporter] =  config.metricReporterClasses
-  reporters.add(new JmxReporter(jmxPrefix))
-
-
-
-  // This exists so SocketServer (which uses Client libraries) can use the client Time objects without having to convert all of Kafka to use them
-  // Once we get rid of kafka.utils.time, we can get rid of this too
-  private val socketServerTime: org.apache.kafka.common.utils.Time = new org.apache.kafka.common.utils.SystemTime()
-
   val brokerState: BrokerState = new BrokerState
 
   var apis: KafkaApis = null
@@ -87,8 +75,6 @@ class KafkaServer(val config: KafkaConfig, time: Time = SystemTime) extends Logg
   var kafkaHealthcheck: KafkaHealthcheck = null
   val metadataCache: MetadataCache = new MetadataCache(config.brokerId)
 
-
-
   var zkClient: ZkClient = null
   val correlationId: AtomicInteger = new AtomicInteger(0)
   val brokerMetaPropsFile = "meta.properties"
@@ -133,68 +119,54 @@ class KafkaServer(val config: KafkaConfig, time: Time = SystemTime) extends Logg
         config.brokerId =  getBrokerId
         this.logIdent = "[Kafka Server " + config.brokerId + "], "
 
-        val metrics = new Metrics(metricConfig, reporters, socketServerTime)
-        val channelConfigs = config.channelConfigs
-
-        socketServer = new SocketServer(config.brokerId,
-                                        config.listeners,
-                                        config.numNetworkThreads,
-                                        config.queuedMaxRequests,
-                                        config.socketSendBufferBytes,
-                                        config.socketReceiveBufferBytes,
-                                        config.socketRequestMaxBytes,
-                                        config.maxConnectionsPerIp,
-                                        config.connectionsMaxIdleMs,
-                                        config.maxConnectionsPerIpOverrides,
-                                        channelConfigs,
-                                        socketServerTime,
-                                        metrics)
-          socketServer.startup()
-
-          /* start replica manager */
-          replicaManager = new ReplicaManager(config, time, zkClient, kafkaScheduler, logManager, isShuttingDown)
-          replicaManager.startup()
-
-          /* start offset manager */
-          offsetManager = createOffsetManager()
-
-          /* start kafka controller */
-          kafkaController = new KafkaController(config, zkClient, brokerState)
-          kafkaController.startup()
-
-          /* start kafka coordinator */
-          consumerCoordinator = new ConsumerCoordinator(config, zkClient, offsetManager)
-          consumerCoordinator.startup()
-
-          /* start processing requests */
-          apis = new KafkaApis(socketServer.requestChannel, replicaManager, offsetManager, consumerCoordinator,
-            kafkaController, zkClient, config.brokerId, config, metadataCache)
-          requestHandlerPool = new KafkaRequestHandlerPool(config.brokerId, socketServer.requestChannel, apis, config.numIoThreads)
-          brokerState.newState(RunningAsBroker)
-
-          Mx4jLoader.maybeLoad()
-
-          /* start topic config manager */
-          topicConfigManager = new TopicConfigManager(zkClient, logManager)
-          topicConfigManager.startup()
-
-          /* tell everyone we are alive */
-          val listeners = config.advertisedListeners.map {case(protocol, endpoint) =>
-            if (endpoint.port == 0)
-              (protocol, EndPoint(endpoint.host, socketServer.boundPort(), endpoint.protocolType))
-            else
-              (protocol, endpoint)
-          }
-          kafkaHealthcheck = new KafkaHealthcheck(config.brokerId, listeners, config.zkSessionTimeoutMs, zkClient)
-          kafkaHealthcheck.startup()
 
-          /* register broker metrics */
-          registerStats()
+        socketServer = new SocketServer(config)
+        socketServer.startup()
+
+        /* start replica manager */
+        replicaManager = new ReplicaManager(config, time, zkClient, kafkaScheduler, logManager, isShuttingDown)
+        replicaManager.startup()
+
+        /* start offset manager */
+        offsetManager = createOffsetManager()
 
-          shutdownLatch = new CountDownLatch(1)
-          startupComplete.set(true)
-          isStartingUp.set(false)
-          info("started")
+        /* start kafka controller */
+        kafkaController = new KafkaController(config, zkClient, brokerState)
+        kafkaController.startup()
+
+        /* start kafka coordinator */
+        consumerCoordinator = new ConsumerCoordinator(config, zkClient, offsetManager)
+        consumerCoordinator.startup()
+
+        /* start processing requests */
+        apis = new KafkaApis(socketServer.requestChannel, replicaManager, offsetManager, consumerCoordinator,
+          kafkaController, zkClient, config.brokerId, config, metadataCache)
+        requestHandlerPool = new KafkaRequestHandlerPool(config.brokerId, socketServer.requestChannel, apis, config.numIoThreads)
+        brokerState.newState(RunningAsBroker)
+
+        Mx4jLoader.maybeLoad()
+
+        /* start topic config manager */
+        topicConfigManager = new TopicConfigManager(zkClient, logManager)
+        topicConfigManager.startup()
+
+        /* tell everyone we are alive */
+        val listeners = config.advertisedListeners.map {case(protocol, endpoint) =>
+          if (endpoint.port == 0)
+            (protocol, EndPoint(endpoint.host, socketServer.boundPort(), endpoint.protocolType))
+          else
+            (protocol, endpoint)
+        }
+        kafkaHealthcheck = new KafkaHealthcheck(config.brokerId, listeners, config.zkSessionTimeoutMs, zkClient)
+        kafkaHealthcheck.startup()
+
+        /* register broker metrics */
+        registerStats()
+
+        shutdownLatch = new CountDownLatch(1)
+        startupComplete.set(true)
+        isStartingUp.set(false)
+        info("started")
       }
     }
     catch {
@@ -386,7 +358,7 @@ class KafkaServer(val config: KafkaConfig, time: Time = SystemTime) extends Logg
 
   def getLogManager(): LogManager = logManager
 
-  def boundPort(): Int = socketServer.boundPort()
+  def boundPort(protocol: SecurityProtocol = SecurityProtocol.PLAINTEXT): Int = socketServer.boundPort(protocol)
 
   private def createLogManager(zkClient: ZkClient, brokerState: BrokerState): LogManager = {
     val defaultLogConfig = LogConfig(segmentSize = config.logSegmentBytes,
diff --git a/core/src/test/scala/integration/kafka/api/ProducerSendTest.scala b/core/src/test/scala/integration/kafka/api/ProducerSendTest.scala
index 9ce4bd5..8a8216d 100644
--- a/core/src/test/scala/integration/kafka/api/ProducerSendTest.scala
+++ b/core/src/test/scala/integration/kafka/api/ProducerSendTest.scala
@@ -74,7 +74,7 @@ class ProducerSendTest extends JUnit3Suite with KafkaServerTestHarness {
   def testSendOffset() {
     var producer = TestUtils.createNewProducer(brokerList)
     val partition = new Integer(0)
-    
+
     object callback extends Callback {
       var offset = 0L
       def onCompletion(metadata: RecordMetadata, exception: Exception) {
@@ -298,7 +298,7 @@ class ProducerSendTest extends JUnit3Suite with KafkaServerTestHarness {
       }
     }
   }
-  
+
   /**
    * Test that flush immediately sends all accumulated requests.
    */
diff --git a/core/src/test/scala/integration/kafka/api/SSLProducerSendTest.scala b/core/src/test/scala/integration/kafka/api/SSLProducerSendTest.scala
new file mode 100644
index 0000000..2208cca
--- /dev/null
+++ b/core/src/test/scala/integration/kafka/api/SSLProducerSendTest.scala
@@ -0,0 +1,108 @@
+/**
+  * Licensed to the Apache Software Foundation (ASF) under one or more
+  * contributor license agreements.  See the NOTICE file distributed with
+  * this work for additional information regarding copyright ownership.
+  * The ASF licenses this file to You under the Apache License, Version 2.0
+  * (the "License"); you may not use this file except in compliance with
+  * the License.  You may obtain a copy of the License at
+  *
+  *    http://www.apache.org/licenses/LICENSE-2.0
+  *
+  * Unless required by applicable law or agreed to in writing, software
+  * distributed under the License is distributed on an "AS IS" BASIS,
+  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  * See the License for the specific language governing permissions and
+  * limitations under the License.
+  */
+
+package kafka.api
+
+import java.util.Properties
+import java.util.concurrent.TimeUnit
+import java.io.File
+
+import kafka.consumer.SimpleConsumer
+import kafka.integration.KafkaServerTestHarness
+import kafka.message.Message
+import kafka.server.KafkaConfig
+import kafka.utils.TestUtils
+import org.apache.kafka.clients.producer._
+import org.apache.kafka.common.config.ConfigException
+import org.apache.kafka.common.errors.SerializationException
+import org.apache.kafka.common.serialization.ByteArraySerializer
+import org.junit.Assert._
+import org.junit.Test
+import org.scalatest.junit.JUnit3Suite
+
+
+class SSLProducerSendTest extends JUnit3Suite with KafkaServerTestHarness {
+  val numServers = 1
+  val trustStoreFile = File.createTempFile("truststore", ".jks")
+  val overridingProps = new Properties()
+  overridingProps.put(KafkaConfig.NumPartitionsProp, 4.toString)
+  def generateConfigs() =
+    TestUtils.createBrokerConfigs(numServers, zkConnect, false, enableSSL=true, trustStoreFile=Some(trustStoreFile)).map(KafkaConfig.fromProps(_, overridingProps))
+
+  private var consumer1: SimpleConsumer = null
+  private var consumer2: SimpleConsumer = null
+
+  private val topic = "topic"
+  private val numRecords = 100
+
+  override def setUp() {
+    super.setUp()
+
+    // TODO: we need to migrate to new consumers when 0.9 is final
+    consumer1 = new SimpleConsumer("localhost", servers(0).boundPort(), 100, 1024*1024, "")
+    consumer2 = new SimpleConsumer("localhost", servers(0).boundPort(), 100, 1024*1024, "")
+
+  }
+
+  override def tearDown() {
+    consumer1.close()
+    consumer2.close()
+    super.tearDown()
+  }
+
+  /**
+    * testSendOffset checks the basic send API behavior
+    *
+    * 1. Send with null key/value/partition-id should be accepted; send with null topic should be rejected.
+    * 2. Last message of the non-blocking send should return the correct offset metadata
+    */
+  @Test
+  def testSendOffset() {
+    var producer = TestUtils.createNewProducer(TestUtils.getSSLBrokerListStrFromServers(servers), enableSSL=true, trustStoreFile=Some(trustStoreFile))
+    val partition = new Integer(0)
+
+    object callback extends Callback {
+      var offset = 0L
+      def onCompletion(metadata: RecordMetadata, exception: Exception) {
+        if (exception == null) {
+          assertEquals(offset, metadata.offset())
+          assertEquals(topic, metadata.topic())
+          assertEquals(partition, metadata.partition())
+          offset += 1
+        } else {
+          fail("Send callback returns the following exception", exception)
+        }
+      }
+    }
+
+    try {
+      // create topic
+      TestUtils.createTopic(zkClient, topic, 1, 1, servers)
+
+      // send a normal record
+      val record0 = new ProducerRecord[Array[Byte],Array[Byte]](topic, partition, "key".getBytes, "value".getBytes)
+      assertEquals("Should have offset 0", 0L, producer.send(record0, callback).get.offset)
+
+
+    } finally {
+      if (producer != null) {
+        producer.close()
+        producer = null
+      }
+    }
+  }
+}
diff --git a/core/src/test/scala/unit/kafka/admin/AddPartitionsTest.scala b/core/src/test/scala/unit/kafka/admin/AddPartitionsTest.scala
index df5c6ba..76aa9af 100755
--- a/core/src/test/scala/unit/kafka/admin/AddPartitionsTest.scala
+++ b/core/src/test/scala/unit/kafka/admin/AddPartitionsTest.scala
@@ -45,7 +45,7 @@ class AddPartitionsTest extends JUnit3Suite with ZooKeeperTestHarness {
     configs = (0 until 4).map(i => KafkaConfig.fromProps(TestUtils.createBrokerConfig(i, zkConnect, enableControlledShutdown = false)))
     // start all the servers
     servers = configs.map(c => TestUtils.createServer(c))
-    brokers = servers.map(s => new Broker(s.config.brokerId, s.config.hostName, s.boundPort))
+    brokers = servers.map(s => new Broker(s.config.brokerId, s.config.hostName, s.boundPort()))
 
