I think this must be related to this change:

https://issues.apache.org/jira/browse/ZOOKEEPER-4415

---------------------------------------------------
* *ssl.protocol* and *ssl.quorum.protocol* :
    (Java system properties: **zookeeper.ssl.protocol** and
**zookeeper.ssl.quorum.protocol**)
    **New in 3.5.5:**
    Specifies the protocol to be used in client and quorum TLS
negotiation.
    Default: TLSv1.3 or TLSv1.2 depending on Java runtime version being
used.

* *ssl.enabledProtocols* and *ssl.quorum.enabledProtocols* :
    (Java system properties: **zookeeper.ssl.enabledProtocols** and
**zookeeper.ssl.quorum.enabledProtocols**)
    **New in 3.5.5:**
    Specifies the enabled protocols in client and quorum TLS
negotiation.
    Default: TLSv1.3, TLSv1.2 if value of `protocol` property is
TLSv1.3. TLSv1.2 if `protocol` is TLSv1.2.
---------------------------------------------------

I assume you didn't have any of these settings in your original zoo.cfg
configuration, so with the upgrade the default value of ssl.protocol
has been changed to TLSv1.3 (IBM JDK should support that), but in that
case the server should accept both 1.2 and 1.3 clients.

Let me dig deeper.




On Wed, 2024-11-27 at 14:08 -0600, Andor Molnar wrote:
> Hi Aayush,
> 
> Thanks for the report. I'm sure I've seen this problem reported
> already, let me dig the archives.
> 
> Basically you're saying that accepted TLS protocol has been changed
> from TLSv2 to TLSv3, is that correct?
> 
> Best,
> Andor
> 
> 
> 
> 
> On Wed, 2024-11-27 at 17:14 +0000, Aayush Gupta wrote:
> > 
> > Hi,
> > 
> > We upgraded from Zookeeper 3.9.1 to 3.9.2. TLS was configured before
> > the upgrade. No TLS version specified as part of zoo.cfg. Post
> > upgrade, client to server connection is broken with TLS error (The
> > client supported protocol versions [TLSv1.2, TLSv1.1, TLSv1] are not
> > accepted by server preferences [TLS13]). Looking at the logs, client
> > is using TLS 1.2 but it looks like server is forcing to use TLS
> > 1.3. It's IBM JDK. Post this, made below changes to zoo.cfg and
> > client-server connection worked fine. ssl.protocol=TLSv1.2. Is this
> > a new change in 3.9.2 which forces to use 1.3 by default?
> > 
> > Also, we have raised a Jira.
> > 
> > https://issues.apache.org/jira/browse/ZOOKEEPER-4888
> > 
> > We would really appreciate if we could get a quick solution to the
> > issue. 
> > 
> > Thanks,
> > Aayush
> > 
> > 
> > 
> > 
> > —
> > Aayush Gupta
> > Software Engineer II
> > Precisely.com
> > 
> 
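
To check what this thread is debating (which TLS versions the JVM enables for each `ssl.protocol` value, and which versions a given server actually accepts), here is an added diagnostic that is not part of the original messages or of ZooKeeper's code. The class name is made up; host and port are whatever secure client port you configured, and trust and key stores are taken from the standard `javax.net.ssl.*` system properties.

```java
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;

// Added diagnostic example (hypothetical class name), not ZooKeeper code.
// Usage: java TlsProtocolCheck            -> print this JVM's TLS protocol sets
//        java TlsProtocolCheck host port  -> also try one handshake per version
public class TlsProtocolCheck {
    static final String[] VERSIONS = {"TLSv1.3", "TLSv1.2"};

    public static void main(String[] args) throws Exception {
        // What does an SSLContext created for each protocol name enable on this JVM?
        for (String v : VERSIONS) {
            try {
                SSLContext ctx = SSLContext.getInstance(v);
                ctx.init(null, null, null); // protocol lists do not depend on key material
                System.out.printf("SSLContext %s: enabled by default=%s supported=%s%n", v,
                    Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()),
                    Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
            } catch (NoSuchAlgorithmException e) {
                System.out.printf("SSLContext %s: not available on this JVM%n", v);
            }
        }
        if (args.length == 2) {
            for (String v : VERSIONS) {
                probe(args[0], Integer.parseInt(args[1]), v);
            }
        }
    }

    // Offer exactly one protocol version and report whether the server accepts it.
    static void probe(String host, int port, String version) {
        try (SSLSocket s = (SSLSocket) SSLContext.getDefault()
                .getSocketFactory().createSocket(host, port)) {
            s.setSoTimeout(5000);
            s.setEnabledProtocols(new String[] {version});
            s.startHandshake();
            System.out.printf("%s:%d accepted %s%n", host, port, s.getSession().getProtocol());
        } catch (Exception e) {
            // Read the message: a certificate or client-auth failure is not a version rejection.
            System.out.printf("%s:%d offering %s failed: %s%n", host, port, version, e);
        }
    }
}
```

Run it with the same JDK that runs the ZooKeeper server and again with the client's JDK, since the enabled protocol sets can differ between runtimes.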
