Debezium / DBZ-4167

Debezium 1.7 image disables insecure algorithms; breaks unpatched databases


Details

      Steps to reproduce: use an insecure database, maybe one with only TLSv1 enabled, as a source using docker image 1.7.

    Description

      Debezium docker image 1.7 adds a java.config file at `/etc/crypto-policies/back-ends/java.config` that disables a bunch of insecure TLS algorithms, and that is a possibly breaking change.

      Upon upgrading we were hit with this error:

```
2021-10-13 16:54:50,875 TRACE  ||  Props: {server.name=meiosdepagamento__db_eldorado_batch, history.consumer.security.protocol=SSL, history.kafka.bootstrap.servers=****************, history.producer.security.protocol=SSL, password=***, history.kafka.topic=meiosdepagamento__db_eldorado_batch.history, user=*********}   [io.debezium.jdbc.JdbcConnection]
2021-10-13 16:54:50,875 TRACE  ||  URL: jdbc:sqlserver://xxx.xxx.xxx.xxx:1433;databaseName=dbEldoradoBatch   [io.debezium.jdbc.JdbcConnection]
2021-10-13 16:54:50,883 ERROR  ||  [Worker clientId=connect-1, groupId=1] Failed to reconfigure connector's tasks (meiosdepagamento__db_eldorado_batch), retrying after backoff:   [org.apache.kafka.connect.runtime.distributed.DistributedHerder]
org.apache.kafka.connect.errors.ConnectException: com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "Certificates do not conform to algorithm constraints".
ClientConnectionId:063ec11c-f517-4ae2-b669-36458426b24d
        at io.debezium.jdbc.JdbcConnection.lambda$createPreparedStatement$6(JdbcConnection.java:1373)
        at java.base/java.util.concurrent.ConcurrentMap.computeIfAbsent(ConcurrentMap.java:330)
        at io.debezium.jdbc.JdbcConnection.createPreparedStatement(JdbcConnection.java:1367)
        at io.debezium.jdbc.JdbcConnection.prepareQueryAndMap(JdbcConnection.java:752)
        at io.debezium.connector.sqlserver.SqlServerConnection.retrieveRealDatabaseName(SqlServerConnection.java:427)
        at io.debezium.connector.sqlserver.SqlServerConnector.taskConfigs(SqlServerConnector.java:64)
        at org.apache.kafka.connect.runtime.Worker.connectorTaskConfigs(Worker.java:354)
        at org.apache.kafka.connect.runtime.distributed.DistributedHerder.reconfigureConnector(DistributedHerder.java:1432)
        at org.apache.kafka.connect.runtime.distributed.DistributedHerder.reconfigureConnectorTasksWithRetry(DistributedHerder.java:1379)
        at org.apache.kafka.connect.runtime.distributed.DistributedHerder.lambda$null$24(DistributedHerder.java:1392)
        at org.apache.kafka.connect.runtime.distributed.DistributedHerder.tick(DistributedHerder.java:398)
        at org.apache.kafka.connect.runtime.distributed.DistributedHerder.run(DistributedHerder.java:316)
        at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
        at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "Certificates do not conform to algorithm constraints".
ClientConnectionId:063ec11c-f517-4ae2-b669-36458426b24d
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.terminate(SQLServerConnection.java:2892)
        at com.microsoft.sqlserver.jdbc.TDSChannel.enableSSL(IOBuffer.java:1881)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:2452)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:2103)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectInternal(SQLServerConnection.java:1950)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:1162)
        at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:735)
        at io.debezium.jdbc.JdbcConnection.lambda$patternBasedFactory$1(JdbcConnection.java:237)
        at io.debezium.jdbc.JdbcConnection$ConnectionFactoryDecorator.connect(JdbcConnection.java:122)
        at io.debezium.jdbc.JdbcConnection.connection(JdbcConnection.java:891)
        at io.debezium.connector.sqlserver.SqlServerConnection.connection(SqlServerConnection.java:171)
        at io.debezium.jdbc.JdbcConnection.connection(JdbcConnection.java:886)
        at io.debezium.jdbc.JdbcConnection.lambda$createPreparedStatement$6(JdbcConnection.java:1370)
        ... 16 more
Caused by: javax.net.ssl.SSLHandshakeException: Certificates do not conform to algorithm constraints
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:349)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:292)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:287)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
        at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
        at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
        at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
        at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1426)
        at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1336)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:450)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:421)
        at com.microsoft.sqlserver.jdbc.TDSChannel.enableSSL(IOBuffer.java:1799)
        ... 27 more
Caused by: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
        at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1681)
        at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:1606)
        at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:1550)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
        ... 39 more
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA1withRSA
        at java.base/sun.security.provider.certpath.AlgorithmChecker.check(AlgorithmChecker.java:237)
        at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1677)
        ... 42 more
```

      Another change is in the java.security file (which is overridden by java.config).

      1.6: in /usr/lib/jvm/java-11-openjdk-11.0.8.10-0.el7_8.x86_64/conf/security/java.security

```
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
```

      1.7: in /usr/lib/jvm/java-11-openjdk-11.0.12.0.7-4.fc34.x86_64/conf/security/java.security

```
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves
```

      If this is intended behavior maybe it should be documented as a breaking change?
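As an added example (not part of this issue or of Debezium), the following script parses the two `jdk.tls.disabledAlgorithms` values quoted above and reports which properties of a source database's TLS endpoint the 1.6 and 1.7 JDK configurations would refuse, so an operator can predict the breakage before upgrading the image. It handles only the two entry forms present in the quoted values (plain names and `keySize` constraints); the `SHA1withRSA` rejection in the stack trace comes from the crypto-policies `java.config`, whose contents the issue does not quote, so it is not modelled here.

```python
"""Evaluate a server's TLS properties against a jdk.tls.disabledAlgorithms value.
Added example, not Debezium code; only the entry forms quoted in DBZ-4167 are parsed."""
import operator
import re

# The two property values quoted in the issue, with the backslash continuations joined.
POLICY_1_6 = ("SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, "
              "EC keySize < 224, 3DES_EDE_CBC, anon, NULL")
POLICY_1_7 = ("SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, "
              "DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, "
              "include jdk.disabled.namedCurves")

_OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
        ">=": operator.ge, "==": operator.eq, "!=": operator.ne}


def parse_policy(value):
    """Split a disabledAlgorithms value into plain names and per-algorithm keySize limits.
    An 'include <property>' entry refers to another property and is skipped here."""
    names, limits = set(), {}
    for entry in (e.strip() for e in value.split(",")):
        m = re.fullmatch(r"(\w+)\s+keySize\s*(<=|>=|==|!=|<|>)\s*(\d+)", entry)
        if m:
            limits[m.group(1)] = (m.group(2), int(m.group(3)))
        elif entry and not entry.startswith("include "):
            names.add(entry)
    return names, limits


def violations(policy, protocol, sig_alg, key_alg, key_size):
    """Return the reasons the JDK would refuse a server that offers only `protocol`,
    presents a certificate signed with `sig_alg`, and negotiates a `key_alg` key of
    `key_size` bits. An empty list means this policy does not object."""
    names, limits = parse_policy(policy)
    found = []
    if protocol in names:
        found.append(f"protocol {protocol} disabled")
    if sig_alg in names:
        found.append(f"signature algorithm {sig_alg} disabled")
    if key_alg in limits:
        op, limit = limits[key_alg]
        if _OPS[op](key_size, limit):
            found.append(f"{key_alg} keySize {key_size} violates keySize {op} {limit}")
    return found


if __name__ == "__main__":
    # Constructed sample server: TLSv1 only, SHA1withRSA certificate, RSA 2048 key.
    for label, policy in (("1.6", POLICY_1_6), ("1.7", POLICY_1_7)):
        print(label, violations(policy, "TLSv1", "SHA1withRSA", "RSA", 2048) or "ok")
```

For the constructed TLSv1-only server the 1.6 policy reports nothing while the 1.7 policy reports the disabled protocol, which matches the "only TLSv1 enabled" reproduction above.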

      Reporter: Thiago Dantas (danthimself)