     // create topics first
     createTopic(zkClient, topic1, partitionReplicaAssignment = Map(0->Seq(0,1)), servers = servers)
diff --git a/core/src/test/scala/unit/kafka/network/SocketServerTest.scala b/core/src/test/scala/unit/kafka/network/SocketServerTest.scala
new file mode 100644
index 0000000..6fd4a4f
--- /dev/null
+++ b/core/src/test/scala/unit/kafka/network/SocketServerTest.scala
@@ -0,0 +1,211 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package kafka.network;
+
+import java.net._
+import javax.net.ssl._
+import java.io._
+import kafka.cluster.EndPoint
+import org.apache.kafka.common.metrics.Metrics
+import org.apache.kafka.common.network.NetworkSend
+import org.apache.kafka.common.protocol.SecurityProtocol
+import org.apache.kafka.common.utils.SystemTime
+import org.junit._
+import org.scalatest.junit.JUnitSuite
+import java.util.Random
+import junit.framework.Assert._
+import kafka.producer.SyncProducerConfig
+import kafka.api.ProducerRequest
+import java.nio.ByteBuffer
+import kafka.common.TopicAndPartition
+import kafka.message.ByteBufferMessageSet
+import kafka.server.KafkaConfig
+import java.nio.channels.SelectionKey
+import kafka.utils.TestUtils
+import scala.collection.Map
+
+class SocketServerTest extends JUnitSuite {
+  val props = TestUtils.createBrokerConfig(0, TestUtils.MockZkConnect, port = 0)
+  props.put("listeners", "PLAINTEXT://localhost:0,TRACE://localhost:0")
+  props.put("num.network.threads", "1")
+  props.put("socket.send.buffer.bytes", "300000")
+  props.put("socket.receive.buffer.bytes", "300000")
+  props.put("queued.max.requests", "50")
+  props.put("socket.request.max.bytes", "50")
+  props.put("max.connections.per.ip", "5")
+  props.put("connections.max.idle.ms", "60000")
+  val config: KafkaConfig = KafkaConfig.fromProps(props)
+  val server: SocketServer = new SocketServer(config)
+  server.startup()
+
+  def sendRequest(socket: Socket, id: Short, request: Array[Byte]) {
+    val outgoing = new DataOutputStream(socket.getOutputStream)
+    outgoing.writeInt(request.length + 2)
+    outgoing.writeShort(id)
+    outgoing.write(request)
+    outgoing.flush()
+  }
+
+  def receiveResponse(socket: Socket): Array[Byte] = {
+    val incoming = new DataInputStream(socket.getInputStream)
+    val len = incoming.readInt()
+    val response = new Array[Byte](len)
+    incoming.readFully(response)
+    response
+  }
+
+  /* A simple request handler that just echos back the response */
+  def processRequest(channel: RequestChannel) {
+    val request = channel.receiveRequest
+    val byteBuffer = ByteBuffer.allocate(request.requestObj.sizeInBytes)
+    request.requestObj.writeTo(byteBuffer)
+    byteBuffer.rewind()
+    val send = new NetworkSend(request.connectionId, byteBuffer)
+    channel.sendResponse(new RequestChannel.Response(request.processor, request, send))
+  }
+
+  def connect(s:SocketServer = server, protocol: SecurityProtocol = SecurityProtocol.PLAINTEXT) = {
+    new Socket("localhost", server.boundPort(protocol))
+  }
+
+
+  @After
+  def cleanup() {
+    server.shutdown()
+  }
+
+  @Test
+  def simpleRequest() {
+    val plainSocket = connect(protocol = SecurityProtocol.PLAINTEXT)
+    val traceSocket = connect(protocol = SecurityProtocol.TRACE)
+    val correlationId = -1
+    val clientId = SyncProducerConfig.DefaultClientId
+    val ackTimeoutMs = SyncProducerConfig.DefaultAckTimeoutMs
+    val ack = SyncProducerConfig.DefaultRequiredAcks
+    val emptyRequest =
+      new ProducerRequest(correlationId, clientId, ack, ackTimeoutMs, collection.mutable.Map[TopicAndPartition, ByteBufferMessageSet]())
+
+    val byteBuffer = ByteBuffer.allocate(emptyRequest.sizeInBytes)
+    emptyRequest.writeTo(byteBuffer)
+    byteBuffer.rewind()
+    val serializedBytes = new Array[Byte](byteBuffer.remaining)
+    byteBuffer.get(serializedBytes)
+
+    // Test PLAINTEXT socket
+    sendRequest(plainSocket, 0, serializedBytes)
+    processRequest(server.requestChannel)
+    assertEquals(serializedBytes.toSeq, receiveResponse(plainSocket).toSeq)
+
+    // Test TRACE socket
+    sendRequest(traceSocket, 0, serializedBytes)
+    processRequest(server.requestChannel)
+    assertEquals(serializedBytes.toSeq, receiveResponse(traceSocket).toSeq)
+  }
+
+  @Test
+  def tooBigRequestIsRejected() {
+    val tooManyBytes = new Array[Byte](server.maxRequestSize + 1)
+    new Random().nextBytes(tooManyBytes)
+    val socket = connect()
+    sendRequest(socket, 0, tooManyBytes)
+    try {
+      receiveResponse(socket)
+    } catch {
+      case e: IOException => // thats fine
+    }
+  }
+
+  @Test
+  def testSocketsCloseOnShutdown() {
+    // open a connection
+    val plainSocket = connect(protocol = SecurityProtocol.PLAINTEXT)
+    val traceSocket = connect(protocol = SecurityProtocol.TRACE)
+    val bytes = new Array[Byte](40)
+    // send a request first to make sure the connection has been picked up by the socket server
+    sendRequest(plainSocket, 0, bytes)
+    sendRequest(traceSocket, 0, bytes)
+    processRequest(server.requestChannel)
+
+    // make sure the sockets are open
+    server.acceptors.values.map(acceptor => assertFalse(acceptor.serverChannel.socket.isClosed))
+    // then shutdown the server
+    server.shutdown()
+
+    val largeChunkOfBytes = new Array[Byte](1000000)
+    // doing a subsequent send should throw an exception as the connection should be closed.
+    // send a large chunk of bytes to trigger a socket flush
+    try {
+      sendRequest(plainSocket, 0, largeChunkOfBytes)
+      fail("expected exception when writing to closed plain socket")
+    } catch {
+      case e: IOException => // expected
+    }
+
+    try {
+      sendRequest(traceSocket, 0, largeChunkOfBytes)
+      fail("expected exception when writing to closed trace socket")
+    } catch {
+      case e: IOException => // expected
+    }
+  }
+
+  @Test
+  def testMaxConnectionsPerIp() {
+    // make the maximum allowable number of connections and then leak them
+    val conns = (0 until server.maxConnectionsPerIp).map(i => connect())
+    // now try one more (should fail)
+    val conn = connect()
+    conn.setSoTimeout(3000)
+    assertEquals(-1, conn.getInputStream().read())
+  }
+
+  @Test
+  def testMaxConnectionsPerIPOverrides(): Unit = {
+    val overrideNum = 6
+    val overrides: Map[String, Int] = Map("localhost" -> overrideNum)
+    val overrideprops = TestUtils.createBrokerConfig(0, TestUtils.MockZkConnect, port = 0)
+    val overrideServer: SocketServer = new SocketServer(KafkaConfig.fromProps(overrideprops))
+    overrideServer.startup()
+    // make the maximum allowable number of connections and then leak them
+    val conns = ((0 until overrideNum).map(i => connect(overrideServer)))
+    // now try one more (should fail)
+    val conn = connect(overrideServer)
+    conn.setSoTimeout(3000)
+    assertEquals(-1, conn.getInputStream.read())
+    overrideServer.shutdown()
+  }
+
+  @Test
+  def testSSLSocketServer(): Unit = {
+    val trustStoreFile = File.createTempFile("truststore", ".jks")
+    val overrideprops = TestUtils.createBrokerConfig(0, TestUtils.MockZkConnect, port = 0, enableSSL = true, trustStoreFile = Some(trustStoreFile))
+    overrideprops.put("listeners", "SSL://localhost:0")
+
+    val overrideServer: SocketServer = new SocketServer(KafkaConfig.fromProps(overrideprops))
+    overrideServer.startup()
+    val sslContext = SSLContext.getInstance("TLSv1.2")
+    sslContext.init(null, Array(TestUtils.trustAllCerts), new java.security.SecureRandom())
+    val socketFactory = sslContext.getSocketFactory
+    val socket = socketFactory.createSocket("localhost", overrideServer.boundPort(SecurityProtocol.SSL)).asInstanceOf[SSLSocket]
+    socket.setNeedClientAuth(false)
+    val bytes = new Array[Byte](40)
+    sendRequest(socket, 0, bytes)
+    processRequest(overrideServer.requestChannel)
+    overrideServer.shutdown()
+  }
+}
diff --git a/core/src/test/scala/unit/kafka/utils/TestUtils.scala b/core/src/test/scala/unit/kafka/utils/TestUtils.scala
index 17e9fe4..5b95133 100755
--- a/core/src/test/scala/unit/kafka/utils/TestUtils.scala
+++ b/core/src/test/scala/unit/kafka/utils/TestUtils.scala
@@ -22,6 +22,8 @@ import java.nio._
 import java.nio.channels._
 import java.util.Random
 import java.util.Properties
+import java.security.cert.X509Certificate
+import javax.net.ssl.X509TrustManager
 import charset.Charset
 
 import org.apache.kafka.common.protocol.SecurityProtocol
@@ -46,9 +48,14 @@ import kafka.log._
 import junit.framework.AssertionFailedError
 import junit.framework.Assert._
 import org.apache.kafka.clients.producer.KafkaProducer
+import org.apache.kafka.clients.consumer.KafkaConsumer
+import org.apache.kafka.clients.CommonClientConfigs
+import org.apache.kafka.common.network.SSLFactory
+import org.apache.kafka.common.config.SSLConfigs
+import org.apache.kafka.test.TestSSLUtils
 
 import scala.collection.Map
-import org.apache.kafka.clients.consumer.KafkaConsumer
+import scala.collection.JavaConversions._
 
 /**
  * Utility functions to help with testing
@@ -133,24 +140,33 @@ object TestUtils extends Logging {
   def createBrokerConfigs(numConfigs: Int,
     zkConnect: String,
     enableControlledShutdown: Boolean = true,
-    enableDeleteTopic: Boolean = false): Seq[Properties] = {
-    (0 until numConfigs).map(node => createBrokerConfig(node, zkConnect, enableControlledShutdown, enableDeleteTopic))
+    enableDeleteTopic: Boolean = false,
+    enableSSL: Boolean = false,
+    trustStoreFile: Option[File] = None): Seq[Properties] = {
+    (0 until numConfigs).map(node => createBrokerConfig(node, zkConnect, enableControlledShutdown, enableDeleteTopic, enableSSL = enableSSL, trustStoreFile = trustStoreFile))
   }
 
   def getBrokerListStrFromServers(servers: Seq[KafkaServer]): String = {
     servers.map(s => formatAddress(s.config.hostName, s.boundPort())).mkString(",")
   }
 
+  def getSSLBrokerListStrFromServers(servers: Seq[KafkaServer]): String = {
+    servers.map(s => formatAddress(s.config.hostName, s.boundPort(SecurityProtocol.SSL))).mkString(",")
+  }
+
   /**
    * Create a test config for the given node id
    */
   def createBrokerConfig(nodeId: Int, zkConnect: String,
     enableControlledShutdown: Boolean = true,
     enableDeleteTopic: Boolean = false,
-    port: Int = RandomPort): Properties = {
+    port: Int = RandomPort, enableSSL: Boolean = false, trustStoreFile: Option[File] = None): Properties = {
     val props = new Properties
+    var listeners: String = "PLAINTEXT://localhost:"+port.toString
     if (nodeId >= 0) props.put("broker.id", nodeId.toString)
-    props.put("listeners", "PLAINTEXT://localhost:"+port.toString)
+    if (enableSSL)
+      listeners = listeners + "," + "SSL://localhost:"+port.toString
+    props.put("listeners", listeners)
     props.put("log.dir", TestUtils.tempDir().getAbsolutePath)
     props.put("zookeeper.connect", zkConnect)
     props.put("replica.socket.timeout.ms", "1500")
@@ -158,6 +174,9 @@ object TestUtils extends Logging {
     props.put("controlled.shutdown.enable", enableControlledShutdown.toString)
     props.put("delete.topic.enable", enableDeleteTopic.toString)
     props.put("controlled.shutdown.retry.backoff.ms", "100")
+    if (enableSSL) {
+      props.putAll(addSSLConfigs(SSLFactory.Mode.SERVER, true, trustStoreFile, "server"+nodeId))
+    }
     props
   }
 
@@ -381,7 +400,9 @@ object TestUtils extends Logging {
                         blockOnBufferFull: Boolean = true,
                         bufferSize: Long = 1024L * 1024L,
                         retries: Int = 0,
-                        lingerMs: Long = 0) : KafkaProducer[Array[Byte],Array[Byte]] = {
+                        lingerMs: Long = 0,
+                        enableSSL: Boolean = false,
+                        trustStoreFile: Option[File] = None) : KafkaProducer[Array[Byte],Array[Byte]] = {
     import org.apache.kafka.clients.producer.ProducerConfig
 
     val producerProps = new Properties()
@@ -396,6 +417,10 @@ object TestUtils extends Logging {
     producerProps.put(ProducerConfig.LINGER_MS_CONFIG, lingerMs.toString)
     producerProps.put(ProducerConfig.KEY_SERIALIZER_CLASS_CONFIG, "org.apache.kafka.common.serialization.ByteArraySerializer")
     producerProps.put(ProducerConfig.VALUE_SERIALIZER_CLASS_CONFIG, "org.apache.kafka.common.serialization.ByteArraySerializer")
+    if (enableSSL) {
+      producerProps.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, "SSL")
+      producerProps.putAll(addSSLConfigs(SSLFactory.Mode.CLIENT, false, trustStoreFile, "producer"))
+    }
     new KafkaProducer[Array[Byte],Array[Byte]](producerProps)
   }
 
