enable.ssl.certificate.verification must be a string and not a boolean #1633

@yzhan289

Description

The enable.ssl.certificate.verification configuration for AdminClient only takes strings "true"/"false" rather than the Python booleans True/False. We noticed that even though we would set enable.ssl.certificate.verification: False in our configuration, we would end up with the following error:

%3|1692896138.459|FAIL|dd-agent#producer-1| [thrd:sasl_ssl://192.168.36.20:9071/bootstrap]: sasl_ssl://192.168.36.20:9071/bootstrap: SSL handshake failed: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed: broker certificate could not be verified, verify that ssl.ca.location is correctly configured or root CA certificates are installed (install ca-certificates package) (after 2ms in state SSL_HANDSHAKE)

The default value of enable.ssl.certificate.verification (according to librdkafka's configuration) is true, so maybe after the config is passed from confluent-kafka-python to librdkafka, the boolean False is converted to the default string "true"?

Based on #1346, one could assume that enable.ssl.certificate.verification should take Python booleans, although from #938 and #1494, other users might be running into this issue too.

The library should either clarify that enable.ssl.certificate.verification should be a string or update the implementation to accept a boolean.

How to reproduce

  1. Configure a Kafka cluster that requires SSL but doesn't have a server cert signed by a CA (can be self-signed).
  2. Create an AdminClient connection that uses SSL but set enable.ssl.certificate.verification: False (Python boolean, not string).

Checklist

Please provide the following information:

  • confluent-kafka-python and librdkafka version: 2.2.0 2.0.2
  • Apache Kafka broker version: N/A
  • Client configuration:
    security.protocol: "sasl_ssl", sasl.mechanism: "PLAIN", enable.ssl.certificate.verification: False, sasl.username: "<username>", sasl.password: "<password>", sasl.kerberos.principal: "kafka@localhost", sasl.kerberos.service.name: "kafka"
  • Operating system: N/A
  • Provide client logs (with 'debug': '..' as necessary)
  • Provide broker log excerpts
  • Critical issue
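
A pre-flight check for the configuration described in this issue, as an added example that is not part of the original report and not confluent-kafka-python code. The helper name `normalize_conf` is hypothetical; it assumes, as the report states, that only the strings "true"/"false" are honoured, and it also surfaces the case where broker certificate verification ends up disabled on a TLS listener.

```python
# Added example; normalize_conf is a hypothetical helper, not a library API.
VERIFY_KEY = "enable.ssl.certificate.verification"
TLS_PROTOCOLS = {"ssl", "sasl_ssl"}

# Constructed sample mirroring the client configuration quoted in the issue.
ISSUE_CONF = {
    "security.protocol": "sasl_ssl",
    "sasl.mechanism": "PLAIN",
    VERIFY_KEY: False,  # Python boolean, as in the report
    "sasl.username": "<username>",
    "sasl.password": "<password>",
}


def normalize_conf(conf):
    """Return (conf_for_client, coerced_keys, warnings).

    Assumption from the issue report: only the strings "true"/"false" are
    honoured for boolean properties, so Python booleans are rewritten.
    """
    out, coerced, warnings = {}, [], []
    for key, value in conf.items():
        if isinstance(value, bool):
            out[key] = "true" if value else "false"
            coerced.append(key)
        else:
            out[key] = value

    # This helper's own policy: accept only the two spellings shown in the issue.
    verify = str(out.get(VERIFY_KEY, "true")).strip().lower()
    if verify not in ("true", "false"):
        raise ValueError(f"{VERIFY_KEY} must be 'true' or 'false', got {verify!r}")

    # Make a disabled verification visible instead of silent.
    protocol = str(out.get("security.protocol", "plaintext")).lower()
    if protocol in TLS_PROTOCOLS and verify == "false":
        warnings.append(
            f"{VERIFY_KEY}=false with {protocol}: broker identity is not "
            "checked, so SASL credentials can reach an impostor broker"
        )
    return out, coerced, warnings


if __name__ == "__main__":
    conf, coerced, warnings = normalize_conf(ISSUE_CONF)
    print("coerced to strings:", coerced)
    for message in warnings:
        print("WARNING:", message)
    # conf is now ready for confluent_kafka.admin.AdminClient(conf).
```
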

Labels

  • bug (Reporting an unexpected or problematic behavior of the codebase)
  • code:python (Issues that are specific to Python or versions of Python independent of library logic)
  • priority:high (Maintainer triage tag for indicating high impact or criticality issues)
