TLS Encryption
Transport Layer Security for encrypted connections.
Configuration
Server
{
"Surgewave": {
"Security": {
"TlsEnabled": true,
"CertificatePath": "/certs/server.pfx",
"CertificatePassword": "cert-password",
"ClientCertificateRequired": false
}
}
}
With Client Authentication
{
"Surgewave": {
"Security": {
"TlsEnabled": true,
"CertificatePath": "/certs/server.pfx",
"CertificatePassword": "cert-password",
"ClientCertificateRequired": true,
"TrustedCertificatesPath": "/certs/ca.crt"
}
}
}
Certificate Setup
Generate Self-Signed (Development)
# Generate CA
openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt \
-subj "/CN=Surgewave CA"
# Generate server certificate
openssl genrsa -out server.key 4096
openssl req -new -key server.key -out server.csr \
-subj "/CN=localhost"
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key \
-CAcreateserial -out server.crt
# Create PFX
openssl pkcs12 -export -out server.pfx -inkey server.key -in server.crt \
-certfile ca.crt -password pass:cert-password
Production Certificates
Use certificates from:
- Let's Encrypt
- Internal PKI
- Commercial CA
Client Configuration
Surgewave.Client
TLS configuration is handled at the broker level. Native clients connect to the TLS-enabled port:
await using var client = new SurgewaveNativeClient("localhost", 9092);
await client.ConnectAsync();
Confluent.Kafka Compatibility Wrapper
For TLS with the Confluent.Kafka compatible API:
using Kuestenlogik.Surgewave.Compatibility.Confluent.Kafka;
var config = new ProducerConfig
{
BootstrapServers = "localhost:9092",
SecurityProtocol = SecurityProtocol.Ssl,
SslCaLocation = "/certs/ca.crt",
SslCertificateLocation = "/certs/client.crt",
SslKeyLocation = "/certs/client.key"
};
Confluent.Kafka
var config = new ProducerConfig
{
BootstrapServers = "localhost:9092",
SecurityProtocol = SecurityProtocol.Ssl,
SslCaLocation = "/certs/ca.crt"
};
TLS + SASL
Combine encryption with authentication:
{
"Surgewave": {
"Security": {
"TlsEnabled": true,
"SaslEnabled": true,
"CertificatePath": "/certs/server.pfx",
"SaslMechanisms": ["SCRAM-SHA-256"]
}
}
}
Client:
var config = new ProducerConfig
{
BootstrapServers = "localhost:9092",
SecurityProtocol = SecurityProtocol.SaslSsl,
SaslMechanism = SaslMechanism.ScramSha256,
SaslUsername = "app",
SaslPassword = "secret",
SslCaLocation = "/certs/ca.crt"
};
Certificate Rotation
- Generate new certificate
- Update server config
- Restart broker (graceful)
- Update clients
For zero-downtime:
- Configure multiple certificates
- Clients trust both old and new CA
Troubleshooting
Certificate Validation Failed
Error: SSL certificate verification failed
- Verify CA certificate is correct
- Check certificate chain
- Ensure CN matches hostname
Handshake Failed
Error: SSL handshake failed
- Verify TLS versions match
- Check cipher suite compatibility
- Ensure certificate is valid
Best Practices
- Use TLS 1.2+ - Disable older versions
- Strong ciphers - Prefer ECDHE, AES-GCM
- Short validity - 90 days for certificates
- Automate rotation - Use cert-manager or ACME