@@ -873,6 +898,37 @@ object TestUtils extends Logging {
     new String(bytes, encoding)
   }
 
+  def addSSLConfigs(mode: SSLFactory.Mode, clientCert: Boolean, trustStoreFile: Option[File],  certAlias: String): Properties = {
+    var sslConfigs: java.util.Map[String, Object] = new java.util.HashMap[String, Object]()
+    if (!trustStoreFile.isDefined) {
+      throw new Exception("enableSSL set to true but no trustStoreFile provided")
+    }
+    if (mode == SSLFactory.Mode.SERVER)
+      sslConfigs = TestSSLUtils.createSSLConfig(true, true, mode, trustStoreFile.get, certAlias)
+    else
+      sslConfigs = TestSSLUtils.createSSLConfig(false, false, mode, trustStoreFile.get, certAlias)
+
+    val sslProps = new Properties()
+    sslConfigs.foreach(kv =>
+      sslProps.put(kv._1, kv._2)
+    )
+    sslProps
+  }
+
+  // a X509TrustManager to trust self-signed certs for unit tests.
+  def trustAllCerts: X509TrustManager = {
+    val trustManager = new X509TrustManager() {
+      override def getAcceptedIssuers: Array[X509Certificate] = {
+        null
+      }
+      override def checkClientTrusted(certs: Array[X509Certificate], authType: String) {
+      }
+      override def checkServerTrusted(certs: Array[X509Certificate], authType: String) {
+      }
+    }
+    trustManager
+  }
+
 }
 
 class IntEncoder(props: VerifiableProperties = null) extends Encoder[Int] {
-- 
2.4.4


From eda92cb5f9d2ae749903eac5453a6fdb49685964 Mon Sep 17 00:00:00 2001
From: Sriharsha Chintalapani 
Date: Sat, 20 Jun 2015 20:01:30 -0700
Subject: [PATCH 16/19] KAFKA-1690. Added SSLProducerSendTest and fixes to get
 right port for SSL.

---
 .../common/network/PlainTextTransportLayer.java    |   1 -
 .../main/scala/kafka/network/SocketServer.scala    |   4 +-
 core/src/main/scala/kafka/server/KafkaServer.scala |   2 +-
 .../kafka/api/SSLProducerSendTest.scala            | 326 ++++++++++++++++++++-
 .../test/scala/unit/kafka/utils/TestUtils.scala    |   4 +-
 5 files changed, 327 insertions(+), 10 deletions(-)

diff --git a/clients/src/main/java/org/apache/kafka/common/network/PlainTextTransportLayer.java b/clients/src/main/java/org/apache/kafka/common/network/PlainTextTransportLayer.java
index 2390f03..1209670 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/PlainTextTransportLayer.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/PlainTextTransportLayer.java
@@ -95,7 +95,6 @@ public class PlainTextTransportLayer implements TransportLayer {
     */
 
     public int read(ByteBuffer dst) throws IOException {
-        System.out.println("in read " + dst.remaining());
         return socketChannel.read(dst);
     }
 
diff --git a/core/src/main/scala/kafka/network/SocketServer.scala b/core/src/main/scala/kafka/network/SocketServer.scala
index a09ed84..cb125c2 100644
--- a/core/src/main/scala/kafka/network/SocketServer.scala
+++ b/core/src/main/scala/kafka/network/SocketServer.scala
@@ -238,7 +238,6 @@ private[kafka] class Acceptor(val host: String,
     }
   )
 
-  println("processorIndex " + processorIndex + " numProcessorThreads " + numProcessorThreads)
   this.synchronized {
     for (i <- processorIndex until numProcessorThreads) {
         processors(i) = new Processor(i,
@@ -281,7 +280,6 @@ private[kafka] class Acceptor(val host: String,
             // round robin to the next processor thread
             currentProcessor = (currentProcessor + 1) % numProcessorThreads
             if (currentProcessor < processorIndex) currentProcessor = processorIndex
-            println("current Processor " + currentProcessor + " protocol " + protocol)
           } catch {
             case e: Throwable => error("Error while accepting connection", e)
           }
@@ -453,7 +451,7 @@ private[kafka] class Processor(val id: Int,
             selector.unmute(curr.request.connectionId)
           }
           case RequestChannel.SendAction => {
-            println("Socket server received response to send, registering for write and sending data: " + protocol + " id  " + id)
+            trace("Socket server received response to send, registering for write and sending data: " + curr)
             selector.send(curr.responseSend)
             inflightResponses += (curr.request.connectionId -> curr)
           }
diff --git a/core/src/main/scala/kafka/server/KafkaServer.scala b/core/src/main/scala/kafka/server/KafkaServer.scala
index 4977ba6..1f2f59e 100755
--- a/core/src/main/scala/kafka/server/KafkaServer.scala
+++ b/core/src/main/scala/kafka/server/KafkaServer.scala
@@ -153,7 +153,7 @@ class KafkaServer(val config: KafkaConfig, time: Time = SystemTime) extends Logg
         /* tell everyone we are alive */
         val listeners = config.advertisedListeners.map {case(protocol, endpoint) =>
           if (endpoint.port == 0)
-            (protocol, EndPoint(endpoint.host, socketServer.boundPort(), endpoint.protocolType))
+            (protocol, EndPoint(endpoint.host, socketServer.boundPort(protocol), endpoint.protocolType))
           else
             (protocol, endpoint)
         }
diff --git a/core/src/test/scala/integration/kafka/api/SSLProducerSendTest.scala b/core/src/test/scala/integration/kafka/api/SSLProducerSendTest.scala
index 2208cca..73e2d2c 100644
--- a/core/src/test/scala/integration/kafka/api/SSLProducerSendTest.scala
+++ b/core/src/test/scala/integration/kafka/api/SSLProducerSendTest.scala
@@ -36,7 +36,7 @@ import org.scalatest.junit.JUnit3Suite
 
 
 class SSLProducerSendTest extends JUnit3Suite with KafkaServerTestHarness {
-  val numServers = 1
+  val numServers = 2
   val trustStoreFile = File.createTempFile("truststore", ".jks")
   val overridingProps = new Properties()
   overridingProps.put(KafkaConfig.NumPartitionsProp, 4.toString)
@@ -54,7 +54,7 @@ class SSLProducerSendTest extends JUnit3Suite with KafkaServerTestHarness {
 
     // TODO: we need to migrate to new consumers when 0.9 is final
     consumer1 = new SimpleConsumer("localhost", servers(0).boundPort(), 100, 1024*1024, "")
-    consumer2 = new SimpleConsumer("localhost", servers(0).boundPort(), 100, 1024*1024, "")
+    consumer2 = new SimpleConsumer("localhost", servers(1).boundPort(), 100, 1024*1024, "")
 
   }
 
@@ -91,12 +91,206 @@ class SSLProducerSendTest extends JUnit3Suite with KafkaServerTestHarness {
 
     try {
       // create topic
-      TestUtils.createTopic(zkClient, topic, 1, 1, servers)
+      TestUtils.createTopic(zkClient, topic, 1, 2, servers)
 
       // send a normal record
       val record0 = new ProducerRecord[Array[Byte],Array[Byte]](topic, partition, "key".getBytes, "value".getBytes)
       assertEquals("Should have offset 0", 0L, producer.send(record0, callback).get.offset)
 
+      // send a record with null value should be ok
+      val record1 = new ProducerRecord[Array[Byte],Array[Byte]](topic, partition, "key".getBytes, null)
+      assertEquals("Should have offset 1", 1L, producer.send(record1, callback).get.offset)
+
+      // send a record with null key should be ok
+      val record2 = new ProducerRecord[Array[Byte],Array[Byte]](topic, partition, null, "value".getBytes)
+      assertEquals("Should have offset 2", 2L, producer.send(record2, callback).get.offset)
+
+      // send a record with null part id should be ok
+      val record3 = new ProducerRecord[Array[Byte],Array[Byte]](topic, null, "key".getBytes, "value".getBytes)
+      assertEquals("Should have offset 3", 3L, producer.send(record3, callback).get.offset)
+
+
+      // send a record with null topic should fail
+      try {
+        val record4 = new ProducerRecord[Array[Byte],Array[Byte]](null, partition, "key".getBytes, "value".getBytes)
+        producer.send(record4, callback)
+        fail("Should not allow sending a record without topic")
+      } catch {
+        case iae: IllegalArgumentException => // this is ok
+        case e: Throwable => fail("Only expecting IllegalArgumentException", e)
+      }
+
+      // // non-blocking send a list of records
+      // for (i <- 1 to numRecords)
+      //   producer.send(record0, callback)
+
+      // // check that all messages have been acked via offset
+      // assertEquals("Should have offset " + (numRecords + 4), numRecords + 4L, producer.send(record0, callback).get.offset)
+
+    } finally {
+      if (producer != null) {
+        producer.close()
+        producer = null
+      }
+    }
+  }
+
+  @Test
+  def testSerializer() {
+    // send a record with a wrong type should receive a serialization exception
+    try {
+      val producer = createNewProducerWithWrongSerializer(brokerList)
+      val record5 = new ProducerRecord[Array[Byte],Array[Byte]](topic, new Integer(0), "key".getBytes, "value".getBytes)
+      producer.send(record5)
+      fail("Should have gotten a SerializationException")
+    } catch {
+      case se: SerializationException => // this is ok
+    }
+
+    try {
+      createNewProducerWithNoSerializer(brokerList)
+      fail("Instantiating a producer without specifying a serializer should cause a ConfigException")
+    } catch {
+      case ce : ConfigException => // this is ok
+    }
+
+    // create a producer with explicit serializers should succeed
+    createNewProducerWithExplicitSerializer(brokerList)
+  }
+
+  private def createNewProducerWithWrongSerializer(brokerList: String) : KafkaProducer[Array[Byte],Array[Byte]] = {
+    import org.apache.kafka.clients.producer.ProducerConfig
+
+    val producerProps = new Properties()
+    producerProps.put(ProducerConfig.BOOTSTRAP_SERVERS_CONFIG, brokerList)
+    producerProps.put(ProducerConfig.KEY_SERIALIZER_CLASS_CONFIG, "org.apache.kafka.common.serialization.StringSerializer")
+    producerProps.put(ProducerConfig.VALUE_SERIALIZER_CLASS_CONFIG, "org.apache.kafka.common.serialization.StringSerializer")
+    return new KafkaProducer[Array[Byte],Array[Byte]](producerProps)
+  }
+
+  private def createNewProducerWithNoSerializer(brokerList: String) : KafkaProducer[Array[Byte],Array[Byte]] = {
+    import org.apache.kafka.clients.producer.ProducerConfig
+
+    val producerProps = new Properties()
+    producerProps.put(ProducerConfig.BOOTSTRAP_SERVERS_CONFIG, brokerList)
+    return new KafkaProducer[Array[Byte],Array[Byte]](producerProps)
+  }
+
+  private def createNewProducerWithExplicitSerializer(brokerList: String) : KafkaProducer[Array[Byte],Array[Byte]] = {
+    import org.apache.kafka.clients.producer.ProducerConfig
+
+    val producerProps = new Properties()
+    producerProps.put(ProducerConfig.BOOTSTRAP_SERVERS_CONFIG, brokerList)
+    return new KafkaProducer[Array[Byte],Array[Byte]](producerProps, new ByteArraySerializer, new ByteArraySerializer)
+  }
+
+  /**
+    * testClose checks the closing behavior
+    *
+    * After close() returns, all messages should be sent with correct returned offset metadata
+    */
+  @Test
+  def testClose() {
+    var producer = TestUtils.createNewProducer(brokerList)
+
+    try {
+      // create topic
+      TestUtils.createTopic(zkClient, topic, 1, 2, servers)
+
+      // non-blocking send a list of records
+      val record0 = new ProducerRecord[Array[Byte],Array[Byte]](topic, null, "key".getBytes, "value".getBytes)
+      for (i <- 1 to numRecords)
+        producer.send(record0)
+      val response0 = producer.send(record0)
+
+      // close the producer
+      producer.close()
+      producer = null
+
+      // check that all messages have been acked via offset,
+      // this also checks that messages with same key go to the same partition
+      assertTrue("The last message should be acked before producer is shutdown", response0.isDone)
+      assertEquals("Should have offset " + numRecords, numRecords.toLong, response0.get.offset)
+
+    } finally {
+      if (producer != null) {
+        producer.close()
+        producer = null
+      }
+    }
+  }
+
+  /**
+    * testSendToPartition checks the partitioning behavior
+    *
+    * The specified partition-id should be respected
+    */
+  @Test
+  def testSendToPartition() {
+    var producer = TestUtils.createNewProducer(brokerList)
+
+    try {
+      // create topic
+      val leaders = TestUtils.createTopic(zkClient, topic, 2, 2, servers)
+      val partition = 1
+
+      // make sure leaders exist
+      val leader1 = leaders(partition)
+      assertTrue("Leader for topic \"topic\" partition 1 should exist", leader1.isDefined)
+
+      val responses =
+        for (i <- 1 to numRecords)
+        yield producer.send(new ProducerRecord[Array[Byte],Array[Byte]](topic, partition, null, ("value" + i).getBytes))
+      val futures = responses.toList
+      futures.map(_.get)
+      for (future <- futures)
+        assertTrue("Request should have completed", future.isDone)
+
+      // make sure all of them end up in the same partition with increasing offset values
+      for ((future, offset) <- futures zip (0 until numRecords)) {
+        assertEquals(offset.toLong, future.get.offset)
+        assertEquals(topic, future.get.topic)
+        assertEquals(partition, future.get.partition)
+      }
+
+      // make sure the fetched messages also respect the partitioning and ordering
+      val fetchResponse1 = if(leader1.get == configs(0).brokerId) {
+        consumer1.fetch(new FetchRequestBuilder().addFetch(topic, partition, 0, Int.MaxValue).build())
+      } else {
+        consumer2.fetch(new FetchRequestBuilder().addFetch(topic, partition, 0, Int.MaxValue).build())
+      }
+      val messageSet1 = fetchResponse1.messageSet(topic, partition).iterator.toBuffer
+      assertEquals("Should have fetched " + numRecords + " messages", numRecords, messageSet1.size)
+
+      // TODO: also check topic and partition after they are added in the return messageSet
+      for (i <- 0 to numRecords - 1) {
+        assertEquals(new Message(bytes = ("value" + (i + 1)).getBytes), messageSet1(i).message)
+        assertEquals(i.toLong, messageSet1(i).offset)
+      }
+    } finally {
+      if (producer != null) {
+        producer.close()
+        producer = null
+      }
+    }
+  }
+
+  /**
+    * testAutoCreateTopic
+    *
+    * The topic should be created upon sending the first message
+    */
+  @Test
+  def testAutoCreateTopic() {
+    var producer = TestUtils.createNewProducer(brokerList, retries = 5)
+
+    try {
+      // Send a message to auto-create the topic
+      val record = new ProducerRecord[Array[Byte],Array[Byte]](topic, null, "key".getBytes, "value".getBytes)
+      assertEquals("Should have offset 0", 0L, producer.send(record).get.offset)
+
+      // double check that the topic is created with leader elected
+      TestUtils.waitUntilLeaderIsElectedOrChanged(zkClient, topic, 0)
 
