[
https://issues.apache.org/jira/browse/CASSANDRA-14842?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16662102#comment-16662102
]
Tommy Stendahl commented on CASSANDRA-14842:
--------------------------------------------
I have this config on the 4.0 node:
{noformat}
server_encryption_options:
    # set to true for allowing secure incoming connections
    enabled: true
    # If enabled and optional are both set to true, encrypted and unencrypted connections are handled on the storage_port
    optional: false
    # if enabled, will open up an encrypted listening socket on ssl_storage_port. Should be used
    # during upgrade to 4.0; otherwise, set to false.
    enable_legacy_ssl_storage_port: true
    # on outbound connections, determine which type of peers to securely connect to. 'enabled' must be set to true.
    internode_encryption: all
    keystore: /usr/share/cassandra/.ssl/cil-intern/server/keystore.jks
    keystore_password: '*********'
    truststore: /usr/share/cassandra/.ssl/cil-intern/server/truststore.jks
    truststore_password: '**********'
    # More advanced defaults below:
    protocol: TLSv1.2
    # store_type: JKS
    cipher_suites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA]
    # require_client_auth: false
    # require_endpoint_verification: false
{noformat}
> SSL connection problems when upgrading to 4.0
> ---------------------------------------------
>
> Key: CASSANDRA-14842
> URL: https://issues.apache.org/jira/browse/CASSANDRA-14842
> Project: Cassandra
> Issue Type: Bug
> Reporter: Tommy Stendahl
> Priority: Blocker
>
> While testing to upgrade from 3.0.15 to 4.0 the old nodes fail to connect to
> the 4.0 node, I get this exception on the 4.0 node:
>
> {noformat}
> 2018-10-22T11:57:44.366+0200 ERROR [MessagingService-NettyInbound-Thread-3-8] InboundHandshakeHandler.java:300 Failed to properly handshake with peer /10.216.193.246:58296. Closing the channel.
> io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
> at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:459)
> at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265)
> at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
> at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
> at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
> at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1434)
> at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
> at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
> at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:965)
> at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:808)
> at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:417)
> at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:317)
> at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:884)
> at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
> at java.lang.Thread.run(Thread.java:748)
> Caused by: javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
> at sun.security.ssl.InputRecord.handleUnknownRecord(InputRecord.java:637)
> at sun.security.ssl.InputRecord.read(InputRecord.java:527)
> at sun.security.ssl.EngineInputRecord.read(EngineInputRecord.java:382)
> at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:962)
> at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907)
> at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
> at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
> at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:294)
> at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1275)
> at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1177)
> at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1221)
> at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489)
> at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428)
> ... 14 common frames omitted
> {noformat}
> In the server encryption options on the 4.0 node I have both "enabled" and
> "enable_legacy_ssl_storage_port" set to true so it should accept incoming
> connections on the "ssl_storage_port".
> I have also tried to upgrade from 3.11.3 to 4.0 and this was also
> unsuccessful. The 4.0 node does not establish any connection to the old nodes
> but I can't find any errors in the logs.
>
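The `SSLv2Hello is disabled` exception in the trace above is what JSSE raises when the first record on a connection is an SSLv2-format ClientHello and `SSLv2Hello` is not among the engine's enabled protocols. As an added example (not part of the original message or of Cassandra's code), the Python below classifies the first bytes captured from a connecting peer so the hello framing can be confirmed from a packet capture; the function names are hypothetical, the sample bytes are constructed, and `rejected_as_v2hello` is a simplified model of that one check.

```python
import struct

# Version bytes carried in both hello formats -> protocol name.
VERSIONS = {(2, 0): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1",
            (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

def classify_hello(data: bytes) -> dict:
    """Classify the first bytes a peer sent to a TLS listener."""
    if len(data) < 5:
        return {"format": "too-short"}
    # SSLv2 record: 2-byte header with the high bit set, then message
    # type 1 (CLIENT-HELLO) and the highest version the client offers.
    if data[0] & 0x80 and data[2] == 1:
        length = struct.unpack(">H", data[:2])[0] & 0x7FFF
        return {"format": "sslv2-hello", "record_length": length,
                "offered": VERSIONS.get((data[3], data[4]), "unknown")}
    # TLS record: content type 22 (handshake), record version, length.
    if data[0] == 22 and data[1] == 3:
        result = {"format": "tls-record",
                  "record_version": VERSIONS.get((data[1], data[2]), "unknown")}
        # Handshake header: type (1 = client_hello), 3-byte length, version.
        if len(data) >= 11 and data[5] == 1:
            result["offered"] = VERSIONS.get((data[9], data[10]), "unknown")
        return result
    return {"format": "not-tls"}

def rejected_as_v2hello(data: bytes, enabled_protocols) -> bool:
    """True when the listener would refuse the hello purely because of its
    SSLv2 framing, i.e. the 'SSLv2Hello is disabled' case in the trace."""
    return (classify_hello(data)["format"] == "sslv2-hello"
            and "SSLv2Hello" not in enabled_protocols)

# Constructed sample: SSLv2-format ClientHello offering TLSv1.2.
_v2_body = (bytes([1, 3, 3]) + struct.pack(">HHH", 3, 0, 16)
            + b"\x00\x00\x2f" + bytes(16))
SAMPLE_V2 = struct.pack(">H", 0x8000 | len(_v2_body)) + _v2_body

# Constructed sample: TLS-record ClientHello offering TLSv1.2.
_hs_body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
_hs = b"\x01" + len(_hs_body).to_bytes(3, "big") + _hs_body
SAMPLE_TLS = b"\x16\x03\x01" + struct.pack(">H", len(_hs)) + _hs

if __name__ == "__main__":
    for name, sample in (("v2", SAMPLE_V2), ("tls", SAMPLE_TLS)):
        print(name, classify_hello(sample), rejected_as_v2hello(sample, ["TLSv1.2"]))
```

A peer can offer TLSv1.2 inside SSLv2 framing, so the `offered` field alone does not tell you whether the listener will accept the hello; the `format` field does.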