Why no SSL!? Port is open!

Okay, this has taken me too long not to post, so here it is.
When a firewall is blocking SSL/TLS traffic but allowing plain HTTP traffic on the same port, the TCP connection succeeds and the reset only comes once the TLS ClientHello is sent. openssl s_client shows this as a connection that is CONNECTED but dies on the first write (errno 104 is ECONNRESET, "Connection reset by peer"):

my_host:joris [/etc/stores] openssl s_client -host external_host -port 12345
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 247 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---


To be complete:
Apache Kafka shows the following error if you try to connect over SSL while the SSL traffic is blocked. Note the same pattern: the socket connects fine, and the reset arrives inside the TLS handshake (SslTransportLayer.handshakeUnwrap):

[2017-01-04 11:27:32,395] DEBUG Node -1 disconnected. (org.apache.kafka.clients.NetworkClient)
[2017-01-04 11:27:32,395] DEBUG Created socket with SO_RCVBUF = 32768, SO_SNDBUF = 124928, SO_TIMEOUT = 0 to node -2 (org.apache.kafka.common.network.Selector)
[2017-01-04 11:27:32,395] DEBUG Completed connection to node -2 (org.apache.kafka.clients.NetworkClient)
[2017-01-04 11:27:32,397] DEBUG Connection with myhost/10.10.10.10 disconnected (org.apache.kafka.common.network.Selector)
java.io.IOException: Connection reset by peer
 at sun.nio.ch.FileDispatcherImpl.read0(Native Method)
 at sun.nio.ch.SocketDispatcher.read(SocketDispatcher.java:39)
 at sun.nio.ch.IOUtil.readIntoNativeBuffer(IOUtil.java:223)
 at sun.nio.ch.IOUtil.read(IOUtil.java:197)
 at sun.nio.ch.SocketChannelImpl.read(SocketChannelImpl.java:380)
 at org.apache.kafka.common.network.SslTransportLayer.handshakeUnwrap(SslTransportLayer.java:403)
 at org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:270)
 at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:62)
 at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:338)
 at org.apache.kafka.common.network.Selector.poll(Selector.java:291)
 at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:260)
 at org.apache.kafka.clients.producer.internals.Sender.run(Sender.java:236)
 at org.apache.kafka.clients.producer.internals.Sender.run(Sender.java:135)
 at java.lang.Thread.run(Thread.java:745)
[2017-01-04 11:27:32,397] WARN Failed to send SSL Close message (org.apache.kafka.common.network.SslTransportLayer)
java.io.IOException: Broken pipe
 at sun.nio.ch.FileDispatcherImpl.write0(Native Method)
 at sun.nio.ch.SocketDispatcher.write(SocketDispatcher.java:47)
 at sun.nio.ch.IOUtil.writeFromNativeBuffer(IOUtil.java:93)
 at sun.nio.ch.IOUtil.write(IOUtil.java:65)
 at sun.nio.ch.SocketChannelImpl.write(SocketChannelImpl.java:471)
 at org.apache.kafka.common.network.SslTransportLayer.flush(SslTransportLayer.java:195)
 at org.apache.kafka.common.network.SslTransportLayer.close(SslTransportLayer.java:163)
 at org.apache.kafka.common.utils.Utils.closeAll(Utils.java:690)
 at org.apache.kafka.common.network.KafkaChannel.close(KafkaChannel.java:47)
 at org.apache.kafka.common.network.Selector.close(Selector.java:487)
 at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:368)
 at org.apache.kafka.common.network.Selector.poll(Selector.java:291)
 at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:260)
 at org.apache.kafka.clients.producer.internals.Sender.run(Sender.java:236)
 at org.apache.kafka.clients.producer.internals.Sender.run(Sender.java:135)
 at java.lang.Thread.run(Thread.java:745)
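Both outputs above turn on one distinction: "the TCP port is reachable" versus "something on the far side actually answers TLS". The following script is an added example (not code from the original post) that probes a host:port and reports which layer fails, so a "port is open but no SSL" case is reported as a reset inside the handshake rather than as a generic connection failure. The two local listeners in it are constructed stand-ins: one mimics a firewall that lets the TCP handshake through and resets the session when it sees a ClientHello, the other mimics a plain-HTTP service listening where TLS was expected. Function and label names are my own.

```python
import socket
import ssl
import struct
import threading


def classify_tls_endpoint(host, port, timeout=5.0):
    """Probe host:port and report which layer fails.

    Returns one of:
      'tcp-refused'   - nothing listening (RST in answer to SYN)
      'tcp-timeout'   - SYN dropped (the classic "filtered" port)
      'tcp-error'     - other connect-level failure
      'tls-reset'     - TCP connected, peer reset us after the ClientHello
                        (the post's write:errno=104 / "Connection reset by peer")
      'tls-eof'       - TCP connected, peer closed cleanly without answering TLS
      'tls-plaintext' - TCP connected, peer answered with something that is not TLS
      'tls-error'     - TLS answered but the handshake failed for another reason
      'tls-timeout'   - TCP connected, ClientHello sent, no answer at all
      'tls-ok'        - full handshake completed
    """
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return 'tcp-refused'
    except socket.timeout:
        return 'tcp-timeout'
    except OSError:
        return 'tcp-error'

    # Diagnostic-only context: the question is "does anything answer TLS here?",
    # not whether the peer's certificate is valid, so verification is off,
    # just as openssl s_client does not verify by default.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # wrap_socket() performs the handshake immediately on a connected socket.
        with ctx.wrap_socket(raw, server_hostname=host):
            return 'tls-ok'
    except ConnectionResetError:
        return 'tls-reset'
    except ssl.SSLEOFError:
        return 'tls-eof'
    except ssl.SSLError as exc:
        # OpenSSL reports a non-TLS reply (e.g. "HTTP/1.1 400 ...") as WRONG_VERSION_NUMBER.
        return 'tls-plaintext' if exc.reason == 'WRONG_VERSION_NUMBER' else 'tls-error'
    except socket.timeout:
        return 'tls-timeout'
    finally:
        raw.close()


def _serve_once(handler):
    """Constructed local listener: accept one connection, hand it to handler, return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(('127.0.0.1', 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        srv.close()
        with conn:          # closing conn is what sends FIN, or RST when linger is zero
            handler(conn)

    threading.Thread(target=run, daemon=True).start()
    return port


def start_firewall_like_listener():
    """Stand-in for a firewall that passes the TCP handshake but resets on a TLS ClientHello."""
    def handler(conn):
        conn.recv(4096)  # swallow the ClientHello
        # SO_LINGER with a zero timeout makes close() emit RST instead of FIN,
        # so the client sees ECONNRESET (errno 104) exactly like in the post.
        conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack('ii', 1, 0))
    return _serve_once(handler)


def start_plain_http_listener():
    """Stand-in for a plain-HTTP service on the port where TLS was expected."""
    def handler(conn):
        conn.recv(4096)
        conn.sendall(b'HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n')
    return _serve_once(handler)


if __name__ == '__main__':
    for label, port in (('firewall-like', start_firewall_like_listener()),
                        ('plain-http', start_plain_http_listener())):
        print(label, '->', classify_tls_endpoint('127.0.0.1', port))
```

Run it against a real endpoint with classify_tls_endpoint('external_host', 12345): 'tcp-timeout' means the port really is filtered, while 'tls-reset' is the situation the post describes, a firewall that accepts the TCP session and then kills it once it sees TLS.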

3 Replies to “Why no SSL!? Port is open!”

    1. Hi Bharati,
      The cause is that the firewall is inspecting packets; in this case it allows HTTP traffic but doesn't allow HTTPS (SSL) traffic.
      If you're in control of that firewall, open up the port(s) and allow HTTPS/SSL.
      If you're not in control of that firewall, ask the corresponding department/engineer to help you out in opening the firewall.

  1. Thank you so much for this page. Helped me a lot. Although port tcp/443 was actually opened in the firewall, the SSL was actually blocked.
