- Bug
- Resolution: Done
- Major
- 1.7.0.Final
Debezium Docker image 1.7 adds a java.config file at `/etc/crypto-policies/back-ends/java.config` that disables a number of insecure TLS algorithms, which is a possibly breaking change.
Upon upgrading we were hit with this error:
```
2021-10-13 16:54:50,875 TRACE || Props: {server.name=meiosdepagamento__db_eldorado_batch, history.consumer.security.protocol=SSL, history.kafka.bootstrap.servers=****************, history.producer.security.protocol=SSL, password=***, history.kafka.topic=meiosdepagamento__db_eldorado_batch.history, user=*********} [io.debezium.jdbc.JdbcConnection]
2021-10-13 16:54:50,875 TRACE || URL: jdbc:sqlserver://xxx.xxx.xxx.xxx:1433;databaseName=dbEldoradoBatch [io.debezium.jdbc.JdbcConnection]
2021-10-13 16:54:50,883 ERROR || [Worker clientId=connect-1, groupId=1] Failed to reconfigure connector's tasks (meiosdepagamento__db_eldorado_batch), retrying after backoff: [org.apache.kafka.connect.runtime.distributed.DistributedHerder]
org.apache.kafka.connect.errors.ConnectException: com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "Certificates do not conform to algorithm constraints". ClientConnectionId:063ec11c-f517-4ae2-b669-36458426b24d
	at io.debezium.jdbc.JdbcConnection.lambda$createPreparedStatement$6(JdbcConnection.java:1373)
	at java.base/java.util.concurrent.ConcurrentMap.computeIfAbsent(ConcurrentMap.java:330)
	at io.debezium.jdbc.JdbcConnection.createPreparedStatement(JdbcConnection.java:1367)
	at io.debezium.jdbc.JdbcConnection.prepareQueryAndMap(JdbcConnection.java:752)
	at io.debezium.connector.sqlserver.SqlServerConnection.retrieveRealDatabaseName(SqlServerConnection.java:427)
	at io.debezium.connector.sqlserver.SqlServerConnector.taskConfigs(SqlServerConnector.java:64)
	at org.apache.kafka.connect.runtime.Worker.connectorTaskConfigs(Worker.java:354)
	at org.apache.kafka.connect.runtime.distributed.DistributedHerder.reconfigureConnector(DistributedHerder.java:1432)
	at org.apache.kafka.connect.runtime.distributed.DistributedHerder.reconfigureConnectorTasksWithRetry(DistributedHerder.java:1379)
	at org.apache.kafka.connect.runtime.distributed.DistributedHerder.lambda$null$24(DistributedHerder.java:1392)
	at org.apache.kafka.connect.runtime.distributed.DistributedHerder.tick(DistributedHerder.java:398)
	at org.apache.kafka.connect.runtime.distributed.DistributedHerder.run(DistributedHerder.java:316)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "Certificates do not conform to algorithm constraints". ClientConnectionId:063ec11c-f517-4ae2-b669-36458426b24d
	at com.microsoft.sqlserver.jdbc.SQLServerConnection.terminate(SQLServerConnection.java:2892)
	at com.microsoft.sqlserver.jdbc.TDSChannel.enableSSL(IOBuffer.java:1881)
	at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:2452)
	at com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:2103)
	at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectInternal(SQLServerConnection.java:1950)
	at com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:1162)
	at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:735)
	at io.debezium.jdbc.JdbcConnection.lambda$patternBasedFactory$1(JdbcConnection.java:237)
	at io.debezium.jdbc.JdbcConnection$ConnectionFactoryDecorator.connect(JdbcConnection.java:122)
	at io.debezium.jdbc.JdbcConnection.connection(JdbcConnection.java:891)
	at io.debezium.connector.sqlserver.SqlServerConnection.connection(SqlServerConnection.java:171)
	at io.debezium.jdbc.JdbcConnection.connection(JdbcConnection.java:886)
	at io.debezium.jdbc.JdbcConnection.lambda$createPreparedStatement$6(JdbcConnection.java:1370)
	... 16 more
Caused by: javax.net.ssl.SSLHandshakeException: Certificates do not conform to algorithm constraints
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:349)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:292)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:287)
	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
	at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
	at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
	at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1426)
	at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1336)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:450)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:421)
	at com.microsoft.sqlserver.jdbc.TDSChannel.enableSSL(IOBuffer.java:1799)
	... 27 more
Caused by: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
	at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1681)
	at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:1606)
	at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:1550)
	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
	... 39 more
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA1withRSA
	at java.base/sun.security.provider.certpath.AlgorithmChecker.check(AlgorithmChecker.java:237)
	at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1677)
	... 42 more
```
Another change is in the java.security file (which is overridden by java.config):

1.6: in /usr/lib/jvm/java-11-openjdk-11.0.8.10-0.el7_8.x86_64/conf/security/java.security

```
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
```

1.7: in /usr/lib/jvm/java-11-openjdk-11.0.12.0.7-4.fc34.x86_64/conf/security/java.security

```
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves
```
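As an added example (not code from the issue or from the Debezium project), the following Python model parses the two `jdk.tls.disabledAlgorithms` values quoted above, resolves the `include` directive, and checks TLS parameters against them; the `jdk.disabled.namedCurves` value is a constructed stand-in and the name matching is a simplified version of the JDK's. It makes the page's point concrete: neither java.security value blocks SHA1withRSA, so the handshake failure in the trace has to come from the crypto-policies java.config that overrides java.security.

```python
"""Evaluate TLS parameters against jdk.tls.disabledAlgorithms values
(simplified model of the JDK's DisabledAlgorithmConstraints matching)."""
import re

# Values copied from the 1.6 and 1.7 java.security excerpts in the issue;
# jdk.disabled.namedCurves is a constructed sample, not the JDK's real list.
JAVA_SECURITY_16 = {
    "jdk.tls.disabledAlgorithms": "SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \\\n"
                                  "    EC keySize < 224, 3DES_EDE_CBC, anon, NULL",
}
JAVA_SECURITY_17 = {
    "jdk.tls.disabledAlgorithms": "SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \\\n"
                                  "    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \\\n"
                                  "    include jdk.disabled.namedCurves",
    "jdk.disabled.namedCurves": "secp112r1, sect113r1",  # constructed sample value
}

def disabled_entries(props, name, seen=frozenset()):
    """Expand a property into constraint strings, joining '\\'-continued lines
    and following 'include <property>' as java.security does (cycle-safe)."""
    seen = seen | {name}
    raw = props.get(name, "").replace("\\\n", " ")
    out = []
    for entry in (e.strip() for e in raw.split(",")):
        inc = re.fullmatch(r"include\s+(\S+)", entry)
        if inc:
            if inc.group(1) not in seen:
                out += disabled_entries(props, inc.group(1), seen)
        elif entry:
            out.append(entry)
    return out

def _components(alg):
    # The JDK decomposes e.g. SHA1withRSA into SHA1withRSA / SHA1 / RSA so a
    # disabled "RSA" or "SHA1" entry would also match; simplified here.
    return {alg.lower()} | {p.lower() for p in re.split(r"with|/", alg, flags=re.I) if p}

def is_disabled(entries, alg, key_size=None):
    """True if `alg` (protocol, cipher, signature or curve name) is blocked;
    key_size is consulted for 'X keySize < N' style constraints."""
    parts = _components(alg)
    for entry in entries:
        m = re.fullmatch(r"(\S+)\s+keySize\s*(<=|<|>=|>|==|!=)\s*(\d+)", entry)
        if m:
            ka, op, n = m.group(1).lower(), m.group(2), int(m.group(3))
            if ka in parts and key_size is not None and {
                "<": key_size < n, "<=": key_size <= n, ">": key_size > n,
                ">=": key_size >= n, "==": key_size == n, "!=": key_size != n}[op]:
                return True
        elif entry.lower() in parts:
            return True
    return False

def newly_disabled(old_props, new_props):
    """Constraints the new java.security adds over the old one."""
    old = set(disabled_entries(old_props, "jdk.tls.disabledAlgorithms"))
    return [e for e in disabled_entries(new_props, "jdk.tls.disabledAlgorithms") if e not in old]
```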
If this is intended behavior, maybe it should be documented as a breaking change?