SSL support (Kafka 0.9+) revisit #643

@jabbors

Hi,

SSL support is supposed to be working according to issue #581.

However, I've spent two days trying to get it working with Kafka 0.9.0. I can connect to my Kafka cluster with openssl s_client -connect domain.com:9093 -tls1 so I know it is configured correctly.

But when I try connecting with sarama I get errors:

[Sarama] 2016/04/20 11:16:39 client/metadata retrying after 250ms... (1 attempts remaining)
[Sarama] 2016/04/20 11:16:39 client/metadata fetching metadata for all topics from broker domain.com:9093
[Sarama] 2016/04/20 11:16:39 Failed to connect to broker domain.com:9093: tls: first record does not look like a TLS handshake
[Sarama] 2016/04/20 11:16:39 client/metadata got error from broker while fetching metadata: tls: first record does not look like a TLS handshake
[Sarama] 2016/04/20 11:16:39 client/metadata no available broker to send metadata request to
[Sarama] 2016/04/20 11:16:39 client/brokers resurrecting 1 dead seed brokers
[Sarama] 2016/04/20 11:16:39 Closing Client
panic: kafka: client has run out of available brokers to talk to (Is your cluster reachable?)

In the Kafka logs I see the following errors:

[2016-04-20 11:16:39,073] DEBUG Connection with a.b.c.d/a.b.c.d disconnected (org.apache.kafka.common.network.Selector)
javax.net.ssl.SSLHandshakeException: no cipher suites in common
  at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1348)
  at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:519)
  at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1200)
  at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1172)
  at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
  at org.apache.kafka.common.network.SslTransportLayer.handshakeWrap(SslTransportLayer.java:377)
  at org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:242)
  at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:68)
  at org.apache.kafka.common.network.Selector.poll(Selector.java:281)
  at kafka.network.Processor.run(SocketServer.scala:413)
  at java.lang.Thread.run(Thread.java:745)

Further investigation using Wireshark indicates that the Kafka server does not respond with a ServerHello in the TLS handshake, which is all due to Sarama and Kafka not being able to agree on a common cipher.

This issue is probably not in Sarama, more correctly in Go TLS or in Java, but I'd like to know how people claim this is working.
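
The "no cipher suites in common" condition from the broker log can be reproduced locally with Go's crypto/tls alone. The following is an added example, not part of the original issue and not Sarama code; it assumes TLS 1.2, a throwaway self-signed certificate and constructed cipher suite lists, and `Negotiate` and `selfSigned` are hypothetical helper names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway ECDSA certificate for the in-process test server.
func selfSigned() tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "broker.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// Negotiate runs one TLS 1.2 handshake over an in-memory pipe and returns the
// agreed cipher suite name, or the client-side handshake error.
func Negotiate(serverSuites, clientSuites []uint16) (string, error) {
	cConn, sConn := net.Pipe()
	defer cConn.Close()
	srv := tls.Server(sConn, &tls.Config{Certificates: []tls.Certificate{selfSigned()},
		CipherSuites: serverSuites, MaxVersion: tls.VersionTLS12})
	go func() { srv.Handshake(); sConn.Close() }()
	// InsecureSkipVerify is set only because the certificate is a throwaway test one.
	cli := tls.Client(cConn, &tls.Config{InsecureSkipVerify: true,
		CipherSuites: clientSuites, MaxVersion: tls.VersionTLS12})
	if err := cli.Handshake(); err != nil {
		return "", err
	}
	return tls.CipherSuiteName(cli.ConnectionState().CipherSuite), nil
}

func main() {
	// Constructed suite lists, not the reporter's broker or client settings.
	a256 := []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384}
	a128 := []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}
	_, err := Negotiate(a256, a128)                   // disjoint lists: handshake is refused
	name, _ := Negotiate(a256, append(a128, a256...)) // one shared suite: handshake completes
	fmt.Println("disjoint:", err, "| overlap:", name)
}
```

When a real client and broker fail this way, comparing the suites each side has enabled for the negotiated protocol version and certificate key type is the first check.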