     } finally {
       if (producer != null) {
@@ -105,4 +299,130 @@ class SSLProducerSendTest extends JUnit3Suite with KafkaServerTestHarness {
       }
     }
   }
+
+  /**
+    * Test that flush immediately sends all accumulated requests.
+    */
+  @Test
+  def testFlush() {
+    var producer = TestUtils.createNewProducer(brokerList, lingerMs = Long.MaxValue)
+    try {
+      TestUtils.createTopic(zkClient, topic, 2, 2, servers)
+      val record = new ProducerRecord[Array[Byte], Array[Byte]](topic, "value".getBytes)
+      for(i <- 0 until 50) {
+        val responses = (0 until numRecords) map (i => producer.send(record))
+        assertTrue("No request is complete.", responses.forall(!_.isDone()))
+        producer.flush()
+        assertTrue("All requests are complete.", responses.forall(_.isDone()))
+      }
+    } finally {
+      if (producer != null)
+        producer.close()
+    }
+  }
+
+  /**
+    * Test close with zero timeout from caller thread
+    */
+  @Test
+  def testCloseWithZeroTimeoutFromCallerThread() {
+    var producer: KafkaProducer[Array[Byte],Array[Byte]] = null
+    try {
+      // create topic
+      val leaders = TestUtils.createTopic(zkClient, topic, 2, 2, servers)
+      val leader0 = leaders(0)
+      val leader1 = leaders(1)
+
+      // create record
+      val record0 = new ProducerRecord[Array[Byte], Array[Byte]](topic, 0, null, "value".getBytes)
+      val record1 = new ProducerRecord[Array[Byte], Array[Byte]](topic, 1, null, "value".getBytes)
+
+      // Test closing from caller thread.
+      for(i <- 0 until 50) {
+        producer = TestUtils.createNewProducer(brokerList, lingerMs = Long.MaxValue)
+        val responses = (0 until numRecords) map (i => producer.send(record0))
+        assertTrue("No request is complete.", responses.forall(!_.isDone()))
+        producer.close(0, TimeUnit.MILLISECONDS)
+        responses.foreach { future =>
+          try {
+            future.get()
+            fail("No message should be sent successfully.")
+          } catch {
+            case e: Exception =>
+              assertEquals("java.lang.IllegalStateException: Producer is closed forcefully.", e.getMessage)
+          }
+        }
+        val fetchResponse = if (leader0.get == configs(0).brokerId) {
+          consumer1.fetch(new FetchRequestBuilder().addFetch(topic, 0, 0, Int.MaxValue).build())
+        } else {
+          consumer2.fetch(new FetchRequestBuilder().addFetch(topic, 0, 0, Int.MaxValue).build())
+        }
+        assertEquals("Fetch response should have no message returned.", 0, fetchResponse.messageSet(topic, 0).size)
+      }
+    } finally {
+      if (producer != null)
+        producer.close()
+    }
+  }
+
+  /**
+    * Test close with zero and non-zero timeout from sender thread
+    */
+  @Test
+  def testCloseWithZeroTimeoutFromSenderThread() {
+    var producer: KafkaProducer[Array[Byte],Array[Byte]] = null
+    try {
+      // create topic
+      val leaders = TestUtils.createTopic(zkClient, topic, 2, 2, servers)
+      val leader0 = leaders(0)
+      val leader1 = leaders(1)
+
+      // create record
+      val record0 = new ProducerRecord[Array[Byte], Array[Byte]](topic, 0, null, "value".getBytes)
+      val record1 = new ProducerRecord[Array[Byte], Array[Byte]](topic, 1, null, "value".getBytes)
+
+      // Test closing from sender thread.
+      class CloseCallback(producer: KafkaProducer[Array[Byte], Array[Byte]]) extends Callback {
+        override def onCompletion(metadata: RecordMetadata, exception: Exception) {
+          // Trigger another batch in accumulator before close the producer. These messages should
+          // not be sent.
+          (0 until numRecords) map (i => producer.send(record1))
+          // The close call will be called by all the message callbacks. This tests idempotence of the close call.
+          producer.close(0, TimeUnit.MILLISECONDS)
+          // Test close with non zero timeout. Should not block at all.
+          producer.close(Long.MaxValue, TimeUnit.MICROSECONDS)
+        }
+      }
+      for(i <- 0 until 50) {
+        producer = TestUtils.createNewProducer(brokerList, lingerMs = Long.MaxValue)
+        // send message to partition 0
+        var responses = (0 until numRecords) map (i => producer.send(record0))
+        // send message to partition 1
+        responses ++= ((0 until numRecords) map (i => producer.send(record1, new CloseCallback(producer))))
+        assertTrue("No request is complete.", responses.forall(!_.isDone()))
+        // flush the messages.
+        producer.flush()
+        assertTrue("All request are complete.", responses.forall(_.isDone()))
+        // Check the messages received by broker.
+        val fetchResponse0 = if (leader0.get == configs(0).brokerId) {
+          consumer1.fetch(new FetchRequestBuilder().addFetch(topic, 0, 0, Int.MaxValue).build())
+        } else {
+          consumer2.fetch(new FetchRequestBuilder().addFetch(topic, 0, 0, Int.MaxValue).build())
+        }
+        val fetchResponse1 = if (leader1.get == configs(0).brokerId) {
+          consumer1.fetch(new FetchRequestBuilder().addFetch(topic, 1, 0, Int.MaxValue).build())
+        } else {
+          consumer2.fetch(new FetchRequestBuilder().addFetch(topic, 1, 0, Int.MaxValue).build())
+        }
+        val expectedNumRecords = (i + 1) * numRecords
+        assertEquals("Fetch response to partition 0 should have %d messages.".format(expectedNumRecords),
+          expectedNumRecords, fetchResponse0.messageSet(topic, 0).size)
+        assertEquals("Fetch response to partition 1 should have %d messages.".format(expectedNumRecords),
+          expectedNumRecords, fetchResponse1.messageSet(topic, 1).size)
+      }
+    } finally {
+      if (producer != null)
+        producer.close()
+    }
+  }
 }
diff --git a/core/src/test/scala/unit/kafka/utils/TestUtils.scala b/core/src/test/scala/unit/kafka/utils/TestUtils.scala
index 5b95133..7d5cbd1 100755
--- a/core/src/test/scala/unit/kafka/utils/TestUtils.scala
+++ b/core/src/test/scala/unit/kafka/utils/TestUtils.scala
@@ -160,12 +160,12 @@ object TestUtils extends Logging {
   def createBrokerConfig(nodeId: Int, zkConnect: String,
     enableControlledShutdown: Boolean = true,
     enableDeleteTopic: Boolean = false,
-    port: Int = RandomPort, enableSSL: Boolean = false, trustStoreFile: Option[File] = None): Properties = {
+    port: Int = RandomPort, enableSSL: Boolean = false, sslPort: Int = RandomPort, trustStoreFile: Option[File] = None): Properties = {
     val props = new Properties
     var listeners: String = "PLAINTEXT://localhost:"+port.toString
     if (nodeId >= 0) props.put("broker.id", nodeId.toString)
     if (enableSSL)
-      listeners = listeners + "," + "SSL://localhost:"+port.toString
+      listeners = listeners + "," + "SSL://localhost:"+sslPort.toString
     props.put("listeners", listeners)
     props.put("log.dir", TestUtils.tempDir().getAbsolutePath)
     props.put("zookeeper.connect", zkConnect)
-- 
2.4.4


From f60c95273b3b814792d0da9264a75939049dcc5f Mon Sep 17 00:00:00 2001
From: Sriharsha Chintalapani 
Date: Sat, 20 Jun 2015 21:45:58 -0700
Subject: [PATCH 17/19] KAFKA-1690. Post merge fixes.

---
 .../org/apache/kafka/common/network/Selector.java  |   1 -
 .../apache/kafka/common/network/SelectorTest.java  |   3 +-
 core/src/main/scala/kafka/server/KafkaConfig.scala | 253 +++++++++++----------
 3 files changed, 137 insertions(+), 120 deletions(-)

diff --git a/clients/src/main/java/org/apache/kafka/common/network/Selector.java b/clients/src/main/java/org/apache/kafka/common/network/Selector.java
index 6a04166..0bd2e1e 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/Selector.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/Selector.java
@@ -266,7 +266,6 @@ public class Selector implements Selectable {
                         channel.finishConnect();
                         this.connected.add(channel.id());
                         this.sensors.connectionCreated.record();
-                        log.debug("Connection {} created", transmissions.id);
                     }
 
                     /* if channel is not ready finish prepare */
diff --git a/clients/src/test/java/org/apache/kafka/common/network/SelectorTest.java b/clients/src/test/java/org/apache/kafka/common/network/SelectorTest.java
index 4664156..8ec5bed 100644
--- a/clients/src/test/java/org/apache/kafka/common/network/SelectorTest.java
+++ b/clients/src/test/java/org/apache/kafka/common/network/SelectorTest.java
@@ -51,9 +51,10 @@ public class SelectorTest {
         configs.put(SSLConfigs.PRINCIPAL_BUILDER_CLASS_CONFIG, Class.forName(SSLConfigs.DEFAULT_PRINCIPAL_BUILDER_CLASS));
         this.server = new EchoServer(configs);
         this.server.start();
+        this.time = new MockTime();
         this.channelBuilder = new PlainTextChannelBuilder();
         this.channelBuilder.configure(configs);
-        this.selector = new Selector(5000, new Metrics(), new MockTime() , "MetricGroup", new LinkedHashMap(), channelBuilder);
+        this.selector = new Selector(5000, new Metrics(), time, "MetricGroup", new LinkedHashMap(), channelBuilder);
     }
 
     @After
diff --git a/core/src/main/scala/kafka/server/KafkaConfig.scala b/core/src/main/scala/kafka/server/KafkaConfig.scala
index 4c03748..755fb85 100755
--- a/core/src/main/scala/kafka/server/KafkaConfig.scala
+++ b/core/src/main/scala/kafka/server/KafkaConfig.scala
@@ -464,136 +464,136 @@ object KafkaConfig {
 
