From abe2f87a09f38fae21e9bbf5f5b63a1245080b8b Mon Sep 17 00:00:00 2001
From: Chris Egerton
Date: Wed, 25 Mar 2020 16:45:12 -0700
Subject: [PATCH 1/2] KAFKA-9771: Port patch for inter-worker Connect SSL from Jetty 9.4.25
---
 .../connect/runtime/rest/util/SSLUtils.java | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/connect/runtime/src/main/java/org/apache/kafka/connect/runtime/rest/util/SSLUtils.java b/connect/runtime/src/main/java/org/apache/kafka/connect/runtime/rest/util/SSLUtils.java
index 6b391d96adaa7..b2aa3e5629dce 100644
--- a/connect/runtime/src/main/java/org/apache/kafka/connect/runtime/rest/util/SSLUtils.java
+++ b/connect/runtime/src/main/java/org/apache/kafka/connect/runtime/rest/util/SSLUtils.java
@@ -20,8 +20,10 @@
 import org.apache.kafka.common.config.internals.BrokerSecurityConfigs;
 import org.apache.kafka.common.config.types.Password;
 import org.apache.kafka.connect.runtime.WorkerConfig;
+import org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
+import javax.net.ssl.X509ExtendedKeyManager;
 import java.util.Arrays;
 import java.util.List;
 import java.util.Map;
@@ -64,7 +66,20 @@ public static SslContextFactory createServerSideSslContextFactory(WorkerConfig c
 public static SslContextFactory createClientSideSslContextFactory(WorkerConfig config) {
 Map sslConfigValues = config.valuesWithPrefixAllOrNothing("listeners.https.");
- final SslContextFactory.Client ssl = new SslContextFactory.Client();
+ // Override this method in order to avoid running into
+ // https://github.com/eclipse/jetty.project/issues/4385, which would otherwise cause this to
+ // break when the keystore contains multiple certificates.
+ // The override here matches the bug fix in Jetty for that issue:
+ // https://github.com/eclipse/jetty.project/pull/4404/files#diff-58640db0f8f2cd84b7e653d1c1540913R2188-R2193
+ // TODO: Remove this override when the version of Jetty for the framework is bumped to
+ // 9.4.25 or later
+ final SslContextFactory.Client ssl = new SslContextFactory.Client() {
+ @Override
+ @SuppressWarnings("deprecation")
+ protected X509ExtendedKeyManager newSniX509ExtendedKeyManager(X509ExtendedKeyManager keyManager) {
+ return keyManager;
+ }
+ };
 configureSslContextFactoryKeyStore(ssl, sslConfigValues);
 configureSslContextFactoryTrustStore(ssl, sslConfigValues);
From b694735257bb94a63ab894c40fcba0fbfb2ca94b Mon Sep 17 00:00:00 2001
From: Chris Egerton
Date: Thu, 26 Mar 2020 15:22:40 -0700
Subject: [PATCH 2/2] KAFKA-9771: Remove unused import
---
 .../org/apache/kafka/connect/runtime/rest/util/SSLUtils.java | 1 -
 1 file changed, 1 deletion(-)
diff --git a/connect/runtime/src/main/java/org/apache/kafka/connect/runtime/rest/util/SSLUtils.java b/connect/runtime/src/main/java/org/apache/kafka/connect/runtime/rest/util/SSLUtils.java
index b2aa3e5629dce..8e049950afefa 100644
--- a/connect/runtime/src/main/java/org/apache/kafka/connect/runtime/rest/util/SSLUtils.java
+++ b/connect/runtime/src/main/java/org/apache/kafka/connect/runtime/rest/util/SSLUtils.java
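Review bot: The anonymous override on the new `final SslContextFactory.Client ssl = new SslContextFactory.Client() {` line carries `@SuppressWarnings("deprecation")`, which suggests `newSniX509ExtendedKeyManager` is deprecated in the Jetty version currently on the classpath, yet the comment above it never says so or explains what the planned bump will do to the hook; if a later Jetty removes or renames it, `@Override` turns that into a compile error, which is the right signal but worth stating. I would extend the TODO to `// TODO (KAFKA-9771): Remove this override when Jetty is bumped to 9.4.25 or later; @Override makes the bump fail to compile if the hook is gone rather than silently re-enabling the SNI wrapping.` Since returning `keyManager` unwrapped changes which key entry a multi-entry client keystore can present, a unit test for createClientSideSslContextFactory built from a keystore holding more than one key entry would pin the behaviour the comment promises. The trust-store configuration and any hostname checks are not touched by this hook as far as the hunk shows. The method body continues past the end of the hunk.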
@@ -20,7 +20,6 @@
 import org.apache.kafka.common.config.internals.BrokerSecurityConfigs;
 import org.apache.kafka.common.config.types.Password;
 import org.apache.kafka.connect.runtime.WorkerConfig;
-import org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
 import javax.net.ssl.X509ExtendedKeyManager;