
Comments (30)

jcolethornton avatar jcolethornton commented on September 22, 2024 1

same issue here for me

from snowflake-kafka-connector.

meusman1 avatar meusman1 commented on September 22, 2024

I am facing a similar issue

from snowflake-kafka-connector.

sfc-gh-gjachimko avatar sfc-gh-gjachimko commented on September 22, 2024

Let me check with the team how we can address it.

from snowflake-kafka-connector.

sfc-gh-wfateem avatar sfc-gh-wfateem commented on September 22, 2024

@meusman1 @jcolethornton @andrecowie did this issue just start occurring for you? Can you provide us with a date and timestamp in UTC of when you started noticing the problem?
That error is from the Java runtime saying that the client and the server couldn't agree on a cipher to use, or the client is using an older SSL version that's not supported. The latter is highly unlikely unless you're using an ancient JDK version. Can you add the following JVM argument to debug the problem?
-Djavax.net.debug=ssl,handshake

from snowflake-kafka-connector.

sfc-gh-wfateem avatar sfc-gh-wfateem commented on September 22, 2024

To provide a bit more of an explanation on why I'm suggesting you use that JVM argument:

This is going to provide traces from the JVM that show details of the handshake taking place between the client (i.e. the JDBC driver used by the Kafka Connector) and the server (i.e. Snowflake). You're going to want to find the client hello message sent by the client to review what ciphers were included in the list of ciphers it's telling the server it supports. Here's an example of what you're going to see in those logs:

javax.net.ssl|DEBUG|01|main|2024-04-25 08:57:54.977 CDT|ClientHello.java:651|Produced ClientHello handshake message (
"ClientHello": {
  "client version"      : "TLSv1.2",
...
  "cipher suites"       : "[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E), TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D), TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032)]",

The server then responds with a Server Hello message indicating the cipher it picked from that list:

javax.net.ssl|DEBUG|01|main|2024-04-25 08:57:55.015 CDT|ServerHello.java:866|Consuming ServerHello handshake message (
"ServerHello": {
  "server version"      : "TLSv1.2",
...
  "cipher suite"        : "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F)",

from snowflake-kafka-connector.

andrecowie avatar andrecowie commented on September 22, 2024

Thanks @sfc-gh-wfateem:

Apr 26 10:42:50 hostname connect-distributed[396254]: [2024-04-26 10:42:50,460] INFO [SF_KAFKA_CONNECTOR] Establishing a JDBC connection with url:jdbc:snowflake://account_name.region_name.snowflakecomputing.com:443 (com.snowflake.kafka.connector.internal.SnowflakeConnectionServiceV1:46)
Apr 26 10:42:50 hostname connect-distributed[396254]: javax.net.ssl|DEBUG|08|pool-4-thread-4|2024-04-26 10:42:50.787 NZST|Utilities.java:120|account_name.region_name.snowflakecomputing.com" is not a legal HostName for  server name indication
Apr 26 10:42:50 hostname connect-distributed[396254]: javax.net.ssl|DEBUG|08|pool-4-thread-4|2024-04-26 10:42:50.787 NZST|HandshakeContext.java:305|No available cipher suite for TLSv1.2
Apr 26 10:42:50 hostname connect-distributed[396254]: javax.net.ssl|ERROR|08|pool-4-thread-4|2024-04-26 10:42:50.788 NZST|TransportContext.java:370|Fatal (HANDSHAKE_FAILURE): Couldn't kickstart handshaking (
Apr 26 10:42:50 hostname connect-distributed[396254]: "throwable" : {
Apr 26 10:42:50 hostname connect-distributed[396254]:           at java.base/sun.security.ssl.ClientHandshakeContext.<init>(ClientHandshakeContext.java:103)               
Apr 26 10:42:50 hostname connect-distributed[396254]:           at java.base/sun.security.ssl.TransportContext.kickstart(TransportContext.java:247)
Apr 26 10:42:50 hostname connect-distributed[396254]:           at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:448)
Apr 26 10:42:50 hostname connect-distributed[396254]:           at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)
Apr 26 10:42:50 hostname connect-distributed[396254]:           at net.snowflake.client.jdbc.internal.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436)
Apr 26 10:42:50 hostname connect-distributed[396254]:           at net.snowflake.client.jdbc.internal.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
Apr 26 10:42:50 hostname connect-distributed[396254]:           at net.snowflake.client.jdbc.internal.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
Apr 26 10:42:50 hostname connect-distributed[396254]:           at net.snowflake.client.jdbc.internal.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376)
Apr 26 10:42:50 hostname connect-distributed[396254]:           at net.snowflake.client.jdbc.internal.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
Apr 26 10:42:50 hostname connect-distributed[396254]:           at net.snowflake.client.jdbc.internal.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
Apr 26 10:42:50 hostname connect-distributed[396254]:           at net.snowflake.client.jdbc.internal.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
Apr 26 10:42:50 hostname connect-distributed[396254]:           at net.snowflake.client.jdbc.internal.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
Apr 26 10:42:50 hostname connect-distributed[396254]:           at net.snowflake.client.jdbc.internal.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
Apr 26 10:42:50 hostname connect-distributed[396254]:           at net.snowflake.client.jdbc.internal.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
Apr 26 10:42:50 hostname connect-distributed[396254]:           at net.snowflake.client.jdbc.internal.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
Apr 26 10:42:50 hostname connect-distributed[396254]:           at net.snowflake.client.jdbc.internal.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
Apr 26 10:42:50 hostname connect-distributed[396254]:           at net.snowflake.client.jdbc.RestRequest.execute(RestRequest.java:207)
Apr 26 10:42:50 hostname connect-distributed[396254]:           at net.snowflake.client.jdbc.RestRequest.execute(RestRequest.java:66)
Apr 26 10:42:50 hostname connect-distributed[396254]:           at net.snowflake.client.core.HttpUtil.executeRequestInternal(HttpUtil.java:742)    

Any ideas on how to resolve "No available cipher suite for TLSv1.2" in our JVM?

from snowflake-kafka-connector.
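As an added example (not the connector's or this thread's own code), a Python parser for the javax.net.debug=ssl,handshake trace described earlier: for each JVM thread it extracts the ClientHello cipher suite offer and SNI, the ServerHello choice and negotiated version, and any "No available cipher suite" / HANDSHAKE_FAILURE lines, then flags offered suites without forward secrecy or using CBC/SHA-1. The embedded trace is constructed from the lines quoted in this thread; the thread names and hostname are placeholders.

```python
"""Summarise javax.net.debug=ssl,handshake output per JVM thread."""
import re

# Constructed sample, modelled on the traces quoted in this thread (not real logs).
SAMPLE_TRACE = """\
javax.net.ssl|DEBUG|08|pool-4-thread-4|2024-04-26 10:42:50.787 NZST|HandshakeContext.java:305|No available cipher suite for TLSv1.2
javax.net.ssl|ERROR|08|pool-4-thread-4|2024-04-26 10:42:50.788 NZST|TransportContext.java:370|Fatal (HANDSHAKE_FAILURE): Couldn't kickstart handshaking (
"throwable" : {
  javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
}
)
javax.net.ssl|DEBUG|18|pool-11-thread-6|2024-04-26 10:42:51.094 NZST|ClientHello.java:641|Produced ClientHello handshake message (
"ClientHello": {
  "client version"      : "TLSv1.2",
  "cipher suites"       : "[TLS_AES_256_GCM_SHA384(0x1302), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F)]",
  "extensions"          : [
    "server_name (0)": {
      type=host_name (0), value=client-telemetry.snowflakecomputing.com
    },
    "supported_versions (43)": {
      "versions": [TLSv1.3, TLSv1.2, TLSv1.1, TLSv1]
    }
  ]
}
)
javax.net.ssl|DEBUG|18|pool-11-thread-6|2024-04-26 10:42:51.253 NZST|ServerHello.java:888|Consuming ServerHello handshake message (
"ServerHello": {
  "server version"      : "TLSv1.2",
  "cipher suite"        : "TLS_AES_256_GCM_SHA384(0x1302)",
  "extensions"          : [
    "supported_versions (43)": {
      "selected version": [TLSv1.3]
    }
  ]
}
)
"""

HEADER = re.compile(r"^javax\.net\.ssl\|(?P<level>\w+)\|\w+\|(?P<thread>[^|]+)\|[^|]+\|(?P<src>[^|]+)\|(?P<msg>.*)$")
SUITE = re.compile(r"([A-Z0-9_]+)\(0x[0-9A-Fa-f]{4}\)")
SNI = re.compile(r"type=host_name \(0\), value=(\S+)")
SELECTED = re.compile(r'"selected version": \[([^\]]+)\]')
SERVER_VERSION = re.compile(r'"server version"\s*:\s*"([^"]+)"')


def new_record():
    return {"offered": [], "sni": None, "server_suite": None, "version": None, "errors": []}


def parse_trace(text):
    """Return {thread: record}; lines without a header belong to the last header's thread."""
    records, thread, section = {}, None, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            thread = m.group("thread")
            rec = records.setdefault(thread, new_record())
            msg = m.group("msg")
            if "Produced ClientHello" in msg:
                section = "ClientHello"
            elif "Consuming ServerHello" in msg:
                section = "ServerHello"
            else:
                section = None
                if msg.startswith("No available cipher suite") or "HANDSHAKE_FAILURE" in msg:
                    rec["errors"].append(msg.rstrip(" ("))
            continue
        if thread is None:
            continue
        rec, stripped = records[thread], line.strip()
        if section == "ClientHello":
            if stripped.startswith('"cipher suites"'):
                rec["offered"] = SUITE.findall(stripped)
            elif (s := SNI.search(stripped)):
                rec["sni"] = s.group(1)
        elif section == "ServerHello":
            if stripped.startswith('"cipher suite"'):
                found = SUITE.findall(stripped)
                rec["server_suite"] = found[0] if found else None
            elif (v := SELECTED.search(stripped)):
                rec["version"] = v.group(1)           # TLS 1.3 puts the real version here
            elif (sv := SERVER_VERSION.search(stripped)) and rec["version"] is None:
                rec["version"] = sv.group(1)          # legacy field, used by TLS 1.2 servers
        elif "SSLHandshakeException" in stripped:
            rec["errors"].append(stripped)
        if stripped == ")":
            section = None
    return records


def legacy_suites(suites):
    """Suites worth phasing out: static RSA/ECDH key exchange (no forward secrecy),
    CBC mode, or an HMAC-SHA1 suite (name ends in _SHA)."""
    return [s for s in suites
            if s.startswith(("TLS_RSA_WITH_", "TLS_ECDH_RSA_", "TLS_ECDH_ECDSA_"))
            or "_CBC_" in s or s.endswith("_SHA")]


def summarize(records):
    out = {}
    for thread, rec in records.items():
        if rec["errors"]:
            status = "failed"
        elif rec["server_suite"] and rec["server_suite"] in rec["offered"]:
            status = "ok"
        elif rec["server_suite"]:
            status = "suspicious"   # server chose a suite the client never offered
        else:
            status = "incomplete"
        out[thread] = {"status": status, "sni": rec["sni"], "version": rec["version"],
                       "suite": rec["server_suite"], "offered": len(rec["offered"]),
                       "legacy_offered": len(legacy_suites(rec["offered"])),
                       "errors": rec["errors"]}
    return out


if __name__ == "__main__":
    for thread, info in summarize(parse_trace(SAMPLE_TRACE)).items():
        print(thread, info)
```

Run it against a real trace by replacing SAMPLE_TRACE with the file contents; a thread marked "failed" with no ClientHello at all is the pattern seen in this thread, where the JVM gave up before sending anything.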

sfc-gh-wfateem avatar sfc-gh-wfateem commented on September 22, 2024

@andrecowie so there are two things going on here, and I'm unsure if they're related or not:
account_name.region_name.snowflakecomputing.com" is not a legal HostName for server name indication

You can test whether you run into the same problem by replacing the underscore characters in your account URL with hyphens, so change:
account_name.region.snowflakecomputing.com
To:
account-name.region.snowflakecomputing.com

This is a bigger issue when you're on AWS and you have firewall rules that inspect a certificate's SNI extension. In those scenarios, the error above will break that functionality. If you're running on-prem, then it's not typically an issue.

The second error requires more information:
No available cipher suite for TLSv1.2

Refer to my comment here and the kind of output I'm looking for.

from snowflake-kafka-connector.

andrecowie avatar andrecowie commented on September 22, 2024

Sorry, I just changed the account name and region name for security reasons; they do have hyphens. I am only seeing ClientHellos and ServerHellos after the error, for client-telemetry.snowflakecomputing.com, and they don't look like they are failing. This is the output from the first time Snowflake gets mentioned in the log. FYI, I have been able to get this exact config working on another Kafka cluster, so there's no issue with the account name or anything; it's definitely the SSL cipher.

[2024-04-26 10:42:50,460] INFO [SF_KAFKA_CONNECTOR] Using provided role ROLENAME for JDBC connection. (com.snowflake.kafka.connector.internal.InternalUtils:46)
[2024-04-26 10:42:50,460] INFO [SF_KAFKA_CONNECTOR] Establishing a JDBC connection with url:jdbc:snowflake://redacted.aws-region-x.snowflakecomputing.com:443 (com.snowflake.kafka.connector.internal.SnowflakeConnectionServiceV1:46)
javax.net.ssl|DEBUG|08|pool-4-thread-4|2024-04-26 10:42:50.787 NZST|Utilities.java:120|redacted.aws-region-x.snowflakecomputing.com" is not a legal HostName for  server name indication
javax.net.ssl|DEBUG|08|pool-4-thread-4|2024-04-26 10:42:50.787 NZST|HandshakeContext.java:305|No available cipher suite for TLSv1.2
javax.net.ssl|ERROR|08|pool-4-thread-4|2024-04-26 10:42:50.788 NZST|TransportContext.java:370|Fatal (HANDSHAKE_FAILURE): Couldn't kickstart handshaking (
"throwable" : {
  javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
          at java.base/sun.security.ssl.HandshakeContext.<init>(HandshakeContext.java:172)
          at java.base/sun.security.ssl.ClientHandshakeContext.<init>(ClientHandshakeContext.java:103)
          at java.base/sun.security.ssl.TransportContext.kickstart(TransportContext.java:247)
          at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:448)
          at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)
          at net.snowflake.client.jdbc.internal.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436)
          at net.snowflake.client.jdbc.internal.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
          at net.snowflake.client.jdbc.internal.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
          at net.snowflake.client.jdbc.internal.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376)
          at net.snowflake.client.jdbc.internal.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
          at net.snowflake.client.jdbc.internal.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
          at net.snowflake.client.jdbc.internal.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
          at net.snowflake.client.jdbc.internal.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
          at net.snowflake.client.jdbc.internal.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
          at net.snowflake.client.jdbc.internal.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
          at net.snowflake.client.jdbc.internal.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
          at net.snowflake.client.jdbc.internal.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
          at net.snowflake.client.jdbc.RestRequest.execute(RestRequest.java:207)
          at net.snowflake.client.jdbc.RestRequest.execute(RestRequest.java:66)
          at net.snowflake.client.core.HttpUtil.executeRequestInternal(HttpUtil.java:742)
          at net.snowflake.client.core.HttpUtil.executeRequest(HttpUtil.java:677)
          at net.snowflake.client.core.HttpUtil.executeGeneralRequest(HttpUtil.java:599)
          at net.snowflake.client.core.SessionUtil.newSession(SessionUtil.java:610)
          at net.snowflake.client.core.SessionUtil.openSession(SessionUtil.java:291)
          at net.snowflake.client.core.SFSession.open(SFSession.java:477)
          at net.snowflake.client.jdbc.DefaultSFConnectionHandler.initialize(DefaultSFConnectionHandler.java:104)
          at net.snowflake.client.jdbc.DefaultSFConnectionHandler.initializeConnection(DefaultSFConnectionHandler.java:79)
          at net.snowflake.client.jdbc.SnowflakeConnectionV1.initConnectionWithImpl(SnowflakeConnectionV1.java:116)
          at net.snowflake.client.jdbc.SnowflakeConnectionV1.<init>(SnowflakeConnectionV1.java:96)
          at net.snowflake.client.jdbc.SnowflakeDriver.connect(SnowflakeDriver.java:180)
          at com.snowflake.kafka.connector.internal.SnowflakeConnectionServiceV1.<init>(SnowflakeConnectionServiceV1.java:89)
          at com.snowflake.kafka.connector.internal.SnowflakeConnectionServiceFactory$SnowflakeConnectionServiceBuilder.build(SnowflakeConnectionServiceFactory.java:82)
          at com.snowflake.kafka.connector.SnowflakeSinkConnector.validate(SnowflakeSinkConnector.java:225)
          at org.apache.kafka.connect.runtime.AbstractHerder.validateConnectorConfig(AbstractHerder.java:592)
          at org.apache.kafka.connect.runtime.AbstractHerder.lambda$validateConnectorConfig$6(AbstractHerder.java:470)
          at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
          at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
          at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
          at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
          at java.base/java.lang.Thread.run(Thread.java:840)}
)
javax.net.ssl|DEBUG|08|pool-4-thread-4|2024-04-26 10:42:50.789 NZST|SSLSocketImpl.java:1759|close the underlying socket
javax.net.ssl|DEBUG|08|pool-4-thread-4|2024-04-26 10:42:50.789 NZST|SSLSocketImpl.java:1785|close the SSL connection (passive)
[2024-04-26 10:42:50,796] ERROR [SF_KAFKA_CONNECTOR] Validate: Error connecting to snowflake:[SF_KAFKA_CONNECTOR] Exception: Failed to connect to Snowflake Server
Error Code: 1001
Detail: Snowflake connection issue, reported by Snowflake JDBC
Message: JDBC driver encountered communication error. Message: No appropriate protocol (protocol is disabled or cipher suites are inappropriate).
net.snowflake.client.jdbc.RestRequest.execute(RestRequest.java:221)
net.snowflake.client.jdbc.RestRequest.execute(RestRequest.java:66)
net.snowflake.client.core.HttpUtil.executeRequestInternal(HttpUtil.java:742)
net.snowflake.client.core.HttpUtil.executeRequest(HttpUtil.java:677)
net.snowflake.client.core.HttpUtil.executeGeneralRequest(HttpUtil.java:599)
net.snowflake.client.core.SessionUtil.newSession(SessionUtil.java:610)
net.snowflake.client.core.SessionUtil.openSession(SessionUtil.java:291)
net.snowflake.client.core.SFSession.open(SFSession.java:477)
net.snowflake.client.jdbc.DefaultSFConnectionHandler.initialize(DefaultSFConnectionHandler.java:104)
net.snowflake.client.jdbc.DefaultSFConnectionHandler.initializeConnection(DefaultSFConnectionHandler.java:79)
net.snowflake.client.jdbc.SnowflakeConnectionV1.initConnectionWithImpl(SnowflakeConnectionV1.java:116)
net.snowflake.client.jdbc.SnowflakeConnectionV1.<init>(SnowflakeConnectionV1.java:96)
net.snowflake.client.jdbc.SnowflakeDriver.connect(SnowflakeDriver.java:180)
com.snowflake.kafka.connector.internal.SnowflakeConnectionServiceV1.<init>(SnowflakeConnectionServiceV1.java:89)
com.snowflake.kafka.connector.internal.SnowflakeConnectionServiceFactory$SnowflakeConnectionServiceBuilder.build(SnowflakeConnectionServiceFactory.java:82)
com.snowflake.kafka.connector.SnowflakeSinkConnector.validate(SnowflakeSinkConnector.java:225)
org.apache.kafka.connect.runtime.AbstractHerder.validateConnectorConfig(AbstractHerder.java:592)
org.apache.kafka.connect.runtime.AbstractHerder.lambda$validateConnectorConfig$6(AbstractHerder.java:470)
java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
java.base/java.lang.Thread.run(Thread.java:840), errorCode:1001 (com.snowflake.kafka.connector.SnowflakeSinkConnector:94)
[2024-04-26 10:42:50,800] INFO redacted-ip - - [25/Apr/2024:22:42:50 +0000] "PUT /connector-plugins/com.snowflake.kafka.connector.SnowflakeSinkConnector/config/validate HTTP/1.1" 200 25441 "https://hostname:9021/clusters/mDt-MV2JT-GfoFEftBVslA/management/connect/connect-cluster/connectors/new-sink/com.snowflake.kafka.connector.SnowflakeSinkConnector" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" 351 (org.apache.kafka.connect.runtime.rest.RestServer:62)
javax.net.ssl|INFO|18|pool-11-thread-6|2024-04-26 10:42:51.088 NZST|AlpnExtension.java:182|No available application protocols
javax.net.ssl|DEBUG|18|pool-11-thread-6|2024-04-26 10:42:51.089 NZST|SSLExtensions.java:272|Ignore, context unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|18|pool-11-thread-6|2024-04-26 10:42:51.089 NZST|SessionTicketExtension.java:410|Stateless resumption supported
javax.net.ssl|DEBUG|18|pool-11-thread-6|2024-04-26 10:42:51.089 NZST|SSLExtensions.java:272|Ignore, context unavailable extension: cookie
javax.net.ssl|DEBUG|18|pool-11-thread-6|2024-04-26 10:42:51.092 NZST|SSLExtensions.java:272|Ignore, context unavailable extension: renegotiation_info
javax.net.ssl|DEBUG|18|pool-11-thread-6|2024-04-26 10:42:51.093 NZST|PreSharedKeyExtension.java:661|No session to resume.
javax.net.ssl|DEBUG|18|pool-11-thread-6|2024-04-26 10:42:51.093 NZST|SSLExtensions.java:272|Ignore, context unavailable extension: pre_shared_key
javax.net.ssl|DEBUG|18|pool-11-thread-6|2024-04-26 10:42:51.094 NZST|ClientHello.java:641|Produced ClientHello handshake message (
"ClientHello": {
  "client version"      : "TLSv1.2",
  "random"              : "y",
  "session id"          : "x",
  "cipher suites"       : "[TLS_AES_256_GCM_SHA384(0x1302), TLS_AES_128_GCM_SHA256(0x1301), TLS_CHACHA20_POLY1305_SHA256(0x1303), TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256(0xCCA9), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256(0xCCA8), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256(0xCCAA), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E), TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032), TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D), TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), 
TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
  "compression methods" : "00",
  "extensions"          : [
    "server_name (0)": {
      type=host_name (0), value=client-telemetry.snowflakecomputing.com
    },
    "status_request (5)": {
      "certificate status type": ocsp
      "OCSP status request": {
        "responder_id": <empty>
        "request extensions": {
          <empty>
        }
      }
    },
    "supported_groups (10)": {
      "versions": [x25519, secp256r1, secp384r1, secp521r1, x448, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
    },
    "ec_point_formats (11)": {
      "formats": [uncompressed]
    },
    "status_request_v2 (17)": {
      "cert status request": {
        "certificate status type": ocsp_multi
        "OCSP status request": {
          "responder_id": <empty>
          "request extensions": {
            <empty>
          }
        }
      }
    },
    "extended_master_secret (23)": {
      <empty>
    },
    "session_ticket (35)": {
      <empty>
    },
    "signature_algorithms (13)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, ed25519, ed448, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "supported_versions (43)": {
      "versions": [TLSv1.3, TLSv1.2, TLSv1.1, TLSv1]
    },
    "psk_key_exchange_modes (45)": {
      "ke_modes": [psk_dhe_ke]
    },
    "signature_algorithms_cert (50)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, ed25519, ed448, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "key_share (51)": {
      "client_shares": [
        {
          "named group": x25519
          "key_exchange": {

          }
        },
        {
          "named group": secp256r1
          "key_exchange": {
          }
        },
      ]
    }
  ]
}
)
javax.net.ssl|DEBUG|18|pool-11-thread-6|2024-04-26 10:42:51.253 NZST|ServerHello.java:888|Consuming ServerHello handshake message (
"ServerHello": {
  "server version"      : "TLSv1.2",
  "random"              : "y",
  "session id"          : "x",
  "cipher suite"        : "TLS_AES_256_GCM_SHA384(0x1302)",
  "compression methods" : "00",
  "extensions"          : [
    "key_share (51)": {
      "server_share": {
        "named group": x25519
        "key_exchange": {
        }
      },
    },
    "supported_versions (43)": {
      "selected version": [TLSv1.3]
    }
  ]
}
)
javax.net.ssl|DEBUG|18|pool-11-thread-6|2024-04-26 10:42:51.254 NZST|SSLExtensions.java:204|Consumed extension: supported_versions
javax.net.ssl|DEBUG|18|pool-11-thread-6|2024-04-26 10:42:51.254 NZST|ServerHello.java:984|Negotiated protocol version: TLSv1.3
javax.net.ssl|DEBUG|18|pool-11-thread-6|2024-04-26 10:42:51.254 NZST|SSLExtensions.java:175|Ignore unsupported extension: server_name
javax.net.ssl|DEBUG|18|pool-11-thread-6|2024-04-26 10:42:51.254 NZST|SSLExtensions.java:175|Ignore unsupported extension: max_fragment_length
javax.net.ssl|DEBUG|18|pool-11-thread-6|2024-04-26 10:42:51.254 NZST|SSLExtensions.java:175|Ignore unsupported extension: status_request
javax.net.ssl|DEBUG|18|pool-11-thread-6|2024-04-26 10:42:51.254 NZST|SSLExtensions.java:175|Ignore unsupported extension: ec_point_formats
javax.net.ssl|DEBUG|18|pool-11-thread-6|2024-04-26 10:42:51.254 NZST|SSLExtensions.java:175|Ignore unsupported extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|18|pool-11-thread-6|2024-04-26 10:42:51.254 NZST|SSLExtensions.java:175|Ignore unsupported extension: status_request_v2
javax.net.ssl|DEBUG|18|pool-11-thread-6|2024-04-26 10:42:51.254 NZST|SSLExtensions.java:175|Ignore unsupported extension: extended_master_secret
javax.net.ssl|DEBUG|18|pool-11-thread-6|2024-04-26 10:42:51.254 NZST|SSLExtensions.java:175|Ignore unsupported extension: session_ticket
javax.net.ssl|DEBUG|18|pool-11-thread-6|2024-04-26 10:42:51.254 NZST|SSLExtensions.java:204|Consumed extension: supported_versions
javax.net.ssl|DEBUG|18|pool-11-thread-6|2024-04-26 10:42:51.254 NZST|SSLExtensions.java:204|Consumed extension: key_share
javax.net.ssl|DEBUG|18|pool-11-thread-6|2024-04-26 10:42:51.254 NZST|SSLExtensions.java:175|Ignore unsupported extension: renegotiation_info
javax.net.ssl|DEBUG|18|pool-11-thread-6|2024-04-26 10:42:51.254 NZST|PreSharedKeyExtension.java:924|Handling pre_shared_key absence.
javax.net.ssl|DEBUG|18|pool-11-thread-6|2024-04-26 10:42:51.255 NZST|SSLExtensions.java:219|Ignore unavailable extension: server_name
javax.net.ssl|DEBUG|18|pool-11-thread-6|2024-04-26 10:42:51.255 NZST|SSLExtensions.java:219|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|18|pool-11-thread-6|2024-04-26 10:42:51.255 NZST|SSLExtensions.java:219|Ignore unavailable extension: status_request
javax.net.ssl|DEBUG|18|pool-11-thread-6|2024-04-26 10:42:51.255 NZST|SSLExtensions.java:219|Ignore unavailable extension: ec_point_formats
javax.net.ssl|DEBUG|18|pool-11-thread-6|2024-04-26 10:42:51.255 NZST|SSLExtensions.java:219|Ignore unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|18|pool-11-thread-6|2024-04-26 10:42:51.255 NZST|SSLExtensions.java:219|Ignore unavailable extension: status_request_v2
javax.net.ssl|DEBUG|18|pool-11-thread-6|2024-04-26 10:42:51.255 NZST|SSLExtensions.java:219|Ignore unavailable extension: extended_master_secret
javax.net.ssl|DEBUG|18|pool-11-thread-6|2024-04-26 10:42:51.255 NZST|SSLExtensions.java:219|Ignore unavailable extension: session_ticket
javax.net.ssl|WARNING|18|pool-11-thread-6|2024-04-26 10:42:51.255 NZST|SSLExtensions.java:227|Ignore impact of unsupported extension: supported_versions
javax.net.ssl|WARNING|18|pool-11-thread-6|2024-04-26 10:42:51.255 NZST|SSLExtensions.java:227|Ignore impact of unsupported extension: key_share
javax.net.ssl|DEBUG|18|pool-11-thread-6|2024-04-26 10:42:51.255 NZST|SSLExtensions.java:219|Ignore unavailable extension: renegotiation_info
javax.net.ssl|DEBUG|18|pool-11-thread-6|2024-04-26 10:42:51.255 NZST|SSLExtensions.java:219|Ignore unavailable extension: pre_shared_key
javax.net.ssl|DEBUG|18|pool-11-thread-6|2024-04-26 10:42:51.256 NZST|SSLCipher.java:1870|KeyLimit read side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|DEBUG|18|pool-11-thread-6|2024-04-26 10:42:51.256 NZST|SSLCipher.java:2024|KeyLimit write side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|DEBUG|18|pool-11-thread-6|2024-04-26 10:42:51.256 NZST|ChangeCipherSpec.java:246|Consuming ChangeCipherSpec message
javax.net.ssl|DEBUG|18|pool-11-thread-6|2024-04-26 10:42:51.257 NZST|EncryptedExtensions.java:171|Consuming EncryptedExtensions handshake message (
"EncryptedExtensions": [
  <no extension>
]
)
javax.net.ssl|DEBUG|18|pool-11-thread-6|2024-04-26 10:42:51.257 NZST|SSLExtensions.java:185|Ignore unavailable extension: server_name
javax.net.ssl|DEBUG|18|pool-11-thread-6|2024-04-26 10:42:51.257 NZST|SSLExtensions.java:185|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|18|pool-11-thread-6|2024-04-26 10:42:51.257 NZST|SSLExtensions.java:185|Ignore unavailable extension: supported_groups
javax.net.ssl|DEBUG|18|pool-11-thread-6|2024-04-26 10:42:51.257 NZST|SSLExtensions.java:219|Ignore unavailable extension: server_name
javax.net.ssl|DEBUG|18|pool-11-thread-6|2024-04-26 10:42:51.257 NZST|SSLExtensions.java:219|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|18|pool-11-thread-6|2024-04-26 10:42:51.257 NZST|SSLExtensions.java:219|Ignore unavailable extension: supported_groups
javax.net.ssl|DEBUG|18|pool-11-thread-6|2024-04-26 10:42:51.257 NZST|SSLExtensions.java:219|Ignore unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|18|pool-11-thread-6|2024-04-26 10:42:51.258 NZST|CertificateMessage.java:1166|Consuming server Certificate handshake message (
"Certificate": {
  "certificate_request_context": "",
  "certificate_list": [
  {
    "certificate" : {
      "version"            : "v3",
      "serial number"      : "0B02C4A70C4B5E8FA80497503F80874A",
      "signature algorithm": "SHA256withRSA",
      "issuer"             : "CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US",
      "not before"         : "2024-03-22 13:00:00.000 NZDT",
      "not  after"         : "2025-03-23 12:59:59.000 NZDT",
      "subject"            : "CN=client-telemetry.snowflakecomputing.com, O=Snowflake Inc., L=San Mateo, ST=California, C=US",
      "subject public key" : "RSA",
      "extensions"         : [
        {
          ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
        },
        {
          ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
          AuthorityInfoAccess [
            [
             accessMethod: ocsp
             accessLocation: URIName: http://ocsp.digicert.com
          ,
             accessMethod: caIssuers
             accessLocation: URIName: http://cacerts.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crt
          ]
          ]
        },
        {
          ObjectId: 2.5.29.35 Criticality=false
          AuthorityKeyIdentifier [
          KeyIdentifier [
                                   ....
          ]
          ]
        },
        {
          ObjectId: 2.5.29.19 Criticality=true
          BasicConstraints:[
            CA:false
            PathLen: undefined
          ]
        },
        {
          ObjectId: 2.5.29.31 Criticality=false
          CRLDistributionPoints [
            [DistributionPoint:
               [URIName: http://crl3.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crl]
          , DistributionPoint:
               [URIName: http://crl4.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crl]
          ]]
        },
        {
          ObjectId: 2.5.29.32 Criticality=false
          CertificatePolicies [
            [CertificatePolicyId: [2.23.140.1.2.2]
          [PolicyQualifierInfo: [
            qualifierID: 1.3.6.1.5.5.7.2.1
            qualifier: 0000: 16 1B 68 74 74 70 3A 2F   2F 77 77 77 2E 64 69 67  ..http://www.dig
          0010: 69 63 65 72 74 2E 63 6F   6D 2F 43 50 53           icert.com/CPS
          
          ]]  ]
          ]
        },
        {
          ObjectId: 2.5.29.37 Criticality=false
          ExtendedKeyUsages [
            serverAuth
            clientAuth
          ]
        },
        {
          ObjectId: 2.5.29.15 Criticality=true
          KeyUsage [
            DigitalSignature
            Key_Encipherment
          ]
        },
        {
          ObjectId: 2.5.29.17 Criticality=false
          SubjectAlternativeName [
            DNSName: client-telemetry.snowflakecomputing.com
          ]
        },
        {
          ObjectId: 2.5.29.14 Criticality=false
          SubjectKeyIdentifier [
          KeyIdentifier [

          ]
          ]
        }
      ]}
    "extensions": {
      <no extension>
    }
  },
  {
    "certificate" : {
      "version"            : "v3",
      "serial number"      : "",
      "signature algorithm": "SHA256withRSA",
      "issuer"             : "CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US",
      "not before"         : "2021-03-30 13:00:00.000 NZDT",
      "not  after"         : "2031-03-30 12:59:59.000 NZDT",
      "subject"            : "CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US",
      "subject public key" : "RSA",
      "extensions"         : [
        {
          ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
          AuthorityInfoAccess [
            [
             accessMethod: ocsp
             accessLocation: URIName: http://ocsp.digicert.com
          ,
             accessMethod: caIssuers
             accessLocation: URIName: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
          ]
          ]
        },
        {
          ObjectId: 2.5.29.35 Criticality=false
          AuthorityKeyIdentifier [
          KeyIdentifier [
          ]
          ]
        },
        {
          ObjectId: 2.5.29.19 Criticality=true
          BasicConstraints:[
            CA:true
            PathLen:0
          ]
        },
        {
          ObjectId: 2.5.29.31 Criticality=false
          CRLDistributionPoints [
            [DistributionPoint:
               [URIName: http://crl3.digicert.com/DigiCertGlobalRootG2.crl]
          ]]
        },
        {
          ObjectId: 2.5.29.32 Criticality=false
          CertificatePolicies [
            [CertificatePolicyId: [2.16.840.1.114412.2.1]
          []  ]
            [CertificatePolicyId: [2.23.140.1.1]
          []  ]
            [CertificatePolicyId: [2.23.140.1.2.1]
          []  ]
            [CertificatePolicyId: [2.23.140.1.2.2]
          []  ]
            [CertificatePolicyId: [2.23.140.1.2.3]
          []  ]
          ]
        },
        {
          ObjectId: 2.5.29.37 Criticality=false
          ExtendedKeyUsages [
            serverAuth
            clientAuth
          ]
        },
        {
          ObjectId: 2.5.29.15 Criticality=true
          KeyUsage [
            DigitalSignature
            Key_CertSign
            Crl_Sign
          ]
        },
        {
          ObjectId: 2.5.29.14 Criticality=false
          SubjectKeyIdentifier [
          KeyIdentifier [
          ]
          ]
        }
      ]}
    "extensions": {
      <no extension>
    }
  },
]
}
)
javax.net.ssl|DEBUG|18|pool-11-thread-6|2024-04-26 10:42:51.258 NZST|SSLExtensions.java:185|Ignore unavailable extension: status_request
javax.net.ssl|DEBUG|18|pool-11-thread-6|2024-04-26 10:42:51.259 NZST|SSLExtensions.java:185|Ignore unavailable extension: status_request
javax.net.ssl|DEBUG|18|pool-11-thread-6|2024-04-26 10:42:51.260 NZST|CertificateVerify.java:1166|Consuming CertificateVerify handshake message (
"CertificateVerify": {
  "signature algorithm": rsa_pss_rsae_sha256
  "signature": {
   # HEX
  }
}
)
javax.net.ssl|DEBUG|18|pool-11-thread-6|2024-04-26 10:42:51.260 NZST|Finished.java:917|Consuming server Finished handshake message (
"Finished": {
  "verify data": {
        #HEX
  }'}
)


sfc-gh-wfateem avatar sfc-gh-wfateem commented on September 22, 2024

@andrecowie this is kind of odd. It doesn't seem like it's even sending a client hello message to the snowflakecomputing.com host. The point of interest is here:

at java.base/sun.security.ssl.HandshakeContext.<init>(HandshakeContext.java:172)
at java.base/sun.security.ssl.ClientHandshakeContext.<init>(ClientHandshakeContext.java:103)
at java.base/sun.security.ssl.TransportContext.kickstart(TransportContext.java:247)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:448)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)

Since this is working in another environment, I would suggest comparing JDK versions and comparing the java.security file between the two JDK installations to see if there are any differences.

I'm assuming the other working environments are also using the Snowflake Kafka Connector version 2.2.1, right?


andrecowie avatar andrecowie commented on September 22, 2024

Yea @sfc-gh-wfateem, using the same Snowflake connector version; however, the cluster it is working on is an Apache Kafka cluster running on Java:

java -version
openjdk version "11.0.17" 2022-10-18
OpenJDK Runtime Environment (build 11.0.17+8-post-Ubuntu-1ubuntu222.04)
OpenJDK 64-Bit Server VM (build 11.0.17+8-post-Ubuntu-1ubuntu222.04, mixed mode, sharing)

Where as the confluent platform is on:

openjdk version "17.0.10" 2024-01-16
OpenJDK Runtime Environment (build 17.0.10+7-Ubuntu-120.04.1)
OpenJDK 64-Bit Server VM (build 17.0.10+7-Ubuntu-120.04.1, mixed mode, sharing)

Which path do you think takes precedence for the java.security file:
/etc/java-17-openjdk/security/java.security
/usr/lib/jvm/java-17-openjdk-amd64/conf/security/java.security
?

I will compare the Confluent java.security with the Apache security file.


sfc-gh-wfateem avatar sfc-gh-wfateem commented on September 22, 2024

The following path is where I would expect to find the file:
/usr/lib/jvm/java-17-openjdk-amd64/conf/security/java.security

I don't know about the other /etc/java-17-openjdk/security/java.security


andrecowie avatar andrecowie commented on September 22, 2024

Have duplicated the java.security file from the working cluster to Confluent Platform and it is still not working. Perhaps it could be to do with the truststore that Connect is using? (Just a guess)


sfc-gh-wfateem avatar sfc-gh-wfateem commented on September 22, 2024

If that were the case, it would have failed after the server hello message and after the server had presented its certificate. This is failing off the bat, where it's not even starting a handshake, so I'm a bit puzzled by that error: "No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".

Now, are you saying that when you go back and downgrade the Snowflake Kafka Connector on that exact same environment, then it starts working again?

If that's the case, then I think I want to see if I'm able to reproduce this using the Snowflake Kafka Connector from Confluent.

What is the Confluent Platform version?


sfc-gh-wfateem avatar sfc-gh-wfateem commented on September 22, 2024

@andrecowie one thought here on why copying over the java.security file might not work on its own. If you plug in a security provider, say Bouncy Castle FIPS, then you would also need the appropriate JARs on the classpath.

Can you find the section where the providers are listed and compare that with your Confluent Platform environment?

The configuration will be in the following format: security.provider.<n> where n is an integer starting from 1.

Example:

security.provider.1=SUN
security.provider.2=SunRsaSign
security.provider.3=SunEC
security.provider.4=SunJSSE
security.provider.5=SunJCE

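The two suggestions above (compare the java.security files of the two JDK installations, and check the security.provider.<n> list in particular) can be done mechanically. The following program is an added example written for this thread; it is not part of the Snowflake Kafka Connector, the JDBC driver, or anything the commenters posted. It loads two java.security files with java.util.Properties (the same parser the JDK uses for that file, so `\` continuation lines in jdk.tls.disabledAlgorithms are handled), prints the ordered provider list and the TLS-relevant keys that differ, and first reports whether two candidate paths actually resolve to the same file, which answers the "which path takes precedence" question for a given installation without assuming how the distribution laid out its symlinks. The class name JavaSecurityDiff and the list of keys it compares are this example's choices, not a JDK or project API.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
import java.util.TreeMap;

/**
 * Compares the TLS-relevant settings of two java.security files, e.g. the one used by the
 * JDK that works and the one used by the JDK that fails the handshake.
 * Usage: java JavaSecurityDiff <working>/java.security <failing>/java.security
 * (Requires Java 9+ for List.of and $JAVA_HOME/conf/security; the thread uses 11 and 17.)
 */
public class JavaSecurityDiff {

    /** Keys whose values change which protocols and cipher suites JSSE will treat as usable. */
    static final List<String> KEYS_OF_INTEREST = List.of(
            "jdk.tls.disabledAlgorithms",
            "jdk.certpath.disabledAlgorithms",
            "jdk.security.legacyAlgorithms",
            "crypto.policy",
            "security.overridePropertiesFile",
            "keystore.type",
            "securerandom.source");

    /** java.security is a Properties file, so Properties.load parses it including continuation lines. */
    static Properties load(Path file) throws IOException {
        Properties props = new Properties();
        try (InputStream in = Files.newInputStream(file)) {
            props.load(in);
        }
        return props;
    }

    /** Extracts the ordered provider list: security.provider.1=SUN, security.provider.2=SunRsaSign, ... */
    static TreeMap<Integer, String> providers(Properties props) {
        TreeMap<Integer, String> out = new TreeMap<>();
        String prefix = "security.provider.";
        for (String key : props.stringPropertyNames()) {
            if (!key.startsWith(prefix)) continue;
            try {
                out.put(Integer.parseInt(key.substring(prefix.length())), props.getProperty(key).trim());
            } catch (NumberFormatException ignored) {
                // not a numbered provider entry; skip it
            }
        }
        return out;
    }

    /** Returns one human-readable line per difference that matters for TLS; empty list means no differences. */
    static List<String> diff(Properties a, Properties b) {
        List<String> out = new ArrayList<>();
        TreeMap<Integer, String> pa = providers(a), pb = providers(b);
        if (!pa.equals(pb)) {
            out.add("provider order differs:");
            out.add("  A: " + pa);
            out.add("  B: " + pb);
        }
        for (String key : KEYS_OF_INTEREST) {
            String va = a.getProperty(key, "<unset>").trim();
            String vb = b.getProperty(key, "<unset>").trim();
            if (!va.equals(vb)) {
                out.add(key + " differs:");
                out.add("  A: " + va);
                out.add("  B: " + vb);
            }
        }
        return out;
    }

    public static void main(String[] args) throws IOException {
        // The file the running JVM reads (unless -Djava.security.properties is used to override or append).
        Path active = Paths.get(System.getProperty("java.home"), "conf", "security", "java.security");
        System.out.println("this JVM's java.security: " + active
                + (Files.exists(active) ? " -> " + active.toRealPath() : " (missing)"));
        if (args.length != 2) {
            System.err.println("usage: JavaSecurityDiff <fileA> <fileB>");
            System.exit(2);
        }
        Path fa = Paths.get(args[0]), fb = Paths.get(args[1]);
        // Distribution packages may symlink one of these paths to the other; check before diffing.
        if (Files.isSameFile(fa, fb)) {
            System.out.println(fa + " and " + fb + " are the same file: " + fa.toRealPath());
            return;
        }
        List<String> differences = diff(load(fa), load(fb));
        if (differences.isEmpty()) {
            System.out.println("no TLS-relevant differences");
        }
        differences.forEach(System.out::println);
    }
}
```

Running it once with the two candidate paths from the same host tells you whether they are one file; running it with the working JDK's file against the failing JDK's file shows whether a provider was added or reordered or an algorithm was disabled. A differing provider list only matters if the provider's JAR is actually on the classpath of the failing JVM, which is the point made in the comment above.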

sfc-gh-wfateem avatar sfc-gh-wfateem commented on September 22, 2024

@andrecowie For your Confluent Platform, are you using the Snowflake Sink Connector provided on Confluent Hub?

That's the version you should be using in case you're not. I took a quick look at it, and in that distribution we don't include the Bouncy Castle provider in our JAR, because the one from Confluent Hub includes the Bouncy Castle FIPS JAR.


andrecowie avatar andrecowie commented on September 22, 2024

I installed it with:
confluent-hub install snowflakeinc/snowflake-kafka-connector:2.2.1
so I am assuming yes.


sfc-gh-wfateem avatar sfc-gh-wfateem commented on September 22, 2024

@andrecowie Yes, that would be the correct one. What's your Confluent Platform version? I'm going to see if I can reproduce this.


andrecowie avatar andrecowie commented on September 22, 2024

Version 7.6.0 installed via Ansible:

SSL and Secrets Enabled as well.

control_center_authentication_type: basic
control_center_basic_users:
  admin:
    principal: admin
    password: "{{ sasl_password_admin }}"
    roles: client,developer,admin
secrets_protection_enabled: true
secrets_protection_security_file: ~/ansible-confluent/security.properties
ssl_enabled: true
ssl_custom_certs: true
ssl_custom_certs_remote_src: true
ssl_ca_cert_filepath: /etc/ssl/private/_.ca-bundle.crt
ssl_signed_cert_filepath: /etc/ssl/private/_.crt
ssl_key_filepath:


sfc-gh-wfateem avatar sfc-gh-wfateem commented on September 22, 2024

@andrecowie I downloaded CP 7.6.0, extracted it and ran it locally. It's working fine for me, but in order to deploy and run it, the documentation mentions that I have to use either JDK 8 or JDK 11. I tested both of those, and they work.
Are you able to run a similar test to see if you can reproduce the issue in local mode as well?


andrecowie avatar andrecowie commented on September 22, 2024
If you want to use the confluent local commands, you must have Java 11 or 8 installed (version strings 1.11 or 1.8). Java 17 is the recommended Java version for Confluent Platform.

Well, this is not a local setup; it is a production cluster on JDK 17.


sfc-gh-wfateem avatar sfc-gh-wfateem commented on September 22, 2024

Right. I guess the point I was trying to make is that, in theory, if it works on a Confluent Platform, it should be irrelevant how that's deployed, because the problem here is specifically occurring in the JDBC driver, Apache HTTP Client, and core JDK libraries. But certainly the significant downfall of my test here is that I can't use JDK 17.

In any case, I'll take a look at the source code for the HTTP client library to see if I can figure out what might be happening here to tell us where we want to look next. Your failure is basically occurring here.

Unfortunately though, we explicitly turn off the ability to enable debugging for the HTTP client since that can print out sensitive information like credentials and data over the wire. Some of that logging would have been helpful, like here.

I'll work through the code to figure out how these supported ciphers are determined and finally passed to the SSLSocket.


andrecowie avatar andrecowie commented on September 22, 2024

Thanks so much for your help on this issue @sfc-gh-wfateem; let me know how your investigation on the ciphers goes. I will be eagerly anticipating a reply.


sfc-gh-wfateem avatar sfc-gh-wfateem commented on September 22, 2024

@andrecowie I'm still working through this, but can you try something out for me and let me know what the outcome is by setting the following JVM arguments, please?
-Djavax.net.debug=ssl,handshake -Dhttps.protocols=TLSv1.2 -Dhttps.cipherSuites=TLS_AES_256_GCM_SHA384


sfc-gh-wfateem avatar sfc-gh-wfateem commented on September 22, 2024

@andrecowie I would be curious to know what the outcome is from that last test.
Here we explicitly set the protocol to TLSv1.2, so the argument -Dhttps.protocol=TLSv1.2 is redundant and unnecessary. That's further validated by the fact that we see the following message in the logs:

javax.net.ssl|DEBUG|08|pool-4-thread-4|2024-04-26 10:42:50.787 NZST|HandshakeContext.java:305|No available cipher suite for TLSv1.2

I would like you to run another test after that with the following arguments instead:
-Dhttps.protocols=TLSv1.3 -Dhttps.cipherSuites=TLS_AES_256_GCM_SHA384

Please let me know what the results are.

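The error in this thread is thrown while the JDK builds its HandshakeContext, before any bytes go on the wire, so it can be reproduced and investigated without the connector, the JDBC driver, or a network. The probe below is an added example for this thread, not code from the Snowflake project or from any commenter: it creates a client-mode SSLEngine from the default SSLContext, applies a protocol list and a cipher-suite list, and calls beginHandshake(), which goes through the same TransportContext.kickstart() to HandshakeContext.<init> path shown in the stack trace. It also prints the installed providers, jdk.tls.disabledAlgorithms and the JSSE defaults, which are the inputs that decide whether any TLSv1.2 suite is available. One caveat the probe makes visible: TLS_AES_256_GCM_SHA384 is a TLS 1.3-only suite, so combining it with a protocol list of just TLSv1.2 produces "No appropriate protocol" on every JDK, independent of the environment; the informative line is the "TLSv1.2 + JSSE defaults" one, which succeeds on a healthy JDK 11 or 17 and fails only when providers or disabled algorithms have removed every TLSv1.2 suite. The class name TlsKickstartProbe, the probe() helper and the placeholder peer name probe.invalid are this example's own; the https.protocols and https.cipherSuites properties are read by the probe itself, in the comma-separated form those properties use, rather than assuming how the driver consumes them.

```java
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLHandshakeException;

/**
 * Reproduces the "No appropriate protocol" check offline. SSLEngine.beginHandshake() runs the
 * same TransportContext.kickstart() -> HandshakeContext.<init> code as SSLSocketImpl.startHandshake(),
 * so it fails identically when no enabled cipher suite is usable with any enabled protocol.
 * Run with -Djavax.net.debug=ssl,handshake to also see "No available cipher suite for TLSv1.2".
 */
public class TlsKickstartProbe {

    static final class Outcome {
        final boolean kickstarted;
        final String detail;
        Outcome(boolean kickstarted, String detail) { this.kickstarted = kickstarted; this.detail = detail; }
        @Override public String toString() { return (kickstarted ? "OK   " : "FAIL ") + detail; }
    }

    /** A null list keeps the JSSE defaults for that dimension (protocols or suites). */
    static Outcome probe(String[] protocols, String[] cipherSuites) throws Exception {
        // "probe.invalid" is a placeholder peer name; nothing is contacted, the engine never leaves memory.
        SSLEngine engine = SSLContext.getDefault().createSSLEngine("probe.invalid", 443);
        engine.setUseClientMode(true);
        try {
            if (protocols != null) engine.setEnabledProtocols(protocols);
            if (cipherSuites != null) engine.setEnabledCipherSuites(cipherSuites);
        } catch (IllegalArgumentException e) {
            // A name the installed providers do not support at all (possible after swapping in another provider).
            return new Outcome(false, "not supported by this JSSE: " + e.getMessage());
        }
        try {
            engine.beginHandshake();
            return new Outcome(true, "handshake context created for " + Arrays.toString(engine.getEnabledProtocols())
                    + " with " + engine.getEnabledCipherSuites().length + " suite(s)");
        } catch (SSLHandshakeException e) {
            // "No appropriate protocol (protocol is disabled or cipher suites are inappropriate)" lands here.
            return new Outcome(false, e.getMessage());
        }
    }

    /** https.protocols / https.cipherSuites are comma-separated lists; unset means "use defaults". */
    static String[] fromSystemProperty(String name) {
        String v = System.getProperty(name);
        if (v == null || v.trim().isEmpty()) return null;
        return Arrays.stream(v.split(",")).map(String::trim).filter(s -> !s.isEmpty()).toArray(String[]::new);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("jdk.tls.disabledAlgorithms = " + Security.getProperty("jdk.tls.disabledAlgorithms"));
        for (Provider p : Security.getProviders()) {
            System.out.println("provider: " + p.getName() + " " + p.getVersionStr());
        }
        SSLEngine defaults = SSLContext.getDefault().createSSLEngine();
        System.out.println("default enabled protocols: " + Arrays.toString(defaults.getEnabledProtocols()));
        System.out.println("default enabled suites:    " + Arrays.toString(defaults.getEnabledCipherSuites()));

        System.out.println("JSSE defaults:             " + probe(null, null));
        // Expected to fail everywhere: TLS_AES_256_GCM_SHA384 only exists for TLS 1.3.
        System.out.println("TLSv1.2 + TLS 1.3 suite:   "
                + probe(new String[]{"TLSv1.2"}, new String[]{"TLS_AES_256_GCM_SHA384"}));
        System.out.println("TLSv1.3 + TLS 1.3 suite:   "
                + probe(new String[]{"TLSv1.3"}, new String[]{"TLS_AES_256_GCM_SHA384"}));
        // The diagnostic line: OK on a healthy JDK, FAIL when this environment has no usable TLSv1.2 suite.
        System.out.println("TLSv1.2 + JSSE defaults:   " + probe(new String[]{"TLSv1.2"}, null));
        // Whatever -Dhttps.protocols / -Dhttps.cipherSuites were passed to this JVM.
        System.out.println("https.* system properties: "
                + probe(fromSystemProperty("https.protocols"), fromSystemProperty("https.cipherSuites")));
    }
}
```

Run it on the failing Confluent Platform host with the same JDK 17 and the same provider JARs on the classpath as the Connect worker (the provider list it prints should match what the worker sees), then on the working host; the first line that differs between the two runs points at the protocol, suite or provider that was lost.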

andrecowie avatar andrecowie commented on September 22, 2024

Same issue :(

have attempted -Dhttps.protocols=TLSv1.3 & -Dhttps.protocols=TLSv1.2 & -Dhttps.protocols=TLSv1.3,TLSv1.2

all with -Dhttps.cipherSuites=TLS_AES_256_GCM_SHA384

May 08 09:51:10 hostname connect-distributed[1764270]: javax.net.ssl|DEBUG|08|pool-4-thread-2|2024-05-08 09:51:10.600 NZST|HandshakeContext.java:305|No available cipher suite for TLSv1.2
May 08 09:51:10 hostname connect-distributed[1764270]: javax.net.ssl|ERROR|08|pool-4-thread-2|2024-05-08 09:51:10.601 NZST|TransportContext.java:370|Fatal (HANDSHAKE_FAILURE): Couldn't kickstart handshaking (
May 08 09:51:10 hostname connect-distributed[1764270]: "throwable" : {
May 08 09:51:10 hostname connect-distributed[1764270]:   javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
May 08 09:51:10 hostname connect-distributed[1764270]:           at java.base/sun.security.ssl.HandshakeContext.<init>(HandshakeContext.java:172)
May 08 09:51:10 hostname connect-distributed[1764270]:           at java.base/sun.security.ssl.ClientHandshakeContext.<init>(ClientHandshakeContext.java:103)
May 08 09:51:10 hostname connect-distributed[1764270]:           at java.base/sun.security.ssl.TransportContext.kickstart(TransportContext.java:247)
May 08 09:51:10 hostname connect-distributed[1764270]:           at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:448)
May 08 09:51:10 hostname connect-distributed[1764270]:           at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)
May 08 09:51:10 hostname connect-distributed[1764270]:           at net.snowflake.client.jdbc.internal.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436)
May 08 09:51:10 hostname connect-distributed[1764270]:           at net.snowflake.client.jdbc.internal.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
May 08 09:51:10 hostname connect-distributed[1764270]:           at net.snowflake.client.jdbc.internal.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
May 08 09:51:10 hostname connect-distributed[1764270]:           at net.snowflake.client.jdbc.internal.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376)
May 08 09:51:10 hostname connect-distributed[1764270]:           at net.snowflake.client.jdbc.internal.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
May 08 09:51:10 hostname connect-distributed[1764270]:           at net.snowflake.client.jdbc.internal.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
May 08 09:51:10 hostname connect-distributed[1764270]:           at net.snowflake.client.jdbc.internal.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
May 08 09:51:10 hostname connect-distributed[1764270]:           at net.snowflake.client.jdbc.internal.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
May 08 09:51:10 hostname connect-distributed[1764270]:           at net.snowflake.client.jdbc.internal.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
May 08 09:51:10 hostname connect-distributed[1764270]:           at net.snowflake.client.jdbc.internal.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
May 08 09:51:10 hostname connect-distributed[1764270]:           at net.snowflake.client.jdbc.internal.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
May 08 09:51:10 hostname connect-distributed[1764270]:           at net.snowflake.client.jdbc.internal.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
May 08 09:51:10 hostname connect-distributed[1764270]:           at net.snowflake.client.jdbc.RestRequest.execute(RestRequest.java:207)
May 08 09:51:10 hostname connect-distributed[1764270]:           at net.snowflake.client.jdbc.RestRequest.execute(RestRequest.java:66)
May 08 09:51:10 hostname connect-distributed[1764270]:           at net.snowflake.client.core.HttpUtil.executeRequestInternal(HttpUtil.java:742)
May 08 09:51:10 hostname connect-distributed[1764270]:           at net.snowflake.client.core.HttpUtil.executeRequest(HttpUtil.java:677)
May 08 09:51:10 hostname connect-distributed[1764270]:           at net.snowflake.client.core.HttpUtil.executeGeneralRequest(HttpUtil.java:599)
May 08 09:51:10 hostname connect-distributed[1764270]:           at net.snowflake.client.core.SessionUtil.newSession(SessionUtil.java:610)
May 08 09:51:10 hostname connect-distributed[1764270]:           at net.snowflake.client.core.SessionUtil.openSession(SessionUtil.java:291)
May 08 09:51:10 hostname connect-distributed[1764270]:           at net.snowflake.client.core.SFSession.open(SFSession.java:477)
May 08 09:51:10 hostname connect-distributed[1764270]:           at net.snowflake.client.jdbc.DefaultSFConnectionHandler.initialize(DefaultSFConnectionHandler.java:104)
May 08 09:51:10 hostname connect-distributed[1764270]:           at net.snowflake.client.jdbc.DefaultSFConnectionHandler.initializeConnection(DefaultSFConnectionHandler.java:79)
May 08 09:51:10 hostname connect-distributed[1764270]:           at net.snowflake.client.jdbc.SnowflakeConnectionV1.initConnectionWithImpl(SnowflakeConnectionV1.java:116)
May 08 09:51:10 hostname connect-distributed[1764270]:           at net.snowflake.client.jdbc.SnowflakeConnectionV1.<init>(SnowflakeConnectionV1.java:96)
May 08 09:51:10 hostname connect-distributed[1764270]:           at net.snowflake.client.jdbc.SnowflakeDriver.connect(SnowflakeDriver.java:180)
May 08 09:51:10 hostname connect-distributed[1764270]:           at com.snowflake.kafka.connector.internal.SnowflakeConnectionServiceV1.<init>(SnowflakeConnectionServiceV1.java:89)
May 08 09:51:10 hostname connect-distributed[1764270]:           at com.snowflake.kafka.connector.internal.SnowflakeConnectionServiceFactory$SnowflakeConnectionServiceBuilder.build(SnowflakeConnectionServiceFactory.java:82)
May 08 09:51:10 hostname connect-distributed[1764270]:           at com.snowflake.kafka.connector.SnowflakeSinkConnector.validate(SnowflakeSinkConnector.java:225)
May 08 09:51:10 hostname connect-distributed[1764270]:           at org.apache.kafka.connect.runtime.AbstractHerder.validateConnectorConfig(AbstractHerder.java:592)
May 08 09:51:10 hostname connect-distributed[1764270]:           at org.apache.kafka.connect.runtime.AbstractHerder.lambda$validateConnectorConfig$6(AbstractHerder.java:470)
May 08 09:51:10 hostname connect-distributed[1764270]:           at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
May 08 09:51:10 hostname connect-distributed[1764270]:           at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
May 08 09:51:10 hostname connect-distributed[1764270]:           at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
May 08 09:51:10 hostname connect-distributed[1764270]:           at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
May 08 09:51:10 hostname connect-distributed[1764270]:           at java.base/java.lang.Thread.run(Thread.java:840)}


sfc-gh-wfateem avatar sfc-gh-wfateem commented on September 22, 2024

Ok, so I want to step back here for a moment and just rule out a few things.

This is the error stack:


javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
           at java.base/sun.security.ssl.HandshakeContext.<init>(HandshakeContext.java:172)
           at java.base/sun.security.ssl.ClientHandshakeContext.<init>(ClientHandshakeContext.java:103)
           at java.base/sun.security.ssl.TransportContext.kickstart(TransportContext.java:247)
           at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:448)
           at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)
           at net.snowflake.client.jdbc.internal.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436)
           at net.snowflake.client.jdbc.internal.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
           at net.snowflake.client.jdbc.internal.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
           at net.snowflake.client.jdbc.internal.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376)
           at net.snowflake.client.jdbc.internal.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
           at net.snowflake.client.jdbc.internal.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
           at net.snowflake.client.jdbc.internal.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
           at net.snowflake.client.jdbc.internal.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
           at net.snowflake.client.jdbc.internal.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
           at net.snowflake.client.jdbc.internal.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
           at net.snowflake.client.jdbc.internal.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
           at net.snowflake.client.jdbc.internal.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
           at net.snowflake.client.jdbc.RestRequest.execute(RestRequest.java:207)
           at net.snowflake.client.jdbc.RestRequest.execute(RestRequest.java:66)
           at net.snowflake.client.core.HttpUtil.executeRequestInternal(HttpUtil.java:742)
           at net.snowflake.client.core.HttpUtil.executeRequest(HttpUtil.java:677)
           at net.snowflake.client.core.HttpUtil.executeGeneralRequest(HttpUtil.java:599)
           at net.snowflake.client.core.SessionUtil.newSession(SessionUtil.java:610)
           at net.snowflake.client.core.SessionUtil.openSession(SessionUtil.java:291)
           at net.snowflake.client.core.SFSession.open(SFSession.java:477)

That's just plain Snowflake JDBC code, and that's the path it would take when you try to create a connection. So if I provide you with a Java application that uses the JDBC driver to create a connection, can you run that separately on the same Confluent Platform environment?

That's just going to help narrow down the problem space, because my gut feeling says this has little to do with the Snowflake Kafka Connector and Confluent Kafka.


sfc-gh-wfateem avatar sfc-gh-wfateem commented on September 22, 2024

I'm looking at the Confluent system requirements documentation here, and it says that Confluent Platform supports JDK 17, 11, and 8. While 17 is recommended, and we'll still want to figure out what's going on in your environment so that you can go back to using JDK 17, can you at least switch to JDK 11 on that Confluent Platform 7.6 environment to see if things work or not?


sfc-gh-wfateem avatar sfc-gh-wfateem commented on September 22, 2024

@andrecowie I just wanted to follow up with you.
Were you able to make any progress with this issue?