     /** ********* Zookeeper Configuration ***********/
     .define(ZkConnectProp, STRING, HIGH, ZkConnectDoc)
-      .define(ZkSessionTimeoutMsProp, INT, Defaults.ZkSessionTimeoutMs, HIGH, ZkSessionTimeoutMsDoc)
-      .define(ZkConnectionTimeoutMsProp, INT, HIGH, ZkConnectionTimeoutMsDoc, false)
-      .define(ZkSyncTimeMsProp, INT, Defaults.ZkSyncTimeMs, LOW, ZkSyncTimeMsDoc)
+    .define(ZkSessionTimeoutMsProp, INT, Defaults.ZkSessionTimeoutMs, HIGH, ZkSessionTimeoutMsDoc)
+    .define(ZkConnectionTimeoutMsProp, INT, HIGH, ZkConnectionTimeoutMsDoc, false)
+    .define(ZkSyncTimeMsProp, INT, Defaults.ZkSyncTimeMs, LOW, ZkSyncTimeMsDoc)
 
     /** ********* General Configuration ***********/
     .define(MaxReservedBrokerIdProp, INT, Defaults.MaxReservedBrokerId, atLeast(0), MEDIUM, MaxReservedBrokerIdProp)
-      .define(BrokerIdProp, INT, Defaults.BrokerId, HIGH, BrokerIdDoc)
-      .define(MessageMaxBytesProp, INT, Defaults.MessageMaxBytes, atLeast(0), HIGH, MessageMaxBytesDoc)
-      .define(NumNetworkThreadsProp, INT, Defaults.NumNetworkThreads, atLeast(1), HIGH, NumNetworkThreadsDoc)
-      .define(NumIoThreadsProp, INT, Defaults.NumIoThreads, atLeast(1), HIGH, NumIoThreadsDoc)
-      .define(BackgroundThreadsProp, INT, Defaults.BackgroundThreads, atLeast(1), HIGH, BackgroundThreadsDoc)
-      .define(QueuedMaxRequestsProp, INT, Defaults.QueuedMaxRequests, atLeast(1), HIGH, QueuedMaxRequestsDoc)
+    .define(BrokerIdProp, INT, Defaults.BrokerId, HIGH, BrokerIdDoc)
+    .define(MessageMaxBytesProp, INT, Defaults.MessageMaxBytes, atLeast(0), HIGH, MessageMaxBytesDoc)
+    .define(NumNetworkThreadsProp, INT, Defaults.NumNetworkThreads, atLeast(1), HIGH, NumNetworkThreadsDoc)
+    .define(NumIoThreadsProp, INT, Defaults.NumIoThreads, atLeast(1), HIGH, NumIoThreadsDoc)
+    .define(BackgroundThreadsProp, INT, Defaults.BackgroundThreads, atLeast(1), HIGH, BackgroundThreadsDoc)
+    .define(QueuedMaxRequestsProp, INT, Defaults.QueuedMaxRequests, atLeast(1), HIGH, QueuedMaxRequestsDoc)
 
     /** ********* Socket Server Configuration ***********/
     .define(PortProp, INT, Defaults.Port, HIGH, PortDoc)
-      .define(HostNameProp, STRING, Defaults.HostName, HIGH, HostNameDoc)
-      .define(ListenersProp, STRING, HIGH, ListenersDoc, false)
-      .define(AdvertisedHostNameProp, STRING, HIGH, AdvertisedHostNameDoc, false)
-      .define(AdvertisedPortProp, INT, HIGH, AdvertisedPortDoc, false)
-      .define(AdvertisedListenersProp, STRING, HIGH, AdvertisedListenersDoc, false)
-      .define(SocketSendBufferBytesProp, INT, Defaults.SocketSendBufferBytes, HIGH, SocketSendBufferBytesDoc)
-      .define(SocketReceiveBufferBytesProp, INT, Defaults.SocketReceiveBufferBytes, HIGH, SocketReceiveBufferBytesDoc)
-      .define(SocketRequestMaxBytesProp, INT, Defaults.SocketRequestMaxBytes, atLeast(1), HIGH, SocketRequestMaxBytesDoc)
-      .define(MaxConnectionsPerIpProp, INT, Defaults.MaxConnectionsPerIp, atLeast(1), MEDIUM, MaxConnectionsPerIpDoc)
-      .define(MaxConnectionsPerIpOverridesProp, STRING, Defaults.MaxConnectionsPerIpOverrides, MEDIUM, MaxConnectionsPerIpOverridesDoc)
-      .define(ConnectionsMaxIdleMsProp, LONG, Defaults.ConnectionsMaxIdleMs, MEDIUM, ConnectionsMaxIdleMsDoc)
+    .define(HostNameProp, STRING, Defaults.HostName, HIGH, HostNameDoc)
+    .define(ListenersProp, STRING, HIGH, ListenersDoc, false)
+    .define(AdvertisedHostNameProp, STRING, HIGH, AdvertisedHostNameDoc, false)
+    .define(AdvertisedPortProp, INT, HIGH, AdvertisedPortDoc, false)
+    .define(AdvertisedListenersProp, STRING, HIGH, AdvertisedListenersDoc, false)
+    .define(SocketSendBufferBytesProp, INT, Defaults.SocketSendBufferBytes, HIGH, SocketSendBufferBytesDoc)
+    .define(SocketReceiveBufferBytesProp, INT, Defaults.SocketReceiveBufferBytes, HIGH, SocketReceiveBufferBytesDoc)
+    .define(SocketRequestMaxBytesProp, INT, Defaults.SocketRequestMaxBytes, atLeast(1), HIGH, SocketRequestMaxBytesDoc)
+    .define(MaxConnectionsPerIpProp, INT, Defaults.MaxConnectionsPerIp, atLeast(1), MEDIUM, MaxConnectionsPerIpDoc)
+    .define(MaxConnectionsPerIpOverridesProp, STRING, Defaults.MaxConnectionsPerIpOverrides, MEDIUM, MaxConnectionsPerIpOverridesDoc)
+    .define(ConnectionsMaxIdleMsProp, LONG, Defaults.ConnectionsMaxIdleMs, MEDIUM, ConnectionsMaxIdleMsDoc)
 
     /** ********* Log Configuration ***********/
     .define(NumPartitionsProp, INT, Defaults.NumPartitions, atLeast(1), MEDIUM, NumPartitionsDoc)
-      .define(LogDirProp, STRING, Defaults.LogDir, HIGH, LogDirDoc)
-      .define(LogDirsProp, STRING, HIGH, LogDirsDoc, false)
-      .define(LogSegmentBytesProp, INT, Defaults.LogSegmentBytes, atLeast(Message.MinHeaderSize), HIGH, LogSegmentBytesDoc)
+    .define(LogDirProp, STRING, Defaults.LogDir, HIGH, LogDirDoc)
+    .define(LogDirsProp, STRING, HIGH, LogDirsDoc, false)
+    .define(LogSegmentBytesProp, INT, Defaults.LogSegmentBytes, atLeast(Message.MinHeaderSize), HIGH, LogSegmentBytesDoc)
 
     .define(LogRollTimeMillisProp, LONG, HIGH, LogRollTimeMillisDoc, false)
-      .define(LogRollTimeHoursProp, INT, Defaults.LogRollHours, atLeast(1), HIGH, LogRollTimeHoursDoc)
+    .define(LogRollTimeHoursProp, INT, Defaults.LogRollHours, atLeast(1), HIGH, LogRollTimeHoursDoc)
 
     .define(LogRollTimeJitterMillisProp, LONG, HIGH, LogRollTimeJitterMillisDoc, false)
-      .define(LogRollTimeJitterHoursProp, INT, Defaults.LogRollJitterHours, atLeast(0), HIGH, LogRollTimeJitterHoursDoc)
+    .define(LogRollTimeJitterHoursProp, INT, Defaults.LogRollJitterHours, atLeast(0), HIGH, LogRollTimeJitterHoursDoc)
 
     .define(LogRetentionTimeMillisProp, LONG, HIGH, LogRetentionTimeMillisDoc, false)
-      .define(LogRetentionTimeMinutesProp, INT, HIGH, LogRetentionTimeMinsDoc, false)
-      .define(LogRetentionTimeHoursProp, INT, Defaults.LogRetentionHours, HIGH, LogRetentionTimeHoursDoc)
+    .define(LogRetentionTimeMinutesProp, INT, HIGH, LogRetentionTimeMinsDoc, false)
+    .define(LogRetentionTimeHoursProp, INT, Defaults.LogRetentionHours, HIGH, LogRetentionTimeHoursDoc)
 
     .define(LogRetentionBytesProp, LONG, Defaults.LogRetentionBytes, HIGH, LogRetentionBytesDoc)
-      .define(LogCleanupIntervalMsProp, LONG, Defaults.LogCleanupIntervalMs, atLeast(1), MEDIUM, LogCleanupIntervalMsDoc)
-      .define(LogCleanupPolicyProp, STRING, Defaults.LogCleanupPolicy, in(Defaults.Compact, Defaults.Delete), MEDIUM, LogCleanupPolicyDoc)
-      .define(LogCleanerThreadsProp, INT, Defaults.LogCleanerThreads, atLeast(0), MEDIUM, LogCleanerThreadsDoc)
-      .define(LogCleanerIoMaxBytesPerSecondProp, DOUBLE, Defaults.LogCleanerIoMaxBytesPerSecond, MEDIUM, LogCleanerIoMaxBytesPerSecondDoc)
-      .define(LogCleanerDedupeBufferSizeProp, LONG, Defaults.LogCleanerDedupeBufferSize, MEDIUM, LogCleanerDedupeBufferSizeDoc)
-      .define(LogCleanerIoBufferSizeProp, INT, Defaults.LogCleanerIoBufferSize, atLeast(0), MEDIUM, LogCleanerIoBufferSizeDoc)
-      .define(LogCleanerDedupeBufferLoadFactorProp, DOUBLE, Defaults.LogCleanerDedupeBufferLoadFactor, MEDIUM, LogCleanerDedupeBufferLoadFactorDoc)
-      .define(LogCleanerBackoffMsProp, LONG, Defaults.LogCleanerBackoffMs, atLeast(0), MEDIUM, LogCleanerBackoffMsDoc)
-      .define(LogCleanerMinCleanRatioProp, DOUBLE, Defaults.LogCleanerMinCleanRatio, MEDIUM, LogCleanerMinCleanRatioDoc)
-      .define(LogCleanerEnableProp, BOOLEAN, Defaults.LogCleanerEnable, MEDIUM, LogCleanerEnableDoc)
-      .define(LogCleanerDeleteRetentionMsProp, LONG, Defaults.LogCleanerDeleteRetentionMs, MEDIUM, LogCleanerDeleteRetentionMsDoc)
-      .define(LogIndexSizeMaxBytesProp, INT, Defaults.LogIndexSizeMaxBytes, atLeast(4), MEDIUM, LogIndexSizeMaxBytesDoc)
-      .define(LogIndexIntervalBytesProp, INT, Defaults.LogIndexIntervalBytes, atLeast(0), MEDIUM, LogIndexIntervalBytesDoc)
-      .define(LogFlushIntervalMessagesProp, LONG, Defaults.LogFlushIntervalMessages, atLeast(1), HIGH, LogFlushIntervalMessagesDoc)
-      .define(LogDeleteDelayMsProp, LONG, Defaults.LogDeleteDelayMs, atLeast(0), HIGH, LogDeleteDelayMsDoc)
-      .define(LogFlushSchedulerIntervalMsProp, LONG, Defaults.LogFlushSchedulerIntervalMs, HIGH, LogFlushSchedulerIntervalMsDoc)
-      .define(LogFlushIntervalMsProp, LONG, HIGH, LogFlushIntervalMsDoc, false)
-      .define(LogFlushOffsetCheckpointIntervalMsProp, INT, Defaults.LogFlushOffsetCheckpointIntervalMs, atLeast(0), HIGH, LogFlushOffsetCheckpointIntervalMsDoc)
-      .define(LogPreAllocateProp, BOOLEAN, Defaults.LogPreAllocateEnable, MEDIUM, LogPreAllocateEnableDoc)
-      .define(NumRecoveryThreadsPerDataDirProp, INT, Defaults.NumRecoveryThreadsPerDataDir, atLeast(1), HIGH, NumRecoveryThreadsPerDataDirDoc)
-      .define(AutoCreateTopicsEnableProp, BOOLEAN, Defaults.AutoCreateTopicsEnable, HIGH, AutoCreateTopicsEnableDoc)
-      .define(MinInSyncReplicasProp, INT, Defaults.MinInSyncReplicas, atLeast(1), HIGH, MinInSyncReplicasDoc)
+    .define(LogCleanupIntervalMsProp, LONG, Defaults.LogCleanupIntervalMs, atLeast(1), MEDIUM, LogCleanupIntervalMsDoc)
+    .define(LogCleanupPolicyProp, STRING, Defaults.LogCleanupPolicy, in(Defaults.Compact, Defaults.Delete), MEDIUM, LogCleanupPolicyDoc)
+    .define(LogCleanerThreadsProp, INT, Defaults.LogCleanerThreads, atLeast(0), MEDIUM, LogCleanerThreadsDoc)
+    .define(LogCleanerIoMaxBytesPerSecondProp, DOUBLE, Defaults.LogCleanerIoMaxBytesPerSecond, MEDIUM, LogCleanerIoMaxBytesPerSecondDoc)
+    .define(LogCleanerDedupeBufferSizeProp, LONG, Defaults.LogCleanerDedupeBufferSize, MEDIUM, LogCleanerDedupeBufferSizeDoc)
+    .define(LogCleanerIoBufferSizeProp, INT, Defaults.LogCleanerIoBufferSize, atLeast(0), MEDIUM, LogCleanerIoBufferSizeDoc)
+    .define(LogCleanerDedupeBufferLoadFactorProp, DOUBLE, Defaults.LogCleanerDedupeBufferLoadFactor, MEDIUM, LogCleanerDedupeBufferLoadFactorDoc)
+    .define(LogCleanerBackoffMsProp, LONG, Defaults.LogCleanerBackoffMs, atLeast(0), MEDIUM, LogCleanerBackoffMsDoc)
+    .define(LogCleanerMinCleanRatioProp, DOUBLE, Defaults.LogCleanerMinCleanRatio, MEDIUM, LogCleanerMinCleanRatioDoc)
+    .define(LogCleanerEnableProp, BOOLEAN, Defaults.LogCleanerEnable, MEDIUM, LogCleanerEnableDoc)
+    .define(LogCleanerDeleteRetentionMsProp, LONG, Defaults.LogCleanerDeleteRetentionMs, MEDIUM, LogCleanerDeleteRetentionMsDoc)
+    .define(LogIndexSizeMaxBytesProp, INT, Defaults.LogIndexSizeMaxBytes, atLeast(4), MEDIUM, LogIndexSizeMaxBytesDoc)
+    .define(LogIndexIntervalBytesProp, INT, Defaults.LogIndexIntervalBytes, atLeast(0), MEDIUM, LogIndexIntervalBytesDoc)
+    .define(LogFlushIntervalMessagesProp, LONG, Defaults.LogFlushIntervalMessages, atLeast(1), HIGH, LogFlushIntervalMessagesDoc)
+    .define(LogDeleteDelayMsProp, LONG, Defaults.LogDeleteDelayMs, atLeast(0), HIGH, LogDeleteDelayMsDoc)
+    .define(LogFlushSchedulerIntervalMsProp, LONG, Defaults.LogFlushSchedulerIntervalMs, HIGH, LogFlushSchedulerIntervalMsDoc)
+    .define(LogFlushIntervalMsProp, LONG, HIGH, LogFlushIntervalMsDoc, false)
+    .define(LogFlushOffsetCheckpointIntervalMsProp, INT, Defaults.LogFlushOffsetCheckpointIntervalMs, atLeast(0), HIGH, LogFlushOffsetCheckpointIntervalMsDoc)
+    .define(LogPreAllocateProp, BOOLEAN, Defaults.LogPreAllocateEnable, MEDIUM, LogPreAllocateEnableDoc)
+    .define(NumRecoveryThreadsPerDataDirProp, INT, Defaults.NumRecoveryThreadsPerDataDir, atLeast(1), HIGH, NumRecoveryThreadsPerDataDirDoc)
+    .define(AutoCreateTopicsEnableProp, BOOLEAN, Defaults.AutoCreateTopicsEnable, HIGH, AutoCreateTopicsEnableDoc)
+    .define(MinInSyncReplicasProp, INT, Defaults.MinInSyncReplicas, atLeast(1), HIGH, MinInSyncReplicasDoc)
 
