enable.ssl.certificate.verification must be a string and not a boolean #1633

@yzhan289

Description

The enable.ssl.certificate.verification configuration for AdminClient only takes strings "true"/"false" rather than the Python booleans True/False. We noticed that even though we would set enable.ssl.certificate.verification: False in our configuration, we would end up with the following error:

%3|1692896138.459|FAIL|dd-agent#producer-1| [thrd:sasl_ssl://192.168.36.20:9071/bootstrap]: sasl_ssl://192.168.36.20:9071/bootstrap: SSL handshake failed: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed: broker certificate could not be verified, verify that ssl.ca.location is correctly configured or root CA certificates are installed (install ca-certificates package) (after 2ms in state SSL_HANDSHAKE)

The default value of enable.ssl.certificate.verification (according to librdkafka's configuration) is true, so maybe after the config is passed from confluent-kafka-python to librdkafka, the boolean False is converted to the default string "true"?

Based on #1346, one could assume that enable.ssl.certificate.verification should take Python booleans, although from #938 and #1494, other users might be running into this issue too.

The library should either clarify that enable.ssl.certificate.verification should be a string or update the implementation to accept a boolean.

How to reproduce

  1. Configure a Kafka cluster that requires SSL but doesn't have a server cert signed by a CA (can be self-signed).
  2. Create an AdminClient connection that uses SSL but set enable.ssl.certificate.verification: False (Python boolean not string).

Checklist

Please provide the following information:

  • confluent-kafka-python and librdkafka version: 2.2.0 2.0.2
  • Apache Kafka broker version: N/A
  • Client configuration:
    security.protocol: "sasl_ssl", sasl.mechanism: "PLAIN", enable.ssl.certificate.verification: False, sasl.username: "<username>", sasl.password: "<password>", sasl.kerberos.principal: "kafka@localhost", sasl.kerberos.service.name: "kafka"
  • Operating system: N/A
  • Provide client logs (with 'debug': '..' as necessary)
  • Provide broker log excerpts
  • Critical issue
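
A workaround sketch for the behaviour reported above, added here and not part of the original issue or of confluent-kafka-python: it renders Python booleans as the "true"/"false" strings the reporter found to work, and flags a configuration that turns broker certificate verification off. The helper names `normalize_conf` and `audit_tls` are hypothetical, and the sample configuration is constructed from the one in the report.

```python
# Added example; normalize_conf and audit_tls are hypothetical helper names.
TLS_PROTOCOLS = {"ssl", "sasl_ssl"}
VERIFY_KEY = "enable.ssl.certificate.verification"

def normalize_conf(conf):
    """Copy conf, rendering Python bools as "true"/"false" strings.

    Returns (new_conf, coerced_keys) so callers can log what was changed.
    """
    out, coerced = {}, []
    for key, value in conf.items():
        if isinstance(value, bool):
            out[key] = "true" if value else "false"
            coerced.append(key)
        else:
            out[key] = value
    return out, coerced

def audit_tls(conf):
    """Return findings about TLS verification in a normalized config."""
    proto = str(conf.get("security.protocol", "plaintext")).lower()
    if proto not in TLS_PROTOCOLS:
        return []
    findings = []
    if str(conf.get(VERIFY_KEY, "true")).lower() == "false":
        findings.append(f"{VERIFY_KEY} is off: the broker's identity is not checked")
        if "ssl.ca.location" not in conf:
            findings.append("ssl.ca.location is unset: for a self-signed broker "
                            "certificate, trust its CA there and keep verification on")
    return findings

# Constructed sample, based on the client configuration in the report.
SAMPLE_CONF = {
    "security.protocol": "sasl_ssl",
    "sasl.mechanism": "PLAIN",
    VERIFY_KEY: False,  # Python bool, as in the report
    "sasl.username": "<username>",
    "sasl.password": "<password>",
}

if __name__ == "__main__":
    conf, coerced = normalize_conf(SAMPLE_CONF)
    print("coerced to strings:", coerced)
    for finding in audit_tls(conf):
        print("finding:", finding)
    # conf is what would be handed to confluent_kafka.admin.AdminClient(conf)
```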

Metadata

Labels

  • bug: Reporting an unexpected or problematic behavior of the codebase
  • code:python: Issues that are specific to Python or versions of Python independent of library logic
  • priority:high: Maintainer triage tag for indicating high impact or criticality issues
