1

I have a Docker container image which includes Kafka Debezium (2.1) as Source Connector and I have also injected JDBC for Postgres (42.5.1) as Sink Connector in order to transfer records from some tables to some other tables in a different database from a single pod/container.

When the Source PostgreSQL and the Destination PostgreSQL are the same version (v11), everything works as expected, transferring data without any problem.

When the Source PostgreSQL is v11 and the Destination PostgreSQL is v14, an error appears in the Sink Connector, like the following:

SSL error: Certificates do not conform to algorithm constraints
Algorithm constraints check failed on signature algorithm: SHA1withRSA

The PostgreSQL servers are on Azure; v11 is Single Server and v14 is Flexible Server. After some investigation, I found (maybe it is related) that v11 has a minimum TLS of v1.0, while v14 has a minimum TLS of v1.2.

So, I tried a couple of things:

First, to ensure that TLS is enabled and set to v1.2 on PostgreSQL v14 and also add a few SSL parameters to the Sink Connector like the following (same error):

&ssl=true&sslfactory=org.postgresql.ssl.NonValidatingFactory&sslmode=require&sslProtocol=TLSv1.2

Second, to ensure that TLS is disabled on PostgreSQL v14 and set the Sink Connector not to use SSL (same error):

&ssl=false

Not sure why I am getting this error (even with SSL disabled on the database and on the connector). Is there anything I can do?

1 Answer

2

Found a similar situation with Keycloak and Azure PostgreSQL Flexible Server on GitHub where the same error occurs.

Link for similar issue: https://github.com/keycloak/keycloak/issues/17320#issuecomment-1461573077

It would seem that the Azure Database for PostgreSQL - Single Server is using the SHA256 DigiCertGlobalRootG2, so anyone using Single Server would not have this problem. But Flexible Server is still using the old SHA1 Root Certificate, causing this error.

Based on another similar error for the Oracle client, it seems that there are some Java policy constraints which set the minimum level for certifications and TLS.

Link for similar issue: SSL handshake exception: "Algorithm constraints check failed: MD5withRSA"

The problem is caused by Oracle disabling hash algorithms which are no longer considered to be secure. Take a look at JRE_HOME/lib/security/java.security. It contains the following properties: jdk.certpath.disabledAlgorithms, jdk.tls.disabledAlgorithms

=============== UPDATE 2023/03/24 ===============

I tested the above in Confluent-Debezium, changing two files (the first one is not necessary, as the second one is the one which overrides the first one). Depending on the Confluent-Debezium version, the Java location or version may vary:

File1: etc/java/java-11-openjdk/java-11-openjdk-11.0.18.0.10-1.fc37.x86_64/conf/security/java.security
File2: /etc/crypto-policies/back-ends/java.config

Changed the following lines of code (comment):

jdk.certpath.disabledAlgorithms
jdk.tls.disabledAlgorithms

For Confluent-Debezium it was necessary to make my own custom image (Dockerfile) with the preferred drivers for the required databases, and to put a package manager inside and install vim in order to have the flexibility to overwrite these files.
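
A defender-side check for the change described in the answer, as an added example that is not part of the original answer: a POSIX shell audit that reports, for an image's two Java security files, whether each of the two properties is still defined and whether its list still names SHA1. The function names and the file contents in `demo` are constructed for illustration; the override order follows the answer's statement that the second file overrides the first.

```shell
# Added example; the file contents written by demo() are constructed samples.
# prop_value FILE KEY: print the last uncommented definition of KEY in a
# java.security-style file, joining backslash-continued lines.
# Exit status is non-zero when KEY is not defined (for example, commented out).
prop_value() {
    awk -v key="$2" '
        !cont && /^[ \t]*[#!]/ { next }   # comment line outside a continued value
        {
            sub(/^[ \t]+/, "")
            cont = sub(/\\$/, "")         # trailing backslash: value continues
            buf = buf $0
            if (cont) next
            eq = index(buf, "=")
            k = substr(buf, 1, eq - 1); sub(/[ \t]+$/, "", k)
            if (eq && k == key) { val = substr(buf, eq + 1); found = 1 }
            buf = ""
        }
        END { if (found) print val; exit !found }
    ' "$1"
}

# effective_value KEY BASE OVERRIDE: per the answer, the crypto-policies file
# overrides java.security, so OVERRIDE wins whenever it defines KEY.
effective_value() {
    prop_value "$3" "$1" || prop_value "$2" "$1"
}

# audit_key KEY BASE OVERRIDE: classify the effective setting for one property.
audit_key() {
    if ! v=$(effective_value "$1" "$2" "$3"); then
        echo "UNSET"              # key defined in neither file
    elif printf '%s' "$v" | grep -Eiq '(^|[ ,])SHA-?1([ ,]|$)'; then
        echo "SHA1_RESTRICTED"
    else
        echo "SHA1_ALLOWED"
    fi
}

demo() {
    d=$(mktemp -d)
    printf '%s\n' 'jdk.certpath.disabledAlgorithms=MD2, MD5, \' \
        '    SHA1, RSA keySize < 2048' \
        '#jdk.tls.disabledAlgorithms=SSLv3, TLSv1, SHA1' > "$d/java.security"
    printf '%s\n' 'jdk.certpath.disabledAlgorithms=MD2, MD5' \
        '#jdk.tls.disabledAlgorithms=SSLv3, SHA1' > "$d/java.config"
    for k in jdk.certpath.disabledAlgorithms jdk.tls.disabledAlgorithms; do
        echo "$k: $(audit_key "$k" "$d/java.security" "$d/java.config")"
    done
    rm -rf "$d"
}
demo
```

Run against the two real paths inside a built image, `UNSET` or `SHA1_ALLOWED` shows that the restriction was removed for every TLS connection the JVM makes, not only the one to the Flexible Server.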