     /** ********* Replication configuration ***********/
     .define(ControllerSocketTimeoutMsProp, INT, Defaults.ControllerSocketTimeoutMs, MEDIUM, ControllerSocketTimeoutMsDoc)
-      .define(DefaultReplicationFactorProp, INT, Defaults.DefaultReplicationFactor, MEDIUM, DefaultReplicationFactorDoc)
-      .define(ReplicaLagTimeMaxMsProp, LONG, Defaults.ReplicaLagTimeMaxMs, HIGH, ReplicaLagTimeMaxMsDoc)
-      .define(ReplicaSocketTimeoutMsProp, INT, Defaults.ReplicaSocketTimeoutMs, HIGH, ReplicaSocketTimeoutMsDoc)
-      .define(ReplicaSocketReceiveBufferBytesProp, INT, Defaults.ReplicaSocketReceiveBufferBytes, HIGH, ReplicaSocketReceiveBufferBytesDoc)
-      .define(ReplicaFetchMaxBytesProp, INT, Defaults.ReplicaFetchMaxBytes, HIGH, ReplicaFetchMaxBytesDoc)
-      .define(ReplicaFetchWaitMaxMsProp, INT, Defaults.ReplicaFetchWaitMaxMs, HIGH, ReplicaFetchWaitMaxMsDoc)
-      .define(ReplicaFetchBackoffMsProp, INT, Defaults.ReplicaFetchBackoffMs, atLeast(0), MEDIUM, ReplicaFetchBackoffMsDoc)
-      .define(ReplicaFetchMinBytesProp, INT, Defaults.ReplicaFetchMinBytes, HIGH, ReplicaFetchMinBytesDoc)
-      .define(NumReplicaFetchersProp, INT, Defaults.NumReplicaFetchers, HIGH, NumReplicaFetchersDoc)
-      .define(ReplicaHighWatermarkCheckpointIntervalMsProp, LONG, Defaults.ReplicaHighWatermarkCheckpointIntervalMs, HIGH, ReplicaHighWatermarkCheckpointIntervalMsDoc)
-      .define(FetchPurgatoryPurgeIntervalRequestsProp, INT, Defaults.FetchPurgatoryPurgeIntervalRequests, MEDIUM, FetchPurgatoryPurgeIntervalRequestsDoc)
-      .define(ProducerPurgatoryPurgeIntervalRequestsProp, INT, Defaults.ProducerPurgatoryPurgeIntervalRequests, MEDIUM, ProducerPurgatoryPurgeIntervalRequestsDoc)
-      .define(AutoLeaderRebalanceEnableProp, BOOLEAN, Defaults.AutoLeaderRebalanceEnable, HIGH, AutoLeaderRebalanceEnableDoc)
-      .define(LeaderImbalancePerBrokerPercentageProp, INT, Defaults.LeaderImbalancePerBrokerPercentage, HIGH, LeaderImbalancePerBrokerPercentageDoc)
-      .define(LeaderImbalanceCheckIntervalSecondsProp, LONG, Defaults.LeaderImbalanceCheckIntervalSeconds, HIGH, LeaderImbalanceCheckIntervalSecondsDoc)
-      .define(UncleanLeaderElectionEnableProp, BOOLEAN, Defaults.UncleanLeaderElectionEnable, HIGH, UncleanLeaderElectionEnableDoc)
-      .define(InterBrokerSecurityProtocolProp, STRING, Defaults.InterBrokerSecurityProtocol, MEDIUM, InterBrokerSecurityProtocolDoc)
-      .define(InterBrokerProtocolVersionProp, STRING, Defaults.InterBrokerProtocolVersion, MEDIUM, InterBrokerProtocolVersionDoc)
+    .define(DefaultReplicationFactorProp, INT, Defaults.DefaultReplicationFactor, MEDIUM, DefaultReplicationFactorDoc)
+    .define(ReplicaLagTimeMaxMsProp, LONG, Defaults.ReplicaLagTimeMaxMs, HIGH, ReplicaLagTimeMaxMsDoc)
+    .define(ReplicaSocketTimeoutMsProp, INT, Defaults.ReplicaSocketTimeoutMs, HIGH, ReplicaSocketTimeoutMsDoc)
+    .define(ReplicaSocketReceiveBufferBytesProp, INT, Defaults.ReplicaSocketReceiveBufferBytes, HIGH, ReplicaSocketReceiveBufferBytesDoc)
+    .define(ReplicaFetchMaxBytesProp, INT, Defaults.ReplicaFetchMaxBytes, HIGH, ReplicaFetchMaxBytesDoc)
+    .define(ReplicaFetchWaitMaxMsProp, INT, Defaults.ReplicaFetchWaitMaxMs, HIGH, ReplicaFetchWaitMaxMsDoc)
+    .define(ReplicaFetchBackoffMsProp, INT, Defaults.ReplicaFetchBackoffMs, atLeast(0), MEDIUM, ReplicaFetchBackoffMsDoc)
+    .define(ReplicaFetchMinBytesProp, INT, Defaults.ReplicaFetchMinBytes, HIGH, ReplicaFetchMinBytesDoc)
+    .define(NumReplicaFetchersProp, INT, Defaults.NumReplicaFetchers, HIGH, NumReplicaFetchersDoc)
+    .define(ReplicaHighWatermarkCheckpointIntervalMsProp, LONG, Defaults.ReplicaHighWatermarkCheckpointIntervalMs, HIGH, ReplicaHighWatermarkCheckpointIntervalMsDoc)
+    .define(FetchPurgatoryPurgeIntervalRequestsProp, INT, Defaults.FetchPurgatoryPurgeIntervalRequests, MEDIUM, FetchPurgatoryPurgeIntervalRequestsDoc)
+    .define(ProducerPurgatoryPurgeIntervalRequestsProp, INT, Defaults.ProducerPurgatoryPurgeIntervalRequests, MEDIUM, ProducerPurgatoryPurgeIntervalRequestsDoc)
+    .define(AutoLeaderRebalanceEnableProp, BOOLEAN, Defaults.AutoLeaderRebalanceEnable, HIGH, AutoLeaderRebalanceEnableDoc)
+    .define(LeaderImbalancePerBrokerPercentageProp, INT, Defaults.LeaderImbalancePerBrokerPercentage, HIGH, LeaderImbalancePerBrokerPercentageDoc)
+    .define(LeaderImbalanceCheckIntervalSecondsProp, LONG, Defaults.LeaderImbalanceCheckIntervalSeconds, HIGH, LeaderImbalanceCheckIntervalSecondsDoc)
+    .define(UncleanLeaderElectionEnableProp, BOOLEAN, Defaults.UncleanLeaderElectionEnable, HIGH, UncleanLeaderElectionEnableDoc)
+    .define(InterBrokerSecurityProtocolProp, STRING, Defaults.InterBrokerSecurityProtocol, MEDIUM, InterBrokerSecurityProtocolDoc)
+    .define(InterBrokerProtocolVersionProp, STRING, Defaults.InterBrokerProtocolVersion, MEDIUM, InterBrokerProtocolVersionDoc)
 
     /** ********* Controlled shutdown configuration ***********/
     .define(ControlledShutdownMaxRetriesProp, INT, Defaults.ControlledShutdownMaxRetries, MEDIUM, ControlledShutdownMaxRetriesDoc)
-      .define(ControlledShutdownRetryBackoffMsProp, LONG, Defaults.ControlledShutdownRetryBackoffMs, MEDIUM, ControlledShutdownRetryBackoffMsDoc)
-      .define(ControlledShutdownEnableProp, BOOLEAN, Defaults.ControlledShutdownEnable, MEDIUM, ControlledShutdownEnableDoc)
+    .define(ControlledShutdownRetryBackoffMsProp, LONG, Defaults.ControlledShutdownRetryBackoffMs, MEDIUM, ControlledShutdownRetryBackoffMsDoc)
+    .define(ControlledShutdownEnableProp, BOOLEAN, Defaults.ControlledShutdownEnable, MEDIUM, ControlledShutdownEnableDoc)
 
     /** ********* Consumer coordinator configuration ***********/
     .define(ConsumerMinSessionTimeoutMsProp, INT, Defaults.ConsumerMinSessionTimeoutMs, MEDIUM, ConsumerMinSessionTimeoutMsDoc)
-      .define(ConsumerMaxSessionTimeoutMsProp, INT, Defaults.ConsumerMaxSessionTimeoutMs, MEDIUM, ConsumerMaxSessionTimeoutMsDoc)
+    .define(ConsumerMaxSessionTimeoutMsProp, INT, Defaults.ConsumerMaxSessionTimeoutMs, MEDIUM, ConsumerMaxSessionTimeoutMsDoc)
 
