Issue with null values for Kafka when using SslBundles #44726

Closed
patpatpat123 opened this issue Mar 17, 2025 · 3 comments
Labels
status: declined A suggestion or change that we don't feel we should currently apply

Comments

@patpatpat123

Hello team,

Just wanted to reach out with a small issue observed using SslBundle (in favor of the "old" way)

BEFORE:

Before (the very cool by the way) SslBundle, I would use this with my Kafka configuration:

        final Map<String, Object> properties = new HashMap<>();
        properties.put("security.protocol", "SSL");
        properties.put(SslConfigs.SSL_KEYSTORE_LOCATION_CONFIG, "/path/to/keystore.p12");
        properties.put(SslConfigs.SSL_KEYSTORE_PASSWORD_CONFIG, "abc");
        properties.put(SslConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG, "/path/to/truststore.p12");
        properties.put(SslConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG, "xyz");

And I would see a "correct" kafka output:

	sasl.oauthbearer.sub.claim.name = sub
	sasl.oauthbearer.token.endpoint.url = null
	security.protocol = SSL
	security.providers = null
	send.buffer.bytes = 131072
	session.timeout.ms = 45000
	socket.connection.setup.timeout.max.ms = 30000
	socket.connection.setup.timeout.ms = 10000
	ssl.cipher.suites = null
	ssl.enabled.protocols = [TLSv1.2, TLSv1.3]
	ssl.endpoint.identification.algorithm = https
	ssl.engine.factory.class = null
	ssl.key.password = null
	ssl.keymanager.algorithm = SunX509
	ssl.keystore.certificate.chain = null
	ssl.keystore.key = null
	ssl.keystore.location = /path/to/keystore.p12
	ssl.keystore.password = [hidden]
	ssl.keystore.type = JKS
	ssl.protocol = TLSv1.3
	ssl.provider = null
	ssl.secure.random.implementation = null
	ssl.trustmanager.algorithm = PKIX
	ssl.truststore.certificates = null
	ssl.truststore.location = /path/to/truststore.p12
	ssl.truststore.password = [hidden]
	ssl.truststore.type = JKS
	value.deserializer = class org.apache.kafka.common.serialization.StringDeserializer

Note we can clearly see:

	ssl.engine.factory.class = null
	ssl.keystore.location = /path/to/keystore.p12
	ssl.keystore.password = [hidden]
	ssl.truststore.location = /path/to/truststore.p12
	ssl.truststore.password = [hidden]

AFTER

Now using the SslBundle:

        final Map<String, Object> properties = new HashMap<>();
        properties.put("security.protocol", "SSL");
        properties.put(SslConfigs.SSL_ENGINE_FACTORY_CLASS_CONFIG, SslBundleSslEngineFactory.class.getName());
        properties.put(SslBundle.class.getName(), sslBundles.getBundle("mycoolclient"));

I omit the application properties configuration for the keystore and truststore, because it is just the same.

However, the result is:

	sasl.oauthbearer.sub.claim.name = sub
	sasl.oauthbearer.token.endpoint.url = null
	security.protocol = SSL
	security.providers = null
	send.buffer.bytes = 131072
	session.timeout.ms = 45000
	socket.connection.setup.timeout.max.ms = 30000
	socket.connection.setup.timeout.ms = 10000
	ssl.cipher.suites = null
	ssl.enabled.protocols = [TLSv1.2, TLSv1.3]
	ssl.endpoint.identification.algorithm = https
	ssl.engine.factory.class = class org.springframework.boot.autoconfigure.kafka.SslBundleSslEngineFactory
	ssl.key.password = null
	ssl.keymanager.algorithm = SunX509
	ssl.keystore.certificate.chain = null
	ssl.keystore.key = null
	ssl.keystore.location = null
	ssl.keystore.password = null
	ssl.keystore.type = JKS
	ssl.protocol = TLSv1.3
	ssl.provider = null
	ssl.secure.random.implementation = null
	ssl.trustmanager.algorithm = PKIX
	ssl.truststore.certificates = null
	ssl.truststore.location = null
	ssl.truststore.password = null
	ssl.truststore.type = JKS
	value.deserializer = class org.apache.kafka.common.serialization.StringDeserializer

Please note:

	ssl.engine.factory.class = class org.springframework.boot.autoconfigure.kafka.SslBundleSslEngineFactory
	ssl.keystore.key = null
	ssl.keystore.location = null
	ssl.keystore.password = null
	ssl.truststore.certificates = null
	ssl.truststore.location = null
	ssl.truststore.password = null

To avoid misunderstanding, both solutions are working. I tried adding a bad certificate, but I would get the SSL error. Both approaches are working; I am able to consume the messages.

Issue:

It seems with the new SslBundle construct, values are null, while they are not.

Thank you for your time reading me.

Wishing you a good day!

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Mar 17, 2025
@mhalbritter
Contributor

mhalbritter commented Mar 17, 2025

Hey,

why is it an issue that some values are null? When using an SSL bundle, we create the SslEngine which Kafka then uses. Not every SslBundle has to be backed by a keystore, so it's fine that ssl.keystore.location is null.

@mhalbritter mhalbritter added the status: waiting-for-feedback We need additional information before we can continue label Mar 17, 2025
@patpatpat123
Author

Hey @mhalbritter ,

Thank you for looking into this.

I am going to use a "me" scenario here. The purpose is not to make it a "me" situation, but to provide an example.

> Not every SslBundle has to be backed by a keystore

Agree, but in my case, it is backed by a keystore, with a real location. In this case, since it is backed by a keystore, can the location be populated accordingly, and not be null?

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Mar 17, 2025
@mhalbritter
Contributor

No, that's not possible. The SslBundle has been created to abstract away such things. If you want the keystore in the kafka properties, you have to use those properties:

        properties.put(SslConfigs.SSL_KEYSTORE_LOCATION_CONFIG, "/path/to/keystore.p12");
        properties.put(SslConfigs.SSL_KEYSTORE_PASSWORD_CONFIG, "abc");
        properties.put(SslConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG, "/path/to/truststore.p12");
        properties.put(SslConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG, "xyz");

@mhalbritter mhalbritter closed this as not planned Won't fix, can't repro, duplicate, stale Mar 17, 2025
@mhalbritter mhalbritter added status: declined A suggestion or change that we don't feel we should currently apply and removed status: waiting-for-triage An issue we've not yet triaged status: feedback-provided Feedback has been provided labels Mar 17, 2025