Posted to issues@zookeeper.apache.org by "Enrico Olivelli (Jira)" <ji...@apache.org> on 2023/02/28 15:16:00 UTC

[jira] [Commented] (ZOOKEEPER-4415) Zookeeper 3.7.0 : The client supported protocol versions [TLSv1.3] are not accepted by server preferences

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-4415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17694610#comment-17694610 ] 

Enrico Olivelli commented on ZOOKEEPER-4415:
--------------------------------------------

[~xsasahu] 

It is not clear to me if we should do anything more here?
Change to better defaults?

> Zookeeper 3.7.0 : The client supported protocol versions [TLSv1.3] are not accepted by server preferences
> ---------------------------------------------------------------------------------------------------------
>
>                 Key: ZOOKEEPER-4415
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4415
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: server
>    Affects Versions: 3.7.0
>            Reporter: Santosh Kumar Sahu
>            Priority: Blocker
>              Labels: pull-request-available
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> We are trying to add TLSv1.3 support in Zookeeper; currently, by default, TLSv1.2 is supported.
> Following is the configuration:
> {code:java}
> ssl.protocol=TLSv1.3
> ssl.enabledProtocols=TLSv1.3,TLSv1.2
> serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
> sslQuorumReloadCertFiles=true
> quorumListenOnAllIPs=true
> secureClientPort=2281
> sslQuorum=false
> portUnification=true
> ssl.quorum.clientAuth=need
> ssl.quorum.hostnameVerification=true
> ssl.quorum.keyStore.location=/opt/zookeeper/cert/cert1.pem
> ssl.quorum.trustStore.location=/opt/zookeeper/cert/cacert.pem
> ssl.trustStore.location=/opt/zookeeper/cert/ca/clientcacert.pem
> ssl.keyStore.location=/opt/zookeeper/cert/cert1.pem
> ssl.clientAuth=need
> {code}
> By setting "{*}ssl.enabledProtocols=TLSv1.3,TLSv1.2{*}", only TLSv1.2 communication is working, but for TLSv1.3 the following error is coming:
>  
> {code:java}
> 2021-10-07T12:24:44.121+0000 [myid:] - ERROR [nioEventLoopGroup-4-2:NettyServerCnxnFactory$CertificateVerifier@434] - Unsuccessful handshake with session 0x0
> 2021-10-07T12:24:44.123+0000 [myid:] - WARN  [nioEventLoopGroup-4-2:NettyServerCnxnFactory$CnxnChannelHandler@273] - Exception caught
> io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: The client supported protocol versions [TLSv1.3] are not accepted by server preferences [TLS12]
>         at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:471) ~[netty-codec-4.1.50.Final.jar:4.1.50.Final]
>         at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276) ~[netty-codec-4.1.50.Final.jar:4.1.50.Final]
>         at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-transport-4.1.50.Final.jar:4.1.50.Final]
>         at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-transport-4.1.50.Final.jar:4.1.50.Final]
>         at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) [netty-transport-4.1.50.Final.jar:4.1.50.Final]
>         at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410) [netty-transport-4.1.50.Final.jar:4.1.50.Final]
>         at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-transport-4.1.50.Final.jar:4.1.50.Final]
>         at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-transport-4.1.50.Final.jar:4.1.50.Final]
>         at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919) [netty-transport-4.1.50.Final.jar:4.1.50.Final]
>         at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163) [netty-transport-4.1.50.Final.jar:4.1.50.Final]
>         at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:714) [netty-transport-4.1.50.Final.jar:4.1.50.Final]
>         at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:650) [netty-transport-4.1.50.Final.jar:4.1.50.Final]
>         at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:576) [netty-transport-4.1.50.Final.jar:4.1.50.Final]
>         at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493) [netty-transport-4.1.50.Final.jar:4.1.50.Final]
>         at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989) [netty-common-4.1.50.Final.jar:4.1.50.Final]
>         at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [netty-common-4.1.50.Final.jar:4.1.50.Final]
>         at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) [netty-common-4.1.50.Final.jar:4.1.50.Final]
>         at java.lang.Thread.run(Thread.java:829) [?:?]
> Caused by: javax.net.ssl.SSLHandshakeException: The client supported protocol versions [TLSv1.3] are not accepted by server preferences [TLS12]
>         at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]
>         at sun.security.ssl.Alert.createSSLException(Alert.java:117) ~[?:?]
>         at sun.security.ssl.TransportContext.fatal(TransportContext.java:336) ~[?:?]
>         at sun.security.ssl.TransportContext.fatal(TransportContext.java:292) ~[?:?]
>         at sun.security.ssl.TransportContext.fatal(TransportContext.java:283) ~[?:?]
>         at sun.security.ssl.ClientHello$ClientHelloConsumer.negotiateProtocol(ClientHello.java:916) ~[?:?]
>         at sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:832) ~[?:?]
>         at sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:813) ~[?:?]
>         at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392) ~[?:?]
>         at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443) ~[?:?]
>         at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074) ~[?:?]
>         at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061) ~[?:?]
>         at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
>         at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008) ~[?:?]
>         at io.netty.handler.ssl.SslHandler.runAllDelegatedTasks(SslHandler.java:1542) ~[netty-handler-4.1.50.Final.jar:4.1.50.Final]
>         at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1556) ~[netty-handler-4.1.50.Final.jar:4.1.50.Final]
>         at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1440) ~[netty-handler-4.1.50.Final.jar:4.1.50.Final]
>         at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1267) ~[netty-handler-4.1.50.Final.jar:4.1.50.Final]
>         at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1314) ~[netty-handler-4.1.50.Final.jar:4.1.50.Final]
>         at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:501) ~[netty-codec-4.1.50.Final.jar:4.1.50.Final]
>         at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:440) ~[netty-codec-4.1.50.Final.jar:4.1.50.Final]
>         ... 17 more
> {code}
> error "The client supported protocol versions [TLSv1.3] are not accepted by server preferences"
>  
>  
> Zookeeper is using {*}netty 4.1.50, which supports TLSv1.3{*} (netty 4.1.31 onwards supports TLSv1.3; ref: [https://netty.io/news/2018/10/30/4-1-31-Final.html])
> When trying to connect to Zookeeper over the TLS port with openssl using -tls1_3, it failed with the following error:
> {code:java}
> openssl s_client --connect zookeeper1:2281 --cert /run/secret/client/clicert.pem --key /run/secret/client/cliprivkey.pem --CAfile /run/secret/ca/cacert.pem -tls1_3
> CONNECTED(00000003)
> 140629337047680:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1544:SSL alert number 70
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 318 bytes
> Verification: OK
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> Early data was not sent
> Verify return code: 0 (ok)
> {code}
>  
> and if *ssl.enabledProtocols=TLSv1.3* (only TLSv1.3), then TLSv1.2 is also not working, and the following error is coming in the logs:
> {code:java}
>         at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163) [netty-transport-4.1.50.Final.jar:4.1.50.Final]
>         at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:714) [netty-transport-4.1.50.Final.jar:4.1.50.Final]
>         at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:650) [netty-transport-4.1.50.Final.jar:4.1.50.Final]
>         at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:576) [netty-transport-4.1.50.Final.jar:4.1.50.Final]
>         at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493) [netty-transport-4.1.50.Final.jar:4.1.50.Final]
>         at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989) [netty-common-4.1.50.Final.jar:4.1.50.Final]
>         at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [netty-common-4.1.50.Final.jar:4.1.50.Final]
>         at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) [netty-common-4.1.50.Final.jar:4.1.50.Final]
>         at java.lang.Thread.run(Thread.java:829) [?:?]
> Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
>         at sun.security.ssl.HandshakeContext.<init>(HandshakeContext.java:170) ~[?:?]
>         at sun.security.ssl.ServerHandshakeContext.<init>(ServerHandshakeContext.java:62) ~[?:?]
>         at sun.security.ssl.TransportContext.kickstart(TransportContext.java:222) ~[?:?]
>         at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:491) ~[?:?]
>         at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:454) ~[?:?]
>         at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:433) ~[?:?]
>         at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:637) ~[?:?]
>         at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:282) ~[netty-handler-4.1.50.Final.jar:4.1.50.Final]
>         at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1372) ~[netty-handler-4.1.50.Final.jar:4.1.50.Final]
>         at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1267) ~[netty-handler-4.1.50.Final.jar:4.1.50.Final]
>         at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1314) ~[netty-handler-4.1.50.Final.jar:4.1.50.Final]
>         at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:501) ~[netty-codec-4.1.50.Final.jar:4.1.50.Final]
>         at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:440) ~[netty-codec-4.1.50.Final.jar:4.1.50.Final]
>         ... 17 more
> {code}
> error "No appropriate protocol (protocol is disabled or cipher suites are inappropriate)"
> I wonder if TLSv1.3 is really supported in Zookeeper or not; if yes, then from which version onwards?
> So, we would need help to enable TLSv1.3 support.
> Let us know if any further information is required.
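The two JSSE messages quoted in the report are the only evidence an operator usually has of this kind of mismatch. The following triage helper is an added example (not ZooKeeper project code): it parses those two handshake failures out of server log lines, recovers which versions each side had enabled, and flags entries of the configured ssl.enabledProtocols that the server did not actually offer. The sample log lines are constructed, abridged from the stack traces above; the function and variable names are my own.

```python
import re
from dataclasses import dataclass, field

# JSSE abbreviates version names in this alert ("TLS12"); map them back to the ssl.enabledProtocols spelling.
JSSE_NAMES = {"TLS13": "TLSv1.3", "TLS12": "TLSv1.2", "TLS11": "TLSv1.1", "TLS10": "TLSv1"}
MISMATCH_RE = re.compile(r"The client supported protocol versions \[([^\]]*)\] "
                         r"are not accepted by server preferences \[([^\]]*)\]")
DISABLED_RE = re.compile(r"No appropriate protocol \(protocol is disabled or "
                         r"cipher suites are inappropriate\)")

@dataclass
class Diagnosis:
    kind: str                                   # "version_mismatch" or "no_enabled_protocol"
    client: list = field(default_factory=list)  # versions the client offered
    server: list = field(default_factory=list)  # versions the server would accept

def _versions(text):
    return [JSSE_NAMES.get(v.strip(), v.strip()) for v in text.split(",") if v.strip()]

def diagnose(line):
    """Classify one log line; None when it is neither of the two handshake failures."""
    m = MISMATCH_RE.search(line)
    if m:
        return Diagnosis("version_mismatch", _versions(m.group(1)), _versions(m.group(2)))
    if DISABLED_RE.search(line):
        return Diagnosis("no_enabled_protocol")
    return None

def not_offered(diag, configured):
    """Entries of the configured ssl.enabledProtocols that the server did not actually offer."""
    if diag is None or diag.kind != "version_mismatch":
        return set()
    return {v.strip() for v in configured.split(",")} - set(diag.server)

def triage(lines, configured):
    """Count each failure kind and collect configured-but-not-effective versions."""
    counts, missing = {}, set()
    for line in lines:
        d = diagnose(line)
        if d:
            counts[d.kind] = counts.get(d.kind, 0) + 1
            missing |= not_offered(d, configured)
    return counts, missing

# Constructed sample: three lines abridged from the stack traces quoted in the report.
SAMPLE_LOG = [
    "2021-10-07T12:24:44.123+0000 [myid:] - WARN  [nioEventLoopGroup-4-2:NettyServerCnxnFactory$CnxnChannelHandler@273] - Exception caught",
    "Caused by: javax.net.ssl.SSLHandshakeException: The client supported protocol versions [TLSv1.3] are not accepted by server preferences [TLS12]",
    "Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)",
]
```

Running `triage(SAMPLE_LOG, "TLSv1.3,TLSv1.2")` against the report's configuration reports TLSv1.3 as configured but not offered by the server, which is exactly the gap the reporter observed.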



--
This message was sent by Atlassian Jira
(v8.20.10#820010)