     /** ********* Offset management configuration ***********/
     .define(OffsetMetadataMaxSizeProp, INT, Defaults.OffsetMetadataMaxSize, HIGH, OffsetMetadataMaxSizeDoc)
-      .define(OffsetsLoadBufferSizeProp, INT, Defaults.OffsetsLoadBufferSize, atLeast(1), HIGH, OffsetsLoadBufferSizeDoc)
-      .define(OffsetsTopicReplicationFactorProp, SHORT, Defaults.OffsetsTopicReplicationFactor, atLeast(1), HIGH, OffsetsTopicReplicationFactorDoc)
-      .define(OffsetsTopicPartitionsProp, INT, Defaults.OffsetsTopicPartitions, atLeast(1), HIGH, OffsetsTopicPartitionsDoc)
-      .define(OffsetsTopicSegmentBytesProp, INT, Defaults.OffsetsTopicSegmentBytes, atLeast(1), HIGH, OffsetsTopicSegmentBytesDoc)
-      .define(OffsetsTopicCompressionCodecProp, INT, Defaults.OffsetsTopicCompressionCodec, HIGH, OffsetsTopicCompressionCodecDoc)
-      .define(OffsetsRetentionMinutesProp, INT, Defaults.OffsetsRetentionMinutes, atLeast(1), HIGH, OffsetsRetentionMinutesDoc)
-      .define(OffsetsRetentionCheckIntervalMsProp, LONG, Defaults.OffsetsRetentionCheckIntervalMs, atLeast(1), HIGH, OffsetsRetentionCheckIntervalMsDoc)
-      .define(OffsetCommitTimeoutMsProp, INT, Defaults.OffsetCommitTimeoutMs, atLeast(1), HIGH, OffsetCommitTimeoutMsDoc)
-      .define(OffsetCommitRequiredAcksProp, SHORT, Defaults.OffsetCommitRequiredAcks, HIGH, OffsetCommitRequiredAcksDoc)
-      .define(DeleteTopicEnableProp, BOOLEAN, Defaults.DeleteTopicEnable, HIGH, DeleteTopicEnableDoc)
-      .define(CompressionTypeProp, STRING, Defaults.CompressionType, HIGH, CompressionTypeDoc)
-      .define(MetricNumSamplesProp, INT, Defaults.MetricNumSamples, atLeast(1), LOW, MetricNumSamplesDoc)
-      .define(MetricSampleWindowMsProp, LONG, Defaults.MetricSampleWindowMs, atLeast(1), LOW, MetricSampleWindowMsDoc)
-      .define(MetricReporterClassesProp, LIST, Defaults.MetricReporterClasses, LOW, MetricReporterClassesDoc)
+    .define(OffsetsLoadBufferSizeProp, INT, Defaults.OffsetsLoadBufferSize, atLeast(1), HIGH, OffsetsLoadBufferSizeDoc)
+    .define(OffsetsTopicReplicationFactorProp, SHORT, Defaults.OffsetsTopicReplicationFactor, atLeast(1), HIGH, OffsetsTopicReplicationFactorDoc)
+    .define(OffsetsTopicPartitionsProp, INT, Defaults.OffsetsTopicPartitions, atLeast(1), HIGH, OffsetsTopicPartitionsDoc)
+    .define(OffsetsTopicSegmentBytesProp, INT, Defaults.OffsetsTopicSegmentBytes, atLeast(1), HIGH, OffsetsTopicSegmentBytesDoc)
+    .define(OffsetsTopicCompressionCodecProp, INT, Defaults.OffsetsTopicCompressionCodec, HIGH, OffsetsTopicCompressionCodecDoc)
+    .define(OffsetsRetentionMinutesProp, INT, Defaults.OffsetsRetentionMinutes, atLeast(1), HIGH, OffsetsRetentionMinutesDoc)
+    .define(OffsetsRetentionCheckIntervalMsProp, LONG, Defaults.OffsetsRetentionCheckIntervalMs, atLeast(1), HIGH, OffsetsRetentionCheckIntervalMsDoc)
+    .define(OffsetCommitTimeoutMsProp, INT, Defaults.OffsetCommitTimeoutMs, atLeast(1), HIGH, OffsetCommitTimeoutMsDoc)
+    .define(OffsetCommitRequiredAcksProp, SHORT, Defaults.OffsetCommitRequiredAcks, HIGH, OffsetCommitRequiredAcksDoc)
+    .define(DeleteTopicEnableProp, BOOLEAN, Defaults.DeleteTopicEnable, HIGH, DeleteTopicEnableDoc)
+    .define(CompressionTypeProp, STRING, Defaults.CompressionType, HIGH, CompressionTypeDoc)
+    .define(MetricNumSamplesProp, INT, Defaults.MetricNumSamples, atLeast(1), LOW, MetricNumSamplesDoc)
+    .define(MetricSampleWindowMsProp, LONG, Defaults.MetricSampleWindowMs, atLeast(1), LOW, MetricSampleWindowMsDoc)
+    .define(MetricReporterClassesProp, LIST, Defaults.MetricReporterClasses, LOW, MetricReporterClassesDoc)
 
     /** ********* SSL Configuration ****************/
     .define(PrincipalBuilderClassProp, STRING, Defaults.PrincipalBuilderClass, MEDIUM, PrincipalBuilderClassDoc)
-      .define(SSLProtocolProp, STRING, Defaults.SSLProtocol, MEDIUM, SSLProtocolDoc)
-      .define(SSLProviderProp, STRING, MEDIUM, SSLProviderDoc, false)
-      .define(SSLEnabledProtocolsProp, LIST, Defaults.SSLEnabledProtocols, MEDIUM, SSLEnabledProtocolsDoc)
-      .define(SSLKeystoreTypeProp, STRING, Defaults.SSLKeystoreType, MEDIUM, SSLKeystoreTypeDoc)
-      .define(SSLKeystoreLocationProp, STRING, Defaults.SSLKeystoreLocation, MEDIUM, SSLKeystoreLocationDoc)
-      .define(SSLKeystorePasswordProp, STRING, Defaults.SSLKeystorePassword, MEDIUM, SSLKeystorePasswordDoc)
-      .define(SSLKeyPasswordProp, STRING, Defaults.SSLKeyPassword, MEDIUM, SSLKeyPasswordDoc)
-      .define(SSLTruststoreTypeProp, STRING, Defaults.SSLTruststoreType, MEDIUM, SSLTruststoreTypeDoc)
-      .define(SSLTruststoreLocationProp, STRING, Defaults.SSLTruststoreLocation, MEDIUM, SSLTruststoreLocationDoc)
-      .define(SSLTruststorePasswordProp, STRING, Defaults.SSLTruststorePassword, MEDIUM, SSLTruststorePasswordDoc)
-      .define(SSLKeyManagerAlgorithmProp, STRING, Defaults.SSLKeyManagerAlgorithm, MEDIUM, SSLKeyManagerAlgorithmDoc)
-      .define(SSLTrustManagerAlgorithmProp, STRING, Defaults.SSLTrustManagerAlgorithm, MEDIUM, SSLTrustManagerAlgorithmDoc)
-      .define(SSLNeedClientAuthProp, BOOLEAN, Defaults.SSLNeedClientAuth, MEDIUM, SSLNeedClientAuthDoc)
-      .define(SSLWantClientAuthProp, BOOLEAN, Defaults.SSLWantClientAuth, MEDIUM, SSLWantClientAuthDoc)
+    .define(SSLProtocolProp, STRING, Defaults.SSLProtocol, MEDIUM, SSLProtocolDoc)
+    .define(SSLProviderProp, STRING, MEDIUM, SSLProviderDoc, false)
+    .define(SSLEnabledProtocolsProp, LIST, Defaults.SSLEnabledProtocols, MEDIUM, SSLEnabledProtocolsDoc)
+    .define(SSLKeystoreTypeProp, STRING, Defaults.SSLKeystoreType, MEDIUM, SSLKeystoreTypeDoc)
+    .define(SSLKeystoreLocationProp, STRING, Defaults.SSLKeystoreLocation, MEDIUM, SSLKeystoreLocationDoc)
+    .define(SSLKeystorePasswordProp, STRING, Defaults.SSLKeystorePassword, MEDIUM, SSLKeystorePasswordDoc)
+    .define(SSLKeyPasswordProp, STRING, Defaults.SSLKeyPassword, MEDIUM, SSLKeyPasswordDoc)
+    .define(SSLTruststoreTypeProp, STRING, Defaults.SSLTruststoreType, MEDIUM, SSLTruststoreTypeDoc)
+    .define(SSLTruststoreLocationProp, STRING, Defaults.SSLTruststoreLocation, MEDIUM, SSLTruststoreLocationDoc)
+    .define(SSLTruststorePasswordProp, STRING, Defaults.SSLTruststorePassword, MEDIUM, SSLTruststorePasswordDoc)
+    .define(SSLKeyManagerAlgorithmProp, STRING, Defaults.SSLKeyManagerAlgorithm, MEDIUM, SSLKeyManagerAlgorithmDoc)
+    .define(SSLTrustManagerAlgorithmProp, STRING, Defaults.SSLTrustManagerAlgorithm, MEDIUM, SSLTrustManagerAlgorithmDoc)
+    .define(SSLNeedClientAuthProp, BOOLEAN, Defaults.SSLNeedClientAuth, MEDIUM, SSLNeedClientAuthDoc)
+    .define(SSLWantClientAuthProp, BOOLEAN, Defaults.SSLWantClientAuth, MEDIUM, SSLWantClientAuthDoc)
   }
 
   def configNames() = {
@@ -622,26 +622,6 @@ object KafkaConfig {
     fromProps(props)
   }
 
-  def channelConfigs: java.util.Map[String, Object] = {
-    val channelConfigs = new java.util.HashMap[String, Object]()
-    import kafka.server.KafkaConfig._
-    channelConfigs.put(PrincipalBuilderClassProp, Class.forName(principalBuilderClass))
-    channelConfigs.put(SSLProtocolProp, sslProtocol)
-    channelConfigs.put(SSLEnabledProtocolsProp, sslEnabledProtocols)
-    channelConfigs.put(SSLKeystoreTypeProp, sslKeystoreType)
-    channelConfigs.put(SSLKeystoreLocationProp, sslKeystoreLocation)
-    channelConfigs.put(SSLKeystorePasswordProp, sslKeystorePassword)
-    channelConfigs.put(SSLKeyPasswordProp, sslKeyPassword)
-    channelConfigs.put(SSLTruststoreTypeProp, sslTruststoreType)
-    channelConfigs.put(SSLTruststoreLocationProp, sslTruststoreLocation)
-    channelConfigs.put(SSLTruststorePasswordProp, sslTruststorePassword)
-    channelConfigs.put(SSLKeyManagerAlgorithmProp, sslKeyManagerAlgorithm)
-    channelConfigs.put(SSLTrustManagerAlgorithmProp, sslTrustManagerAlgorithm)
-    channelConfigs.put(SSLNeedClientAuthProp, sslNeedClientAuth: java.lang.Boolean)
-    channelConfigs.put(SSLWantClientAuthProp, sslWantClientAuth: java.lang.Boolean)
-    channelConfigs
-  }
-
 }
 
 case class KafkaConfig (props: java.util.Map[_, _]) extends AbstractConfig(KafkaConfig.configDef, props) {
@@ -753,6 +733,23 @@ case class KafkaConfig (props: java.util.Map[_, _]) extends AbstractConfig(Kafka
   val metricSampleWindowMs = getLong(KafkaConfig.MetricSampleWindowMsProp)
   val metricReporterClasses: java.util.List[MetricsReporter] = getConfiguredInstances(KafkaConfig.MetricReporterClassesProp, classOf[MetricsReporter])
 
+  /** ********* SSL Configuration **************/
+  val principalBuilderClass = getString(KafkaConfig.PrincipalBuilderClassProp)
+  val sslProtocol = getString(KafkaConfig.SSLProtocolProp)
+  val sslProvider = getString(KafkaConfig.SSLProviderProp)
+  val sslEnabledProtocols = getList(KafkaConfig.SSLEnabledProtocolsProp)
+  val sslKeystoreType = getString(KafkaConfig.SSLKeystoreTypeProp)
+  val sslKeystoreLocation = getString(KafkaConfig.SSLKeystoreLocationProp)
+  val sslKeystorePassword = getString(KafkaConfig.SSLKeystorePasswordProp)
+  val sslKeyPassword = getString(KafkaConfig.SSLKeyPasswordProp)
+  val sslTruststoreType = getString(KafkaConfig.SSLTruststoreTypeProp)
+  val sslTruststoreLocation = getString(KafkaConfig.SSLTruststoreLocationProp)
+  val sslTruststorePassword = getString(KafkaConfig.SSLTruststorePasswordProp)
+  val sslKeyManagerAlgorithm = getString(KafkaConfig.SSLKeyManagerAlgorithmProp)
+  val sslTrustManagerAlgorithm = getString(KafkaConfig.SSLTrustManagerAlgorithmProp)
+  val sslNeedClientAuth = getBoolean(KafkaConfig.SSLNeedClientAuthProp)
+  val sslWantClientAuth = getBoolean(KafkaConfig.SSLWantClientAuthProp)
+
   val deleteTopicEnable = getBoolean(KafkaConfig.DeleteTopicEnableProp)
   val compressionType = getString(KafkaConfig.CompressionTypeProp)
 
@@ -869,4 +866,24 @@ case class KafkaConfig (props: java.util.Map[_, _]) extends AbstractConfig(Kafka
       " Valid options are " + BrokerCompressionCodec.brokerCompressionOptions.mkString(","))
   }
 
+  def channelConfigs: java.util.Map[String, Object] = {
+    val channelConfigs = new java.util.HashMap[String, Object]()
+    import kafka.server.KafkaConfig._
+    channelConfigs.put(PrincipalBuilderClassProp, Class.forName(principalBuilderClass))
+    channelConfigs.put(SSLProtocolProp, sslProtocol)
+    channelConfigs.put(SSLEnabledProtocolsProp, sslEnabledProtocols)
+    channelConfigs.put(SSLKeystoreTypeProp, sslKeystoreType)
+    channelConfigs.put(SSLKeystoreLocationProp, sslKeystoreLocation)
+    channelConfigs.put(SSLKeystorePasswordProp, sslKeystorePassword)
+    channelConfigs.put(SSLKeyPasswordProp, sslKeyPassword)
+    channelConfigs.put(SSLTruststoreTypeProp, sslTruststoreType)
+    channelConfigs.put(SSLTruststoreLocationProp, sslTruststoreLocation)
+    channelConfigs.put(SSLTruststorePasswordProp, sslTruststorePassword)
+    channelConfigs.put(SSLKeyManagerAlgorithmProp, sslKeyManagerAlgorithm)
+    channelConfigs.put(SSLTrustManagerAlgorithmProp, sslTrustManagerAlgorithm)
+    channelConfigs.put(SSLNeedClientAuthProp, sslNeedClientAuth: java.lang.Boolean)
+    channelConfigs.put(SSLWantClientAuthProp, sslWantClientAuth: java.lang.Boolean)
+    channelConfigs
+  }
+
 }
-- 
2.4.4


From 8f7ba892502b09cb7cc05d75270352815fb1c42c Mon Sep 17 00:00:00 2001
From: Sriharsha Chintalapani 
Date: Sun, 21 Jun 2015 15:35:52 -0700
Subject: [PATCH 18/19] KAFKA-1690. Added SSLProducerSendTest.

