Posted to dev@zookeeper.apache.org by "Kelly Schoenhofen (Jira)" <ji...@apache.org> on 2019/11/17 02:39:00 UTC

[jira] [Created] (ZOOKEEPER-3622) ZooKeeper 3.5.6 Quorum TLS protocol issues

Kelly Schoenhofen created ZOOKEEPER-3622:
--------------------------------------------

             Summary: ZooKeeper 3.5.6 Quorum TLS protocol issues
                 Key: ZOOKEEPER-3622
                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3622
             Project: ZooKeeper
          Issue Type: Bug
          Components: server
    Affects Versions: 3.5.6
            Reporter: Kelly Schoenhofen


Using 3.5.6 I have quorum TLS working, but I'm being asked to tighten up from the default of AES128 & TLS 1.2. I've tried the following in the zoo.cfg:

ssl.quorum.protocol=TLSv1.3

This is apparently not supported yet - is this dependent on the version of openssl on the system, or is this just not an option I can specify? Where can I find the list of protocols that are recognized? If 1.3 is not yet available, not the end of the world.

ssl.quorum.ciphersuites=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

This is not a recognized cipher, neither is AES256/SHA256. The above cipher _should_ be available though, and is the stronger successor to AES128/SHA256.

I have the suspicion that I'm setting it wrong, because if I set it to the cipher it defaults to when unset:

ssl.quorum.ciphersuites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

it gives me this when cluster members try to connect:

2019-11-16 19:39:33,731 [myid:1] - INFO [xxx/x.x.x.x:3888:UnifiedServerSocket$UnifiedSocket@273] - Accepted TLS connection from xxx/x.x.x.x:40822 - NONE - SSL_NULL_WITH_NULL_NULL
2019-11-16 19:39:33,732 [myid:1] - WARN [xxx/x.x.x.x:3888:QuorumCnxManager@542] - Exception reading or writing challenge: {}

(the only alteration I made to the above snippet is changing the machine names to xxx and ip's to x.x.x.x, I altered it in no other way)

So two questions:

1) Is TLS 1.3 an option?

2) What is the cipher list? I would like an AES256 option.
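The protocol and cipher-suite names that ssl.quorum.protocol and ssl.quorum.ciphersuites accept are the JSSE names of the JVM running ZooKeeper, not OpenSSL names (the UnifiedServerSocket class in the log above is built on the JDK's SSLSocket). The added example below is not ZooKeeper code and not from the reporter; it asks the JVM's default SSLContext which protocols and cipher suites it supports and which are enabled by default, then checks the two values from this report against that list. The class name and the WANTED_* lists are constructed for the example.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.List;

/**
 * Added example (not part of ZooKeeper): reports which TLS protocol and
 * cipher-suite names this JVM's JSSE provider recognizes, so a value placed in
 * ssl.quorum.protocol / ssl.quorum.ciphersuites can be validated before a
 * quorum member is restarted with it.
 */
public class QuorumTlsCapabilityCheck {

    // Constructed from the values discussed in the report.
    static final String[] WANTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"};
    static final String[] WANTED_CIPHERS = {
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",   // the 3.5.6 default
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"    // the requested AES256 suite
    };

    public static void main(String[] args) throws NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();
        // "Supported" = the provider implements it; "default" = enabled unless
        // restricted by jdk.tls.disabledAlgorithms in java.security.
        SSLParameters supported = ctx.getSupportedSSLParameters();
        SSLParameters enabled = ctx.getDefaultSSLParameters();

        List<String> supportedProtocols = Arrays.asList(supported.getProtocols());
        List<String> enabledProtocols = Arrays.asList(enabled.getProtocols());
        List<String> supportedCiphers = Arrays.asList(supported.getCipherSuites());
        List<String> enabledCiphers = Arrays.asList(enabled.getCipherSuites());

        System.out.println("JVM " + System.getProperty("java.version")
                + " (" + System.getProperty("java.vendor") + ")");
        System.out.println("Supported protocols:       " + supportedProtocols);
        System.out.println("Protocols enabled by default: " + enabledProtocols);
        System.out.println("Cipher suites enabled by default:");
        for (String c : enabledCiphers) {
            System.out.println("  " + c);
        }

        System.out.println();
        for (String p : WANTED_PROTOCOLS) {
            report("protocol", p, supportedProtocols, enabledProtocols);
        }
        for (String c : WANTED_CIPHERS) {
            report("cipher", c, supportedCiphers, enabledCiphers);
        }
    }

    /** Classifies one name as enabled, supported-but-disabled, or unknown to this JVM. */
    static void report(String kind, String name, List<String> supported, List<String> enabled) {
        String status;
        if (enabled.contains(name)) {
            status = "enabled by default";
        } else if (supported.contains(name)) {
            status = "supported but disabled by default (check jdk.tls.disabledAlgorithms)";
        } else {
            status = "NOT recognized by this JVM";
        }
        System.out.printf("%-9s %-42s %s%n", kind, name, status);
    }
}
```

Run it with the same JVM that runs the ZooKeeper server (`javac QuorumTlsCapabilityCheck.java && java QuorumTlsCapabilityCheck`, or `java QuorumTlsCapabilityCheck.java` on JDK 11 and later). A name reported as "NOT recognized" will fail in zoo.cfg regardless of the OpenSSL version on the host, because the JDK provider, not OpenSSL, performs the quorum handshake; TLSv1.3 in particular only appears once the JDK itself implements it (JDK 11 and later, or a recent JDK 8 update).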
