Commit 0bc7518

dpkpjeffwidman
authored andcommitted
Allow configuration of SSL Ciphers (#1755)
1 parent f2f2bfe commit 0bc7518

4 files changed

+28
-1
lines changed


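--- a/kafka/client_async.py
+++ b/kafka/client_async.py
@@ -123,6 +123,11 @@ class KafkaClient(object):
 providing a file, only the leaf certificate will be checked against
 this CRL. The CRL can only be checked with Python 3.4+ or 2.7.9+.
 Default: None.
+ssl_ciphers (str): optionally set the available ciphers for ssl
+connections. It should be a string in the OpenSSL cipher list
+format. If no cipher can be selected (because compile-time options
+or other configuration forbids use of all the specified ciphers),
+an ssl.SSLError will be raised. See ssl.SSLContext.set_ciphers
 api_version (tuple): Specify which Kafka API version to use. If set
 to None, KafkaClient will attempt to infer the broker version by
 probing various APIs. Example: (0, 10, 2). Default: None
@@ -173,6 +178,7 @@ class KafkaClient(object):
 'ssl_keyfile': None,
 'ssl_password': None,
 'ssl_crlfile': None,
+'ssl_ciphers': None,
 'api_version': None,
 'api_version_auto_timeout_ms': 2000,
 'selector': selectors.DefaultSelector,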
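Review bot: The new `ssl_ciphers` docstring entry never states its default, while every neighbouring ssl option ends with `Default: None.` and the DEFAULT_CONFIG hunk below sets `'ssl_ciphers': None`; add `Default: None.` after `See ssl.SSLContext.set_ciphers`. It is also worth saying what `None` means in practice — judging by the `if self.config['ssl_ciphers']:` guard in conn.py, the SSLContext's cipher list is left untouched, i.e. Python's default selection applies — since that is the security-relevant reading of this option. The same docstring block is repeated in conn.py, consumer/group.py and producer/kafka.py and should receive the identical line.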

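--- a/kafka/conn.py
+++ b/kafka/conn.py
@@ -140,7 +140,7 @@ class BrokerConnection(object):
 should verify that the certificate matches the brokers hostname.
 default: True.
 ssl_cafile (str): optional filename of ca file to use in certificate
-veriication. default: None.
+verification. default: None.
 ssl_certfile (str): optional filename of file in pem format containing
 the client certificate, as well as any ca certificates needed to
 establish the certificate's authenticity. default: None.
@@ -154,6 +154,11 @@ class BrokerConnection(object):
 providing a file, only the leaf certificate will be checked against
 this CRL. The CRL can only be checked with Python 3.4+ or 2.7.9+.
 default: None.
+ssl_ciphers (str): optionally set the available ciphers for ssl
+connections. It should be a string in the OpenSSL cipher list
+format. If no cipher can be selected (because compile-time options
+or other configuration forbids use of all the specified ciphers),
+an ssl.SSLError will be raised. See ssl.SSLContext.set_ciphers
 api_version (tuple): Specify which Kafka API version to use.
 Accepted values are: (0, 8, 0), (0, 8, 1), (0, 8, 2), (0, 9),
 (0, 10). Default: (0, 8, 2)
@@ -201,6 +206,7 @@ class BrokerConnection(object):
 'ssl_keyfile': None,
 'ssl_crlfile': None,
 'ssl_password': None,
+'ssl_ciphers': None,
 'api_version': (0, 8, 2), # default to most restrictive
 'selector': selectors.DefaultSelector,
 'state_change_callback': lambda conn: True,
@@ -463,6 +469,9 @@ def _wrap_ssl(self):
 self._ssl_context.load_verify_locations(self.config['ssl_crlfile'])
 # pylint: disable=no-member
 self._ssl_context.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
+if self.config['ssl_ciphers']:
+log.info('%s: Setting SSL Ciphers: %s', self, self.config['ssl_ciphers'])
+self._ssl_context.set_ciphers(self.config['ssl_ciphers'])
 log.debug('%s: wrapping socket in ssl context', self)
 try:
 self._sock = self._ssl_context.wrap_socket(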
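Review bot: The new `set_ciphers` call in `_wrap_ssl` replaces the SSLContext's cipher list wholesale, so a permissive string (one admitting NULL, aNULL or export suites, for example) silently weakens every broker connection; the `ssl_ciphers` docstring should state that the option overrides Python's hardened defaults and is intended to restrict, not widen, the selection. On OpenSSL 1.1.1+ `SSLContext.set_ciphers` governs only TLS 1.2-and-below suites, and TLS 1.3 suites are configured separately, so a restrictive `ssl_ciphers` does not by itself constrain a TLS 1.3 handshake — a one-line caveat in the same docstring would prevent a false sense of security. The call also sits before the `try:` that guards `wrap_socket`, so the `ssl.SSLError` the docstring promises propagates out of `_wrap_ssl` rather than being treated like a wrap failure; whether callers expect that depends on code outside the hunk (`_wrap_ssl` begins before it). A comment above the call, `# set_ciphers() raises ssl.SSLError when no listed cipher is usable (documented in ssl_ciphers)`, would make that path explicit for the next reader.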

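--- a/kafka/consumer/group.py
+++ b/kafka/consumer/group.py
@@ -187,6 +187,11 @@ class KafkaConsumer(six.Iterator):
 providing a file, only the leaf certificate will be checked against
 this CRL. The CRL can only be checked with Python 3.4+ or 2.7.9+.
 Default: None.
+ssl_ciphers (str): optionally set the available ciphers for ssl
+connections. It should be a string in the OpenSSL cipher list
+format. If no cipher can be selected (because compile-time options
+or other configuration forbids use of all the specified ciphers),
+an ssl.SSLError will be raised. See ssl.SSLContext.set_ciphers
 api_version (tuple): Specify which Kafka API version to use. If set to
 None, the client will attempt to infer the broker version by probing
 various APIs. Different versions enable different functionality.
@@ -280,6 +285,7 @@ class KafkaConsumer(six.Iterator):
 'ssl_keyfile': None,
 'ssl_crlfile': None,
 'ssl_password': None,
+'ssl_ciphers': None,
 'api_version': None,
 'api_version_auto_timeout_ms': 2000,
 'connections_max_idle_ms': 9 * 60 * 1000,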

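--- a/kafka/producer/kafka.py
+++ b/kafka/producer/kafka.py
@@ -245,6 +245,11 @@ class KafkaProducer(object):
 providing a file, only the leaf certificate will be checked against
 this CRL. The CRL can only be checked with Python 3.4+ or 2.7.9+.
 default: none.
+ssl_ciphers (str): optionally set the available ciphers for ssl
+connections. It should be a string in the OpenSSL cipher list
+format. If no cipher can be selected (because compile-time options
+or other configuration forbids use of all the specified ciphers),
+an ssl.SSLError will be raised. See ssl.SSLContext.set_ciphers
 api_version (tuple): Specify which Kafka API version to use. If set to
 None, the client will attempt to infer the broker version by probing
 various APIs. Example: (0, 10, 2). Default: None
@@ -312,6 +317,7 @@ class KafkaProducer(object):
 'ssl_keyfile': None,
 'ssl_crlfile': None,
 'ssl_password': None,
+'ssl_ciphers': None,
 'api_version': None,
 'api_version_auto_timeout_ms': 2000,
 'metric_reporters': [],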