---
 .../test/scala/integration/kafka/api/SSLProducerSendTest.scala | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/core/src/test/scala/integration/kafka/api/SSLProducerSendTest.scala b/core/src/test/scala/integration/kafka/api/SSLProducerSendTest.scala
index 73e2d2c..3a9239c 100644
--- a/core/src/test/scala/integration/kafka/api/SSLProducerSendTest.scala
+++ b/core/src/test/scala/integration/kafka/api/SSLProducerSendTest.scala
@@ -120,12 +120,12 @@ class SSLProducerSendTest extends JUnit3Suite with KafkaServerTestHarness {
         case e: Throwable => fail("Only expecting IllegalArgumentException", e)
       }
 
-      // // non-blocking send a list of records
-      // for (i <- 1 to numRecords)
-      //   producer.send(record0, callback)
+      // non-blocking send a list of records
+      for (i <- 1 to numRecords)
+        producer.send(record0, callback)
 
-      // // check that all messages have been acked via offset
-      // assertEquals("Should have offset " + (numRecords + 4), numRecords + 4L, producer.send(record0, callback).get.offset)
+      // check that all messages have been acked via offset
+      assertEquals("Should have offset " + (numRecords + 4), numRecords + 4L, producer.send(record0, callback).get.offset)
 
     } finally {
       if (producer != null) {
-- 
2.4.4


From 0dba29f7bd5489163949641030a98c308f25cb67 Mon Sep 17 00:00:00 2001
From: Sriharsha Chintalapani 
Date: Tue, 23 Jun 2015 09:16:29 -0700
Subject: [PATCH 19/19] KAFKA-1690. Minor fixes based on patch review comments.

---
 .../apache/kafka/common/network/SSLFactory.java    |  4 +---
 .../kafka/common/network/SSLTransportLayer.java    | 12 +++++-----
 .../main/scala/kafka/network/SocketServer.scala    | 26 +++++++++++-----------
 3 files changed, 19 insertions(+), 23 deletions(-)

diff --git a/clients/src/main/java/org/apache/kafka/common/network/SSLFactory.java b/clients/src/main/java/org/apache/kafka/common/network/SSLFactory.java
index ec53b69..b843ee1 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/SSLFactory.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/SSLFactory.java
@@ -74,9 +74,7 @@ public class SSLFactory implements Configurable {
 
         if (configs.containsKey(SSLConfigs.SSL_NEED_CLIENT_AUTH_CONFIG)) {
             this.needClientAuth = (Boolean) configs.get(SSLConfigs.SSL_NEED_CLIENT_AUTH_CONFIG);
-        }
-
-        if (configs.containsKey(SSLConfigs.SSL_WANT_CLIENT_AUTH_CONFIG)) {
+        } else if (configs.containsKey(SSLConfigs.SSL_WANT_CLIENT_AUTH_CONFIG)) {
             this.wantClientAuth = (Boolean) configs.get(SSLConfigs.SSL_WANT_CLIENT_AUTH_CONFIG);
         }
 
diff --git a/clients/src/main/java/org/apache/kafka/common/network/SSLTransportLayer.java b/clients/src/main/java/org/apache/kafka/common/network/SSLTransportLayer.java
index 8e88b7a..f644d44 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/SSLTransportLayer.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/SSLTransportLayer.java
@@ -56,7 +56,6 @@ public class SSLTransportLayer implements TransportLayer {
     private ByteBuffer appReadBuffer;
     private ByteBuffer emptyBuf = ByteBuffer.allocate(0);
     private int interestOps;
-    private int socketSendBufferSize;
 
     public SSLTransportLayer(SelectionKey key, SSLEngine sslEngine) throws IOException {
         this.key = key;
@@ -65,7 +64,6 @@ public class SSLTransportLayer implements TransportLayer {
         this.netReadBuffer = ByteBuffer.allocateDirect(packetBufferSize());
         this.netWriteBuffer = ByteBuffer.allocateDirect(packetBufferSize());
         this.appReadBuffer = ByteBuffer.allocateDirect(applicationBufferSize());
-        this.socketSendBufferSize = this.socketChannel.socket().getSendBufferSize();
         startHandshake();
     }
 
@@ -192,7 +190,7 @@ public class SSLTransportLayer implements TransportLayer {
                         int currentPacketBufferSize = packetBufferSize();
                         netWriteBuffer = Utils.ensureCapacity(netWriteBuffer, currentPacketBufferSize);
                         if (netWriteBuffer.position() >= currentPacketBufferSize) {
-                            throw new IllegalStateException("Buffer overflow when available data (" + netWriteBuffer.position() +
+                            throw new IllegalStateException("Buffer overflow when available data size (" + netWriteBuffer.position() +
                                                             ") >= network buffer size (" + currentPacketBufferSize + ")");
                         }
                     } else if (handshakeResult.getStatus() == Status.BUFFER_UNDERFLOW) {
@@ -218,7 +216,7 @@ public class SSLTransportLayer implements TransportLayer {
                         int currentAppBufferSize = applicationBufferSize();
                         netReadBuffer = Utils.ensureCapacity(netReadBuffer, currentAppBufferSize);
                         if (netReadBuffer.position() > currentAppBufferSize) {
-                            throw new IllegalStateException("Buffer underflow when available data (" + netReadBuffer.position() +
+                            throw new IllegalStateException("Buffer underflow when available data size (" + netReadBuffer.position() +
                                                             ") > packet buffer size (" + currentAppBufferSize + ")");
                         }
                     } else if (handshakeResult.getStatus() == Status.CLOSED) {
@@ -388,7 +386,7 @@ public class SSLTransportLayer implements TransportLayer {
                     int currentApplicationBufferSize = applicationBufferSize();
                     appReadBuffer = Utils.ensureCapacity(appReadBuffer, currentApplicationBufferSize);
                     if (appReadBuffer.position() >= currentApplicationBufferSize) {
-                        throw new IllegalStateException("Buffer overflow when available data (" + appReadBuffer.position() +
+                        throw new IllegalStateException("Buffer overflow when available data size (" + appReadBuffer.position() +
                                                         ") >= application buffer size (" + currentApplicationBufferSize + ")");
                     }
                     if (dst.hasRemaining())
@@ -399,7 +397,7 @@ public class SSLTransportLayer implements TransportLayer {
                     int currentPacketBufferSize = packetBufferSize();
                     netReadBuffer = Utils.ensureCapacity(netReadBuffer, currentPacketBufferSize);
                     if (netReadBuffer.position() >= currentPacketBufferSize) {
-                        throw new IllegalStateException("Buffer underflow when available data (" + netReadBuffer.position() +
+                        throw new IllegalStateException("Buffer underflow when available data size (" + netReadBuffer.position() +
                                                         ") > packet buffer size (" + currentPacketBufferSize + ")");
                     }
                     break;
@@ -554,7 +552,7 @@ public class SSLTransportLayer implements TransportLayer {
 
     /**
      * returns a SSL Session after the handshake is established
-     * throws IlleagalStateException if the handshake is not established
+     * throws IllegalStateException if the handshake is not established
      */
     public SSLSession sslSession() throws IllegalStateException {
         return sslEngine.getSession();
diff --git a/core/src/main/scala/kafka/network/SocketServer.scala b/core/src/main/scala/kafka/network/SocketServer.scala
index cb125c2..fd4b667 100644
--- a/core/src/main/scala/kafka/network/SocketServer.scala
+++ b/core/src/main/scala/kafka/network/SocketServer.scala
@@ -102,15 +102,14 @@ class SocketServer(val config: KafkaConfig) extends Logging with KafkaMetricsGro
     val quotas = new ConnectionQuotas(maxConnectionsPerIp, maxConnectionsPerIpOverrides)
 
     this.synchronized {
-      var processorIndex = 0
+      var processorBeginIndex = 0
       endpoints.values.foreach(endpoint => {
-        val acceptor = new Acceptor(endpoint.host, endpoint.port, sendBufferSize, recvBufferSize, requestChannel, processors, quotas, endpoint.protocolType,
-          portToProtocol, channelConfigs, numProcessorThreads + processorIndex, maxQueuedRequests, maxRequestSize, connectionsMaxIdleMs, new Metrics(metricConfig, reporters, time),
-          allMetricNames, time, config.brokerId, processorIndex)
+        val acceptor = new Acceptor(endpoint.host, endpoint.port, sendBufferSize, recvBufferSize, config.brokerId, requestChannel, processors, processorBeginIndex, numProcessorThreads, quotas,
+          endpoint.protocolType, portToProtocol, channelConfigs,  maxQueuedRequests, maxRequestSize, connectionsMaxIdleMs, new Metrics(metricConfig, reporters, time), allMetricNames, time)
         acceptors.put(endpoint, acceptor)
         Utils.newThread("kafka-socket-acceptor-%s-%d".format(endpoint.protocolType.toString, endpoint.port), acceptor, false).start()
         acceptor.awaitStartup
-        processorIndex += numProcessorThreads
+        processorBeginIndex += numProcessorThreads
       })
     }
 
@@ -211,23 +210,24 @@ private[kafka] class Acceptor(val host: String,
                               private val port: Int,
                               val sendBufferSize: Int,
                               val recvBufferSize: Int,
+                              brokerId: Int,
                               requestChannel: RequestChannel,
                               processors: Array[Processor],
+                              processorBeginIndex: Int,
+                              numProcessorThreads: Int,
                               connectionQuotas: ConnectionQuotas,
                               protocol: SecurityProtocol,
                               portToProtocol: ConcurrentHashMap[Int, SecurityProtocol],
                               channelConfigs: java.util.Map[String, Object],
-                              numProcessorThreads: Int,
                               maxQueuedRequests: Int,
                               maxRequestSize: Int,
                               connectionsMaxIdleMs: Long,
                               metrics: Metrics,
                               allMetricNames: Seq[MetricName],
-                              time: Time,
-                              brokerId: Int,
-                              processorIndex: Int) extends AbstractServerThread(connectionQuotas) with KafkaMetricsGroup {
+                              time: Time) extends AbstractServerThread(connectionQuotas) with KafkaMetricsGroup {
   val nioSelector = java.nio.channels.Selector.open()
   val serverChannel = openServerSocket(host, port)
+  val processorEndIndex = processorBeginIndex + numProcessorThreads
 
   portToProtocol.put(serverChannel.socket().getLocalPort, protocol)
 
@@ -239,7 +239,7 @@ private[kafka] class Acceptor(val host: String,
   )
 
   this.synchronized {
-    for (i <- processorIndex until numProcessorThreads) {
+    for (i <- processorBeginIndex until processorEndIndex) {
         processors(i) = new Processor(i,
           time,
           maxRequestSize,
@@ -261,7 +261,7 @@ private[kafka] class Acceptor(val host: String,
   def run() {
     serverChannel.register(nioSelector, SelectionKey.OP_ACCEPT);
     startupComplete()
-    var currentProcessor = processorIndex
+    var currentProcessor = processorBeginIndex
     while(isRunning) {
       val ready = nioSelector.select(500)
       if(ready > 0) {
@@ -278,8 +278,8 @@ private[kafka] class Acceptor(val host: String,
                throw new IllegalStateException("Unrecognized key state for acceptor thread.")
 
             // round robin to the next processor thread
-            currentProcessor = (currentProcessor + 1) % numProcessorThreads
-            if (currentProcessor < processorIndex) currentProcessor = processorIndex
+            currentProcessor = (currentProcessor + 1) % processorEndIndex
+            if (currentProcessor < processorBeginIndex) currentProcessor = processorEndIndex
           } catch {
             case e: Throwable => error("Error while accepting connection", e)
           }
-- 
2.4.4