Why no SSL!? Port is open!

Okay, this has taken me too long not to post, so here it is:

When your firewall is blocking SSL traffic but allowing HTTP traffic, openssl s_client will show this:

my_host:joris [/etc/stores] openssl s_client -host external_host -port 12345
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 247 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

To be complete:

Apache Kafka will show this error if you try to connect over SSL while the SSL traffic is blocked:

[2017-01-04 11:27:32,395] DEBUG Node -1 disconnected. (org.apache.kafka.clients.NetworkClient)
[2017-01-04 11:27:32,395] DEBUG Created socket with SO_RCVBUF = 32768, SO_SNDBUF = 124928, SO_TIMEOUT = 0 to node -2 (org.apache.kafka.common.network.Selector)
[2017-01-04 11:27:32,395] DEBUG Completed connection to node -2 (org.apache.kafka.clients.NetworkClient)
[2017-01-04 11:27:32,397] DEBUG Connection with myhost/10.10.10.10 disconnected (org.apache.kafka.common.network.Selector)
java.io.IOException: Connection reset by peer
 at sun.nio.ch.FileDispatcherImpl.read0(Native Method)
 at sun.nio.ch.SocketDispatcher.read(SocketDispatcher.java:39)
 at sun.nio.ch.IOUtil.readIntoNativeBuffer(IOUtil.java:223)
 at sun.nio.ch.IOUtil.read(IOUtil.java:197)
 at sun.nio.ch.SocketChannelImpl.read(SocketChannelImpl.java:380)
 at org.apache.kafka.common.network.SslTransportLayer.handshakeUnwrap(SslTransportLayer.java:403)
 at org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:270)
 at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:62)
 at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:338)
 at org.apache.kafka.common.network.Selector.poll(Selector.java:291)
 at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:260)
 at org.apache.kafka.clients.producer.internals.Sender.run(Sender.java:236)
 at org.apache.kafka.clients.producer.internals.Sender.run(Sender.java:135)
 at java.lang.Thread.run(Thread.java:745)
[2017-01-04 11:27:32,397] WARN Failed to send SSL Close message (org.apache.kafka.common.network.SslTransportLayer)
java.io.IOException: Broken pipe
 at sun.nio.ch.FileDispatcherImpl.write0(Native Method)
 at sun.nio.ch.SocketDispatcher.write(SocketDispatcher.java:47)
 at sun.nio.ch.IOUtil.writeFromNativeBuffer(IOUtil.java:93)
 at sun.nio.ch.IOUtil.write(IOUtil.java:65)
 at sun.nio.ch.SocketChannelImpl.write(SocketChannelImpl.java:471)
 at org.apache.kafka.common.network.SslTransportLayer.flush(SslTransportLayer.java:195)
 at org.apache.kafka.common.network.SslTransportLayer.close(SslTransportLayer.java:163)
 at org.apache.kafka.common.utils.Utils.closeAll(Utils.java:690)
 at org.apache.kafka.common.network.KafkaChannel.close(KafkaChannel.java:47)
 at org.apache.kafka.common.network.Selector.close(Selector.java:487)
 at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:368)
 at org.apache.kafka.common.network.Selector.poll(Selector.java:291)
 at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:260)
 at org.apache.kafka.clients.producer.internals.Sender.run(Sender.java:236)
 at org.apache.kafka.clients.producer.internals.Sender.run(Sender.java:135)
 at java.lang.Thread.run(Thread.java:745)
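Both outputs above show the same pattern: the TCP handshake succeeds (the port looks "open"), and the connection is reset the moment the TLS ClientHello goes out. The following added example (my code, not from the original post or from the Kafka project) tells the two cases apart; start_reset_server() is a constructed local stand-in for a firewall that passes TCP but resets the ClientHello, so nothing external is contacted.

```python
# Added example (not from the original post): tell "port closed" apart from "port open but
# TLS blocked"; start_reset_server() is a constructed stand-in for the inspecting firewall.
import errno
import socket
import ssl
import struct
import threading

def probe_tls(host: str, port: int, timeout: float = 5.0) -> str:
    """Open TCP, then try a TLS handshake; return a short verdict."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "tcp_refused"          # nothing listening, or the firewall rejects the SYN
    except socket.timeout:
        return "tcp_timeout"          # the firewall silently drops the SYN
    # TCP is up, so a plain port check says "open". Now send a ClientHello.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # only testing whether TLS gets through, not the cert
    try:
        with ctx.wrap_socket(sock, server_hostname=host):
            return "tls_ok"
    except ConnectionResetError:
        return "tls_reset"            # RST after the ClientHello: s_client's write:errno=104
    except ssl.SSLError:
        return "tls_error"            # TLS answered (or EOF), but the handshake failed
    except OSError as e:
        return "tls_reset" if e.errno == errno.ECONNRESET else "tls_error"
    finally:
        sock.close()

def start_reset_server() -> int:
    """Accept one TCP connection, swallow its first bytes, then RST it; returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve() -> None:
        conn, _ = srv.accept()
        conn.recv(4096)               # the ClientHello this "firewall" refuses to pass
        conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        conn.close()                  # linger 0 -> RST instead of FIN, as the firewall does
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def free_port() -> int:
    with socket.socket() as s:        # a port nothing listens on: the "port closed" case
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

Run probe_tls("127.0.0.1", start_reset_server()) to see "tls_reset", the verdict that matches the s_client and Kafka output above, against "tcp_refused" for free_port().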

3 thoughts on “Why no SSL!? Port is open!”

    1. Hi Bharati,

      The cause is that the firewall is inspecting packets, in this case it allows http traffic but doesn’t allow https (ssl) traffic.

      If you’re in control of that firewall, open up the port(s) and allow https/ssl.
      If you’re not in control of that firewall, ask the corresponding department/engineer to help you out in opening the firewall.

  1. Leonard

    Thank you so much for this page. Helped me a lot. Although port tcp/443 was actually opened in the firewall, the SSL was actually blocked.
