logstash-plugins/logstash-integration-kafka

ssl_endpoint_identification_algorithm handling regression introduced in 10.1.0 in output

colinsurprenant opened this issue · 6 comments

It looks like #8 introduced a regression, by not setting the truststore options anymore when ssl_endpoint_identification_algorithm is empty.

When a cert does not match the hostname, prior to #8 it was possible to set:

     security_protocol => "SSL"
     ssl_endpoint_identification_algorithm => ""

     ssl_truststore_location => "..."
     ssl_truststore_password => "..."
     ssl_keystore_location => "..."
     ssl_keystore_password => "..."
     ssl_key_password => "..."

but after #8 (in 10.1.0) this fails with

[ERROR][org.apache.kafka.clients.NetworkClient][elastiflow] [Producer clientId=producer-1] Connection to node -1 (...) failed authentication due to: SSL handshake failed

kares commented

💥 #8 seemed to make sense but I guess if there's users complaining the only thing left is to revert @robcowart's changes

I'm experiencing the same problem, which doesn't happen in the input plugin.

atoom commented

We are having the same issue when updating Logstash from version 7.6.1 to 7.9.2. We are using internal self-signed certificates where the CN does not necessarily match the broker hostname so we have set ssl_endpoint_identification_algorithm to "".

As a workaround we have been forced to downgrade the logstash-integration-kafka plugin to version 10.0.0.

Would love to see this fixed soon so that we are not forced to run on an outdated version of this plugin.

Experiencing this issue as well - although truststore is configured, it is no longer used and results in SSL handshake errors. Only experienced on Kafka output plugin; Kafka input plugin is not impacted as breaking change mentioned was only made to Kafka output plugin.

Our workaround was to downgrade logstash-integration-kafka to 10.0.1 as well as we cannot enable endpoint identification validation at this time to work around the issue.

Will be fixed by #60
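An added example, not code from the plugin or from any commenter: a simplified Ruby model of the behaviour reported in this issue, with a check that flags configured keystore/truststore options that never reach the Kafka client. The function names, the option hash and the sample paths and passwords are assumptions constructed for illustration; the property names are standard Kafka client configuration keys.

```ruby
# Simplified model of the reported behaviour, NOT the plugin's source.
# Function names and sample values are hypothetical / constructed.
SSL_OPTION_TO_KAFKA_KEY = {
  ssl_truststore_location: "ssl.truststore.location",
  ssl_truststore_password: "ssl.truststore.password",
  ssl_keystore_location:   "ssl.keystore.location",
  ssl_keystore_password:   "ssl.keystore.password",
  ssl_key_password:        "ssl.key.password",
}.freeze

# Models the regression: an empty algorithm also skips the store options,
# so the client falls back to the JVM default truststore.
def ssl_props_regressed(opts)
  props = { "security.protocol" => opts[:security_protocol] }
  algo = opts[:ssl_endpoint_identification_algorithm]
  return props if algo.nil? || algo.empty?
  props["ssl.endpoint.identification.algorithm"] = algo
  SSL_OPTION_TO_KAFKA_KEY.each { |opt, key| props[key] = opts[opt] if opts[opt] }
  props
end

# Expected behaviour: store options never depend on the algorithm value, and
# an explicit "" is passed through so hostname verification is disabled while
# the certificate chain is still validated against the configured truststore.
def ssl_props_expected(opts)
  props = { "security.protocol" => opts[:security_protocol] }
  algo = opts[:ssl_endpoint_identification_algorithm]
  props["ssl.endpoint.identification.algorithm"] = algo unless algo.nil?
  SSL_OPTION_TO_KAFKA_KEY.each { |opt, key| props[key] = opts[opt] if opts[opt] }
  props
end

# Regression check: Kafka keys for configured store options that are missing.
def missing_store_keys(props, opts)
  SSL_OPTION_TO_KAFKA_KEY.select { |opt, _| opts[opt] }.values - props.keys
end

# Constructed sample mirroring the configuration in the issue.
SAMPLE_OPTS = {
  security_protocol: "SSL",
  ssl_endpoint_identification_algorithm: "",
  ssl_truststore_location: "/constructed/truststore.jks",
  ssl_truststore_password: "constructed-password",
  ssl_keystore_location: "/constructed/keystore.jks",
  ssl_keystore_password: "constructed-password",
  ssl_key_password: "constructed-password",
}.freeze

puts missing_store_keys(ssl_props_regressed(SAMPLE_OPTS), SAMPLE_OPTS).inspect
puts missing_store_keys(ssl_props_expected(SAMPLE_OPTS), SAMPLE_OPTS).inspect
```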